Re: Questions on Syslogging with a DMZ
On Fri, Jun 14, 2002 at 10:13:09AM -0400, Mike Dresser wrote:
> I've done some looking around on the web, and haven't really found an
> answer to the following question.
>
> How do you securely handle syslogging when you have servers in the DMZ,
> and then the servers that are inside on the internal network? Seems that
> the fundamental rule is never to allow internal LAN access from an external
> or dmz host. But if that rule is followed, that means the syslog server
> ends up in the DMZ, and that seems just as wrong.
>
> Dual firewall setup:
>
> Internet -- Firewall1 -- Firewall2 -- LAN
>                 |
>                DMZ (connected to NIC on firewall1)
>
> Let's say I have 4 servers in the DMZ, and 3 on the LAN. Do I build two
> syslog servers, one attached to each network?
>
> I was thinking of using a digiboard on the syslog machine, and connecting
> a serial link to each server. However, that doesn't help me on stuff like
> Ciscos and JetDirect boxes that can only output syslog over Ethernet.
>
> I was also considering maintenance: if I used serial links over another
> digiboard plugged into a secured internal LAN machine, that would remove
> the requirement for ssh on the servers, just login to the maintenance
> machine, and then connect to the appropriate server via the serial link.
> Make sense/practical/secure?
>
> And one last question. It's generally considered OK to go from the internal
> LAN to a DMZ server with limited access, correct? Like say my internal mail
> server polling the DMZ mail server for mail. Or alternatively, the APC
> network card notifying servers inside and outside the dmz that the
> batteries are almost dead, shut down.
>
> Ideas/comments/flames/amazon.com_links_to_RTFM?
For what it's worth, we keep one syslog server in our DMZ with a very tight
configuration (we also have another syslog server in our internal LAN). The
only listening service is syslog, and even that is limited to our servers. A
better solution would be to use IPsec / FreeS/WAN, but I have yet to learn
that.
good luck,
donfede
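As an illustration of the "only listening service is syslog, and even that is limited to our servers" setup described above, here is a minimal UDP syslog collector for the DMZ box. It is an added example, not code from the original thread or from any Debian package: the addresses (192.0.2.x for the DMZ hosts and the collector's DMZ-facing interface) are made up for the example, and the sample datagrams in the usage are constructed. It binds only to the DMZ interface, drops datagrams from any source not on the allowlist, enforces the 1024-byte BSD-syslog limit, and scrubs control characters so a hostile sender cannot inject fake lines into the log file.

```python
import re
import socket

# Constructed allowlist of the DMZ hosts that may send to this collector.
# These addresses are assumptions for the example, not from the original post.
ALLOWED_SOURCES = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}

# Address of the collector's DMZ-facing interface (assumption). Binding to it
# rather than 0.0.0.0 keeps the listener off any other interface the box has.
LISTEN_ADDR = ("192.0.2.2", 514)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(data):
    """Split a BSD-syslog (RFC 3164 style) datagram into facility, severity, text.
    Returns None if there is no valid <PRI> header."""
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 severities - 1
        return None
    facility, severity = divmod(pri, 8)
    # Keep only printable ASCII so a sender cannot smuggle control characters
    # or a fake newline (i.e. a forged second log line) into the log file.
    text = m.group(2).decode("ascii", "replace")
    text = "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in text).strip()
    return {"facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "text": text}


def accept_datagram(src, data, allowed=ALLOWED_SOURCES, max_len=1024):
    """Apply the collector's policy to one received datagram.
    Returns a log record dict if it should be stored, else None."""
    src_ip, _port = src
    if src_ip not in allowed:
        return None                    # not one of our servers: drop silently
    if len(data) > max_len:
        return None                    # oversized: drop, never truncate into the log
    rec = parse_syslog(data)
    if rec is None:
        return None
    rec["src"] = src_ip
    return rec


def format_record(rec):
    """One line per record; the source address is recorded with the message."""
    return "%s %s.%s %s" % (rec["src"], rec["facility"], rec["severity"], rec["text"])


def serve(logfile="dmz-syslog.log"):
    """Bind the collector on the DMZ interface and append accepted records."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN_ADDR)
    with open(logfile, "a") as out:
        while True:
            data, src = sock.recvfrom(2048)   # read above max_len so oversize is detectable
            rec = accept_datagram(src, data)
            if rec is not None:
                out.write(format_record(rec) + "\n")
                out.flush()


if __name__ == "__main__":
    serve()
```

The source allowlist is a host-level filter, not authentication: UDP source addresses can be forged, so it only holds if Firewall1 also blocks spoofed DMZ addresses arriving from the Internet side. That gap is exactly what the IPsec/FreeS/WAN approach mentioned in the reply closes, since the collector then only accepts traffic from peers that can prove a key.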
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org