Firewall Wizards: Re: syslog and network management

[Dave Piscitello <dave () corecom com>]

I think the goal here is "distancing log files from attack vectors".

If you are confident that an application does not create an exploitable 
path to your log server you could *in theory* run that application on 
the log server.
But, how you configure the system that hosts the log server "plus" 
applications is important, right? You could run a browser to configure 
certain firewalls from a log server. You probably want to be careful to 
not do so as admin, to block (public, Internet zone) browsing where 
you'd fall victim to a drive-by download.
You don't need much horsepower to collect logs, and you'll probably want 
to archive from the server, so you might consider the cost of investing 
for a log server only machine against the risk running more than just 
log service on a machine.
shadow floating wrote:
> thanks alot patrick, i was not actually asking about the centralized
> log server issue as i believe in it...but is it appropriate to add
> firewall and router management applications to be installed onto that
> server , like ciscoworks and the like?..or it's better to add another
> separate management machine in addition to the syslog machine from the
> security point of view
>
> thanks alot
>
> Nad
>
> On Feb 19, 2008 8:35 PM, Darden, Patrick S. <darden () armc org> wrote:
> > Having a centralized log server is actually definced as best
> > practice.  It is generally felt that it should only be
> > the log server though, all other services turned off,
> > firewall in place, etc. so it can be inviolate for all
> > auditing, legal procedures, security traces, etc.
> >
> > The case for centralized logging:
> > http://ebuzzsaw.com/whitePapers/Case_for_Centralize_Logging.htm
> >
> >
> >
> >
> > -----Original Message-----
> > From: firewall-wizards-bounces () listserv icsalabs com
> > [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
> > shadow floating
> > Sent: Tuesday, February 19, 2008 10:20 AM
> > To: Firewall Wizards Security Mailing List
> > Subject: [fw-wiz] syslog and network management
> >
> >
> > Hi all,
> > is it appropriate from security point of view to have one server in
> > which syslog is installed to colledt logs from all network devices
> > (firewalls, switches and routers), in addition to installing
> > management software to like ciscoworks on the same machine, in
> > addition to using this machine as a network time server to sync all
> > network devices?, if yes does any one recommed certain specs for this
> > machine or it can be an ordinary machine with 1 GB of memory and 512
> > GB hard disk and 3.2 GHz processor.
> >
> > thanks alot
> >
> > regards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Attachment: dave.vcf
Description:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards