
SANS ISC: Placement of MSSP accessible log collector - SANS Internet Storm Center SANS ISC InfoSec Forums


Placement of MSSP accessible log collector
Hello,

We are engaging an MSSP to monitor our security logs from all our servers and network devices. Most, if not all, of the devices will be pushing the logs to this collector; my concern is where do I house this collector? This collector will phone home to the MSSP, and the SOC/NOC will have complete control over this device. It is a requirement that we allow SSH & HTTPS access from the MSSP to this collector.

I am thinking of hosting this collector on the DMZ and only allowing the MSSP access to this collector (via firewall rules). Is this a good idea? Now, since all the devices, servers and network devices, behind the firewall will be pushing logs to this collector, would you recommend placing the collector on the DMZ or on the inside? The logs are not locally stored on this collector, but offloaded to the cloud. But still, I am concerned.

Thanks in advance for all your suggestions and comments.

Regards,
Sec Inquisitive
Anonymous
