You tell me how the log auditing app verifies the logs and I'll tell you how to subvert it. 8)
While it's true that it protects against naive log tampering, the app itself must be vulnerable to attack. Let's say, for the sake of argument, that it stores, against each entry, a SHA hash of (logfile + secret key) - yes that's a boring protocol and full of holes, but it works on the surface, since I can't fake logs because I can't reproduce the correct hash for my faked entry. In that faked up example, all I need to do is dig around in the binary for the logger program, rip out the key and away I go.

Cyberguard gets points for its MAC code, which would make it really unlikely that an external attacker could ever get the right sort of access to do that - but here the attacker is internal and has full access to all the accounts on the box (plus physical access, if necessary, and I know that Cyberguard can run on standard x86 boxes - removing the disks and remounting them raw on the nearby linux box would be an obvious way to evade all the B level security).

I'm sure that your mechanism is smarter than that, but I'm still asserting that it's just a bigger hurdle. Lots has been written about assembly/machine code obfuscation, and while it's possible to make things hard it's impossible to make them impossible.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 12, 2002 5:27 AM
> To: 'Ben Nagy'; [EMAIL PROTECTED]
> Subject: RE: firewall logging
>
> (I don't know that I want to post this on the list, since I'm
> a lurking FW vendor, but pass it on if you deem it fit.)
>
> Just as an FYI, The CyberGuard Firewalls have a binary
> encoded "Tamper-Evident" audit logging mechanism. It logs all
> kernel/network activity on the box for forensic evidence.
>
> I have tried to tamper with them at a hex level and when it
> runs into that section of the file, it warns of an "inconsistency".
>
> I suppose that if the need arose, you'd have to submit the
> whole firewall for analysis, since the binary logs can only
> be read and extracted directly on the firewall and not on any
> other platform. Then there's that whole pesky chain of
> custody stuff...
>
> Much of this design was due to the heritage CyberGuard has as
> the first and only B1 rated firewall with B2 functionality builtin.
>
> I can explain more if you want.
>
> Regards,
> Erik
> _________________________________________________
> Erik Elsasser System Engineering
> CyberGuard Corporation Northeast Region
> 908.638.3185-Phone 908.638.3190-Fax
> [EMAIL PROTECTED] www.cyberguard.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Nagy
> Sent: Tuesday, June 11, 2002 4:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: firewall logging
>
> OK, I need to be more explicit.
>
> I assert that nobody can describe to me a system that I
> cannot subvert for providing "signed" logs for use as
> evidence _without_ using a trusted third party in some manner.[...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
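The static-key scheme Ben sketches, beside a forward-secure chained-MAC variant, as an added example that is not part of this thread and not CyberGuard's mechanism. It shows why an insider who recovers the key silently rewrites the first scheme's log, and why the second only helps when a verifier off the box keeps the initial key, which is exactly the trusted third party Ben insists on; the keys and log events are constructed.

```python
import hmac
import hashlib

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# --- scheme 1: one static key, per-entry MAC (the "boring protocol" in the thread)
def append_static(log: list, key: bytes, entry: bytes) -> None:
    log.append((entry, mac(key, entry)))

def verify_static(log: list, key: bytes) -> bool:
    return all(hmac.compare_digest(mac(key, e), t) for e, t in log)

# --- scheme 2: forward-secure chained MACs (hypothetical hardening, not CyberGuard's)
# key_i = SHA-256(key_{i-1}); the logger keeps only the current key, so whoever
# seizes the box after entry i holds nothing that authenticates entries before i.
class ForwardSecureLog:
    def __init__(self, k0: bytes) -> None:
        self.key, self.prev, self.log = k0, b"\x00" * 32, []
    def append(self, entry: bytes) -> None:
        tag = mac(self.key, self.prev + entry)        # chain on the previous tag
        self.log.append((entry, tag))
        self.prev = tag
        self.key = hashlib.sha256(self.key).digest()  # evolve; old key is erased

def verify_forward_secure(log: list, k0: bytes) -> bool:
    """Run by the off-box verifier that holds k0 (the third party)."""
    key, prev = k0, b"\x00" * 32
    for entry, tag in log:
        if not hmac.compare_digest(mac(key, prev + entry), tag):
            return False
        prev, key = tag, hashlib.sha256(key).digest()
    return True

EVENTS = [b"login root", b"cp /etc/shadow /tmp", b"logout"]  # constructed sample

def insider_rewrites_static(key: bytes) -> bool:
    """Insider rips the static key out of the binary and rewrites entry 1."""
    log = []
    for e in EVENTS:
        append_static(log, key, e)
    log[1] = (b"ls /tmp", mac(key, b"ls /tmp"))
    return verify_static(log, key)            # True: the forgery passes

def insider_rewrites_forward_secure(k0: bytes) -> bool:
    """Insider seizes the box afterwards and finds only the evolved key."""
    fs = ForwardSecureLog(k0)
    for e in EVENTS:
        fs.append(e)
    stolen = fs.key                           # all that is left on disk
    forged = list(fs.log)
    forged[1] = (b"ls /tmp", mac(stolen, forged[0][1] + b"ls /tmp"))
    return verify_forward_secure(forged, k0)  # False: the verifier catches it
```

The forward-secure variant still lets an insider truncate the log or append entries with the current key; it only protects what was written before the compromise, and only if k0 never lives on the box.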
