Syslog BoF

1
Syslog BoF

• 47th IETF - Adelaide
• Chris Lonvick
• clonvick_at_cisco.com

2
Agenda

• Agenda bashing
• Introduction and Level Setting -30 minutes
• Definition, Use and History
• Perceived Weaknesses
• Goals of a Secure Syslog Working Group -20
  minutes
• Proposed Charter and Subsequent Bashing
• Proposed Deliverables, Timetable and Subsequent
  Bashing

3
Syslog Use

• Event Notification
• Common OS devices (e.g. Unix, Linux, NT, etc) and
  their applications
• Routers
• Switches
• Firewalls
• Printers
• Thin clients

4
Generally Accepted Syslog Packet Contents

• Facility Severity (required)
• Time (usual)
• Message (required)

5
Syslog Protocol

• UDP/514
• Stateless between the Client and Server
• No authentication of sender nor reciprocal
  authentication of receiver
• No acknowledgement of receipt
• No coordinated timestamping
• No standardized (or even suggested) message
  content or format

6
Syslog Protocol Potential Vulnerabilities (1)

• An Attacker may transmit messages (either from
  the machine that the messages purport to be sent
  from, or from any other machine) to a server to
• fill the disk or otherwise overwhelm the server
• hide the true nature of an attack amidst many
  other messages
• give false indications of events

7
Syslog Protocol Potential Vulnerabilities (2)

• An Attacker may disable syslog message
  transmissions from a device to
• hide an attack on, or the compromise of the
  device

8
Syslog Protocol Potential Vulnerabilities (3)

• An Attacker may view, delete, modify, or redirect
  syslog messages while in transit to
• hide activities
• modify event times
• insert fictitious events
• determine the status of a machine/application

9
syslog References in RFCs

• RFC 1060/1340/1700 Assigned numbers - J.K.
  Reynolds, J. Postel
• RFC 1244/2196 Site Security Handbook - J.P.
  Holbrook, J.K. Reynolds / B. Fraser
• RFC 1912 Common DNS Operational and
  Configuration Errors - D. Barr
• RFC 1919 Classical versus Transparent IP Proxies
  - M. Chatel
• RFC 2072 Router Renumbering Guide - H. Berkowitz
• RFC 2179 Network Security For Trade Shows - A.
  Gwinn
• RFC 2194 Review of Roaming Implementations - B.
  Aboba, J. Lu, J. Alsop, J. Ding, W. Wang
• RFC 2669 DOCSIS Cable Device MIB Cable Device
  Management Information Base for DOCSIS compliant
  Cable Modems and Cable Modem Termination Systems
  - M. St. Johns, Ed.

10
Solvable Problems

• Message Authentication
• Message Integrity
• Feedback mechanism for verifiable receipt
• Confidentiality may be delivered through SSL/TLS
  or IPSec

11
Solutions Requirements

• Focus on the protocol
• Message content is outside the scope of this
  charter
• Deployment must not interrupt the existing
  mechanism

12
Goals of a Secure Syslog Working Group

• Proposed WG Charter

13
Description

• Syslog is a de facto standard for logging system
  events. However, the protocol component of this
  event logging system has not been formerly
  documented. While the protocol has been very
  useful and scaleable, it has some known but
  undocumented security problems. For instance, the
  messages are unauthenticated and there is no
  mechanism to provide verified delivery and
  message integrity.
• The goal of this working group is to document and
  address the security and integrity problems of
  the existing Syslog mechanism. In order to
  accomplish this task we will document the
  existing protocol. The working group will also
  explore and develop a standard to address the
  security problems.
• Message authentication can be addressed in
  well-known ways using shared secrets or public
  keys. Because an important component of any
  solution will be the ease of transition from the
  existing mechanism, we will initially explore the
  use of shared secrets within the existing
  protocol with the intent of not impacting
  non-participants. Verifiable delivery, message
  integrity and authentication can also be explored
  in a tcp-based message delivery protocol.

14
Goals and Milestones

• May 2000 Post as an Internet Draft the observed
  behavior of the Syslog protocol for consideration
  as a Standards Track RFC.
• Jul 2000 Post as an Internet Draft the
  specification for an authenticated Syslog for
  consideration as a Standards Track RFC.
• Aug 2000 Post as an Internet Draft the
  specification for an authenticated Syslog with
  verifiable delivery and message integrity for
  consideration as a Standards Track RFC.
• Dec 2000 Revise drafts as necessary and advance
  these Internet Drafts to Standards Track RFCs.