Syslog BoF - PowerPoint PPT Presentation

1
Syslog BoF
  • 47th IETF - Adelaide
  • Chris Lonvick
  • clonvick@cisco.com

2
Agenda
  • Agenda bashing
  • Introduction and Level Setting - 30 minutes
  • Definition, Use and History
  • Perceived Weaknesses
  • Goals of a Secure Syslog Working Group - 20 minutes
  • Proposed Charter and Subsequent Bashing
  • Proposed Deliverables, Timetable and Subsequent Bashing

3
Syslog Use
  • Event Notification
  • Common OS devices (e.g. Unix, Linux, NT, etc.) and their applications
  • Routers
  • Switches
  • Firewalls
  • Printers
  • Thin clients

4
Generally Accepted Syslog Packet Contents
  • Facility and Severity (required)
  • Time (usual)
  • Message (required)

5
Syslog Protocol
  • UDP/514
  • Stateless between the Client and Server
  • No authentication of sender nor reciprocal
    authentication of receiver
  • No acknowledgement of receipt
  • No coordinated timestamping
  • No standardized (or even suggested) message
    content or format
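The datagram the two preceding slides describe, as an added example for this transcript (not code from the presentation or from an IETF document): a required PRI field carrying facility and severity, the usual timestamp, a hostname and free-form message text, all in one UDP datagram. The field layout follows the BSD practice of the time, which RFC 3164 later wrote down as observed behaviour; the sample datagrams are constructed. Note what the parser cannot do: nothing in the packet or in the UDP transport ties the hostname field to the machine that actually sent it.

```python
"""Classic BSD syslog datagram: <PRI> (facility * 8 + severity), a usual
timestamp, a hostname and the message, sent as one UDP datagram to port 514.

Added example; the layout follows BSD practice (later documented as observed
behaviour in RFC 3164) and the sample datagrams are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")
# BSD timestamp "Mmm dd hh:mm:ss" with a space-padded day, e.g. "Mar  1 00:00:00"
_TS_RE = re.compile(rb"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]   # None when the sender omitted it
    hostname: Optional[str]    # None when no timestamp/hostname header was present
    message: str


def encode(facility: int, severity: int, hostname: str, message: str,
           when: Optional[datetime] = None) -> bytes:
    """Build the datagram a device would put on the wire."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0-23, severity 0-7")
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {message}".encode("ascii", "replace")


def decode(datagram: bytes) -> SyslogMessage:
    """Parse a datagram. The hostname is whatever the sender wrote; neither
    this parser nor the UDP transport can check it against the real source."""
    m = _PRI_RE.match(datagram)
    if m is None:
        raise ValueError("missing PRI")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:
        raise ValueError(f"PRI {pri} out of range")
    rest = datagram[m.end():]
    timestamp = hostname = None
    t = _TS_RE.match(rest)
    if t is not None:
        timestamp = t.group(1).decode("ascii")
        rest = rest[t.end():]
        host_bytes, _, rest = rest.partition(b" ")
        hostname = host_bytes.decode("ascii", "replace")
    return SyslogMessage(pri // 8, pri % 8, timestamp, hostname,
                         rest.decode("ascii", "replace"))


def sample_roundtrip():
    """Constructed sample: an auth.crit message claiming to come from fw1."""
    wire = encode(4, 2, "fw1", "sshd[42]: Failed password for root",
                  datetime(2000, 3, 27, 9, 30, 0))
    return wire, decode(wire)


if __name__ == "__main__":
    wire, parsed = sample_roundtrip()
    print(wire)
    print(FACILITIES[parsed.facility], SEVERITIES[parsed.severity],
          parsed.timestamp, parsed.hostname, parsed.message)
```

A datagram with no timestamp (`<13>just text`) still decodes, with timestamp and hostname set to None, which is how much of the "no standardized format" point shows up in practice: a receiver has to accept whatever arrives.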

6
Syslog Protocol Potential Vulnerabilities (1)
  • An Attacker may transmit messages (either from the machine that the messages purport to be sent from, or from any other machine) to a server to
    • fill the disk or otherwise overwhelm the server
    • hide the true nature of an attack amidst many other messages
    • give false indications of events

7
Syslog Protocol Potential Vulnerabilities (2)
  • An Attacker may disable syslog message transmissions from a device to
    • hide an attack on, or the compromise of, the device

8
Syslog Protocol Potential Vulnerabilities (3)
  • An Attacker may view, delete, modify, or redirect syslog messages while in transit to
    • hide activities
    • modify event times
    • insert fictitious events
    • determine the status of a machine/application
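What a collector can do about the three slides above with nothing but the protocol as it stands, as an added example for this transcript (not code from the presentation): flag messages whose claimed hostname does not match the address they arrived from (slide 6), budget datagrams per source to spot flooding (slide 6), compare the claimed event time with the arrival time (slide 8, and the "no coordinated timestamping" point), and notice devices that have gone quiet (slide 7). The allow-list, thresholds and sample records are constructed assumptions. These checks only raise the bar, since the UDP source address is itself forgeable; that is exactly why the later slides ask for real message authentication.

```python
"""Receiver-side checks for the attack classes on slides 6-8.

Added example, not from the presentation. Works on records a collector
already has (UDP source address, claimed hostname, claimed timestamp, local
receive time); the allow-list, thresholds and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the collector operator knows which address each device logs from.
EXPECTED_SOURCE = {"fw1": "192.0.2.1", "web1": "192.0.2.10"}
MAX_PER_SOURCE_PER_MINUTE = 5          # illustrative flood budget
MAX_CLOCK_SKEW = timedelta(minutes=5)  # clocks are not coordinated, so allow some drift
SILENCE_LIMIT = timedelta(minutes=10)  # devices expected to log at least this often


class Auditor:
    def __init__(self):
        self.counts = defaultdict(int)   # (source ip, minute) -> datagrams seen
        self.last_seen = {}              # hostname -> last receive time

    def check(self, src_ip, hostname, claimed_ts, received_at):
        """Return the findings for one datagram (empty list = nothing odd)."""
        findings = []
        expected = EXPECTED_SOURCE.get(hostname)
        if expected is None:
            findings.append("unknown-host")
        elif expected != src_ip:
            findings.append("source-mismatch")   # claims to be fw1, came from elsewhere
        if abs(claimed_ts - received_at) > MAX_CLOCK_SKEW:
            findings.append("clock-skew")        # event time far from arrival time
        minute = (src_ip, received_at.replace(second=0, microsecond=0))
        self.counts[minute] += 1
        if self.counts[minute] > MAX_PER_SOURCE_PER_MINUTE:
            findings.append("flood")             # filling the disk / burying a real event
        self.last_seen[hostname] = received_at
        return findings

    def silent_hosts(self, now):
        """Devices that have not logged within SILENCE_LIMIT. Syslog has no
        heartbeat or acknowledgement, so absence is the only signal the
        receiver gets when a device's logging has been disabled."""
        return sorted(h for h in EXPECTED_SOURCE
                      if now - self.last_seen.get(h, datetime.min) > SILENCE_LIMIT)


def run_sample():
    """Constructed records: (source ip, claimed hostname, claimed ts, received at)."""
    a = Auditor()
    base = datetime(2000, 3, 27, 9, 0, 0)
    records = [
        ("192.0.2.1", "fw1", base, base + timedelta(seconds=1)),                         # genuine
        ("198.51.100.7", "fw1", base, base + timedelta(seconds=2)),                      # forged hostname
        ("192.0.2.10", "web1", base - timedelta(hours=2), base + timedelta(seconds=3)),  # stale event time
    ]
    # six more from the forging host inside the same minute: the last two exceed the budget
    records += [("198.51.100.7", "fw1", base, base + timedelta(seconds=10 + i)) for i in range(6)]
    # web1 logs again later; fw1 does not
    records.append(("192.0.2.10", "web1", base + timedelta(minutes=15), base + timedelta(minutes=15)))
    findings = [a.check(*r) for r in records]
    return findings, a.silent_hosts(base + timedelta(minutes=20))


if __name__ == "__main__":
    findings, silent = run_sample()
    for f in findings:
        print(f or "ok")
    print("silent:", silent)
```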

9
syslog References in RFCs
  • RFC 1060/1340/1700 Assigned numbers - J.K.
    Reynolds, J. Postel
  • RFC 1244/2196 Site Security Handbook - J.P.
    Holbrook, J.K. Reynolds / B. Fraser
  • RFC 1912 Common DNS Operational and
    Configuration Errors - D. Barr
  • RFC 1919 Classical versus Transparent IP Proxies
    - M. Chatel
  • RFC 2072 Router Renumbering Guide - H. Berkowitz
  • RFC 2179 Network Security For Trade Shows - A.
    Gwinn
  • RFC 2194 Review of Roaming Implementations - B.
    Aboba, J. Lu, J. Alsop, J. Ding, W. Wang
  • RFC 2669 DOCSIS Cable Device MIB Cable Device
    Management Information Base for DOCSIS compliant
    Cable Modems and Cable Modem Termination Systems
    - M. St. Johns, Ed.

10
Solvable Problems
  • Message Authentication
  • Message Integrity
  • Feedback mechanism for verifiable receipt
  • Confidentiality may be delivered through SSL/TLS
    or IPSec

11
Solutions Requirements
  • Focus on the protocol
  • Message content is outside the scope of this
    charter
  • Deployment must not interrupt the existing
    mechanism

12
Goals of a Secure Syslog Working Group
  • Proposed WG Charter

13
Description
  • Syslog is a de facto standard for logging system
    events. However, the protocol component of this
    event logging system has not been formally
    documented. While the protocol has been very
    useful and scalable, it has some known but
    undocumented security problems. For instance, the
    messages are unauthenticated and there is no
    mechanism to provide verified delivery and
    message integrity.
  • The goal of this working group is to document and
    address the security and integrity problems of
    the existing Syslog mechanism. In order to
    accomplish this task we will document the
    existing protocol. The working group will also
    explore and develop a standard to address the
    security problems.
  • Message authentication can be addressed in
    well-known ways using shared secrets or public
    keys. Because an important component of any
    solution will be the ease of transition from the
    existing mechanism, we will initially explore the
    use of shared secrets within the existing
    protocol with the intent of not impacting
    non-participants. Verifiable delivery, message
    integrity and authentication can also be explored
    in a TCP-based message delivery protocol.
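One way the approach in the charter paragraph above (and the "solvable problems" list on slide 10) can be realised, as an added example for this transcript: a shared-secret HMAC carried inside the existing message so that non-participants are not affected. This is not the working group's design (the IETF later standardised signed syslog separately, in RFC 5848); the trailer layout, the per-host counter and the key handling are this example's own assumptions, and the key and datagrams are constructed. The sender appends a trailer to the message text; a receiver that knows nothing about it simply logs the whole line, while a participating receiver strips it, checks the HMAC over the PRI, timestamp, hostname, counter and body, rejects replays and tampering, and uses gaps in the counter as its only hint that messages were lost on the stateless UDP transport.

```python
"""Shared-secret authentication layered onto an otherwise unchanged syslog
message: authentication and integrity via HMAC, replay and loss detection via
a per-host counter, without impacting receivers that do not participate.

Added example; not the working group's design. Trailer layout, counter
scheme, key handling and sample data are this example's own assumptions."""
import hashlib
import hmac
import re

HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)
TRAILER_RE = re.compile(r" @auth:(\d+):([0-9a-f]{64})$")


def _tag(key: bytes, pri: str, timestamp: str, host: str, counter: int, body: str) -> str:
    """HMAC-SHA256 over everything the receiver acts on, including the event
    time, so a change in transit to any of them is detectable."""
    data = "\x00".join([pri, timestamp, host, str(counter), body]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key: bytes, host: str):
        self.key, self.host, self.counter = key, host, 0   # in practice the counter must survive restarts

    def emit(self, pri: int, timestamp: str, body: str) -> bytes:
        self.counter += 1
        tag = _tag(self.key, str(pri), timestamp, self.host, self.counter, body)
        return f"<{pri}>{timestamp} {self.host} {body} @auth:{self.counter}:{tag}".encode()


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys      # host -> shared secret, provisioned out of band (assumption)
        self.last = {}        # host -> highest counter accepted so far

    def accept(self, datagram: bytes):
        """Return (verdict, body); body is None whenever the message is rejected."""
        m = HEADER_RE.match(datagram.decode("ascii", "replace"))
        if m is None:
            return "malformed", None
        pri, timestamp, host, payload = m.groups()
        t = TRAILER_RE.search(payload)
        if t is None:
            return "unauthenticated", payload   # legacy sender; local policy decides what to do
        key = self.keys.get(host)
        if key is None:
            return "unknown-host", None
        counter, tag = int(t.group(1)), t.group(2)
        body = payload[:t.start()]
        if not hmac.compare_digest(_tag(key, pri, timestamp, host, counter, body), tag):
            return "bad-mac", None              # forged, or modified in transit
        prev = self.last.get(host, 0)
        if counter <= prev:
            return "replay", None               # already accepted, or an old message re-sent
        self.last[host] = counter
        lost = counter - prev - 1               # a gap is the receiver's only hint of loss
        return ("ok" if lost == 0 else f"ok-gap:{lost}"), body


def demo():
    key = b"constructed-example-secret"         # sample only; real keys come from provisioning
    fw1 = Sender(key, "fw1")
    collector = Receiver({"fw1": key})
    d1 = fw1.emit(34, "Mar 27 09:30:00", "login failed for root")
    d2 = fw1.emit(34, "Mar 27 09:30:01", "login failed for root")
    d3 = fw1.emit(34, "Mar 27 09:30:02", "ACL deny 10.0.0.5")
    return [
        collector.accept(d1),                                    # genuine
        collector.accept(d1),                                    # replayed copy
        collector.accept(d2.replace(b"09:30:01", b"23:59:59")),  # event time rewritten in transit
        collector.accept(d3),                                    # arrives after d2 was rejected/dropped
        collector.accept(b"<13>Mar 27 09:30:04 printer1 plain old message"),  # non-participant
        collector.accept(Sender(b"wrong-key", "fw1").emit(34, "Mar 27 09:30:05", "forged")),
    ]


if __name__ == "__main__":
    for verdict, body in demo():
        print(verdict, body)
```

The caveat the charter's "not impacting non-participants" goal carries is visible in the `unauthenticated` verdict: a legacy device's messages still arrive and must be accepted or dropped by local policy, so an attacker who can reach the collector can still inject unauthenticated text until every sender participates.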

14
Goals and Milestones
  • May 2000 Post as an Internet Draft the observed
    behavior of the Syslog protocol for consideration
    as a Standards Track RFC.
  • Jul 2000 Post as an Internet Draft the
    specification for an authenticated Syslog for
    consideration as a Standards Track RFC.
  • Aug 2000 Post as an Internet Draft the
    specification for an authenticated Syslog with
    verifiable delivery and message integrity for
    consideration as a Standards Track RFC.
  • Dec 2000 Revise drafts as necessary and advance
    these Internet Drafts to Standards Track RFCs.