
Re: Questions on Syslogging with a DMZ



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 14, 2002 at 10:13:09AM -0400, Mike Dresser wrote:
> I've done some looking around on the web, and haven't really found an
> answer to the following question.
> 
> How do you securely handle syslogging when you have servers in the DMZ,
> and then the servers that are inside on the internal network?  Seems that
> the fundamental rule is never allow internal LAN access from an external
> or dmz host.  But if that rule is followed, that means the syslog server
> ends up in the DMZ, and that seems just as wrong.
> 
> Dual firewall setup:
> 
> Internet -- Firewall1 -- Firewall2 -- LAN
>                 |
>                 DMZ (connected to NIC on firewall1)
> 
> Let's say I have 4 servers in the DMZ, and 3 on the LAN.  Do I build two
> syslog servers, one attached to each network?
> 
> I was thinking of using a digiboard on the syslog machine, and connecting
> a serial link to each server.  However, that doesn't help me on stuff like
> Ciscos and JetDirect boxes that can only output syslog over ethernet.
> 
> I was also considering maintenance, if I used serial links over another
> digiboard plugged into a secured internal LAN machine, that would remove
> the requirement for ssh on the servers, just login to the maintenance
> machine, and then connect to the appropriate server via the serial link.
> Make sense/practical/secure?
> 
> And one last question.  It's generally considered ok to go from internal
> LAN to DMZ server with limited access, correct?  Like say my internal mail
> server polling the DMZ mail server for mail.  Or alternatively, the APC
> network card notifying servers inside and outside the DMZ that the
> batteries are almost dead, shut down.
> 
> Ideas/comments/flames/amazon.com_links_to_RTFM?

For what it's worth, we keep one syslog server in our DMZ with a very tight
configuration (we also have another syslog server in our internal LAN).  The
only listening service is syslog and even that is limited to our servers.  A
better solution would be to use IPsec / FreeS/WAN, but I have yet to learn
that.

good luck,
donfede
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9ChFeSeRbV/op2s4RAiqeAJ4g7B9GH/vKdqzwJyJuxP9el35jygCfRwDJ
Ek2LXluo0VsBIt201tgMOhY=
=AH+q
-----END PGP SIGNATURE-----
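The "only syslog is listening, and only for our servers" posture donfede describes can be made concrete with a small allowlisted UDP collector. The following is an added example written for this page, not code from the thread or from any Debian package; the DMZ addresses (192.0.2.x), the rogue source (203.0.113.5), the bind address, the log file path and the sample datagrams are all constructed for the example. It binds one socket on the collector's DMZ-facing address, discards any datagram whose source is not in the allowlist, and rejects anything without a well-formed RFC 3164 PRI header instead of guessing at it.

```python
"""Minimal allowlisted syslog collector (added example, not from the list post).

Accepts syslog datagrams only from an explicit set of DMZ servers and
discards everything else.  All hosts, addresses and sample messages here
are constructed for the example, not taken from the original thread.
"""
import ipaddress
import re
import socket

# Constructed allowlist: the four DMZ servers that may log to this host.
ALLOWED_SOURCES = {
    ipaddress.ip_address(a)
    for a in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")
}

# RFC 3164 style line: "<PRI>rest of message", PRI = facility*8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def is_allowed(source_ip):
    """True only if the datagram came from an allowlisted DMZ server."""
    try:
        return ipaddress.ip_address(source_ip) in ALLOWED_SOURCES
    except ValueError:
        return False


def parse_syslog(line):
    """Split the PRI header into facility/severity; None if malformed.

    Anything without a well-formed PRI is rejected rather than guessed at,
    so a peer cannot push unstructured junk into the log.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23*8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "message": m.group(2).strip(),
    }


def handle_datagram(data, source_ip):
    """Return ('accept', parsed) or ('drop', reason) for one datagram."""
    if not is_allowed(source_ip):
        return ("drop", "source %s not in allowlist" % source_ip)
    parsed = parse_syslog(data.decode("utf-8", errors="replace"))
    if parsed is None:
        return ("drop", "malformed PRI header from %s" % source_ip)
    return ("accept", parsed)


def serve(bind_addr="192.0.2.1", port=514, logfile="/var/log/dmz-remote.log"):
    """Bind one UDP socket and append accepted lines to logfile.

    bind_addr is the collector's DMZ-facing address (constructed); binding
    to it rather than 0.0.0.0 keeps the listener off every other interface.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(8192)
            verdict, detail = handle_datagram(data, src)
            if verdict == "accept":
                out.write("%s fac=%d sev=%s %s\n" % (
                    src, detail["facility"], detail["severity"], detail["message"]))
                out.flush()
            # Dropped datagrams are never written; the host firewall should
            # already be discarding them before they reach this socket.


# Constructed sample traffic so the logic can be exercised offline.
SAMPLE_DATAGRAMS = [
    (b"<34>Jun 14 10:13:09 www1 sshd[1234]: Accepted publickey for admin", "192.0.2.10"),
    (b"<13>Jun 14 10:13:10 mail1 postfix/smtpd[99]: connect from unknown", "192.0.2.11"),
    (b"<13>Jun 14 10:13:11 rogue kernel: hello", "203.0.113.5"),     # not a DMZ server
    (b"garbage without a PRI header", "192.0.2.12"),                  # malformed
]


def run_samples():
    """Verdict for each sample datagram, without binding a socket."""
    return [handle_datagram(d, s)[0] for d, s in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for (data, src), verdict in zip(SAMPLE_DATAGRAMS, run_samples()):
        print(src, verdict, data[:40])
```

Run it as-is to see the two DMZ servers accepted and the rogue source and the malformed line dropped; call `serve()` on the collector host to listen for real. The allowlist here is defense in depth, not a substitute for a host firewall rule that only admits UDP 514 from those same addresses, and it does nothing for confidentiality or integrity in transit, which is what the IPsec / FreeS/WAN suggestion in the reply would add.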

