We have discussed the issue of a very simple, non-BEEP-based plain TCP
syslog several times on this list. The idea has always been violently
rejected.

Iff (if and only if) there will be a standard for syslog-over-TCP, I think it should do more than replace UDP by TCP.

Some years ago, we studied this, and found that in environments where UDP 'will not do', a simple replacement will not suffice either. E.g. we needed to be able to transfer logs from a hostile, "unsafe" environment (e.g. the systems just before the firewall) to a safe place (behind the FW). UDP isn't an option; nobody will accept such a DoS hole. But for the same reasons, any TCP session from a possibly hijacked host through the FW is not a good idea.
So, we implemented a 'reverse, buffered' TCP syslog.

The idea: a (controlled, safe) host will start an (outward) TCP session, fetching logs from the 'unsafe' area. When there is no connection, the host in the hostile environment will buffer logs (for some time) in memory. The latter will give start-up logs, but also makes sure the "log during an attack" (when possibly some systems / the FW are down/closed) can be saved (and studied later). The reverse flow will make sure a 'hijacked' host can never send data through the FW. Sure, some log lines can be faked. But the control of that session is full: only a secure host can start a session.

Note: For political reasons, the code was never put in production. (I have it lying around somewhere; it is open ...). But it works.

I mention this example to show that replacing UDP by TCP is simple and will suffice. I think there is need for a TCP version. Personally, I don't like BEEP, nor the syslog-over-BEEP option. But I don't like a simple TCP syslog either.

Note: It's just me. But I'm not actively involved in syslog anymore, and will be offline for some time. So I can't discuss a follow-up.




--Groetjes
ALbert Mietus
    Send prive mail to:          ALbert at ons-huis dot net
    Send business mail to:  Albert dot Mietus at PTS dot nl
    Don't send spam mail!
http://albert.mietus.nl               http://albert.mietus.nl/read.IT


_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
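An added example, not Albert's (unpublished) code: a minimal Python sketch of the reverse, buffered scheme described above. The unsafe-zone host keeps a bounded in-memory buffer and only ever answers a connection; the safe-zone collector opens the outbound session and drains the buffer. The newline-delimited wire format, the loopback port and the "BUFFER-GAP" marker line are my assumptions.

```python
import socket
import threading
from collections import deque

class LogBuffer:
    # bounded buffer on the unsafe-zone host: when full, the oldest lines are
    # dropped, but the drop count is reported so the gap stays visible
    def __init__(self, max_lines=1000):
        self._lines = deque(maxlen=max_lines)
        self._dropped = 0
        self._lock = threading.Lock()

    def append(self, line):
        with self._lock:
            if len(self._lines) == self._lines.maxlen:
                self._dropped += 1
            self._lines.append(line)

    def drain(self):
        # hand over everything buffered so far and reset the buffer
        with self._lock:
            out, dropped, self._dropped = list(self._lines), self._dropped, 0
            self._lines.clear()
        if dropped:
            out.insert(0, "BUFFER-GAP: %d oldest lines dropped" % dropped)
        return out

def serve_one_fetch(buf, listener):
    # unsafe-zone side: only ever answers a connection, never opens one
    conn, _ = listener.accept()
    with conn:
        conn.sendall("".join(l + "\n" for l in buf.drain()).encode())

def fetch(host, port):
    # safe-zone collector: open the outbound session, read until peer closes
    with socket.create_connection((host, port), timeout=5) as s:
        return s.makefile("rb").read().decode().splitlines()

def demo(max_lines=3):
    # one fetch cycle over loopback, both roles in one process; constructed input
    buf = LogBuffer(max_lines)
    for i in range(5):
        buf.append("<13>host1 app[%d]: event %d" % (i, i))
    listener = socket.create_server(("127.0.0.1", 0))
    t = threading.Thread(target=serve_one_fetch, args=(buf, listener))
    t.start()
    lines = fetch("127.0.0.1", listener.getsockname()[1])
    t.join()
    listener.close()
    return lines
```

With a buffer of three lines and five events logged, the collector receives the gap marker followed by events 2 to 4.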
