Firewall Wizards mailing list archives
logging questions
From: nobody () shinobi alias net (Anonymous)
Date: Fri, 24 Apr 1998 07:18:40 -0700 (PDT)
We are considering the following system for centralizing, archiving and authenticating firewall log files. Across the corporation we have m firewalls and 2 loghosts. Each loghost is in a different location and sits behind a packet filtering firewall. Each firewall would log to its local disk as well as to both log hosts. Logs will be encrypted across the wire but not on the local disk. At the end of each logging period (e.g. weekly) logs are collected from all 3 sources (loghost1, loghost2, firewall(i) local disk) compared to ensure no differences and written to an appropriate storage device (e.g. writeable CD-ROM). Assuming that all of the firewalls are appropriately configured and that the loghosts are as trusted as anything on our network, Can we be reasonably sure that the logs have not been altered? We realize that we can make no claims about the logs from a given firewall after it is compromised. But we would like to ensure that the logs from BEFORE the firewall was compromised are accurate. Is this a sound approach? anything we are overlooking or should take into account?
Current thread:
- logging questions Anonymous (Apr 24)
- Re: logging questions Emiliano Kargieman (CORE) (Apr 27)