ZoneRanger Makes SYSLOG Usable in Unsecured Areas of the Network

THE CHALLANGE

Logging system/device activity is a critical piece in maintaining a complex network infrastructure. The NOC relies on log messages for exception reporting and troubleshooting. The security group can use log information to “playback” what happened around a suspect incident.  Industry regulations such as Sarbanes Oxley can require that accurate logs be stored in a secure archive.

Syslog is a ubiquitous mechanism for logging system messages from a wide range of network devices and servers. For most devices syslog is available as soon as the device has booted. This lightweight common protocol doesn’t come without a few shortcomings. Syslog packets travel over UDP packets.  These plaintext messages pose a security risk and many companies don’t allow inbound UDP through a firewall. Leaving the syslog receiver open to all devices makes it vulnerable to a Denial of Service attack. Locking down the firewall to known devices with host rules requires manpower and adds to the firewall rule load.

THE ZONERANGER SOLUTION

Tavve’s ZoneRanger appliance makes syslog usable with devices in unsecured areas of the network. A single SSL encrypted TCP port in the firewall is used to pass syslog messages from the ZoneRanger to the syslog receiver. This shortens the unencrypted, unreliable path syslog messages must traverse to the single hop from the device to the ZoneRanger. Syslog messages are only forwarded for systems/devices the ZoneRanger is currently managing, eliminating traffic from nodes that might try a DOS attack. The ZoneRanger can filter syslog messages by source address, message header information and message string, reducing the amount of unimportant messages reaching the syslog processing system. Multiple forwarding rules can be configured so that messages can be forwarded to multiple syslog processors. One may be creating notifications based on message content, another used to log the messages for archiving. Syslog messages can be converted to SNMP traps for processing with trap receivers such as HP OpenView NNM on Windows.