We are engaging an MSSP to monitor our security logs from all our servers and network devices. Most, if not all, of the devices will be pushing the logs to this collector; my concern is where do I house this collector? This collector will phone home to the MSSP and the SOC/NOC will have complete control over this device. It is a requirement that we allow SSH & HTTPS access from the MSSP to this collector.
I am thinking of hosting this collector on the DMZ and only allowing the MSSP access to this collector (via firewall rules). Is this a good idea? Now, since all the devices, servers and network devices behind the firewall will be pushing logs to this collector, would you recommend placing the collector on the DMZ or on the inside? The logs are not locally stored on this collector, but offloaded to the cloud. But still I am concerned.
Thanks in advance for all your suggestions and comments.
Sep 12th 2017