> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 12 May 2000 10:33 AM
> To: mouss
> Cc: Eddy Kalem; [EMAIL PROTECTED]
> Subject: Re: FW: Redirecting closed port connections
> 
> 
> Your statement alone that "blocking the port and ignoring the 
> attacker is a
> sufficient approach" states it all.

It does? I think you'll find that this is the most common approach,
actually. Personally, I'm letting the Lone Ranger clean up all the bad guys
- I'm just securing networks.

> 
> Your approach of passive resistance is not what I would 
> recommend in this day
> and age - especially if there are hard assets and bottom-line 
> dollars at
> stake.  

Uh...why? Call me crazy, but I'd rather not have an attacker inside my DMZ
at _all_. Why would I open a hole in my firewall to let them in on purpose?
I don't know Recourse Technologies and I have no reason to trust their
product - what if their jail system turns out not to be a jail? One could
find that the attacker has just been given a free stepping stone into the
network.

> Typically, seasoned hack/crackers are not easily 
> discouraged - blocking
> is expected.  

I'm obviously not "down with the 133t". My naive impression is that most
crackers strafe many, many sites looking for common vulnerabilities. If your
site doesn't give them any green lights then they'll be off scanning the
next chump.

If, on the other hand, you have a cracker that is deliberately trying to attack
your network then they're more likely to be working on the services that you
actually _run_. It's hard to imagine an attacker so "seasoned" that they are
dedicated to breaking your network and yet so stupid that the presence of a
tasty Solaris box chock full of customer information _sitting in the DMZ_
isn't going to make them a _little_ suspicious.

Bear in mind that these jail systems only let you change the default action
for services that you _don't_ run from block to divert.

> They will keep trying until a vulnerability is 
> found.  BTW - the
> talented ones, neither leave a trail when she (I say she - 
> something many
> overlook BTW) penetrates your defenses, nor does she 
> advertise that he has done
> so.  

Um...yeah. I'm sure that's what Mitnick thought too.

> Under these conditions, I submit this:
> 
> A firewall enforces a security policy.  If a vulnerability is 
> exploited - what
> vehicle do you have to relay that this has occurred? "ZERO".  

How about my logs? My offline hashes? My read-only /usr drives? My
unalterable logging to a serial port running a line printer?

> With a pseudo
> environment - the violation can be accomplished and the 
> intruder is satisfied.

The _stupid_ intruder, maybe.

> The attack progresses to the next level.  Meanwhile you're 
> tracking his every
> move.  Using this allows a feedback loop to:
> 
> 1) modify your security policy to take into account this 
> vulnerability - even
> if it's minor - shoplifting a candy bar is only the beginning ...

Except that it wasn't a vulnerability. I had the port _blocked_ and then I
_opened_ it to send this attacker to the honeypot.

> 2) modify your server security based on the exploits he/she 
> has taken to breach
> its defenses.

This makes no sense - I KNEW the door was open! I left it open on PURPOSE so
that I could waste the attacker's time and collect logs.

> 3) contact authorities and pursue legal channels...

If I called the cops every time some script kiddie had a go at my network or
one of the networks I'm supposed to be keeping secure (especially when the
attack wouldn't have worked if I hadn't created a vulnerability myself), I'd
get about three minutes of actual work done a day.

> 
> With the "ManTrap" (www.recourse.com), the first intruder I 
> trap pays for the
> technology, why?  This is a gal that, 1) would have breached 
> my production
> environment to cause real damage,

As I've already said - they wouldn't have breached your production
environment - your production environment is still live and vulnerable to
any working attacks directed against it.

> 2) Has just provided me 
> with unsolicited
> feedback on my security policies in my perimeter defenses and 
> my public
> resources.
> 
> With your passive approach - what vehicle do you have that 
> would even hint to
> you that I do not already "OWN" your resources?

See "logging and audit" above.

> 
> Class dismissed. NUF SED!

Foisting your (misguided, IMO) opinions on one poster is bad enough.
Implying that you're lecturing to _all_ of us...>shudder<. 

> mouss wrote:
> 
> > The problems with such approach are:
> >
[perfectly reasonable argument snipped for brevity]
> > regards,
> > mouss

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]