Syslog for HIPAA and SOX Compliance

THE CHALLENGE

Many of the recent legislative standards (HIPAA, SOX, etc.) being imposed on network operations attempt, at least in theory, to make the environment easier to maintain and control. Unfortunately, these requirements sometimes make things more difficult because of limitations in certain networking components and protocols.

One specific requirement that appears straightforward is the widely adopted practice of retaining a database of system-generated messages, i.e. a syslog repository. The idea behind the database is for the company to maintain a six-month record of everything happening within its network. Not only should the company be storing this information, it should also regularly compare the messages held locally on each device with those on the centralized server to ensure that nothing is missed during the normal course of business. The additional configuration and the potential security issues a centralized database creates can make it difficult for the network operations team to conform to the HIPAA requirements.

To most network administrators, syslog is one of the key components to ensuring the network is healthy. Along with SNMP traps, syslog messages are typically sent to a specific management application where action is taken to remedy any problems. However, adding multiple destinations for certain traffic within the network can be a daunting and time-consuming task. Depending upon what specifically is being sent, multiple destinations for syslog often require the implementation of relays or proxy servers. Not only does this add more equipment to be monitored and maintained within the network, but forwarding syslog messages requires a great deal of care to ensure that the original headers and portions of the message aren’t overwritten by the forwarding device.

From a security standpoint, syslog messages are notoriously insecure and are usually sent in clear text across the network. The format of a syslog message is easy to imitate, and in most cases there is no authentication or validation of the device sending the message. Syslog has become popular in the hacking community as a gateway into a company's secure environment (see our White Paper entitled Securing Management Protocols with ZoneRanger), as evidenced by the proliferation of Fraggle attacks, spoofed syslog messages, do_brk() attacks and numerous others.
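The two concerns above, that a forwarding device must not overwrite the original header and that nothing in the protocol ties a message to the device that claims to have sent it, can be made concrete with a small collector-side script. The following is an added example written for this page; it is not Tavve or ZoneRanger code, and the device registry, hostnames, addresses and log lines in it are constructed. It parses RFC 3164 messages, shows what a careless relay does to the header when it re-stamps a message, and shows a careful relay that forwards the original line untouched while checking the claimed hostname against the address the datagram actually arrived from.

```python
import re
from datetime import datetime

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT, where TIMESTAMP is
# "Mmm dd hh:mm:ss" with a space-padded day. PRI = facility * 8 + severity,
# so it can never exceed 191 (facility 23, severity 7).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.+)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed registry (assumption for this example): the source address the
# collector sees for each device, mapped to the hostname that device writes
# into its own syslog header.
DEVICE_REGISTRY = {
    "10.0.1.5": "core-rtr1",
    "10.0.1.6": "fw-edge",
}


def parse_rfc3164(line):
    """Split one syslog line into its fields; return None if it is not RFC 3164 shaped."""
    m = RFC3164.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("rest"),
    }


def naive_relay(line, relay_host, relay_time):
    """What a careless relay does: it rebuilds the header with its own name and
    clock, so the central database records the relay as the originator and the
    device's own timestamp is lost. Included only to show the damage."""
    parsed = parse_rfc3164(line)
    if parsed is None:
        return None
    pri = (parsed["facility"] << 3) | SEVERITIES.index(parsed["severity"])
    stamp = f"{relay_time:%b} {relay_time.day:2d} {relay_time:%H:%M:%S}"
    return f"<{pri}>{stamp} {relay_host} {parsed['message']}"


def vet_message(line, src_ip, registry=DEVICE_REGISTRY):
    """Decide what a careful relay does with one datagram received from src_ip.

    Returns (action, detail). On 'forward' the detail is an envelope that carries
    the collector's own metadata separately and keeps the ORIGINAL line intact,
    so nothing in the device's header is overwritten on the way to the database.
    """
    parsed = parse_rfc3164(line)
    if parsed is None:
        return ("drop", "malformed")
    expected = registry.get(src_ip)
    if expected is None:
        return ("drop", f"unregistered source {src_ip}")
    if parsed["host"] != expected:
        # The header claims a different device than the address it arrived from;
        # hold it for review rather than storing it as that device's record.
        return ("quarantine", f"header host {parsed['host']} != registered {expected}")
    envelope = {"received_from": src_ip, "severity": parsed["severity"], "raw": line}
    return ("forward", envelope)


# Constructed sample traffic as a collector would see it on UDP/514.
SAMPLES = [
    ("10.0.1.5", "<34>Jan 15 09:29:41 core-rtr1 sshd[1021]: Accepted publickey for admin from 10.0.9.4"),
    ("10.0.1.6", "<13>Jan 15 09:29:42 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.9"),
    ("192.0.2.77", "<34>Jan 15 09:29:43 core-rtr1 sshd[1021]: Accepted password for root from 198.51.100.2"),
    ("10.0.1.6", "<34>Jan 15 09:29:44 core-rtr1 sshd[1021]: session opened for user admin"),
    ("10.0.1.5", "not a syslog line at all"),
]


def triage(samples=SAMPLES):
    """Run every sample through vet_message and tally the outcomes."""
    counts = {"forward": 0, "quarantine": 0, "drop": 0}
    for src_ip, line in samples:
        action, _ = vet_message(line, src_ip)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    for src_ip, line in SAMPLES:
        print(src_ip, vet_message(line, src_ip))
    print("careless relay would emit:",
          naive_relay(SAMPLES[0][1], "relay01", datetime(2024, 1, 15, 9, 30, 5)))
    print(triage())
```

The third and fourth samples are the ones the text warns about: a message whose header names a registered device but which arrived from an address the collector has never seen, and one that arrived from a registered address but names a different device. A plain syslog collector would store both under core-rtr1; checking the header against the transport-level source is the minimum a relay can do, and it only works if the relay itself preserves the header it is checking.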

In addition to the issues with message format, implementing individual firewall rules to admit all of this information often doubles or triples the amount of traffic allowed into the secure section of the network. Rather than individually controlling syslog message reception, many organizations take the simple route and allow the unrestricted flow of traffic through their firewall, sacrificing security for configuration simplicity.


THE ZONERANGER SOLUTION

Tavve ZoneRanger provides network operations with a secure and simple method of implementing a centralized syslog repository. The ZoneRanger can easily be configured to forward syslog messages to one or more applications, including a centralized syslog database. Thus, network devices need only be configured to send syslog messages to ZoneRanger, and it handles forwarding them to all required management applications. ZoneRanger also protects against protocol-based attacks by authenticating, filtering and forwarding only network management traffic for action, analysis and storage.

As an appliance-based and agent-less solution, ZoneRanger easily integrates completely and transparently with all existing and future network management applications. The ZoneRanger communicates directly to the management applications via an industry-standard 128-bit encrypted (SSL) TCP connection requiring only minimal firewall configuration for all of the network management traffic (including SNMP and syslog).