S 5.171 Secure communication with a centralised logging server
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
With centralised logging, the log data of the monitored IT systems and applications is transmitted over the network to a central logging server, where it is collected, analysed, and stored. Since log data may also contain personal data, it must be protected against unauthorised access (reading, modification, or deletion), both in transit and on the logging server itself.
To prevent log data from being intercepted or manipulated on its way to the central logging server, it can be transmitted encrypted, over a separate administration network (out-of-band), or both. This protects the confidentiality and the integrity of the log messages in transit.
Confidentiality for sensitive information
Some data sources generate log messages that can be attributed to a specific person. The confidentiality of log data must therefore also be ensured during transmission, for example by protecting the connection with TLS (see S 5.66 Use of TLS/SSL) or by encrypting the log data itself before it is sent. A separate administration network (out-of-band) also helps to protect the data in transit.
Integrity and completeness of the logged data
If log data is to be used for IT early warning or in computer forensics, neither evidence of security incidents nor the validity of the collected information may be lost. In addition, the logging server and the IT system delivering the log data should authenticate each other. This makes man-in-the-middle attacks more difficult and prevents log data from being sent to unauthorised parties by mistake. Mechanisms protecting the integrity and authenticity of the transmitted and of the stored information must therefore be provided.
Log data must be correct and complete. This is required both for its validity as evidence and for technical reasons: missing or altered records make correlation and analysis unreliable.
Since larger information systems generate large volumes of log data, sufficient bandwidth must be available to transmit it, and temporary bandwidth bottlenecks must not lead to the loss of log messages (for example by buffering them on the sending system until they can be delivered). Conversely, the transmission of log data must not impair the transmission of user data. Log messages can be transmitted over a separate administration network (out-of-band) instead of the production data network (in-band). Depending on the protection requirements, it should be considered whether it is sensible and technically feasible to separate log data and user data logically or physically.
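The integrity, authenticity and completeness requirements above can be checked mechanically on the receiving side, independently of the transport. The following added example (not part of this safeguard, and not a particular product's implementation) shows one way to do it: the agent on the monitored system numbers each record and authenticates it with an HMAC under a per-agent key, and the central server drops forged, modified or replayed records, raises an alert for any gap in the sequence, and can re-verify the stored log later before it is used as evidence. The key, the agent name "web01" and the log lines are constructed for the example; in a real deployment the key would be provisioned out of band (or replaced by TLS client certificates as in S 5.66).

```python
"""Sequence-numbered, HMAC-authenticated log records: agent and server halves.

Added example (not part of the catalogue). Assumes a per-agent shared secret
provisioned out of band and a JSON-lines wire format; AGENT_KEY and the
agent name "web01" are hypothetical.
"""
import hashlib
import hmac
import json

AGENT_KEY = b"hypothetical-per-agent-secret-provisioned-out-of-band"  # assumption


def _tag(key: bytes, agent: str, seq: int, msg: str) -> str:
    """HMAC-SHA256 over everything an attacker must not be able to change.
    JSON encoding keeps field boundaries unambiguous (no delimiter injection)."""
    payload = json.dumps([agent, seq, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Agent:
    """Runs on the monitored system: numbers and authenticates each record."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seq = name, key, 0

    def emit(self, msg: str) -> str:
        self.seq += 1
        return json.dumps({"agent": self.name, "seq": self.seq, "msg": msg,
                           "tag": _tag(self.key, self.name, self.seq, msg)})


class Server:
    """Central logging server: drops forged/modified and replayed records,
    accepts out-of-sequence records but raises an alert for the gap."""

    def __init__(self, keys: dict):
        self.keys = keys        # agent name -> shared key
        self.last_seq = {}      # agent name -> highest accepted sequence number
        self.store = []         # accepted records, i.e. the stored log
        self.alerts = []

    def receive(self, line: str) -> bool:
        try:
            rec = json.loads(line)
            agent, seq, msg, tag = rec["agent"], int(rec["seq"]), rec["msg"], rec["tag"]
        except (ValueError, KeyError, TypeError):
            self.alerts.append("malformed record dropped")
            return False
        key = self.keys.get(agent)
        # Authenticity/integrity first: an unknown agent or a bad tag is never stored.
        if key is None or not hmac.compare_digest(_tag(key, agent, seq, msg), tag):
            self.alerts.append(f"{agent}#{seq}: bad tag (forged or modified), dropped")
            return False
        last = self.last_seq.get(agent, 0)
        if seq <= last:
            self.alerts.append(f"{agent}#{seq}: replay or reordering, dropped")
            return False
        if seq != last + 1:  # completeness: something was lost on the way
            self.alerts.append(f"{agent}: records {last + 1}..{seq - 1} missing")
        self.last_seq[agent] = seq
        self.store.append(rec)
        return True


def verify_archive(store: list, keys: dict) -> list:
    """Re-check the stored log later (e.g. before forensic use): every tag must
    still verify and sequence numbers must be contiguous per agent."""
    findings, last = [], {}
    for rec in store:
        a, s = rec["agent"], rec["seq"]
        if not hmac.compare_digest(_tag(keys[a], a, s, rec["msg"]), rec["tag"]):
            findings.append(f"{a}#{s}: stored record modified")
        if s != last.get(a, 0) + 1:
            findings.append(f"{a}: gap or reordering before #{s}")
        last[a] = s
    return findings


def demo() -> dict:
    """Constructed traffic: one good record, one lost in transit, one modified
    in transit, one replayed, and one edited in the archive afterwards."""
    agent = Agent("web01", AGENT_KEY)
    server = Server({"web01": AGENT_KEY})
    first = agent.emit("sshd[812]: Accepted publickey for ops from 10.0.0.5")
    agent.emit("sudo: ops : COMMAND=/bin/bash")        # seq 2, never reaches the server
    third = agent.emit("sshd[812]: session closed for user ops")
    modified = json.loads(first)
    modified["msg"] = modified["msg"].replace("Accepted", "Failed")
    accepted = [server.receive(first), server.receive(third),
                server.receive(json.dumps(modified)), server.receive(first)]
    server.store[0]["msg"] += " (edited after the fact)"  # tampering with stored data
    return {"accepted": accepted, "alerts": server.alerts,
            "archive_findings": verify_archive(server.store, server.keys)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what each check buys: the HMAC covers the agent name, the sequence number and the message, so neither the content nor the origin can be altered without the key; the sequence number makes replay and loss visible; and the same tags are re-checked on the stored copy, which is what makes the archive usable as evidence. A gap alert cannot tell transport loss from deliberate suppression on the sending system, which is one reason the transport itself should also be reliable (see the bandwidth and buffering point above).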
Examples for secure communication
The following safeguards show how the availability, integrity, and confidentiality of log data can be ensured during transmission. They can be applied individually or in combination.
- Software agents:
Software installed on the system to be monitored collects the log data and transmits it to the central logging server in encrypted form. One essential advantage is that all monitored systems then use the same logging format, so part of the normalisation can be performed in a decentralised manner on the monitored systems themselves. As a prerequisite, it must be possible to install the agent software on the IT system, which is often not possible for network components such as routers or security gateways.
- Layer 2 separation:
When switches are used, it must be borne in mind that VLANs (virtual LANs) were not designed to meet the security requirements for network separation. VLANs offer numerous points of attack, so additional safeguards must always be implemented, particularly where networks requiring protection are to be separated. More detailed information on VLANs can be found in S 2.277 Functional description of a switch.
- Layer 3 separation:
Routers make their forwarding decisions on layer 3 of the OSI model and are therefore well suited as coupling elements; they also allow structured network separation, for example by placing the logging server in its own subnet protected by access lists. The disadvantage is that a router normally shares its memory between processes, interface management, and the access lists, which can lead to resource bottlenecks. Fine-grained routing such as subnet separation, autonomous-system routing, and the like can also be complex to administer.
- VPN connection:
This variant is suitable, for example, for components with increased protection requirements regarding confidentiality and integrity that are connected over a public network. The IT systems must support compatible VPN mechanisms; alternatively, they can be connected to VPN appliances that establish the encrypted connection on their behalf.
- Out-of-band management (administration network):
With out-of-band management, a separate network is used for transmitting the log data. Since this LAN is used only for logging and possibly for administration, consistent network separation makes access by attackers more difficult. Out-of-band management is usually more complex than the other methods, because an additional network interface in the logging IT system and an independent network infrastructure are required. An advantage of the administration network is that protocols considered insecure (particularly SNMP version 1, which transmits its community strings in plain text) can still be used where no alternative is available, for example to monitor operation by means of IT early-warning systems.
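As an added example (not part of this safeguard and not taken from any product documentation), the following rsyslog configuration combines several of the points above for the software-agent variant: TLS with mutual X.509 authentication (cf. S 5.66), a restriction of permitted peers by certificate name on both sides, and a disk-assisted queue on the sending system so that a temporary bandwidth or connection problem delays log messages rather than losing them. The host names, certificate paths, file names and the queue size are assumptions; the TLS driver is rsyslog's gtls (GnuTLS) driver, and the two fragments belong in separate files on the monitored system and on the logging server.

```conf
# --- /etc/rsyslog.d/10-forward.conf on the monitored system (path assumed) ---
# Certificates issued by the organisation's own CA (paths assumed).
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/agent-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/agent-key.pem"
)
action(
  type="omfwd" target="logserver.example.org" port="6514" protocol="tcp"
  # Mode 1 = TLS only; never fall back to plaintext.
  StreamDriver="gtls" StreamDriverMode="1"
  # Verify the server certificate chain AND that its name is the one we expect,
  # so a man-in-the-middle with some other valid certificate is rejected.
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logserver.example.org"
  # Disk-assisted queue: buffer locally while the link is down or saturated
  # instead of dropping messages; retry for ever rather than discarding.
  queue.type="LinkedList" queue.filename="fwd_central"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# --- /etc/rsyslog.d/10-receive.conf on the central logging server (path assumed) ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
module(
  load="imtcp"
  StreamDriver.Name="gtls" StreamDriver.Mode="1"
  # Clients must present a certificate signed by our CA whose name matches
  # the pattern below; anything else is refused before a single line is stored.
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["*.example.org"]
)
input(type="imtcp" port="6514")
```

A weaker but common variant is StreamDriverAuthMode="anon", which encrypts the connection but authenticates neither side; it protects against passive eavesdropping only and does not satisfy the authentication requirement of this safeguard. Port 6514 is the IANA-registered port for syslog over TLS; on an out-of-band administration network the same configuration can be used unchanged, with the target pointing at the logging server's address on that network.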
Review questions:
- Is the logged data protected against unauthorised access?
- Is a secure transmission route provided for the logged information?
- Do the logging server and the IT system delivering the log data authenticate each other?
- Are mechanisms protecting the integrity and authenticity of the information being used?