You are the administrator at Certkiller Inc. and you need to check syslogs for information. How do you check syslog information to ensure that it has not been altered in transit?
A. Packets use CRC to ensure data has not been altered in transit.
B. Syslog has no checking to ensure that the packet contents have not been altered in transit.
C. Host IDS inspects the packet to ensure time stamps are concurrent.
D. The firewall inspects the packet to ensure time stamps are concurrent.
E. IPSec inspects the packet to ensure time stamps are concurrent.
Explanation:
Logging: Syslog is also sent as cleartext between the managed device and the management host. Syslog has no packet-level integrity checking to ensure that the packet contents have not been altered in transit. An attacker may alter syslog data in order to confuse a network administrator during an attack. Where possible, syslog traffic may be encrypted within an IPSec tunnel in order to mitigate the chance of its being altered in transit. Where the syslog data cannot be encrypted within an IPSec tunnel because of cost or the capabilities of the device itself, the network administrator should note that there is a potential for the syslog data to be falsified by an attacker. When allowing syslog access from devices on the outside of a firewall, RFC 2827 filtering at the egress router should be implemented. This mitigates the chance of an attacker outside the network spoofing the address of the managed device and sending false syslog data to the management hosts. ACLs should also be implemented on the firewall in order to allow syslog data from only the managed devices themselves to reach the management hosts. This prevents an attacker from sending large amounts of false syslog data to a management server in order to confuse the network administrator during an attack.
Syslog uses UDP port 514.
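The following is an added example, not part of the exam explanation or of the Cisco SAFE paper, showing the two points above in code: a minimal RFC 3164 syslog datagram parser has no checksum, MAC or signature field to verify (an altered datagram parses just as cleanly as the original), so the only protection available at the management host is the source-based filtering the explanation recommends. The `accept_syslog` function mirrors the firewall ACL (UDP/514 only from the managed devices) and `rfc2827_spoofed` mirrors the anti-spoofing check at the border (a packet arriving from outside must not carry an inside source address). The device addresses, networks and sample datagrams are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

SYSLOG_UDP_PORT = 514  # syslog transport port, as stated on the page

# RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT, where PRI = facility*8 + severity
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed example topology (assumption, not from the page)
MANAGED_DEVICES = {"10.1.1.5", "10.1.1.6"}                 # devices allowed to log to the server
INSIDE_NETS = [ipaddress.ip_network("10.1.0.0/16")]        # prefixes that live behind the border router

# Constructed sample datagrams: the second is the first with its content tampered
SAMPLE_DATAGRAM = b"<34>Oct 11 22:14:15 rtr1 %SYS-5-CONFIG_I: Configured from console by admin"
ALTERED_DATAGRAM = b"<34>Oct 11 22:14:15 rtr1 %SYS-5-CONFIG_I: Configured from console by nobody"


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    body: str


def parse_syslog(datagram: bytes) -> SyslogMessage:
    """Parse the PRI header of an RFC 3164 datagram.

    There is no integrity field to check: any well-formed bytes parse,
    regardless of who sent them or whether they were modified en route.
    """
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facilities 0..23, severities 0..7
        raise ValueError("PRI out of range")
    body = m.group(2).decode("ascii", "replace").strip()
    return SyslogMessage(facility=pri // 8, severity=pri % 8, body=body)


def rfc2827_spoofed(src_ip: str, arrived_from_outside: bool, inside_nets) -> bool:
    """RFC 2827 logic at the border: a datagram that arrives on the outside
    interface but claims a source address from an inside prefix is spoofed."""
    ip = ipaddress.ip_address(src_ip)
    return arrived_from_outside and any(ip in net for net in inside_nets)


def accept_syslog(src_ip, dst_port, datagram, managed_devices, inside_nets,
                  arrived_from_outside=False):
    """Decide whether a datagram may reach the management host.

    Returns (accepted, reason). This is the receiver-side equivalent of the
    firewall ACL: only UDP/514 from the managed devices themselves, after the
    border anti-spoofing check. Note that nothing here can tell a genuine
    datagram from one altered in transit; only the source is filtered.
    """
    if dst_port != SYSLOG_UDP_PORT:
        return False, "not the syslog port"
    if rfc2827_spoofed(src_ip, arrived_from_outside, inside_nets):
        return False, "inside source address arriving from outside (RFC 2827)"
    if src_ip not in managed_devices:
        return False, "source is not a managed device (ACL)"
    try:
        parse_syslog(datagram)
    except ValueError as exc:
        return False, f"malformed datagram: {exc}"
    return True, "ok"


def integrity_is_detectable(original: bytes, altered: bytes) -> bool:
    """Return True only if the parser can distinguish tampered content from
    genuine content by its own means. With plain syslog the answer is always
    False: both parse successfully and are accepted from a trusted source."""
    try:
        parse_syslog(original)
        parse_syslog(altered)
    except ValueError:
        return True  # tampering that breaks the header is noticed, nothing else is
    return False


if __name__ == "__main__":
    print(parse_syslog(SAMPLE_DATAGRAM))
    print(accept_syslog("10.1.1.5", 514, SAMPLE_DATAGRAM, MANAGED_DEVICES, INSIDE_NETS))
    print(accept_syslog("10.1.1.5", 514, SAMPLE_DATAGRAM, MANAGED_DEVICES, INSIDE_NETS,
                        arrived_from_outside=True))
    print(accept_syslog("198.51.100.7", 514, SAMPLE_DATAGRAM, MANAGED_DEVICES, INSIDE_NETS))
    print("tampering detectable:", integrity_is_detectable(SAMPLE_DATAGRAM, ALTERED_DATAGRAM))
```

The source allowlist and the RFC 2827 check keep an outsider from injecting or flooding false syslog data, which is exactly what the explanation's ACL and egress-filtering advice achieves; they do nothing against modification of a genuine datagram on the path, which is why the same text recommends an IPSec tunnel where the device supports it.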
Reference:
SAFE white papers, page 72
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks