I agree with this assessment up to a point. For most of us security is
about balancing risk, technology and financial constraints.
The log data that ossec moves generally does not contain the keys to the
store but would be useful in helping a bad guy case the joint. To use
the log data to compromise your network, there would have to be a chain
of other security failures. If the network you are protecting serves up
dental records for a neighborhood clinic, OSSEC is probably going to
meet or exceed your requirements. If the network is a federal reserve
bank, you are going to have to wrap it inside some more robust
cryptographic and operational controls.
On 12/20/2010 06:39 PM, Michael Starks wrote:
On 12/20/2010 12:54 PM, Jarred White wrote:
Hello. I’m trying to find a way to remotely deploy OSSEC to some of our
remote sites and have it report back to us on server health/security.
There is no direct connection to the remote network, so any reporting
would need to happen over the Internet since VPN is out of the question.
As others have noted, OSSEC encrypts all communications symmetrically
with Blowfish. Each client has a unique key, so if one is compromised,
your entire infrastructure is not at risk.
Additionally, since OSSEC uses UDP, and UDP is vulnerable to replay
attacks (even while encrypted), a counter is added to prevent any
replay of captured traffic. OSSEC will, by default, drop any packets
with a duplicate counter.
There may also be a random pad used for keep-alive messages. I am not
entirely sure about that.
Finally, also by default, OSSEC will restrict by source IP, so that
also makes it difficult to inject traffic.
I think you'll find that these protections are pretty much
state-of-the-art when it comes to log transport. I don't think you'll
find better in many other products, open source or commercial.
--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
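The protections Michael lists (a per-agent shared key, a per-message counter that the server refuses to accept twice, and a source-IP check) are easy to see in miniature. The following is an added example written for this thread, not OSSEC's own code or wire format: it uses HMAC-SHA256 over the body as a stand-in for OSSEC's Blowfish envelope, a strictly increasing 64-bit counter, and a constructed agent table; the agent id, IP addresses, key and log lines are all made up for the demonstration.

```python
"""Receiver-side replay and source checks for a UDP log transport.

Added example, not OSSEC code. The packet layout is constructed:
    tag (32 bytes HMAC-SHA256) || counter (8 bytes, big-endian) || log line
"""
import hashlib
import hmac
import struct

TAG_LEN = 32
COUNTER_LEN = 8


class Agent:
    """Simulated remote agent: one shared key and a counter that only grows."""

    def __init__(self, agent_id, key):
        self.agent_id = agent_id
        self.key = key
        self.counter = 0

    def build(self, line):
        # Every packet carries the next counter value and is authenticated
        # with the agent's own key, so one leaked key exposes one agent.
        self.counter += 1
        body = struct.pack(">Q", self.counter) + line.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return tag + body


class Receiver:
    """Simulated manager that drops spoofed, tampered and replayed packets."""

    def __init__(self, agents):
        # agents: {agent_id: (allowed_source_ip, shared_key_bytes)}  (constructed table)
        self.agents = agents
        self.last_counter = {agent_id: 0 for agent_id in agents}
        self.dropped = []  # reasons, in order, for inspection/testing

    def _drop(self, reason):
        self.dropped.append(reason)
        return None

    def check(self, source_ip, agent_id, payload):
        """Return the decoded log line, or None if the packet is dropped."""
        if agent_id not in self.agents:
            return self._drop("unknown agent")
        allowed_ip, key = self.agents[agent_id]
        # Source-IP restriction: cheap first filter against injected traffic.
        if source_ip != allowed_ip:
            return self._drop("source ip mismatch")
        if len(payload) < TAG_LEN + COUNTER_LEN:
            return self._drop("short packet")
        tag, body = payload[:TAG_LEN], payload[TAG_LEN:]
        # Constant-time MAC comparison; rejects forged or modified bodies.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._drop("bad mac")
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        # Anti-replay: a counter that does not advance is a duplicate.
        # (Strictly increasing also drops reordered UDP datagrams; a real
        # receiver might keep a small window instead.)
        if counter <= self.last_counter[agent_id]:
            return self._drop("replay")
        self.last_counter[agent_id] = counter
        return body[COUNTER_LEN:].decode()


def demo():
    """Run one agent through accept, replay, spoof, accept and tamper cases."""
    key = b"constructed-per-agent-key-001"
    rx = Receiver({"agent-001": ("10.0.0.5", key)})
    tx = Agent("agent-001", key)
    pkt1 = tx.build("sshd[1]: Accepted publickey for ops")  # constructed log line
    pkt2 = tx.build("sudo: ops : command=/bin/ls")           # constructed log line
    results = [
        rx.check("10.0.0.5", "agent-001", pkt1),             # accepted
        rx.check("10.0.0.5", "agent-001", pkt1),             # replayed -> dropped
        rx.check("192.0.2.9", "agent-001", pkt2),            # wrong source -> dropped
        rx.check("10.0.0.5", "agent-001", pkt2),             # accepted
        rx.check("10.0.0.5", "agent-001", pkt2[:-1] + b"X"), # tampered -> dropped
    ]
    return results, rx.dropped


if __name__ == "__main__":
    accepted, reasons = demo()
    print("delivered:", [r for r in accepted if r is not None])
    print("dropped:  ", reasons)
```

The order of the checks matters for a receiver that sits on the Internet: the IP filter and the MAC run before anything is parsed or decrypted, so unauthenticated packets cost almost nothing, and the counter is only trusted after the MAC has confirmed it came from the agent that owns the key.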