-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 14, 2002 at 10:13:09AM -0400, Mike Dresser wrote:
> I've done some looking around on the web, and haven't really found an
> answer to the following question.
>
> How do you securely handle syslogging when you have servers in the DMZ,
> and then the servers that are inside on the internal network? Seems that
> the fundamental rule is never allow internal LAN access from an external
> or DMZ host. But if that rule is followed, that means the syslog server
> ends up in the DMZ, and that seems just as wrong.
>
> Dual firewall setup:
>
> Internet -- Firewall1 -- Firewall2 -- LAN
>                 |
>                DMZ (connected to NIC on firewall1)
>
> Let's say I have 4 servers in the DMZ, and 3 on the LAN. Do I build two
> syslog servers, one attached to each network?
>
> I was thinking of using a digiboard on the syslog machine, and connecting
> a serial link to each server. However, that doesn't help me on stuff like
> Ciscos and JetDirect boxes that can only output syslog over ethernet.
>
> I was also considering maintenance: if I used serial links over another
> digiboard plugged into a secured internal LAN machine, that would remove
> the requirement for ssh on the servers; just log in to the maintenance
> machine, and then connect to the appropriate server via the serial link.
> Make sense/practical/secure?
>
> And one last question. It's generally considered OK to go from internal
> LAN to DMZ server with limited access, correct? Like say my internal mail
> server polling the DMZ mail server for mail. Or alternatively, the APC
> network card notifying servers inside and outside the DMZ that the
> batteries are almost dead, shut down.
>
> Ideas/comments/flames/amazon.com_links_to_RTFM?
For what it's worth, we keep 1 syslog server in our DMZ with a very tight
configuration (we also have another syslog server in our internal LAN). The
only listening service is syslog, and even that is limited to our servers.
A better solution would be to use IPsec / FreeS/WAN, but I have yet to learn
that.

good luck,
donfede

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9ChFeSeRbV/op2s4RAiqeAJ4g7B9GH/vKdqzwJyJuxP9el35jygCfRwDJ
Ek2LXluo0VsBIt201tgMOhY=
=AH+q
-----END PGP SIGNATURE-----
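The per-zone collector the reply describes ("the only listening service is syslog, and even that is limited to our servers"), as an added example that is not part of the original thread or its authors' setup. It is a small UDP syslog sink for one zone (DMZ or LAN) that binds only to the zone-facing interface, accepts datagrams only from an explicit allowlist of that zone's senders, and decodes the RFC 3164 PRI header so facility and severity are usable for alerting. All addresses, hostnames and log lines are constructed samples; `ZoneCollector`, `parse_syslog` and `run_sample` are names chosen here, not anything from the thread.

```python
"""Source-filtered UDP syslog collector with a per-zone sender allowlist.

Added example, not code from the original mailing-list thread.  One collector
per zone (DMZ or LAN): its only listening service is syslog, and it keeps only
datagrams from that zone's own servers.  Addresses, hostnames and log lines
below are constructed samples.
"""
import ipaddress
import re
import socket

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A BSD syslog datagram starts with "<PRI>" where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(raw: bytes):
    """Decode the PRI header of a BSD syslog datagram.

    Returns a dict with named facility/severity and the message body, or None
    if the datagram is not well-formed syslog.
    """
    m = _PRI_RE.match(raw.decode("ascii", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "msg": m.group(2).rstrip("\r\n"),
    }


class ZoneCollector:
    """Syslog sink for one network zone; drops anything from unknown senders."""

    def __init__(self, zone: str, allowed_senders):
        self.zone = zone
        self.allowed = {ipaddress.ip_address(a) for a in allowed_senders}
        self.accepted = []   # parsed events from allowlisted senders
        self.rejected = []   # (sender, reason) pairs; worth alerting on

    def handle(self, sender: str, raw: bytes) -> bool:
        """Apply the allowlist first, then parse.  True if the event was kept."""
        if ipaddress.ip_address(sender) not in self.allowed:
            self.rejected.append((sender, "sender not in %s allowlist" % self.zone))
            return False
        event = parse_syslog(raw)
        if event is None:
            self.rejected.append((sender, "malformed syslog datagram"))
            return False
        event["source"] = sender
        self.accepted.append(event)
        return True

    def serve(self, bind_addr: str, port: int = 514, max_datagrams=None):
        """Listen on the zone-facing interface only (never 0.0.0.0 on a box
        with a leg in two zones).  Binding to 514 requires root."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind((bind_addr, port))
            seen = 0
            while max_datagrams is None or seen < max_datagrams:
                raw, (sender, _port) = sock.recvfrom(65535)
                self.handle(sender, raw)
                seen += 1


def run_sample() -> ZoneCollector:
    """Feed a DMZ collector four constructed datagrams: two from DMZ hosts,
    one from an address outside the allowlist, one that is not syslog."""
    dmz = ZoneCollector("DMZ", ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"])
    samples = [
        ("192.0.2.10", b"<34>Jun 14 10:13:09 mail1 sshd[812]: Accepted publickey for admin"),
        ("192.0.2.12", b"<14>Jun 14 10:13:11 router1 %SYS-5-CONFIG_I: Configured from console"),
        ("198.51.100.7", b"<14>Jun 14 10:13:12 unknown-host not one of ours"),
        ("192.0.2.11", b"this is not syslog"),
    ]
    for sender, datagram in samples:
        dmz.handle(sender, datagram)
    return dmz


if __name__ == "__main__":
    c = run_sample()
    for ev in c.accepted:
        print("kept   ", ev["source"], ev["facility"], ev["severity"], ev["msg"])
    for sender, why in c.rejected:
        print("dropped", sender, why)
```

The allowlist on the collector is a second layer behind the firewall rule that only admits UDP/514 from the zone's hosts; it is not a substitute for it, because a UDP sender address is not authenticated, which is exactly why the reply points at IPsec as the better answer. Keeping the rejected datagrams, rather than silently discarding them, gives the LAN-side reviewer a signal that something in the DMZ is talking to the log host that should not be.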

