T 5.176 Compromising the logged data transmission during centralised logging

If the logged data is stored centrally, the recorded information is transmitted to the logging server where it is processed and analysed. The transmitted logging events may contain personal information such as user names that can be assigned to a specific person. If the logged data is transmitted using insecure and unencrypted transmission routes, it may be tapped or manipulated.

Exploitation of in-band connections

If IT systems are operated in an insecure network, the systems are most likely exposed to attacks from the network. A packet filter in a security gateway positioned between the public network and the Application Level Gateway is one example. If logged information of the packet filter is to be sent to a centralised logging server, a data connection to the centralised logging server via the Application Level Gateway and possibly via further systems is required (in-band). This connection path could also be used by an attacker, because externally initiated connections into the internal networks constitute a vulnerability. With an out-of-band connection, these problems do not occur, because the logged data is transported within a dedicated, closed network. However, this is significantly more complex: a separate network infrastructure must be established and an additional network must be administered. Furthermore, the possible damage may be severe if an attacker managed to compromise the out-of-band network.

Compromising the centralised logging server

If a centralised logging server that is not positioned in a separate administration network is compromised, its central location facilitates attacks on further components. Since the server must be reachable from IT systems both upstream and downstream of the security gateway, it provides the attacker with an opportunity to bypass the security gateway of an information system. For example, the data traffic between an email server and the logging server could be recorded with a network analysis tool and any personal data it contains could be read. Moreover, an attacker can read and manipulate the logged data itself.

Manipulated logged data

If an attacker manipulates logged data, its integrity and completeness can no longer be relied upon, and its validity and reliability are no longer guaranteed. Manipulated log messages may cause serious problems even for an IT early-warning system: if only an incomplete picture of the situation can be generated, attacks on IT systems or applications may remain unnoticed, for example. One reason for incomplete logged data may be the use of network protocols such as the User Datagram Protocol (UDP), which provide no mechanism for checking whether all packets were delivered.
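The two threats above (tapping or manipulation on an unencrypted route, and silently lost UDP datagrams) can be made detectable at the application layer by giving every forwarded log message a sequence number and a keyed integrity tag. The following Python example is added here for illustration and is not part of the threat catalogue or of any particular logging product; the shared key, the message format and the sample log lines are all constructed for this example. Note that an HMAC gives integrity, not confidentiality: it does not replace an encrypted transport such as TLS for the personal data the messages may carry.

```python
import hashlib
import hmac
import json

# Shared secret between forwarder and central logging server.
# Constructed for this example only; a real deployment would provision its own key.
SECRET = b"example-shared-secret-not-for-production"


def seal(seq, message, key=SECRET):
    """Wrap one log line in a record carrying a sequence number and an HMAC-SHA256 tag.

    The JSON body is serialised deterministically (sorted keys, no whitespace) so that
    the receiver can recompute exactly the same bytes that were tagged.
    """
    body = json.dumps({"seq": seq, "msg": message}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "|" + tag


def verify_stream(records, key=SECRET):
    """Check each received record for tampering and the stream for gaps or replays.

    Returns (accepted, findings): accepted is the list of parsed, authentic records;
    findings is a list of (kind, detail) tuples, where kind is one of
    'malformed', 'tampered', 'gap' or 'replay_or_reorder'.
    """
    accepted = []
    findings = []
    expected = None  # sequence number we expect to see next
    for rec in records:
        body, sep, tag = rec.rpartition("|")
        if not sep:
            findings.append(("malformed", rec))
            continue
        calc = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(calc, tag):
            findings.append(("tampered", rec))
            continue
        entry = json.loads(body)
        seq = entry["seq"]
        if expected is not None:
            if seq > expected:
                findings.append(("gap", f"missing seq {expected}..{seq - 1}"))
            elif seq < expected:
                findings.append(("replay_or_reorder", f"seq {seq} arrived after seq {expected - 1}"))
        expected = seq + 1 if expected is None else max(expected, seq + 1)
        accepted.append(entry)
    return accepted, findings


def demo():
    """Simulate a lossy, hostile transmission path and return what the receiver concludes."""
    # Constructed sample log lines as a forwarder would emit them.
    sent = [seal(i, f"user=alice action=login id={i}") for i in range(5)]
    # Transit: datagram with seq 2 is lost (UDP gives no notice of this) ...
    in_transit = sent[:2] + sent[3:]
    # ... and the record with seq 3 is altered on the wire by someone who can read and
    # rewrite unencrypted traffic but does not hold the key.
    in_transit[2] = in_transit[2].replace("alice", "mallory")
    return verify_stream(in_transit)


if __name__ == "__main__":
    accepted, findings = demo()
    print("accepted seq:", [e["seq"] for e in accepted])
    for kind, detail in findings:
        print(f"{kind}: {detail}")
```

Running the demo reports one tampered record and a gap covering the lost datagram and the rejected one, and accepts only the three records whose tags verified. On the receiving side these findings are exactly the events an early-warning system should alarm on, since both cases mean the picture of the situation is incomplete.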

Bandwidth bottlenecks

Because a large amount of logged data is transmitted through the network in addition to the user data, bandwidth bottlenecks may arise in which the transmission of the log messages impairs the transmission of the user data. Furthermore, bandwidth bottlenecks may cause log information to be forwarded with a delay or to be lost entirely. In an IT early-warning system, this may cause serious problems, because an overall picture of the information system can only be generated from the sum of the partial information supplied by the individual IT systems.

Example: