Re: More Syslog Questions

["Bruce Smith" <bruce_the_loon () worldonline co za>]

Hi all

What about using a multicast address set for logging? That way you don't
have the problems with promiscuous
mode or switches. And IIRC, multicasts cross VLAN's while broadcasts don't,
allowing your log machines to
sit on their own VLANs in isolated, secure regions.

Serial, crossovers and so forth are good enough for local machines, but if
you can scatter your silent logs across
the entire network and protect them by using different locations, it adds
another barrel to the gun.

Ideas? Comments?

Bruce Smith



> > Since I started this post, I believe we came up with another solution,
but I
> > would still like your opinion.  Here it goes...
> >
> > Server 1 is connected to the main network.  Server 2 is connected to
Server
> > 1 using a cross over cable.  Server 2 listens in promiscuous mode.
> > Physically the servers are secure and the only way to access Server 2 is
> > through KVM over IP.
> >
> > Server 1 receives all syslog messages and (using IPTables with DNAT)
sends
> > the messages to any IP address since Server 2 is listening in
promiscuous
> > mode it should pick up all of the messages.  This does not allow anybody
to
> > compromise Server 1 and gain access to Server 2.
> >
> > How does that sound?
>
> I like the serial port idea better. :)
>
> There's also a way to make a "listen-only" RJ-45 cable, iirc.
>
> A.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards