[c-nsp] Can I encrypt syslog traffic in IOS

Hammer bhmccie at gmail.com
Thu Mar 31 09:18:14 EDT 2011


Nope. You're thinking correctly. But that's not the issue.

AUDIT

We don't syslog thru our management VLAN. That is not a scalable solution
for our WAN. However, this is more of a "due diligence" than anything. Like
authenticating NTP or using SSH instead of TELNET. This is a matter of "Are
you doing the best you can to ensure your traffic is not exposed?" Even
though some of it doesn't necessarily make sense.

I've noticed over about the last two years that both Internal and External
audit seem to be getting a lot more savvy with what they look at and what
they ask. Could just be a sign of the times. Who knows. But these are the
questions I'm being asked and then I'm being interrogated on my config. So
I'm just being proactive in looking for solutions to harden our standards.


 -Hammer-

"I was a normal American nerd."
-Jack Herer





On Tue, Mar 29, 2011 at 2:47 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Mar 29, 2011, at 11:26 PM, Hammer wrote:
>
> >  In the end, we may just policy route the syslog traffic thru a tunnel.
>
> Out of curiosity, why do you want to encrypt your syslog traffic?  You're
> exporting down your OOB management network (i.e., DCN), yes?
>
> If anyone's in a position to sniff the syslog traffic on the DCN - or even
> inband on the production network, for that matter - then there are problems
> on said network which encrypting syslog won't solve, heh.
>
> ;>
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>                The basis of optimism is sheer terror.
>
>                          -- Oscar Wilde

