On Tuesday, 18.01.2005 at 18:06 +0000, Robert Brockway wrote:

> >We're doing the classic DMZ 'three-armed' network layout, nothing
> >comes
>
> Ah good.
>
> >directly into GREEN; the DMZ will house the publicly-accessible
> >servers.
>
> Cool.
>
> >Oh, yes, I agree - by GREEN I mean the local private network of
> >course. My use of 'outgoing' was misleading ... :-)
>
> Ah so you were asking about allowing udp/514 from the DMZ into the
> internal GREEN network. Like all security decisions this is a risk
> assessment.

Actually, I was referring to logs from the firewall itself, but you've
raised a question which I hadn't thought about: I need to consider what
to do with logs from the DMZ machines too :-)

> Overall I would not consider this a moderate risk given that you are
> only allowing access from the DMZ but anything allowed to connect to
> hosts on the GREEN network is potentially a hazard. Someone cracking
> a box in the DMZ may feed bogus information to syslogd (no way around
> that) or may try to DoS syslogd on the log host even if they can't
> actually break into the GREEN network.
>
> If you were really paranoid you could have a 4th leg with the log host
> in it ;)

Having thought about it, keeping a separate machine in the DMZ as a pure
logging host might be a good compromise. No need for an additional
interface, but no need to pinhole back into the GREEN network.

Another alternative would be a host in GREEN which periodically connects
to the DMZ machines (via SSH say) to pick up the logs, given that
GREEN->DMZ will be permitted.

Dave.

--
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
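For readers following the two options weighed above, here is an added iptables-restore fragment (not from the thread or either poster) contrasting the udp/514 pinhole from the DMZ into GREEN with the compromise of a log host kept inside the DMZ that GREEN fetches from over SSH. Interface names (eth1 = GREEN, eth2 = DMZ), the subnets and the two log-host addresses are assumptions chosen for the illustration.

```text
# Assumed layout (not from the thread): eth1 = GREEN 192.168.1.0/24, eth2 = DMZ 192.168.2.0/24
# Assumed hosts: GREEN log host 192.168.1.10, DMZ log host 192.168.2.10
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections opened from GREEN may return from the DMZ.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Option A (the pinhole under discussion), left commented out here:
# DMZ hosts push syslog over udp/514 to a log host sitting in GREEN.
# Risk: a compromised DMZ box can flood that syslogd or feed it bogus events.
#-A FORWARD -i eth2 -o eth1 -p udp -s 192.168.2.0/24 -d 192.168.1.10 --dport 514 -j ACCEPT

# Option B (the compromise): the log host lives in the DMZ, so DMZ->log host
# syslog never crosses the firewall and no DMZ->GREEN pinhole exists.
# A GREEN host collects the logs by connecting out to the DMZ log host over SSH.
-A FORWARD -i eth1 -o eth2 -p tcp -s 192.168.1.0/24 -d 192.168.2.10 --dport 22 -j ACCEPT

# Anything else the DMZ tries to initiate toward GREEN is logged, then dropped.
-A FORWARD -i eth2 -o eth1 -j LOG --log-prefix "DMZ->GREEN denied: "
-A FORWARD -i eth2 -o eth1 -j DROP
COMMIT
```

With option B the firewall's own logs still need a home; sending them to the DMZ log host keeps the same one-way GREEN->DMZ direction.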