Here are some comments:
Section 5.1:
Worse than malicious attacks, it's impossible to effectively use a syslog
collator.
Here at Counterpane, we provide a security monitoring service. Among the
things we watch is syslog. Some of our customers already send syslog
messages to a central collator, and it's trivial for that collator to send
them on to us. However, when this happens, the messages lose source
information. When we learn of a problem, we know that the problem comes
from the collator, but not the system that is actually having the problem.
This is far more serious a lack than the possibility of malicious exploit
-- even in a network where everyone is a friend we can't tell where a
problem is coming from!
Section 5.3:
"...since the underlying transport is UDP, some messages may be lost."
It's worse than that. Since the underlying transport is UDP, some messages
*will* be lost. And they will be lost often at the worst possible time. We
can't state what the rate of loss will be (and it is almost always very,
very small), but it is a fact of life that routers drop UDP messages first,
as do protocol stacks.
"...The possible consequences of the drop of one or more Syslog messages
cannot be easily determined."
Please strike the words "possible" and "easily." :-) Let's not mince words.
Be bold. From a security standpoint, UDP sucks.
Section 5.5:
It's not clear that your objection is that syslog messages are unencrypted,
or that they're human-readable. I'm not worried about human-readable. If
they were binary but of a well-defined format (like SNMP traps), they'd
still be observable. On the other hand, there's a large can of worms with
encryption, too.
Jon
-----
Jon Callas [EMAIL PROTECTED]
Director of Engineering +1 (408) 556-2445 (voice)
Counterpane Internet Security +1 (408) 556-0889 (fax)
3031 Tisch Way, Suite 100 PGP: 42C6 AD1A 98B7 84B4 349E
San Jose CA 95128, USA 1528 EC0C ED80 D65E 3DFD
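The loss of source information described in the Section 5.1 comment above can be shown in code. The following is an added example, not part of Jon Callas's message or of the syslog draft it reviews: two constructed RFC 3164 messages (`<PRI>TIMESTAMP HOSTNAME TAG: CONTENT`) arrive at a collator, which forwards them to a monitoring service. A collator that re-stamps HOSTNAME with its own name (a plausible mechanism for the loss, not one the message specifies) leaves the downstream party able to attribute everything only to the collator; one that forwards the message body untouched keeps the originating host in the HOSTNAME field even though the UDP source address is now the collator's. The hostnames, addresses and log text are constructed.

```python
"""Added example: how a syslog collator can lose, or keep, the originating
host when relaying RFC 3164 messages. Not from the original message or the
draft; hosts, addresses and log lines below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample datagrams as the collator receives them:
# (UDP source address, raw RFC 3164 payload).
SAMPLE_DATAGRAMS = [
    ("10.0.0.11", "<34>Oct 11 22:14:15 web01 su: 'su root' failed for lonvick on /dev/pts/8"),
    ("10.0.0.12", "<86>Oct 11 22:14:16 db01 sshd[1234]: Failed password for root from 10.0.0.99 port 4242 ssh2"),
]

# Hypothetical name of the central collator.
COLLATOR_HOST = "collator"

# <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility * 8 + severity.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    msg: str

    def encode(self) -> str:
        """Serialise back to the wire format."""
        pri = self.facility * 8 + self.severity
        return f"<{pri}>{self.timestamp} {self.hostname} {self.msg}"


def parse(raw: str) -> SyslogMessage:
    """Parse one RFC 3164 message; reject anything that does not fit."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(pri // 8, pri % 8, m.group("timestamp"),
                         m.group("hostname"), m.group("msg"))


def naive_relay(datagrams):
    """Collator that re-stamps HOSTNAME with its own name before forwarding.
    Downstream sees the collator as the source of every event."""
    forwarded = []
    for _src_addr, raw in datagrams:
        m = parse(raw)
        m.hostname = COLLATOR_HOST  # origin overwritten here
        forwarded.append((COLLATOR_HOST, m.encode()))
    return forwarded


def preserving_relay(datagrams):
    """Collator that forwards the message body unchanged. The UDP source
    address is now the collator's, but HOSTNAME still names the origin."""
    return [(COLLATOR_HOST, parse(raw).encode()) for _src_addr, raw in datagrams]


def origins_seen(forwarded):
    """Hosts a downstream monitoring service can attribute events to."""
    return sorted({parse(raw).hostname for _addr, raw in forwarded})


if __name__ == "__main__":
    print("naive relay     :", origins_seen(naive_relay(SAMPLE_DATAGRAMS)))
    print("preserving relay:", origins_seen(preserving_relay(SAMPLE_DATAGRAMS)))
```

The check a monitoring service would want is `origins_seen`: after the naive relay it contains only the collator's name, after the preserving relay it lists `db01` and `web01`. Note that this keeps attribution only because the HOSTNAME field travels inside the message; nothing here addresses the UDP loss or the observability points raised for Sections 5.3 and 5.5.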