Herve Schauer wrote:
> 
> In his/her message, Balazs Scheidler wrote:
> >From [EMAIL PROTECTED]  Tue Jul 18 19:15:54 2000
> >Subject: Re: Updated Draft - Security Considerations comments solicited
> 
> [Charset iso-8859-2 unsupported, skipping...]
> 
> > 1 implement authentication, protection at the network layer (IPSec)
> > 2 implement authentication, protection at the transport layer (SSL, SSH)
> > 3 implement authentication, protection at the application layer, in our
> >   protocol
> 
>      Logging is handling data. We need integrity and authentication.
>  So I think that the right place to implement authentication and protection
>  is at the data layer. An XML data format and XML signatures is the obvious


OK, I think there's a way to determine the above more precisely if we
answer the question:
What are the minimal security features we would need/like if there is 
independence of the underlying protocols?

 I'd say, content security, that is: integrity, reliable delivery and
 no replay of the transmitted data.

 notice that the underlying protocols #1 and #2 can't
 (in a sense I'll explain below) provide integrity and no-replay.

 data packets that fail the integrity checks are discarded, the contents
 never get to the log files, the logfile auditor has to rely on
 lower level tools (network stats, the transport layer logging features, etc.)
 to detect the problem.

 the same applies to replayed data that an attacker could feed to the
 receiving end of a logging device, it is discarded by the IP stack or
 the transport layer.

 the privacy issue can be very well solved by the underlying transport
 (SSH,SSL,IPsec,etc).
 reliable delivery can be provided by the transport protocol (i.e. TCP);
 the upper layer will know when the traffic has been disrupted.
 mutual authentication can (or can't) also be accomplished with SSH,
 SSL or IPSEC, provided that we define exactly what we want to
 authenticate:

 the source and destination host?
 source, destination and all the hops in the path of the data flow?
 how about the source and destination syslog process?
 and how about the id of the process that originated the data?
 
 -ivan

-- 
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : [EMAIL PROTECTED]
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use [EMAIL PROTECTED]
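The point made in the message above, that a lower-layer protocol discards a corrupted or replayed packet so the log auditor never sees that anything happened, can be illustrated with a small data-layer scheme. The following is an added example written for this page; it is not code from the thread, from any of the posters, or from any syslog specification. It uses HMAC-SHA256 over a canonical JSON encoding as a stand-in for the XML signatures mentioned in the quoted text, and a per-sender monotonic sequence number so the receiver can distinguish a lost record (gap), a duplicated or replayed record, and a record whose contents or originating host/pid were altered. The shared key, host names and log lines are constructed for the example. The design choice that matters is that every failed check is written into the receiver's own log rather than silently dropped, which is exactly what a transport-layer check cannot do for the auditor.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only; a deployment would use
# per-sender keys provisioned out of band.
KEY = b"example-shared-key-not-for-production"


def _canonical(fields):
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_record(seq, host, pid, msg, key=KEY):
    """Build one authenticated log record as a single JSON line.

    The MAC covers the sequence number, the originating host and process id,
    and the message text, so altering any of them is detectable.
    """
    body = {"seq": seq, "host": host, "pid": pid, "msg": msg}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


class Receiver:
    """Verifies records and records every outcome, good or bad, in self.log."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = {}   # host -> highest sequence number accepted so far
        self.log = []        # what the auditor gets to see, failures included

    def receive(self, line):
        try:
            rec = json.loads(line)
            mac = rec.pop("mac")
        except (ValueError, KeyError, TypeError, AttributeError):
            self.log.append({"event": "MALFORMED", "raw": line})
            return "MALFORMED"

        expected = hmac.new(self.key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            # Tampered or wrong key: keep the evidence instead of dropping it.
            self.log.append({"event": "BAD_MAC", "raw": line})
            return "BAD_MAC"

        host, seq = rec["host"], rec["seq"]
        last = self.last_seq.get(host, 0)
        if seq <= last:
            # Already seen (or older than what we have): replay or duplicate.
            self.log.append({"event": "REPLAY", "host": host, "seq": seq})
            return "REPLAY"

        status = "OK"
        if seq > last + 1:
            # Records were lost in between; note which ones, then accept this one.
            missing = list(range(last + 1, seq))
            self.log.append({"event": "GAP", "host": host, "missing": missing})
            status = "GAP"

        self.last_seq[host] = seq
        self.log.append({"event": "OK", **rec})
        return status


def run_demo():
    """Feed a constructed sequence of events through a receiver.

    Returns (per-call outcomes, audit-log event names).
    """
    r1 = make_record(1, "web1", 4242, "session opened for user bob")
    r2 = make_record(2, "web1", 4242, "sudo: bob : TTY=pts/0")  # will be "lost"
    r3 = make_record(3, "web1", 4242, "session closed for user bob")
    tampered = r3.replace("user bob", "user root")   # edit without re-MACing

    rx = Receiver()
    outcomes = [
        rx.receive(r1),        # normal delivery
        rx.receive(r3),        # r2 never arrived: gap is logged, r3 accepted
        rx.receive(r1),        # old record fed again: replay is logged
        rx.receive(tampered),  # content changed in flight: bad MAC is logged
    ]
    return outcomes, [e["event"] for e in rx.log]


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Note that the sequence number alone answers the "reliable delivery" question at the data layer: even over UDP the auditor can see which records are missing, and even over TCP a receiver restart or a dropped connection does not hide the hole. The question of which identities the MAC should bind (host, process, or both) is the one the message leaves open; here the record carries both.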
