Fig. 3. Log architecture with time stamping machine.
While this type of architecture may be "easily" implemented in an environment with a healthy budget, there are less extensive architectures that may still help guarantee a minimum of compliance with best practices.

Given that one of the most commonly used log formats is Libpcap-compatible (used by TcpDump and Ethereal) and that the traffic is captured over TCP connections (hence with a three-way handshake), a further level of timestamping can be attributed, as per RFCs 1072 and 2018, by enabling the Sack OK option (Selective Acknowledgement OK). This option can return a 32-bit time stamp value in the first 4 bytes of each packet, so that reports from transaction nodes with the Sack OK option enabled are synchronized and can be correlated. This approach may be effective provided that the entire system and network are set up for it.
Another factor that is often not taken into consideration is time zones (TZ). In distributed architectures on an international scale, some information security managers believe it is wise to keep each system or network object on the time zone of its physical location. This choice has the disadvantage of making correlation more complicated and less effective because of time zone fragmentation. We are currently witnessing an increase in time zones being simply based on GMT, which has the advantage of simplifying management, even though it still requires that the choice be incorporated into a policy.
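To show why time zone fragmentation hurts correlation, here is an added example (not from the original text) that takes constructed log lines from three hypothetical nodes, each stamped in its local zone, and compares the order obtained from the raw local clock strings with the order obtained after normalizing every stamp to UTC (GMT).

```python
from datetime import datetime, timezone

# Constructed sample (hypothetical hosts): one client transaction as seen by
# three nodes, each writing its local wall-clock time with its own UTC offset.
SAMPLE_LOGS = [
    "2009-02-10T03:00:05-05:00 web-newyork session start client=10.0.0.5",
    "2009-02-10T08:00:07+00:00 db-london query ok session=42",
    "2009-02-10T09:00:02+01:00 fw-milan accept tcp 10.0.0.5:51234 -> 10.0.1.7:443",
]

def parse_line(line):
    """Split an ISO 8601 stamped line into (utc_time, host, message)."""
    stamp, host, message = line.split(maxsplit=2)
    local = datetime.fromisoformat(stamp)   # offset-aware when the stamp carries one
    if local.tzinfo is None:
        # A naive stamp cannot be placed on a shared axis; refuse to guess.
        raise ValueError("timestamp without zone offset: " + stamp)
    return local.astimezone(timezone.utc), host, message

def naive_order(lines):
    """Hosts ordered by the literal local clock string (the fragmentation trap)."""
    keyed = sorted(lines, key=lambda l: l.split(maxsplit=1)[0][:19])
    return [l.split(maxsplit=2)[1] for l in keyed]

def utc_order(lines):
    """Hosts ordered on a single UTC axis, which reflects the real sequence."""
    events = sorted(parse_line(l) for l in lines)
    return [host for _, host, _ in events]

def utc_span_seconds(lines):
    """Seconds between first and last event once all stamps share one zone."""
    times = [parse_line(l)[0] for l in lines]
    return int((max(times) - min(times)).total_seconds())

if __name__ == "__main__":
    print("local-clock order:", naive_order(SAMPLE_LOGS))
    print("UTC order:        ", utc_order(SAMPLE_LOGS))
    print("transaction span: ", utc_span_seconds(SAMPLE_LOGS), "s")
```

The local-clock order puts the web server before the firewall that admitted its connection, while the UTC order restores the causal sequence firewall, web, database within a five-second window.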