
List:       syslog-sec
Subject:    RE: IPSEC usage to protect syslog
From:       Chris Lonvick <syslog-sec () employees ! org>
Date:       2000-08-22 16:27:52

Hi Steven,

While I agree that common approaches are usually good, the concept
sometimes breaks down upon implementation.  This is especially true
if there are not enough similarities between the concepts.

As I wrote to you earlier, the services provided by IPsec may not
be applicable to the trust model for the deployment of syslog.  
IPsec only provides strong bi-directional device authentication.
It may be desirable to provide single-sided device authentication
for the easy deployment of syslog.  If that is so, then something
like TLS with the message-generator presenting a null certificate
may be more appropriate.  The message-receiver could present a
fully signed certificate to provide assurance to the message-
generator that it is indeed the intended recipient.  In this way,
a syslog server could be turned up with a signed certificate while
the syslog message generators may be turned up much more easily
without having to generate and sign certificates for each of them.
On the other hand, both sides may have authoritatively signed 
certificates to provide strong bi-directional device authentication 
if that meets the network security policy.  

As you note, this has not yet been discussed in the Syslog Working 
Group.  I would encourage this discussion to take place on the
mailing list there but I don't think that we need that to spill over
to the SNMPv3 or S-BGP lists.  When we define our trust model then
we should look to see what work has been done.  I will also say that
the similarities between the goals of the Syslog Working Group and
those of the Intrusion Detection Working Group are much more
similar.  Again, once we discuss our model, then we can see if the
Intrusion Alert Protocol will work for the conveyance of syslog
messages.  Also, as I've mentioned before, using BEEP as a transport
may also offer some benefits that we may want to discuss in the
syslog mailing list.

Thanks,
Chris

(I've changed my "reply to:" address to be the mailing list for the
Syslog Working Group.  If you wish to reply directly to me, please
address email to clonvick@cisco.com .)


At 10:20 AM 8/22/00 +0100, Waters, Stephen wrote:

>Having exchanged a few mails in the secure-BGP, SNMPv3 and syslog mailing
>lists recently, I would be interested in seeing a 'common' approach where
>possible. 
---remainder deleted for brevity---
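
The two trust models described in the message above, sketched with Python's standard `ssl` module. This is an added example, not part of the original message or of any Syslog Working Group material; the function names and certificate file parameters are hypothetical, and "null certificate" is modelled as the message-generator presenting no certificate at all.

```python
import ssl

def receiver_context(mutual, cert=None, key=None, generator_ca=None):
    """TLS context for the syslog message-receiver (the TLS server).

    mutual=False: one-sided model, generators present no certificate.
    mutual=True:  both sides present authoritatively signed certificates.
    File paths are hypothetical and supplied by the deployer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cert:
        # The receiver presents its signed certificate in both models.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    if mutual:
        # Reject any generator that cannot present a certificate
        # chaining to the CA that signs generator certificates.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if generator_ca:
            ctx.load_verify_locations(cafile=generator_ca)
    else:
        # Do not request a certificate from the generator.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def generator_context(receiver_ca=None, cert=None, key=None):
    """TLS context for a syslog message-generator (the TLS client)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # In both models the generator verifies that it is talking to the
    # intended recipient: valid chain and matching host name.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if receiver_ca:
        ctx.load_verify_locations(cafile=receiver_ca)
    if cert:
        # Only needed in the mutual model.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx

def authenticated_parties(receiver_ctx, generator_ctx):
    """Return which peers the two contexts insist on authenticating."""
    parties = set()
    if generator_ctx.verify_mode == ssl.CERT_REQUIRED:
        parties.add("receiver")
    if receiver_ctx.verify_mode == ssl.CERT_REQUIRED:
        parties.add("generator")
    return parties
```

In the one-sided configuration the receiver has no cryptographic proof of which device sent a message, so the origin of each log record is unauthenticated at the transport layer.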
