Re: [fw-wiz] syslog and network management



Nad,

You seemed to be asking 3 questions:

1. Is it a good idea to have a centralized log server for a plethora of devices and servers? My answer is yes--it is considered best practice.
2. Is it a good idea to have other server services like NTP on the box? My answer is no. You should turn off all services that aren't absolutely necessary for reasons of security. Most servers I would say sure--go ahead. But one of the main reasons for having a centralized log server is for security. Put a firewall on that box. Turn off extra services. Keep it locked up tight. You will be happy when you have to consult it for a routine audit, happier when HR or Admin needs to know something for sure, and even happier when the FBI or whoever shows up with a warrant or a court order.
3. Performance-wise, is there anything special needed? Not really. It depends on the size of the network, number of devices, how much detail you are recording, etc. What you describe is a good basis for starting. Probably the three best things you could do would be: dual core CPU (any decent GHz), a great NIC (or two, lots of UDP bursts from syslog), and lots of storage (you would want to keep at least 1 year in local drive space).

--Patrick Darden
--ARMC


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
shadow floating
Sent: Tuesday, February 19, 2008 3:52 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] syslog and network management


Thanks a lot, Patrick. I was not actually asking about the centralized
log server issue, as I believe in it... but is it appropriate to add
firewall and router management applications to be installed onto that
server, like CiscoWorks and the like? Or is it better to add another
separate management machine in addition to the syslog machine, from the
security point of view?

Thanks a lot

Nad

On Feb 19, 2008 8:35 PM, Darden, Patrick S. <darden@xxxxxxxx> wrote:

Having a centralized log server is actually defined as best
practice. It is generally felt that it should only be
the log server though, all other services turned off,
firewall in place, etc. so it can be inviolate for all
auditing, legal procedures, security traces, etc.

The case for centralized logging:
http://ebuzzsaw.com/whitePapers/Case_for_Centralize_Logging.htm




-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
shadow floating
Sent: Tuesday, February 19, 2008 10:20 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] syslog and network management


Hi all,
Is it appropriate from a security point of view to have one server on
which syslog is installed to collect logs from all network devices
(firewalls, switches and routers), in addition to installing
management software like CiscoWorks on the same machine, in
addition to using this machine as a network time server to sync all
network devices? If yes, does anyone recommend certain specs for this
machine, or can it be an ordinary machine with 1 GB of memory and 512
GB hard disk and 3.2 GHz processor?

Thanks a lot

regards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards