Mark Teicher Writes:
>The best way to eliminate some of the scanning is to construct some good
>packet filtering rules in front of your IDS device, drop everything you
>don't implicitly allow, and watch for the anomalies.. You do have an IDS
>system in place don't you? If not, take a look at Network Flight Recorder
>(www.nfr.net) or one of those other IDS software producing companies.
[...]
>NFR, that will be one Large NFR T-shirt for the plug. :)

<<LAUGH>> Thanks, Mark. I think I remember your size, and I'll
have one sent out to you pronto. ;)

Joking aside - I agree completely. Remote scans are a wake-up call.
I find that a lot of sites are stunned speechless when they discover
how often they are probed by script kiddies in search of prey. As I've
come to attain a deeper understanding of this, myself, my attitude
toward hacking has become increasingly hard-line - there's just way
too much of that kind of nonsense going on. Some folks I've met
who have cable modems are getting probed 20, 30 times a day, some
days. :(

Intrusion detection tools (such as ours) are an effective way of
illustrating how bad the problem is, if set up outside of your
network perimeter - or as an emergency backstop if your firewall
fails and someone is roaming the interior behind your firewall.
Last, but not least, they're important if your site has been
compromised and is being used as a launching point for attacks
on other sites. The latter can be very very embarrassing, and
potentially expensive, and it's much better to be able to know
about it and close it down quickly.

As Mark says, you might want to look at intrusion detection
technologies. Our site is <http://www.nfr.net>. We're happy to
offer evaluation copies of our industry-leading intrusion detection
appliance(tm) to end users who request them. If you're thinking
of deploying intrusion detection, I definitely suggest you kick
the tires of a couple different solutions. Right now, everyone
has a slightly different take on how to do things, different
architectures, philosophies, and - of course - prices. You might
want to look at some of our competitors as well:

    ISS's RealSecure <http://www.iss.net>
    Axent's NetProwler <http://www.axent.com>
    Cisco's NetRanger <http://www.cisco.com>

There's a couple (hopefully) useful papers on
http://www.nfr.net/forum/publications.html

Regards,
mjr.