Reliable and Tamper Resistant Centralized Logging in a High Availability System - An Investigation on Ericsson SGSN-MME
Master's thesis
LAM, JANNY QUACH
Data logging is a critical activity and the foundation for several information security related activities, including intrusion detection, forensics and event reconstruction. Most often, computer systems where logs are collected consist of a network of connected machines. In such a network, it is often desirable to have an overview of how events are related between machines. Thus, having a central log server to which other machines can send log data for processing, correlation and analysis is important. However, for the log data to be useful it must be trustworthy. To provide such trust, two important properties must be fulfilled, namely reliable and secure transmission, and tamper resistance.
The purpose of this project was to investigate how reliable and tamper resistant centralized logging can be achieved in Ericsson's SGSN-MME product. SGSN-MME is a high availability system where two components are redundant. To provide trustworthy centralized logging in such an environment, failure of redundant components must also be taken into consideration. To investigate whether and to what extent it is possible to achieve reliable transmission, two syslog applications, rsyslog and syslog-ng, were evaluated. To support the evaluation, a Xen-based lab system representing the SGSN-MME was designed. The different parts of SGSN-MME were simulated by virtual machines. Component redundancy was achieved by using open source software similar to what is used in the real SGSN-MME. To benchmark the two applications, seven test cases representing different failure scenarios were defined and executed. The test results show that it is possible to achieve zero loss transmission for most of the test cases for both rsyslog and syslog-ng. To achieve zero message loss it is necessary to use both an application-based transport protocol and a reliable disk buffer.
Tamper protection requirements have been determined by means of threat modelling. It is assumed that several users on SGSN-MME have root access. Therefore, it is concluded that the most promising solution is to make use of a cryptographic hardware device for encryption key storage.
Information & Communication Technology, Computer and Information Science, Systems engineering