Security Issues in Network Event Logging BOF (syslog)
Wednesday, November 10 at 1530-1730
===================================

CHAIR: Alex Brown

DESCRIPTION:

Syslog is a de facto standard for network logging of system and network events, but it has never been treated as such by the IETF. This WG would briefly describe the existing BSD syslog in an informational RFC and then recommend several levels of security mechanisms that could be applied to syslog daemon and client operation to meet various kinds and levels of threat. The WG would also discuss replacement of syslog with network logging systems that are (a) designed, and (b) designed to meet specific security threats with cryptographically strong protocols.

AGENDA:

UNIX syslog as de facto network event logging standard
  UNIX syslog origin as BSD local system event logging mechanism
  Extension to network logging by assignment of UDP port 514
  Lack of recorded standard-style documentation of syslog
  History of security defects in design and implementation

Security analysis: local vs. network threat model; low, medium, high risk environments

Proposals
  Schneier (http://www.counterpane.com/secure-logs.html)
  Reed and Assange (http://cheops.anu.edu.au/~avalon/nsyslog.html)
  Torre (http://www.core-sdi.com/ssyslog)
  3Com: simple filtering and authentication methods
  Others?

Needed work
  Syslog description RFC (finally)
  Security recommendations for existing syslog
  Secure replacement for syslog

Discuss IETF approach: New WG? Activity within existing WG?

BOF outcome: WG formation? BOF records published?