Firewall Wizards mailing list archives

Re: More Syslog Questions


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 20 Jul 2004 01:58:09 +0530

On 19/07/04 08:10 -0500, Nathaniel Hall wrote:
> <snip>
> Server 1 is connected to the main network.  Server 2 is connected to Server
> 1 using a cross over cable.  Server 2 listens in promiscuous mode.
> Physically the servers are secure and the only way to access Server 2 is
> through KVM over IP.

A more commonly proposed solution is to send the logs to server 1 and 
have server 2 on a spanned/mirrored port on the same switch. Server 2 
has no IP address on the network interface attached to the switch. Grab 
port 514/UDP traffic and dump to disk.

Server 2 has a separate physical interface which can be reached from a
different management subnet.

IMHO, a server with a variant of syslogd listening on all ports and ssh
only from a single host should be good enough. If the host has two
physical interfaces, put them on two physically separate networks and
have sshd listen only on the management interface.

This protects you from everything except a syslogd exploit.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
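As an added example (not code from the original post or its author), the following shows what the passive collector described above has to do: read raw frames from an interface that carries no IP address, keep only IPv4/UDP datagrams to port 514, decode the RFC 3164 <PRI> prefix, and append each message to disk. The sample frame, the host addresses and the output file name are constructed for the demo; the capture function assumes Linux AF_PACKET sockets and root privileges.

```python
# Added example, not from the original post: passive syslog collection off a
# span port or crossover link. The sample frame and addresses are constructed.
import socket
import struct
import time

SYSLOG_PORT = 514
ETH_P_ALL = 0x0003
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (used only to build test frames)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame for testing (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + hdr + udp


def parse_syslog_frame(frame: bytes):
    """Return a record for a UDP/514 syslog datagram, or None for anything else."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # too short or not IPv4
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        return None                                   # not IPv4 / not UDP
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]                           # drops Ethernet padding
    if len(udp) < 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT:
        return None
    text = udp[8:ulen].decode("utf-8", errors="replace")
    pri, msg = 13, text                               # RFC 3164: bad/missing PRI -> <13>
    if text.startswith("<"):
        end = text.find(">", 1, 5)
        if end > 1 and text[1:end].isdigit() and int(text[1:end]) <= 191:
            pri, msg = int(text[1:end]), text[end + 1:]
    return {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "src_port": sport, "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8], "msg": msg}


def write_record(rec: dict, path: str) -> str:
    """Append one line per message, stamped with the collector's own clock."""
    line = "%s %s %s.%s %s" % (time.strftime("%Y-%m-%dT%H:%M:%S"), rec["src_ip"],
                               rec["facility"], rec["severity"], rec["msg"])
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def capture(iface: str, path: str) -> None:
    """Sniff the unnumbered span/crossover interface (Linux AF_PACKET, needs root).
    Nothing is ever transmitted, so the collector stays unreachable from the
    logging network."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    while True:
        rec = parse_syslog_frame(sock.recv(65535))
        if rec:
            write_record(rec, path)


# Constructed sample: auth.warning (PRI 36 = 4*8 + 4) from a firewall at 10.0.0.7
SAMPLE_FRAME = build_frame("10.0.0.7", "10.0.0.1", 40000, SYSLOG_PORT,
    b"<36>Jul 19 08:10:00 fw1 sshd[4242]: Failed password for root from 192.0.2.9 port 5555 ssh2")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        capture(sys.argv[1], sys.argv[2])            # e.g. eth1 /var/log/span-syslog.log
    else:
        print(write_record(parse_syslog_frame(SAMPLE_FRAME), "span-syslog-demo.log"))
```

Run without arguments to parse the constructed frame and append it to span-syslog-demo.log; with an interface and output path it sniffs live. The receive-side timestamp is written alongside the message because a sender that has been compromised controls everything inside the datagram, including its own header timestamp.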