Re: Secure Syslog
On Fri, 6 Dec 2002 18:09:08 +1100 Craig Hammond <Craig@sbisolutions.com.au> wrote:
> It is as good as it sounds, or a load of crap ???????????
> San Diego Supercomputer Center has released Secure Syslog
> ... According to their
> announcement, it is the first syslog implementation to target
> "syslog-reliable" (RFC 3195 <http://www.ietf.org/rfc/rfc3195.txt> )
> functionality and it is the first syslog targeted at very high
> performance and forensically-sound auditing
it's not clear if it's really first, and no one has enough experience with
it to know how solid it is.
syslog-reliable itself is an interesting and controversial protocol,
primarily because it is one of the first protocols that depends on BEEP,
itself an interesting and controversial protocol. BEEP is a multiplexing
protocol overlaid on TCP, and somewhat complicated. there are also some
potential security concerns that need to be studied.
> It's currently under the UC's "free for non-commercial use" license, but
> they are looking at moving to a completely open license (BSD-style
> licensing was mentioned)
BSD licensing would be cool, and in that case a port would be interesting.
syslog-sign is potentially of more interest to the community. it sticks
with UDP, for better or worse, but provides some tools for improving
comfort levels with syslog messages (that is, authenticating their source
and detecting when messages have been tampered with or been dropped.)
syslog-sign isn't as far along the standards track as syslog-reliable,
but it may penetrate faster once it's done.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
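
The kind of check described above for syslog-sign (authenticating the source and detecting tampered or dropped messages while the log traffic itself stays on UDP), as an added example that is not part of the original message and does not reproduce the syslog-sign wire format. Assumptions: HMAC with a shared key stands in for a digital signature, and the function names, JSON block layout and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a shared demo key. HMAC stands in here for a digital signature.
KEY = b"constructed-demo-key"

def digest(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

def make_signature_block(first_seq: int, messages: list) -> bytes:
    """Sender: authenticated list of hashes for a run of messages already sent."""
    body = json.dumps({"first_seq": first_seq,
                       "hashes": [digest(m) for m in messages]})
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()

def audit(block: bytes, received: list) -> dict:
    """Receiver: compare what arrived over UDP with the authenticated hash list."""
    outer = json.loads(block)
    expected = hmac.new(KEY, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        # A block that fails authentication vouches for nothing.
        return {"block_ok": False, "verified": [], "missing": [],
                "unverified": list(received)}
    info = json.loads(outer["body"])
    arrived = {digest(m) for m in received}
    verified, missing = [], []
    for offset, h in enumerate(info["hashes"]):
        (verified if h in arrived else missing).append(info["first_seq"] + offset)
    known = set(info["hashes"])
    # Messages with no matching hash were altered in transit or injected.
    unverified = [m for m in received if digest(m) not in known]
    return {"block_ok": True, "verified": verified, "missing": missing,
            "unverified": unverified}

# Constructed sample traffic: four messages sent, one altered, one dropped.
SENT = [b"<38>host1 sshd: login ok for alice",
        b"<38>host1 sshd: login failed for root",
        b"<38>host1 su: alice to root",
        b"<38>host1 sshd: logout alice"]
RECEIVED = [SENT[0], b"<38>host1 sshd: login ok for root", SENT[3]]

if __name__ == "__main__":
    print(audit(make_signature_block(1, SENT), RECEIVED))
```

An altered message appears twice in the result: its sequence number is reported missing and the altered text is reported unverified, because the receiver cannot tell an in-place edit from a drop plus an injection.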