What is priority security?
There is, no doubt, a myriad of opinions and theories on exactly
which system, mechanism, or practice should come first in an
information security defense strategy.
Let me propose this prioritized list:
1. A proper firewall perimeter
2. Central logging
3. Everything else
Why is central logging so important? Because it is perhaps the best
available host intrusion detection system, and the second best
audit trail (the first being a complete capture of all network data).
I believe that central logging is imperative for detecting anomalous
behavior, and it is quite probably the simplest and easiest method
to implement. After all, the most popular operating systems (Unix,
GNU/Linux, BSD, MacOS, and Windows) can easily be configured to
echo their system logs to a remote logging host.
The Central Logging Host
Usually, I prefer a dedicated GNU/Linux host to keep central logs
and use syslog-ng as a replacement for the native syslog daemon.
I won't go into the details of setting up syslog-ng, for there is
plenty of documentation for that. If you're not familiar, some
relevant links are below.
But I do believe in one important concept for configuring
syslog-ng: a combined log. By having all of the systems on a
network write to a single log, the entire network can be
watched for anomalous behavior.
Windows?
“Well,” you say, “that's fine and good for Unix/BSD variants,
but I do have some Windows boxes percolating around here
somewhere.” If that's the case, the snare utility can be used
to have Windows do remote logging to a syslog host. And,
if you insist on a commercial product instead of either
syslog-ng or snare, there are several fine products on the
market (including commercial versions of both syslog-ng
and snare).
Lastly
Once you have a central logging host configured to keep
logs for all the systems on your network(s), what to do
next? Use the appropriate utilities for analyzing the log
data, both in real time and on a routine basis.
For real-time analysis of log data, I'll typically use swatch
to trigger on suspicious behavior. And, there are quite a
few log analyzers to produce reports on the data.
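To illustrate both points above, the combined log and swatch-style real-time triggering, here is a small watcher written for this page; it is an added example, not code from the original page or from the syslog-ng or swatch projects. It reads a combined syslog file and counts failed SSH logins per source address across every host, so a slow, spread-out pattern that stays under any single host's threshold still trips a network-wide alert. The log lines are constructed, and the classic "Mon DD HH:MM:SS host program[pid]: message" line format, the 2005 year (the classic format carries none) and the threshold of five failures in five minutes are all assumptions.

```python
"""Swatch-style watcher over a combined syslog file (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic BSD syslog line as a default syslog-ng file template writes it.
# Assumption: the combined log uses this format rather than ISO timestamps.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# The pattern swatch would "watchfor": sshd reporting a failed password.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2005):
    """Split one syslog line into fields; None if it is not a syslog line.
    The classic format has no year, so one is supplied (assumed 2005)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class FailedLoginWatcher:
    """Alert when one source IP reaches `threshold` failed SSH logins within
    `window_seconds`, counted across every host in the combined log."""

    def __init__(self, threshold=5, window_seconds=300):
        self.threshold = threshold
        self.window = window_seconds
        self.events = defaultdict(deque)  # src ip -> deque of (ts, host)
        self.alerts = []

    def feed(self, line):
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            return None
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if not m:
            return None
        q = self.events[m["src"]]
        q.append((rec["ts"], rec["host"]))
        # Slide the window: forget failures older than window_seconds.
        while q and (rec["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            hosts = sorted({h for _, h in q})
            alert = (f"{m['src']}: {len(q)} failed ssh logins in {self.window}s "
                     f"across {len(hosts)} hosts ({', '.join(hosts)})")
            self.alerts.append(alert)
            q.clear()  # one burst, one alert
            return alert
        return None


def run(log_text, threshold=5, window_seconds=300):
    """Feed every line of a combined log through the watcher; return alerts."""
    w = FailedLoginWatcher(threshold, window_seconds)
    for line in log_text.splitlines():
        w.feed(line)
    return w.alerts


def per_host_failures(log_text):
    """Failed-login count per host: what a per-host log alone would show."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "sshd" and FAILED_LOGIN_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return dict(counts)


# Constructed sample: one address probing four hosts, plus benign noise.
SAMPLE_LOG = """\
Mar 14 10:00:01 web1 sshd[2201]: Failed password for root from 10.0.0.99 port 40122 ssh2
Mar 14 10:00:09 web1 cron[813]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 10:00:15 web2 sshd[3310]: Failed password for invalid user admin from 10.0.0.99 port 40130 ssh2
Mar 14 10:00:44 db1 sshd[1502]: Failed password for root from 10.0.0.99 port 40141 ssh2
Mar 14 10:01:02 db1 sshd[1502]: Accepted publickey for backup from 10.0.0.5 port 51000 ssh2
Mar 14 10:01:30 mail sshd[977]: Failed password for root from 10.0.0.99 port 40160 ssh2
Mar 14 10:02:10 web2 sshd[3314]: Failed password for root from 10.0.0.99 port 40171 ssh2
Mar 14 10:03:00 web1 sshd[2210]: Failed password for root from 192.0.2.7 port 33000 ssh2
"""

if __name__ == "__main__":
    print("per host:", per_host_failures(SAMPLE_LOG))
    for a in run(SAMPLE_LOG):
        print("ALERT", a)
```

Against the live combined log, replace SAMPLE_LOG with lines tailed from the file. In the sample, no host sees more than two failures, so a per-host threshold of five never fires; the same five failures seen together in the combined log do.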
You will also want to write the log data to some kind of
read-only media, such as a CD or DVD, not only for
archival auditing, but for future analysis as well.
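One check worth adding before the logs go to CD or DVD, as an added example rather than something the page itself prescribes: write a SHA-256 manifest alongside the files, so a later reviewer can confirm that the archived copy still matches what was written. The manifest uses the `<hash>  <path>` lines that sha256sum -c accepts; the directory layout and the sample log lines below are constructed.

```python
"""SHA-256 manifest for a log archive destined for read-only media
(added example, not from the original page)."""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large daily logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(archive_dir):
    """Hash every file under archive_dir (except the manifest itself) and
    write '<hash>  <relative path>' lines, the format sha256sum -c reads.
    Returns the manifest lines."""
    root = Path(archive_dir)
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    (root / MANIFEST_NAME).write_text("\n".join(entries) + "\n")
    return entries


def verify_manifest(archive_dir):
    """Re-hash the archive against its manifest; return a list of problems
    (empty when every listed file is present and unchanged)."""
    root = Path(archive_dir)
    problems = []
    for line in (root / MANIFEST_NAME).read_text().splitlines():
        expected, rel = line.split("  ", 1)
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Build a small constructed archive, write its manifest, verify it,
    then damage the copy and verify again. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "combined.log").write_text(
            "Mar 14 10:00:01 web1 sshd[2201]: Accepted publickey for ops "
            "from 10.0.0.5 port 51000 ssh2\n")
        (root / "hosts").mkdir()
        (root / "hosts" / "web1.log").write_text(
            "Mar 14 10:00:09 web1 cron[813]: (root) CMD (run-parts /etc/cron.hourly)\n")
        write_manifest(root)
        clean = verify_manifest(root)
        # Simulate a damaged copy: one file emptied, one file gone.
        (root / "combined.log").write_text("")
        (root / "hosts" / "web1.log").unlink()
        tampered = verify_manifest(root)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh archive:", clean or "ok")
    print("damaged copy:", tampered)
```

Burn the manifest with the logs, and keep a second copy of it elsewhere: a manifest that travels only with the disc proves the disc is self-consistent, while a separately stored copy also proves the disc is the one that was written.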
So, that's the short version of why centralized logging
is key to information security. Very soon, I hope to be
adding more content.
Links
Configuring syslog-ng:
http://www.sun.com/bigadmin/features/articles/syslog_ng.html
http://www.linuxsecurity.com/content/view/117646/49/
http://www.oreilly.com/catalog/bssrvrlnx/
http://books.slashdot.org/article.pl?sid=03/05/29/1546209&mode=thread&tid=126&tid=172
Configuring snare:
www.giac.com/practical/GSEC/Joe_Malmberg_GSEC.pdf
http://www.intersectalliance.com/resources/Guide_to_SNARE_for_Windows.pdf
Using swatch:
http://www.linuxsecurity.com/content/view/117281/50/
http://rootprompt.org/article.php3?article=449
http://www.oreilly.com/catalog/linuxss2/index.html
If you have any suggestions for this page, please
email me: mark AT altsec.info, replacing
the word AT with “@”, of course.
Copyright © 2005 Mark Stingley