The above configuration will establish an encrypted connection among the various transmission nodes. An alternative would be to use a Syslog replacement such as Syslog-ng, which performs relay operations automatically and with greater security potential.

From the practical standpoint, the methods described above offer a good compromise between operational needs and the theory that a hash must be generated for each log entry (something which is impossible in a distributed environment). The objective still remains that of achieving transaction atomicity (transactions are done or undone completely) and log file reliability. The latter concept means being sure that the log file does not get altered once it has been closed, for example via interception during the log rotation phase. The most important aspect of this phase is the final-record message, indicating the last record written in the log, which is then closed and hashed. This sequence of processes may turn out to be critical when, after correlation, a whole and trustworthy log has to be provided to the judicial authorities.
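The closing sequence described above, written out in Python as an added illustration (not code from the text or from any product it mentions): the final-record message is appended, the closed file is hashed, and a verifier later checks the stored digest together with the final-record consistency. The record format, the FINAL-RECORD prefix and the sample lines are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

FINAL_PREFIX = "FINAL-RECORD "

# Constructed sample records (not from any real system), already normalized
# to UTC so the time zone is uniform across acquisition points.
SAMPLE_RECORDS = [
    "2024-01-05T10:00:01+00:00 sensor-a src=10.0.0.5 dst=10.0.0.9 dport=22 action=accept",
    "2024-01-05T10:00:03+00:00 sensor-b src=10.0.0.7 dst=10.0.0.9 dport=443 action=accept",
    "2024-01-05T10:00:04+00:00 sensor-a src=10.0.0.5 dst=10.0.0.9 dport=23 action=deny",
]

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def close_log(records, closed_at=None):
    """Append the final-record message, close the file and hash it.
    Returns (file_text, sha256_hex); the digest is kept apart from the log
    (e.g. on the collector) so a file altered after closing no longer matches."""
    lines = list(records)
    closed_at = closed_at or datetime.now(timezone.utc)
    final = {"final_record": True, "last_record": len(lines),
             "closed_at": closed_at.isoformat()}
    lines.append(FINAL_PREFIX + json.dumps(final, sort_keys=True))
    text = "\n".join(lines) + "\n"
    return text, sha256_hex(text)

def verify_closed_log(text, expected_digest):
    """Check a closed log against its stored digest and final-record message.
    Edited, appended or truncated lines change the digest; a missing or
    inconsistent final-record message means the file was never closed properly."""
    if sha256_hex(text) != expected_digest:
        return False, "digest mismatch: file altered after closing"
    lines = text.splitlines()
    if not lines or not lines[-1].startswith(FINAL_PREFIX):
        return False, "final-record message missing: log not closed"
    meta = json.loads(lines[-1][len(FINAL_PREFIX):])
    if meta.get("last_record") != len(lines) - 1:
        return False, "record count disagrees with final-record message"
    return True, "ok"

if __name__ == "__main__":
    text, digest = close_log(SAMPLE_RECORDS)
    print(verify_closed_log(text, digest))                            # (True, 'ok')
    print(verify_closed_log(text.replace("deny", "accept"), digest))  # digest mismatch
```

In a real deployment the digest would travel to the collector over the encrypted channel described above, so that the file and its digest cannot be altered together at the rotation point.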
3.4 Log Time Stamping Management: Problems and Possible Solutions
Another problem of a certain importance is managing log file time stamping. Each report has to be 100% reliable, not only in terms of its integrity in the strict sense (IP, ports, payloads, etc.), but also in terms of the date and time of the event reported. Time stamping is essential for two reasons: atomicity of the report, and correlation. The most common problems here are the lack of synchronization and the lack of uniformity of the time zones.

The lack of synchronization occurs when the acquisition points (network sensors and Syslog devices) are not synchronized with an atomic clock but only within small groups. Reliance is usually placed on NTP in these cases, but this may open up a series of known vulnerabilities, especially in distributed architectures connected to the public network. Furthermore, the use of NTP does not guarantee uniformity unless a series of measures recommended by certain RFCs is adopted for certain types of logs, as we will describe below. Some technology manufacturers have come out with appliances equipped with highly reliable processors that do time stamping for every entry, synchronizing everything with atomic clocks distributed around the world. This sort of solution, albeit offering a certain degree of reliability, increases design costs and obviously makes management more complex. In a distributed architecture, a time stamping scheme administered by an appliance is set up as in Fig. 3. The appliance interacts with a PKI that authenticates the transaction nodes to prevent the problem of report repudiation.