As with all network communication protocols, carefully consider the security requirements that might be appropriate to protect this remote message logging function in your environment. Examine the following considerations:
One mechanism that can be used to answer these questions is to deploy a Virtual Private Network (VPN) using IPSec across the remote syslogd instances and the local z/OS® syslogd. IPSec configured with the Authentication Header (AH) protocol provides data integrity, data origin authentication, and an optional replay protection service. To deploy IPSec for syslogd traffic, configuration is required on both the local z/OS system and the remote hosts of the syslogd instances that are forwarding messages. On the z/OS side, this is accomplished by defining an IP security policy. In this IP security policy, you specify filter rules that indicate all the remote hosts that are allowed to send UDP traffic to the local syslogd on port 514, along with the IPSec actions that define the IPSec attributes for this traffic. The IPSec policy can be defined in such a way that if any UDP datagrams destined for local UDP port 514 are received that do not match the IP security policy, they are discarded by the local TCP/IP stack. This provides an additional level of protection against denial of service attacks for syslogd, as unauthorized messages are discarded without syslogd needing to process them.
You can use the IPSec Encapsulating Security Payload (ESP) protocol to provide data confidentiality (encryption). Note that the ESP protocol can also be used to provide some of the same functions that the AH protocol provides, such as data integrity, data origin authentication, and replay protection.
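The following added example (not part of the original documentation, and not z/OS policy syntax) models the filter decision described above in Python: only listed remote hosts sending IPSec-protected UDP traffic to port 514 are permitted, and everything else is discarded before syslogd sees it. All class and function names are hypothetical, and the addresses and traffic are constructed sample data.

```python
# Illustrative model only: names are hypothetical, this is not z/OS policy syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    src: str
    protocol: str            # "udp" or "tcp"
    dst_port: int
    ipsec: Optional[str]     # "ah", "esp", or None when it arrived unprotected

@dataclass(frozen=True)
class FilterRule:
    remote: str              # host address or CIDR block allowed to send
    protocol: str
    dst_port: int
    ipsec_allowed: frozenset # IPSec protocols the rule's action accepts

    def matches(self, d: Datagram) -> bool:
        return (ip_address(d.src) in ip_network(self.remote)
                and d.protocol == self.protocol
                and d.dst_port == self.dst_port
                and d.ipsec in self.ipsec_allowed)

def decide(rules, d):
    """Default deny: a datagram that matches no rule is discarded by the stack."""
    return "permit" if any(r.matches(d) for r in rules) else "discard"

def delivered_to_syslogd(rules, datagrams):
    """Sources whose datagrams pass the filter and reach syslogd."""
    return [d.src for d in datagrams if decide(rules, d) == "permit"]

# Constructed policy: two forwarders, using documentation address ranges.
RULES = [
    FilterRule("192.0.2.10", "udp", 514, frozenset({"ah", "esp"})),
    FilterRule("198.51.100.0/28", "udp", 514, frozenset({"ah", "esp"})),
]
# Constructed traffic.
TRAFFIC = [
    Datagram("192.0.2.10", "udp", 514, "ah"),      # listed host, authenticated
    Datagram("192.0.2.10", "udp", 514, None),      # listed address, no IPSec: may be spoofed
    Datagram("198.51.100.7", "udp", 514, "esp"),   # listed subnet, ESP
    Datagram("203.0.113.5", "udp", 514, "ah"),     # host not in the policy
]

if __name__ == "__main__":
    for d in TRAFFIC:
        print(f"{d.src:15} ipsec={d.ipsec!s:5} -> {decide(RULES, d)}")
```

The second sample datagram shows why the IPSec action matters: a UDP source address alone is not proof of origin, so a datagram from a listed address that arrives without AH or ESP protection is still discarded.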
The security considerations for deploying remote syslogd logging depend on your local environment and your local security policies. For more information about the z/OS configuration for IPSec, see Overview of using IP security. For more information about configuring IPSec on the remote hosts, consult the documentation for that platform.