Security Issues in Network Event Logging BOF (syslog)

Wednesday, November 10 at 1530-1730
===================================

CHAIR: Alex Brown <abrown@3com-ne.com> 

DESCRIPTION:

Syslog is a de facto standard for network logging of system and network
events, but it has never been treated as such by the IETF. This WG would
briefly describe the existing BSD syslog in an informational RFC and
then recommend several levels of security mechanisms that could be
applied to syslog daemon and client operation to meet various kinds and
levels of threat. The WG would also discuss replacing syslog with
network logging systems that are (a) designed at all, and (b) designed
to meet specific security threats with cryptographically strong
protocols.

AGENDA:

UNIX syslog as de facto network event logging standard
UNIX syslog origin as BSD local system event logging mechanism
Extension to network logging by assignment of UDP port 514
Lack of recorded standard-style documentation of syslog
History of security defects in design and implementation
Security analysis: local vs network threat model; low, medium, high risk environments
Proposals
  Schneier (http://www.counterpane.com/secure-logs.html)
  Reed and Assange (http://cheops.anu.edu.au/~avalon/nsyslog.html)
  Torre (http://www.core-sdi.com/ssyslog)
  3Com: simple filtering and authentication methods
  Others?
Needed work
  Syslog description RFC (finally)
  Security recommendations for existing syslog
  Secure replacement for syslog
Discuss IETF approach: New WG? Activity within existing WG?
BOF outcome:
  WG formation?
  BOF records published?