Page 22 of 72
WARNING: this setting has the ability to generate a large number of events that could
affect the performance of your device, network, and syslog host.
3.3.4 Logging Protection
If an authorized administrator wants to backup the logs to a syslog server, then protection must
be provided for the syslog server communications. This can be provided in one of two ways:
1. With a syslog server operating as an IPsec peer of the TOE and the records tunneled over
that connection, or
2. With a syslog server is not directly co-located with the TOE, but is adjacent to an IPsec
peer within a trusted facility, and the records are tunneled over the public network.
3.3.4.1 Syslog Server Running on an IPsec Endpoint
For deployments where the syslog server is able to operate as an IPsec peer of the TOE, the
IPsec tunnel will protect events as they are sent to the server. When an audit event is generated, it
is simultaneously sent to both the external server and the local store. Examples of products that
can be installed on a syslog server to allow it to be an IPsec peer include the Racoon tool that is
part of the IPsec Tools on many Linux systems, strongSwan, Openswan, and FreeS/WAN.
Following are sample instructions to configure the TOE to support an IPsec tunnel with aes
encryption, with 10.10.10.101 as the IPsec peer IP on the syslog server, 10.10.10.110 and
30.0.0.1 as the local TOE IPs, and the syslog server running on 40.0.0.1 (a separate interface on
the syslog server). For the following commands see the [10] Cisco IOS Configuration
Fundamentals Command References, and Cisco IOS Security Command References.
TOE-common-criteria# configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1
TOE-common-criteria(config-isakmp)#encryption aes
TOE-common-criteria(config-isakmp)#authentication pre-share
TOE-common-criteria(config-isakmp)#group 14
TOE-common-criteria(config-isakmp)#lifetime 28800
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key]
address 10.10.10.101
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key]
address 40.0.0.1
TOE-common-criteria(config)#crypto ipsec transform-set sampleset esp-aes esp-sha-
hmac
TOE-common-criteria(cfg-crypto-trans)#mode tunnel
TOE-common-criteria(config)#crypto map sample 19 ipsec-isakmp
TOE-common-criteria(config-crypto-map)#set peer 10.10.10.101
TOE-common-criteria(config-crypto-map)#set transform-set sampleset
TOE-common-criteria(config-crypto-map)#set pfs group14
TOE-common-criteria(config-crypto-map)#match address 170
TOE-common-criteria(config-crypto-map)#exit
TOE-common-criteria(config)#interface g0/0
To Next Page
Loading...
Need help?
General
