> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ron DuFresne
> Sent: Wednesday, June 12, 2002 8:40 AM
> To: Marc E. Mandel
> Cc: [EMAIL PROTECTED]
> Subject: RE: firewall logging
>
>
> On Tue, 11 Jun 2002, Marc E. Mandel wrote:
>
> > In response to Ron DuFresne:
> > Baltimore's UniCERT product
[will make you breakfast, wash your car and still have time to broker a peace deal between India and Pakistan]

[...]

> > The only way that I know to prove that the log entry is original, would be
> > to sign it as part of its creation. The public key infrastructure
> > (PKI) software to accomplish this exists. It would be ideal to have
> > it signed via an API call from within the firewall's logging code.

Warning - impending rant...

I think this highlights one of the big myths of PKI. Signing things proves exactly ONE thing - that they were signed by someone/thing who knew the corresponding private key to whatever public key the signature is verified against. That's all. It doesn't prove "originality", "authenticity" or any of that other fluff that vendors like to talk about.

If your private key is compromised, you lose. If someone out there decides that they'll sign people's digital IDs for five bucks as long as they pass the "scout's honour" ID test, you lose. When someone copies the "Private Key, Do Not Copy" file from your firewall then they can sign logs just as convincingly as your Secure Signing API.

Let me give you a scenario. I, Unlucky Ben, have just left XYZCorp after a disagreement with my manager. Said manager, Evil Bill, decides to have the last word. Having access to all the servers, Evil Bill extracts the private key from the Baltimore UniCERT server, just as it is in the process of whipping up another ham omelette. Armed with the private key, Evil Bill fakes up firewall logs showing me logging in via VPN to the firewall, accessing one of the servers and defacing the XYZCorp website with pictures of camels in sexual congress. Signing the logs with the private key, Evil Bill (who seems to know a lot about this sort of stuff for a manager) then replaces yesterday's logs on the collector with the new, signed logs, calls the FBI and off I go (apparently) to jail, where a large man called Susan wants to be my special friend. Unlucky.

I'll put all this more simply - every scheme to provide "authenticated" logs needs to use something secret. If it's onsite, then the secret isn't safe, and the logs just can't be trusted by an outsider. Sure, they're better than random logs in text, but if I were trying to prove beyond reasonable doubt (if that's still required in the US - lucky I'm not from the middle east... ;) that something happened based only on my logs, then I really should have major problems.

(I don't want to get into the legal side of all this, since it's US centric, boring and time has shown that opinions from actual real life lawyers almost never turn up.)

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
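The point of the post in runnable form, as an added example that is not part of the original message or of any vendor's product: a firewall signs its log lines, a forger holding a copy of the same key signs fabricated lines, and verification accepts both sets identically, while only a line edited after signing without the key is rejected. The detached-signature-per-line format, the Ed25519 key and the sample log lines are all assumptions constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignLog returns one detached Ed25519 signature per log line, the way firewall
// logging code calling a signing API might. (Assumed format, not UniCERT's.)
func SignLog(priv ed25519.PrivateKey, lines []string) [][]byte {
	sigs := make([][]byte, len(lines))
	for i, l := range lines {
		sigs[i] = ed25519.Sign(priv, []byte(l))
	}
	return sigs
}

// VerifyLog counts lines whose signature checks under pub. A valid signature says
// only "made with the matching private key", not who held that key or when.
func VerifyLog(pub ed25519.PublicKey, lines []string, sigs [][]byte) int {
	valid := 0
	for i, l := range lines {
		if ed25519.Verify(pub, []byte(l), sigs[i]) {
			valid++
		}
	}
	return valid
}

// Demo returns how many genuine, forged and post-signing-tampered lines verify.
func Demo() (genuineOK, forgedOK, tamperedOK int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample lines; the forged set mirrors the VPN-login scenario in the post.
	genuine := []string{"23:59:01 fw1 DENY tcp 10.0.0.7:4432 -> 192.0.2.10:22", "23:59:05 fw1 ACCEPT udp 10.0.0.7:1025 -> 192.0.2.53:53"}
	forged := []string{"23:30:00 fw1 VPN LOGIN user=ben src=198.51.100.5", "23:31:10 fw1 ACCEPT tcp 10.0.0.99:1033 -> 192.0.2.80:80"}
	gSigs := SignLog(priv, genuine) // signed by the firewall itself
	fSigs := SignLog(priv, forged)  // signed with the same key, copied off the server
	tampered := append([]string(nil), genuine...) // edited after signing, without the key
	tampered[0] = "23:59:01 fw1 ACCEPT tcp 10.0.0.7:4432 -> 192.0.2.10:22"
	return VerifyLog(pub, genuine, gSigs), VerifyLog(pub, forged, fSigs), VerifyLog(pub, tampered, gSigs)
}

func main() {
	g, f, t := Demo()
	fmt.Printf("genuine %d/2 verify, forged %d/2 verify, tampered %d/2 verify\n", g, f, t)
}
```

The verifier has no way to tell the forged set from the genuine one; what the signature buys is detection of edits made by someone who did not have the key, which is exactly the "better than plain text, but no more" position the post takes.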
