Re: secure UNIX log server

From: Jason Baugher <jason@baugher.pike.il.us>
Date: Fri, 07 Jun 2002 19:38:30 GMT


Damian Menscher <menscher+security@uiuc.edu> wrote in
news:l4ZL8.12461$U7.144804@vixen.cso.uiuc.edu:

>
> Ah, but this is *not* TCP. Syslogs generally get sent to port
> 514/udp. UDP doesn't complete a 3-way handshake. While this means
> the communications aren't guaranteed to have succeeded, it does
> allow for the possibility of using a one-way ethernet cable. As
> for the cable, in CAT5 there are 4 pairs. For 10/100 usage, only
> two of those pairs are used (one for send, one for receive). So
> cutting the appropriate wires will result in a one-way network
> cable that can still receive syslog messages on port 514/udp.
>
> Of course, I think it might be simpler to just close all services
> to the machine and/or firewall it off.... The one-way cable idea
> is mainly for fanatics, as it prevents legitimate access (via ssh,
> for example, which would need the TCP handshake).
>
> Damian Menscher

Oops, sorry about that, I should have known better than that.

At the same time, however, I can't see much purpose in having a machine
connected with a one-way cable. Yes, it would allow logging to a
"secure" machine, but you would have to actually go to the console to
ever view the logs, or to do anything else to the machine. You wouldn't
even be able to monitor it to make sure it was online. The OP said the
machine was physically secured, which means he doesn't have it sitting in
front of him to make sure it is running.

Sorry to sort of shift the subject, but this is really interesting to me.
Does anyone have a good example of a case where a one-way cable would
actually be the best solution?

-- 
Jason Baugher 
Virtual Adept Professional Consulting Services
1406 Adams St.
Quincy, IL 62301
(217) 221-5406
http://baugher.pike.il.us/virtualadept
jason@baugher.pike.il.us
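An added illustration of the point Damian makes above (not code from the original thread, and not any real syslogd): a minimal BSD-style syslog sender and collector over UDP. The collector only ever calls recvfrom() and never transmits, which is why a receive-only cable is enough for it to gather logs; the sender's sendto() returns whether or not anything is listening, which is the flip side Jason describes (no way to tell if the box is up). The facility and severity names follow the RFC 3164 code table, and the sample message in the test is constructed for this example. Binding the real port 514 needs root; the helper accepts port 0 so it can be exercised without privilege.

```python
"""Minimal BSD-syslog (RFC 3164 style) sender and receiver over UDP.

Added example for this thread, not code from the original post or from
any syslog implementation.
"""
import re
import socket

# RFC 3164 facility codes 0..23 and severity codes 0..7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(raw):
    """Split '<PRI>content' into facility, severity and content.

    PRI = facility * 8 + severity, so the largest valid value is 191.
    Returns None for datagrams without a valid PRI; a real collector should
    still record those somewhere rather than drop them silently.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "content": m.group(2),
    }


def encode_syslog(facility, severity, content):
    """Build the wire form '<PRI>content' (bytes) from symbolic names."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return ("<%d>%s" % (pri, content)).encode("utf-8")


def send_syslog(dest_host, dest_port, facility, severity, content):
    """Fire-and-forget send.

    sendto() on an unconnected UDP socket returns as soon as the datagram is
    handed to the stack: no handshake and no acknowledgement, so nothing here
    depends on the collector being able to send anything back.
    """
    msg = encode_syslog(facility, severity, content)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (dest_host, dest_port))


def open_collector(bind_host="0.0.0.0", port=514):
    """Bind the listening socket.

    Port 514 needs root (or CAP_NET_BIND_SERVICE); port 0 lets the kernel
    pick a free port, which is what the stand-alone test uses.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_host, port))
    return s


def receive_one(sock, timeout=2.0):
    """Block for one datagram and parse it.

    The collector side never calls send(): that is the property that makes a
    receive-only cable sufficient for a syslog sink.
    """
    sock.settimeout(timeout)
    data, peer = sock.recvfrom(65535)
    return parse_syslog(data.decode("utf-8", errors="replace")), peer


if __name__ == "__main__":
    # Run as root to listen on the real syslog port and print what arrives.
    sock = open_collector()
    while True:
        record, peer = receive_one(sock, timeout=None)
        print(peer[0], record)
```

Run it as root on the log host to listen on 514/udp; from another box, `send_syslog("loghost", 514, "auth", "crit", "...")` delivers a line with no reply traffic at all, which is exactly what a cut receive pair on the log host's cable permits.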


