[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: auditing

To: sommerfeld@apollo.hp.com (Bill Sommerfeld)
Subject: Re: auditing
From: Dan.McDonald@Eng.sun.com (Dan McDonald)
Date: Wed, 2 Apr 1997 14:25:35 -0800 (PST)
Cc: ipsec@tis.com
In-Reply-To: <199704022147.QAA00458@thunk.ch.apollo.hp.com> from "Bill Sommerfeld" at Apr 2, 97 04:47:55 pm
Sender: owner-ipsec@ex.tis.com

I have to say that after some further thought, if you HAVE logging
facilities, you MUST audit.  This, I guess, puts me in violent agreement with
Bill.

I keep having this sinking feeling that there might be some class of attack
that can only get caught by auditing/logging.  Anyone care to comment on
this?

And speaking of Bill, he mentions...

> Of course, this means that outbound (and inbound) logging traffic
> needs to be treated the same way as key management traffic, bypassing
> any ipsec policy engine which might trigger the creation or use of a
> security association...

I'll insert a plug for draft-mcdonald-simple-ipsec-api-01.txt, which includes
such a BYPASS setting for privileged applications.

Dan

References:

Re: auditing

From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

Prev by Date: Re: auditing
Next by Date: Re: auditing
Prev by thread: Re: auditing
Next by thread: Re: auditing
Index(es):
- Main
- Thread