[Bro] traffic to logger from workers

Michael Shirk shirkdog.bsd at gmail.com
Thu Jan 19 09:56:55 PST 2017


I think this refers to AC-4 for information flow enforcement. But this is
where you would configure border protections or segmentation of your bro
data on its own private network, or configure encrypted tunnels.


--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Jan 19, 2017 12:36 PM, "Hosom, Stephen M" <hosom at battelle.org> wrote:

> Which 800-53 control are you referencing? I’d like to help you.
>
>
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *erik
> clark
> *Sent:* Thursday, January 19, 2017 8:38 AM
> *To:* Johanna Amann <johanna at icir.org>
> *Cc:* Bro-IDS <bro at bro.org>
> *Subject:* Re: [Bro] traffic to logger from workers
>
>
>
> This seems to be a pretty big oversight. Depending on the controls you
> implement from NIST 800-53 Rev 4, encryption between processes is
> mentioned. In our environment, it is not just nice to have, it is a
> requirement.
>
>
>
> Since no Bro to Bro communication is encrypted, this makes it 100%
> impossible for us to have a Bro cluster spanning multiple servers. We are
> relegated to load balancing via a smart tap and hosting all-in-one Bro
> instances in disparate hardware, and then forwarding the logs off the box
> with Splunk which _does_ do encrypted log handoff to the indexers.
>
>
>
> I understand that there is some concern about possible performance
> implications, but making an application that is completely devoid of FIPS
> 140-2 compliance does not seem to be very good.
>
>
>
> What can be done to get encryption into Bro to Bro communication? If
> nothing else, at least to the logger. The other elements (workers, proxies)
> can be handled by pushing proxies to the individual hosts and blocking
> proxy port requests from Bro between hosts.
>
>
>
> On Wed, Jan 18, 2017 at 7:06 PM, Johanna Amann <johanna at icir.org> wrote:
>
> On Wed, Jan 18, 2017 at 07:51:54AM -0500, erik clark wrote:
> > Does the logger receive traffic over an encrypted tunnel? It does not
> > appear to be the case.
>
> No, Bro to Bro communication is not encrypted.
>
> Johanna
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
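The thread's practical problem is knowing which links in a multi-host cluster actually carry unencrypted Bro-to-Bro traffic, since those are the ones that need the tunnel or private segment Michael suggests (or erik's workaround of keeping proxies local). The script below is an added example, not code from the thread or from the Bro project: it parses a broctl-style node.cfg (one INI section per node with `type` and `host` keys, which is an assumption about the format) and lists every worker/proxy link whose endpoints sit on different hosts. The table of which node types talk to which is likewise an assumption about the cluster layout, and the sample node.cfg is constructed.

```python
"""List Bro cluster links that would cross hosts in the clear.

Added example (not from the mailing-list thread or the Bro project).
Assumes a broctl-style node.cfg: INI sections, one per node, each with
``type`` and ``host`` keys. Every worker->logger/manager/proxy or
proxy->logger/manager link whose endpoints live on different hosts is
reported, because the thread states that Bro-to-Bro traffic is not
encrypted, so those links need an encrypted tunnel or a private segment.
"""
import configparser
import sys

# Constructed sample node.cfg: one all-in-one host plus a remote worker.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=10.0.0.1

[logger]
type=logger
host=10.0.0.1

[proxy-1]
type=proxy
host=10.0.0.1

[worker-1]
type=worker
host=10.0.0.1
interface=eth1

[worker-2]
type=worker
host=10.0.0.2
interface=eth1
"""

# Assumed cluster traffic pattern: workers send to the logger, manager and
# proxies; proxies send to the logger and manager.
LINK_TARGETS = {
    "worker": ("logger", "manager", "proxy"),
    "proxy": ("logger", "manager"),
}


def parse_node_cfg(text):
    """Return {node_name: {"type": ..., "host": ...}} from node.cfg text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    nodes = {}
    for name in cp.sections():
        nodes[name] = {
            "type": cp[name].get("type", "").strip().lower(),
            "host": cp[name].get("host", "").strip(),
        }
    return nodes


def cross_host_links(nodes):
    """Return sorted (source, destination) pairs that cross a host boundary."""
    links = []
    for src, s in nodes.items():
        targets = LINK_TARGETS.get(s["type"], ())
        for dst, d in nodes.items():
            if src == dst:
                continue
            if d["type"] in targets and s["host"] != d["host"]:
                links.append((src, dst))
    return sorted(links)


def report(nodes):
    """Human-readable lines: one per exposed link, or an all-clear."""
    links = cross_host_links(nodes)
    if not links:
        return ["no Bro-to-Bro link leaves its host; nothing to tunnel"]
    lines = []
    for src, dst in links:
        lines.append(
            "%s (%s) -> %s (%s): unencrypted across hosts, "
            "needs tunnel or private segment"
            % (src, nodes[src]["host"], dst, nodes[dst]["host"])
        )
    return lines


if __name__ == "__main__":
    # Pass a real node.cfg path as argv[1]; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cfg_text = fh.read()
    else:
        cfg_text = SAMPLE_NODE_CFG
    for line in report(parse_node_cfg(cfg_text)):
        print(line)
```

On the constructed sample, worker-2 on 10.0.0.2 is the only node whose links leave its host, so the three reported links (to the logger, manager and proxy-1) are exactly the ones an AC-4 style flow-enforcement review would have to cover with a tunnel or dedicated network.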