> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Krumviede
[...]
> > I would have looked at using a simple HMAC with shared secrets (or at
> > least offering it as an option) to make things shorter and easier on
> > CPUs (but then I'm not an IETF s00perbrane - I'm sure they didn't for
> > a reason.)[...]
>
> there has been discussion of wanting to use syslog data for 
> "evidentiary" purposes, and that this would seem to require 
> signing, rather than use of some form of (keyed) MAC. there 
> is also the fun of key distribution for a keyed MAC.

Sneakernet? 8)

Seriously, if we're talking about a protocol we can use on routers and
other pieces of active hardware, they'll need to be configured manually
at some stage. Modifications of the same devices would presumably need
to be done in some manner that meets security policy requirements, so
shared-secret modifications can be done at that stage. Yes, it's always
vulnerable to a guessing attack, but the payoff is that there's no PKI
operation. 

> but 
> there was, and i believe still is, interest in use of a MAC 
> as an alternative (but this is not (yet?) a working group item).

I see the need for evidence quality data, but I can't see how
incorporating signatures in that way would go any way towards making
data more courtworthy. To cheat, I just fake the logs on my firewall,
sign them (because I have the private keys on the firewall) and send
them to my collector. 

I might be missing something profound here, but I can't think of a way
to solve that problem without a trusted third party acting in some
manner. Is there one?

[...]
> > If you want to get really simple, just run IPSec (or v6) between your
> > firewall and log receiver, run AH only, [...]
> 
> as a side comment:
> 
> there has been discussion of deprecating AH (use ESP with 
> authentication and one can use a null crypto-transform) on 
> the IPsec working group mailing list... and NAT traversal may 
> be possible.

Good idea. AH has always been a crock, when you can just run ESP in
tunnel mode. (Should have put it that way myself, but the AH only motif
is easier to understand at a glance, and it was a throwaway point. Mea
culpa 8)

> -paul

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 
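The keyed-MAC alternative discussed above, as an added example that is not part of the original thread or of any IETF syslog work: each syslog line is tagged with an HMAC-SHA256 computed under a manually configured shared secret, and the collector recomputes the tag before accepting the line. The key value, the `hmac=` trailer format and the log lines are all constructed for this example. It shows what the scheme does buy (a line altered between firewall and collector is rejected, and so is a line produced without the key) and, by construction, what it does not: anything holding the key on the firewall can tag whatever it likes, which is the evidentiary gap the reply points out.

```python
import hashlib
import hmac

# Constructed shared secret. In deployment this is entered by hand on the
# firewall and on the collector, exactly the "configured manually" case above.
SHARED_KEY = b"example-shared-secret-configured-on-both-ends"

# Constructed trailer format: the hex tag is appended after a fixed separator.
TAG_SEPARATOR = " hmac="


def tag_message(key: bytes, message: str) -> str:
    """Producer side: append an HMAC-SHA256 tag to one syslog line."""
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{message}{TAG_SEPARATOR}{mac}"


def verify_message(key: bytes, wire_line: str):
    """Collector side: split off the tag, recompute it, return (ok, message).

    compare_digest is used so that verification time does not leak how many
    leading tag bytes were correct.
    """
    message, sep, tag = wire_line.rpartition(TAG_SEPARATOR)
    if not sep:
        # No tag at all: treat as unauthenticated and reject.
        return False, wire_line
    expected = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag), message


def collector_accept(key: bytes, wire_lines):
    """Sort incoming tagged lines into accepted and rejected messages."""
    accepted, rejected = [], []
    for line in wire_lines:
        ok, message = verify_message(key, line)
        (accepted if ok else rejected).append(message)
    return accepted, rejected


def run_demo():
    """Constructed traffic: two good lines, one altered in transit, one untagged."""
    originals = [
        "<34>Jan 12 10:00:01 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 DPT=23",
        "<34>Jan 12 10:00:02 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 DPT=443",
    ]
    tagged = [tag_message(SHARED_KEY, line) for line in originals]

    # Simulated modification between firewall and collector: the verdict on the
    # first line is flipped, but the tag still covers the original text.
    altered = tagged[0].replace("DROP", "ACCEPT", 1)

    # A line that never went through the producer, so carries no tag.
    untagged = "<34>Jan 12 10:00:03 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.12 DPT=22"

    return collector_accept(SHARED_KEY, [tagged[1], altered, untagged])


if __name__ == "__main__":
    accepted, rejected = run_demo()
    print("accepted:", *accepted, sep="\n  ")
    print("rejected:", *rejected, sep="\n  ")
```

Note that the collector learns nothing about who tagged a line beyond "someone with this key", so a copy of the key on each sending device is enough to make the firewall-forges-its-own-logs case indistinguishable from genuine traffic at the collector; a per-device key narrows the set of possible authors to that one device but does not close the gap.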

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls