Best place in network to put syslog server for DMZ hosts?

Solution 1:

This is actually a deceptively complex question. :) One of my favorites.

The question can be restated as "should a less trusted network be allowed access to a more trusted network, given that the only protocol is syslog"?

You need to weigh the cost / benefit of placing your syslog server on the inside. I'm personally a proponent of having the syslog server residing in the internal network - it's actually a rather high value asset.

The question then becomes the likelihood of an attack breaching specifically via the syslog daemon. If you think that your syslog server can be breached you want to isolate it from your admin network.

I personally think that a breach of a syslog server is pretty low in likelihood, but there are a lot of ways of doing this with different combinations of hardware and software firewalls.

For example, you could have your syslog server physically reside in the DMZ. From there, iptables can allow syslog from any host, both DMZ and your admin network, and then restrict SSH and web access, if required, to only your admin segment.

Or you could have two separate DMZ subnets via your hardware firewall. DMZ1 -> DMZ2 <- Admin where DMZ2 contains your syslog server.

Solution 2:

Put the syslog server in the DMZ and allow polling connections (e.g. rsync) initiated from the admin network.

Log any SYN requests from the syslog server, as it would be a clear indication of an intrusion attempt.
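As an added example that is not part of either answer, here is a host firewall ruleset for a syslog server placed in the DMZ as solution 1 describes (syslog accepted from both segments, SSH and web only from the admin segment), with solution 2's two points folded in: admin-initiated rsync pulls ride over SSH, and any SYN the server itself tries to send is logged before it is dropped. The subnets and ports are assumptions, and nftables stands in for the iptables the answer names.

```nft
#!/usr/sbin/nft -f
# Added example, not from either answer. Subnets are assumed (documentation ranges):
define dmz_net   = 192.0.2.0/24       # hosts that send syslog
define admin_net = 198.51.100.0/24    # where operators and the rsync puller live

flush ruleset

table inet syslog_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Syslog from DMZ hosts and the admin segment:
        # UDP/514 and TCP/514 plain, TCP/6514 for syslog over TLS.
        ip saddr { $dmz_net, $admin_net } udp dport 514 accept
        ip saddr { $dmz_net, $admin_net } tcp dport { 514, 6514 } accept

        # Management and log collection only from admin. rsync pulls
        # (solution 2) run over SSH, so port 22 covers them; 443 is the web UI.
        ip saddr $admin_net tcp dport { 22, 443 } accept

        # Everything else, including SSH/web attempts from the DMZ, is
        # rate-limited into the log and then hits the drop policy.
        limit rate 10/minute log prefix "syslog-host drop in: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        ct state established,related accept

        # Assumed housekeeping the host may need to initiate (resolver, NTP).
        # Keep this list as short as the host really requires.
        udp dport { 53, 123 } accept

        # The server has no reason to open TCP connections. A new outbound
        # SYN is the intrusion indicator solution 2 describes: log, then drop.
        tcp flags & (syn|ack) == syn log prefix "syslog-host outbound SYN: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the "outbound SYN" prefix; a collector or SIEM rule on that string gives the alert solution 2 is asking for.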