RE: [fw-wiz] website log transfers from exposed to internal nets:

From: Linc B (listbot_at_mailandnews.com)
Date: 06/23/03

    To: "R. DuFresne" <dufresne@sysinfo.com>, firewall-wizards <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 23 Jun 2003 03:26:50 -0400
    
    

    Sorry to reply with a me-too, but you asked for confirmation.

    Your view is not at all lopsided or skewed. You didn't even
    say *doze, but the moderator did, so I won't feel out of line
    for following suit. A policy that allows extra work or cost of
    ownership as acceptable reasons for less security is lopsided.
    If you were serious about these being the objections, the first
    step to better security is to review the policy.

    Failing that, I would go with Paul's alternative of putting a
    *nix box beside the *dozers to act as a transfer point. It's
    still work, but the material cost is surplus parts and open
    source licenses. If they balk at the cost of another box, you
    really only need a 486 with minimal ram, little hard drive
    space for the system itself, but large enough for the logs you
    want to transfer. No gui, no keyboard, no mouse, no monitor,
    no access to anywhere, no access from anywhere except ssh from
    the *doze boxes and the internal *nix box. If cost of licensing
    really is an issue (but they chose a commercial server platform,
    so why nitpick about the cost of securing it), well known and
    widely used free scp clients are available for win32.

    It's a safer bet than opening yet another port on a *doze box
    and entrusting ssh server administration to administrators who
    see it as extra work.

    Devdas suggested encrypting the logs with GnuPG and mailing them.
    I've done this to transfer logs from *nix to *nix to avoid setting
    up automated ssh logins between two boxes that already accepted
    mail from each other but had no other need to open ssh to each
    other. I would avoid adding mail to the *doze servers if no other
    reason exists for the servers to have mail clients, but it does
    eliminate the need for leaving ssh keys or passwords on publicly
    accessible boxes. Either method raises a risk.

    LB

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
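As an added illustration of the transfer-point design in the message above (this is example code, not the poster's or any project's), the script below audits the transfer box's authorized_keys so that every key the exposed web hosts use can only push files into one drop directory from one fixed address. The source address 203.0.113.10, the drop directory and the key material are constructed sample values.

```shell
#!/bin/sh
# Added example: keep the *nix transfer box a one-way drop point.
# Every key from an exposed host must be pinned to a source address and a
# forced "scp -t <dir>" command with no tty, port, X11 or agent forwarding.
# DROP_DIR is an assumed location; override it in the environment if needed.

DROP_DIR="${DROP_DIR:-/var/log/incoming}"

# Build one restricted authorized_keys entry for a web host.
# Note: OpenSSH 9.x scp clients speak SFTP by default; such clients must use
# "scp -O", or the forced command should become "internal-sftp" instead.
make_drop_only_entry() {
  from="$1"; pubkey="$2"
  printf 'from="%s",command="/usr/bin/scp -t %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
    "$from" "$DROP_DIR" "$pubkey"
}

# Return 0 when a single authorized_keys line carries every required option.
entry_is_restricted() {
  line="$1"
  for opt in 'from="' 'command="' no-pty no-port-forwarding no-agent-forwarding; do
    case "$line" in *"$opt"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Print how many real (non-comment, non-empty) entries in a file lack the
# restrictions; anything above zero is a key that could log in interactively.
count_unrestricted_keys() {
  file="$1"; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    entry_is_restricted "$line" || bad=$((bad + 1))
  done < "$file"
  echo "$bad"
}
```

Run `count_unrestricted_keys ~logdrop/.ssh/authorized_keys` from cron on the transfer box and alert on any non-zero result.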

