On Tue, 26 Aug 1997, Jyri Kaljundi wrote:
> Arjan Vos <arjan @
> > > 2. If off the firewall, how do we get them off? Protocols?
> > >
> > You can use syslog messages to send logging to some log host within your
> > internal network.
> How secure and reliable is this? I mean in case of high load when you want
> to log all network traffic, is it sure that syslog will receive all of the
> packets and not drop any of them? I have not tested how much traffic
> syslogd can receive, but it does not seem the most reliable piece of
> software, maybe I am mistaken.
You are right. UDP is unreliable in the first place. But regarding the
firewall configurations, I haven't seen installations where syslog
couldn't keep up with the pace (yet). Maybe you could set up a
special network interface just for syslog messages to go out to some log
host, creating a dedicated 10 Mb/s pipe (or 100 Mb/s).
On the other hand, if you want to log all network traffic then I don't
think syslog is the way to go, but you should use something like tcpdump.
And if you want that output sent to another host, well, you might be in
trouble then if you haven't got Gigabit networking :-)).
What you can do is put a Pentium PC on the line, e.g. with Linux. All it
does is monitor the traffic with tcpdump and have it piped through
tcpshow. The output is then parsed through some "intelligent
filter" which can identify suspect packets and send appropriate
reports/alerts with syslog. Mmmm... I'm drifting off... we're back at
where we started.... Maybe if you can set up something without an
IP address, a potential attacker might not discover that PC at all.
Wear glasses if you need them
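As an added illustration of the "intelligent filter" stage sketched in the reply above (example code, not from anyone in this thread): a small Python filter that reads tcpdump-style one-line output, flags inbound SYNs to ports the protected host does not serve, and formats each hit as an RFC 3164 syslog line for best-effort UDP delivery to a log host. The sample tcpdump lines, the protected host address and the allowed port set are constructed for the example; tcpshow's output format is not assumed.

```python
import re
import socket
import time

# Constructed sample of tcpdump's one-line TCP output ("IP src.port > dst.port: Flags [..]").
SAMPLE_TCPDUMP = """\
13:01:02.000001 IP 10.0.0.5.44321 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
13:01:02.000120 IP 10.0.0.5.44322 > 192.168.1.10.23: Flags [S], seq 2, win 64240, length 0
13:01:02.000240 IP 10.0.0.5.44323 > 192.168.1.10.111: Flags [S], seq 3, win 64240, length 0
13:01:02.000360 IP 192.168.1.10.80 > 10.0.0.5.44321: Flags [S.], seq 9, ack 2, win 65535, length 0
13:01:02.000480 IP 10.0.0.7.50000 > 192.168.1.10.25: Flags [S], seq 4, win 64240, length 0
"""

# Hypothetical policy: the monitored host only serves SMTP and HTTP.
PROTECTED_HOST = "192.168.1.10"
ALLOWED_PORTS = {25, 80}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def suspect_packets(text):
    """Return (timestamp, src, dport) for pure SYNs aimed at ports the host does not serve."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparsable line: ignore
        if m["dst"] != PROTECTED_HOST or m["flags"] != "S":
            continue  # only inbound connection attempts, not SYN-ACK replies
        dport = int(m["dport"])
        if dport not in ALLOWED_PORTS:
            hits.append((m["ts"], m["src"], dport))
    return hits

def syslog_message(src, dport, facility=4, severity=4):
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: message (auth/warning by default)."""
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} sniffer tcpfilter: SYN from {src} to unserved port {dport}"

def send_alert(msg, loghost, port=514):
    """Ship the alert to the log host over UDP; as the thread notes, delivery is best-effort."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg.encode(), (loghost, port))
```

Wire the pieces together by feeding `tcpdump -l` output into `suspect_packets` and calling `send_alert(syslog_message(src, dport), loghost)` for each hit; a dedicated interface to the log host, as suggested above, keeps those datagrams off the monitored segment.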