
Syslog BoF

Syslog BoF, 47th IETF, Adelaide. Chris Lonvick, clonvick@cisco.com. Agenda: agenda bashing; introduction and level setting (30 minutes): definition, use and history, perceived weaknesses; goals of a secure syslog working group (20 minutes): proposed charter and subsequent bashing.


Presentation Transcript


  1. Syslog BoF. 47th IETF, Adelaide. Chris Lonvick, clonvick@cisco.com

  2. Agenda
     • Agenda bashing
     • Introduction and level setting (30 minutes)
       • Definition, use and history
       • Perceived weaknesses
     • Goals of a Secure Syslog Working Group (20 minutes)
       • Proposed charter and subsequent bashing
       • Proposed deliverables, timetable and subsequent bashing

  3. Syslog Use
     • Event notification
     • Common OS devices (e.g. Unix, Linux, NT, etc.) and their applications
     • Routers
     • Switches
     • Firewalls
     • Printers
     • Thin clients

  4. Generally Accepted Syslog Packet Contents
     • Facility and severity (required)
     • Time (usual)
     • Message (required)

  5. Syslog Protocol
     • UDP/514
     • Stateless between the "client" and "server"
     • No authentication of the sender, nor reciprocal authentication of the receiver
     • No acknowledgement of receipt
     • No coordinated timestamping
     • No standardized (or even suggested) message content or format
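The packet contents and protocol properties from slides 4 and 5, as an added example that is not code from the BoF slides. It assumes the de facto wire layout "<PRI>TIMESTAMP HOSTNAME MESSAGE", where PRI = facility * 8 + severity packs the two required fields into one number; the month-name timestamp, the facility names for code points 12 to 15 and the fallback to user.notice for a datagram with no PRI are common implementation choices, not something the slides state. Note what the decoder cannot do: the hostname and timestamp are whatever the sender wrote, and there is nothing tying the datagram to its claimed origin.

```python
"""Encode and decode a classic UDP/514 syslog datagram (added example)."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names 0..11 and 16..23 are stable across BSD-derived implementations;
# 12..15 vary by platform, so they are left numeric here (assumption).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]   # as sent; the receiver has no way to verify it
    hostname: Optional[str]    # as sent; not tied to the UDP source address
    message: str


_PRI_RE = re.compile(r"^<(\d{1,3})>")
# "Mmm dd hh:mm:ss HOSTNAME MSG"; the day of month is space padded ("Oct  5").
_HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def priority_name(facility: int, severity: int) -> str:
    """Human-readable 'facility.severity', e.g. 'auth.crit' for PRI 34."""
    return f"{FACILITIES.get(facility, f'facility{facility}')}.{SEVERITIES[severity]}"


def encode(facility: int, severity: int, message: str,
           timestamp: Optional[str] = None, hostname: Optional[str] = None) -> bytes:
    """Build the datagram. Only facility, severity and message are required."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    header = f"<{facility * 8 + severity}>"
    if timestamp is not None and hostname is not None:
        header += f"{timestamp} {hostname} "
    return (header + message).encode("utf-8")


def decode(datagram: bytes) -> SyslogMessage:
    """Split a datagram into its fields; never raises on malformed input."""
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if m is None or int(m.group(1)) > 191:
        # No usable PRI: log the whole datagram as the message at user.notice.
        return SyslogMessage(1, 5, None, None, text)
    pri = int(m.group(1))
    rest = text[m.end():]
    h = _HDR_RE.match(rest)
    if h is None:
        return SyslogMessage(pri // 8, pri % 8, None, None, rest)
    return SyslogMessage(pri // 8, pri % 8, h["ts"], h["host"], h["msg"])


def send(datagram: bytes, collector: str, port: int = 514) -> None:
    """Fire and forget: no handshake, no acknowledgement, any host can do this."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (collector, port))


if __name__ == "__main__":
    # Constructed sample: an auth.crit (PRI 34) message that claims to come from "fw1".
    wire = encode(4, 2, "login failed for admin from 192.0.2.7", "Oct 11 22:14:15", "fw1")
    print(wire)
    print(decode(wire), priority_name(4, 2))
```

Running the sample shows that `decode` returns exactly the same structure whether the datagram was emitted by fw1 or forged by any other host that can reach UDP/514 on the collector, which is the gap the following slides describe.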

  6. Syslog Protocol Potential Vulnerabilities (1)
     • An attacker may transmit messages (either from the machine that the messages purport to be sent from, or from any other machine) to a server to:
       • fill the disk or otherwise overwhelm the server
       • hide the true nature of an attack amidst many other messages
       • give false indications of events

  7. Syslog Protocol Potential Vulnerabilities (2)
     • An attacker may disable syslog message transmissions from a device to:
       • hide an attack on, or the compromise of, the device

  8. Syslog Protocol Potential Vulnerabilities (3)
     • An attacker may view, delete, modify, or redirect syslog messages while in transit to:
       • hide activities
       • modify event times
       • insert fictitious events
       • determine the status of a machine/application

  9. syslog References in RFCs
     • RFC 1060/1340/1700, Assigned Numbers. J.K. Reynolds, J. Postel
     • RFC 1244/2196, Site Security Handbook. J.P. Holbrook, J.K. Reynolds / B. Fraser
     • RFC 1912, Common DNS Operational and Configuration Errors. D. Barr
     • RFC 1919, Classical versus Transparent IP Proxies. M. Chatel
     • RFC 2072, Router Renumbering Guide. H. Berkowitz
     • RFC 2179, Network Security For Trade Shows. A. Gwinn
     • RFC 2194, Review of Roaming Implementations. B. Aboba, J. Lu, J. Alsop, J. Ding, W. Wang
     • RFC 2669, DOCSIS Cable Device MIB: Cable Device Management Information Base for DOCSIS compliant Cable Modems and Cable Modem Termination Systems. M. St. Johns, Ed.

  10. Solvable Problems
     • Message authentication
     • Message integrity
     • Feedback mechanism for verifiable receipt
     • Confidentiality may be delivered through SSL/TLS or IPsec

  11. Solution Requirements
     • Focus on the protocol
     • Message content is outside the scope of this charter
     • Deployment must not interrupt the existing mechanism

  12. Goals of a Secure Syslog Working Group: Proposed WG Charter

  13. Description
     • Syslog is a de facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known but undocumented security problems. For instance, the messages are unauthenticated and there is no mechanism to provide verified delivery and message integrity.
     • The goal of this working group is to document and address the security and integrity problems of the existing syslog mechanism. In order to accomplish this task we will document the existing protocol. The working group will also explore and develop a standard to address the security problems.
     • Message authentication can be addressed in well-known ways using shared secrets or public keys. Because an important component of any solution will be the ease of transition from the existing mechanism, we will initially explore the use of shared secrets within the existing protocol, with the intent of not impacting non-participants. Verifiable delivery, message integrity and authentication can also be explored in a TCP-based message delivery protocol.
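One shape the "shared secrets within the existing protocol" approach from the charter can take, as an added example; this is not code from the BoF slides and not any later syslog standard. It assumes sender and receiver share a 32-byte key, the sender keeps a monotonic counter, and the authenticator rides as a trailer of the form ` @auth:<sender>:<counter>:<32 hex chars>` appended to the message text. A receiver that does not participate just logs the trailer as part of the message, which is what keeps non-participants unaffected; a participating receiver gets message authentication and integrity (slide 10), and the counter lets it notice the deleted or replayed datagrams from slides 7 and 8. It does nothing for confidentiality, and the timestamp is still whatever the sender wrote.

```python
"""Shared-secret authentication carried inside an unmodified syslog datagram
(added example, not from the BoF slides)."""
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Trailer format is an assumption of this example.
_TRAILER_RE = re.compile(
    rb" @auth:(?P<sender>[A-Za-z0-9._-]+):(?P<ctr>\d+):(?P<mac>[0-9a-f]{32})$")


def _tag(key: bytes, sender: bytes, counter: int, body: bytes) -> bytes:
    """HMAC-SHA256 over sender, counter and body, truncated to 128 bits, as hex.
    Binding the sender name and counter stops the trailer being moved between
    datagrams or senders."""
    data = sender + b"\x00" + str(counter).encode() + b"\x00" + body
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:32].encode()


class Sender:
    def __init__(self, key: bytes, name: str) -> None:
        self.key, self.name, self.counter = key, name.encode(), 0

    def protect(self, datagram: bytes) -> bytes:
        """Append the authenticator; the PRI, timestamp and message are untouched."""
        self.counter += 1
        tag = _tag(self.key, self.name, self.counter, datagram)
        return (datagram + b" @auth:" + self.name + b":"
                + str(self.counter).encode() + b":" + tag)


class Receiver:
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = {name.encode(): key for name, key in keys.items()}
        self.last: Dict[bytes, int] = {}   # highest counter accepted per sender

    def check(self, datagram: bytes) -> Tuple[str, bytes]:
        """Return (verdict, body).
        Verdicts: ok, gap, replay, bad-mac, unknown-sender, unauthenticated."""
        m = _TRAILER_RE.search(datagram)
        if m is None:
            return "unauthenticated", datagram       # legacy sender: log as before
        body = datagram[:m.start()]
        sender, counter = m["sender"], int(m["ctr"])
        key = self.keys.get(sender)
        if key is None:
            return "unknown-sender", body
        if not hmac.compare_digest(_tag(key, sender, counter, body), m["mac"]):
            return "bad-mac", body                    # forged, or modified in transit
        last = self.last.get(sender, 0)
        if counter <= last:
            return "replay", body                     # replayed or reordered datagram
        self.last[sender] = counter
        # A jump in the counter means datagrams were lost or deleted on the way.
        return ("ok" if counter == last + 1 else "gap"), body


if __name__ == "__main__":
    # Constructed sample: one shared key, one sender called "fw1".
    key = bytes(range(32))
    fw1, collector = Sender(key, "fw1"), Receiver({"fw1": key})
    wire = fw1.protect(b"<34>Oct 11 22:14:15 fw1 login failed for admin")
    print(wire)
    print(collector.check(wire))
    print(collector.check(wire.replace(b"failed", b"passed")))
```

The receiver checks the MAC before it looks at the counter, so an attacker cannot move the window forward with forged datagrams; the counter state is per sender and would need to survive a collector restart in a real deployment.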

  14. Goals and Milestones
     • May 2000: Post as an Internet Draft the observed behavior of the syslog protocol for consideration as a Standards Track RFC.
     • Jul 2000: Post as an Internet Draft the specification for an authenticated syslog for consideration as a Standards Track RFC.
     • Aug 2000: Post as an Internet Draft the specification for an authenticated syslog with verifiable delivery and message integrity for consideration as a Standards Track RFC.
     • Dec 2000: Revise drafts as necessary and advance these Internet Drafts to Standards Track RFCs.
