Firewall Wizards mailing list archives
Re: logging questions
From: "Emiliano Kargieman (CORE)" <ek () securenetworks com>
Date: Mon, 27 Apr 1998 15:50:33 -0600 (MDT)
On Fri, 24 Apr 1998, Anonymous wrote: [something about a lot of firewalls logging remotely to 2 loghosts] [...]
Assuming that all of the firewalls are appropriately configured and that the loghosts are as trusted as anything on our network, can we be reasonably sure that the logs have not been altered? We realize that we can make no claims about the logs from a given firewall after it is compromised. But we would like to ensure that the logs from BEFORE the firewall was compromised are accurate.
There are two cryptographic protocols designed to accomplish this (PEO-1 and VCR). I recommend you take a look at http://www.core-sdi.com/ssyslog where you can find the papers describing the protocols and an implementation of syslog that uses PEO-1 to guarantee that the logs written to disk before an intrusion weren't modified.
Emiliano Kargieman
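The property asked about in this thread (entries written before a compromise cannot be altered undetected) can be illustrated with a generic evolving-key scheme. This is an added example, not part of the original post, not the ssyslog code, and not the PEO-1 or VCR specification, which the post does not describe. The names `evolve`, `ChainedLog` and `audit`, the use of HMAC-SHA256, and the sample log lines are assumptions made for the illustration.

```python
import hashlib
import hmac

def evolve(key: bytes, entry: bytes) -> bytes:
    # One-way step (assumed construction): the new key is derived from the
    # old key and the entry, so holding K[n] does not reveal K[n-1].
    return hmac.new(key, entry, hashlib.sha256).digest()

class ChainedLog:
    """Firewall-side state: the log lines plus only the current key."""
    def __init__(self, initial_key: bytes):
        self.entries = []
        self.key = initial_key  # K[0]; the auditor keeps a copy off-host

    def append(self, entry: bytes) -> None:
        self.entries.append(entry)
        self.key = evolve(self.key, entry)  # previous key is overwritten

def audit(initial_key: bytes, entries, claimed_key: bytes) -> bool:
    """Auditor side: replay the chain from K[0] and compare the end key."""
    key = initial_key
    for entry in entries:
        key = evolve(key, entry)
    return hmac.compare_digest(key, claimed_key)

def demo():
    k0 = bytes(range(32))  # constructed sample key; use a random secret in practice
    log = ChainedLog(k0)
    for line in [b"deny tcp 10.0.0.5:4123 -> 192.0.2.1:23",    # constructed lines
                 b"accept tcp 10.0.0.7:5000 -> 192.0.2.1:25",
                 b"deny udp 10.0.0.9:53 -> 192.0.2.1:161"]:
        log.append(line)
    intact = audit(k0, log.entries, log.key)

    # Host compromised at this point: only the entries and K[3] are exposed.
    exposed_key = log.key
    edited = list(log.entries)
    edited[0] = b"accept tcp 10.0.0.5:4123 -> 192.0.2.1:23"
    rewritten_past = audit(k0, edited, exposed_key)        # edit of an old entry
    truncated_past = audit(k0, log.entries[:2], exposed_key)  # old entry dropped

    # Entries added after the compromise chain correctly from the exposed key,
    # which is why no claim can be made about post-compromise logs.
    later = log.entries + [b"accept tcp 10.0.0.1:1024 -> 192.0.2.1:22"]
    added_after = audit(k0, later, evolve(exposed_key, later[-1]))
    return intact, rewritten_past, truncated_past, added_after
```

The audit only works if the initial key is stored somewhere the firewall cannot read after startup; a copy left on the compromised host lets the whole chain be recomputed.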