Agreed. The way we are doing the binary logging is simply raising the
bar.
That is why I avoided the term "Tamperproof" and suggested that the
whole box would need analysis, not just the log files. Many other
factors of the OS with the MLS & MAC determine the overall authenticity
of the logs. 

The main point is, of all the leading FWs I've seen, no one seems to be
taking similar extensive measures. Most of them are simple, editable
text logs. Anyone know of others that are NOT using text?

erik
_________________________________________________ 
Erik Elsasser                  System Engineering 
CyberGuard Corporation           Northeast Region 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ben Nagy
Sent: Wednesday, June 12, 2002 5:07 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: firewall logging
Importance: High


You tell me how the log auditing app verifies the logs and I'll tell you
how to subvert it. 8) 

While it's true that it protects against naive log tampering, the app
itself must be vulnerable to attack. Let's say, for the sake of
argument, that it stores, against each entry, a SHA hash of (logfile +
secret key) - yes that's a boring protocol and full of holes, but it
works on the surface, since I can't fake logs because I can't reproduce
the correct hash for my faked entry. In that faked up example, all I
need to do is dig around in the binary for the logger program, rip out
the key and away I go.

Cyberguard gets points for its MAC code, which would make it really
unlikely that an external attacker could ever get the right sort of
access to do that - but here the attacker is internal and has full
access to all the accounts on the box (plus physical access, if
necessary, and I know that Cyberguard can run on standard x86 boxes -
removing the disks and remounting them raw on the nearby linux box would
be an obvious way to evade all the B level security).

I'm sure that your mechanism is smarter than that, but I'm still
asserting that it's just a bigger hurdle.

Lots has been written about assembly/machine code obfuscation, and while
it's possible to make things hard it's impossible to make them
impossible.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 

-- 
Firewalls mailing list - [ [EMAIL PROTECTED] ]
To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html
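Ben's "boring protocol" above (a SHA hash of entry plus secret key stored against each entry) and the attack on it (pull the key out of the logger binary, rewrite an entry, recompute its tag) are easy to show in code. The block below is an added example, not code from either poster or from CyberGuard: it implements that naive scheme, shows the forged entry verifying cleanly once the attacker holds the key, and then goes one step past the thread to a forward-secure variant (per-entry key evolved through a one-way hash and the old key erased, the verifier keeping the initial key off the box), which is a higher hurdle but still, as Ben says, only a hurdle. The log lines and keys are constructed for the example; nothing here is any real firewall's format.

```python
import hashlib
import hmac
import os

# Constructed sample log lines for the example (not from any real firewall).
SAMPLE_LOG = [
    "2002-06-12 05:07:01 DENY  tcp 10.0.0.5:41234 -> 192.168.1.10:22",
    "2002-06-12 05:07:03 ALLOW tcp 10.0.0.7:52311 -> 192.168.1.20:80",
    "2002-06-12 05:07:09 DENY  udp 10.0.0.5:53    -> 192.168.1.10:161",
]


# --- 1. The scheme from the thread: tag = SHA(entry + secret key), key baked into the logger ---

def naive_tag(entry: str, key: bytes) -> str:
    """Per-entry tag as described in the thread: one hash over the entry and a static key."""
    return hashlib.sha256(entry.encode() + key).hexdigest()


def naive_write(entries, key: bytes):
    """What the logger stores: (entry, tag) pairs, all under the same static key."""
    return [(e, naive_tag(e, key)) for e in entries]


def naive_verify(log, key: bytes) -> bool:
    """The audit app recomputes every tag with the same static key."""
    return all(hmac.compare_digest(tag, naive_tag(e, key)) for e, tag in log)


def forge_with_extracted_key(log, key: bytes, index: int, new_entry: str):
    """Attacker who ripped the static key out of the logger binary: rewrite one
    entry and recompute its tag. Nothing ties the tag to anything the attacker lacks."""
    forged = list(log)
    forged[index] = (new_entry, naive_tag(new_entry, key))
    return forged


# --- 2. Forward-secure variant (beyond the thread): evolve the key per entry, erase the old one ---

def evolve(key: bytes) -> bytes:
    """One-way key step K_{i+1} = SHA-256("evolve" || K_i); K_i cannot be recovered from K_{i+1}."""
    return hashlib.sha256(b"evolve" + key).digest()


def fs_tag(entry: str, key: bytes) -> str:
    """HMAC-SHA-256 of the entry under the per-entry key K_i."""
    return hmac.new(key, entry.encode(), hashlib.sha256).hexdigest()


class ForwardSecureLogger:
    """Logger keeps only the *current* key; each key is overwritten as soon as it is used."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.log = []

    def append(self, entry: str) -> None:
        self.log.append((entry, fs_tag(entry, self.key)))
        self.key = evolve(self.key)  # K_i is now gone from the box


def fs_verify(log, initial_key: bytes) -> bool:
    """Verifier holds K_0 off-box and re-derives K_i for each entry in order."""
    k = initial_key
    for e, tag in log:
        if not hmac.compare_digest(tag, fs_tag(e, k)):
            return False
        k = evolve(k)
    return True


def forge_with_current_key(logger: ForwardSecureLogger, index: int, new_entry: str):
    """Attacker who dumped the box after the entries were written holds only the
    current (already evolved) key, which is not K_index, so the best retroactive
    forgery is a tag under the wrong key."""
    forged = list(logger.log)
    forged[index] = (new_entry, fs_tag(new_entry, logger.key))
    return forged


def demo():
    """Returns (naive honest ok, naive forgery passes, fs honest ok, fs forgery passes)."""
    static_key = os.urandom(32)
    naive_log = naive_write(SAMPLE_LOG, static_key)
    flipped = SAMPLE_LOG[0].replace("DENY ", "ALLOW")
    naive_forged = forge_with_extracted_key(naive_log, static_key, 0, flipped)

    k0 = os.urandom(32)
    fs_logger = ForwardSecureLogger(k0)
    for e in SAMPLE_LOG:
        fs_logger.append(e)
    fs_forged = forge_with_current_key(fs_logger, 0, flipped)

    return (
        naive_verify(naive_log, static_key),   # True
        naive_verify(naive_forged, static_key),  # True: forgery undetected
        fs_verify(fs_logger.log, k0),          # True
        fs_verify(fs_forged, k0),              # False: retroactive edit detected
    )


if __name__ == "__main__":
    print(demo())
```

The forward-secure version only protects entries written before the box was compromised: whoever holds the current key can still append plausible new entries, and truncating the tail of the log is invisible unless the verifier also knows how many entries to expect (or receives a periodic count out of band). That is exactly the "bigger hurdle, not a wall" point being made in the thread.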
