fschmid at archenergy.com
Tue Jul 31 10:34:28 MDT 2001
"D. Stimits" wrote:
> Just a sample of separation. Not a good sample. But would you suggest
> that an exact copy of the cracked firewall is a good place to hold logs,
> when the cracked machine has a direct interface to it? I'm not talking
> about script kiddies, I'm talking about real crackers. FYI, I agree that
> there are a lot of holes in a lot of alternate schemes, and that
> complexity makes it easier for something to go wrong. But I'm equally
> convinced that a well secured RH 7.1 firewall, when compromised, can't
> log to another RH 7.1 firewall safely.
How about running BSD on the log recipient? Or just a significantly
different distro of Linux? That should make you feel better!
I see a much greater problem in reading the logs and interpreting them
regularly than it is to keep them in a safe place. Remote logging is
only a compliment to checking logs frequently, snort, tripwire, ...
Otherwise you have a detailed log of what happened 6 months ago when
your machine was first compromised.
More information about the LUG