> For me, best practice is to configure firewalls so they only allow
> those data flows provided for in a qualified security policy. You allow
> the bare minimum and stop there. Then you test that this is all you have
> allowed. If possible you do not want to allow any connections from the
> outside world to your internal network. If you have to allow protocols
> like HTTP, Telnet, FTP etc then put these hosts somewhere else (like in
> a DMZ) .... etc .. OK extract those eggs from your gullet anytime
> now....
:). To be quite honest, I completely agree. However, my boss requires
(I don't understand why) that we have port redirection on our firewall
to point to the internal network. Which basically obliterates any
security policy I might put on the firewall. Sure, our firewall can be
secured to a B1 level, but who cares if we redirect our HTTP to an IIS
4.0, un-patched web server on the internal LAN? You've got access to
the LAN right there, with no need to mess around with a security-conscious
firewall.
> Most companies are concerned with business continuity. The cost of
> maintaining this should be as low as possible. Thus the added costs of
> logging TCP/IP transactions could perhaps be one which is unnecessary.
> Obviously the corporate net must be as unassailable as possible from
> outside and perhaps more particularly, inside. The corporate web
> presence featuring whatever e-commerce solution is not so important.
> These things will be underwritten ... and provided the cost of failures
> is not comparable to the profit made from the site not much will be done
> about it. I am reminded here of the film "Fight Club" where our would-be
> anti-hero explains the process by which dangerous motor vehicles are not
> withdrawn from the market. It has nothing to do with how many young
> teenagers die but the cost of litigation...
Again, I couldn't agree more, with the exception of logging. Because I
know my logs fairly well, and all we're logging is a Linux firewall with
an average load of about 0.05, logging adds no cost. It takes me about
5-10 seconds per log to find if something is obviously wrong. I search
for key words within the log, then save it. That way, if something goes
awry on the firewall, I've got logs for the past few years kicking
around, and I can figure out exactly what happened and when. I
apologize if I misunderstood you, but saying you don't want logging is
like driving without a rear-view mirror and wearing blinders (the things
on horses that only allow them to look forwards). Logging is an
essential part of security, and should never be overlooked (in my
opinion).
> So this is the canvas. Upon this one could argue that provided you keep
> up to date with security patches, and keep seeking to improve your
> security, making sure it is tested to make sure that reacting passively
> or aggressively to an attack is not even worth thinking about. Or could
> we describe redirecting closed port connections as passive-aggressive?
Except that there will always be someone who will spend their time
searching for a security hole in a product, and never release it
publicly. Hence, even with the tightest security policy, the most
up-to-date patches, and the wisest SysAdmin, you are never 100% safe.
<...>
> A note here about Honey pots .. I will continue the thread lower down...
> Why? For a honey pot to be attractive it must be appealing. i.e. you are
> going to leave something open or vulnerable. Thus you have lost the
> benefit of research as you should see the same attack over and over
> again. All you really get is time .... and a bit of excitement... Here I
> disagree with the notion that leaving everything open will somehow
> dissuade a script kiddie from continuing with their attack....
I think I should explain myself here. I don't leave everything "open"
per se. A brief rundown of my firewalling:
1. Default Policy to Accept
2. Accept all needed ports
3. (Deny/Accept) all SYN packets to ports 0-1023
4. (Deny/Accept) all non-SYN packets to ports 0-1023
5. (Deny/Accept) all TCP packets to ports 0-1023
(The Deny/Accept is depending on various things. But if one is Deny,
they should all be deny.)
There are some other rules included, but that's the core of it. On a
scan (be it SYN, TCP Connect, Null, ... see your comment below), you
rarely get all the actual open ports reported correctly, two scans are
rarely the same, and you get a mess of stuff for ports >1023. Having
three screens of scans fly by is a bit confusing and disheartening.
Attempting exploits on the reported open ports will fail, because the
ports aren't actually open.
<...>
> The only reliable method of scanning is a tcp connect. If this type of
> scan is detected then you know how you can track the source. From here
> it is simple. In order for the attacker to get any useful info he must
> be able to get data back... Thus the source reported in the TCP header/
> IP Header is the real source, or by tracerouting back to the reported
> source .. one of the hops will be the real source... you know what the
> source port is so find which one accepts your response packets.... But
> then what do you do when you have tracked the source ... the responsible
> thing to do would be to determine what ISP is responsible and inform
> them that one of the hosts or connections is being used to scan you
> illegally. Retaliation is a highly questionable course of action, even
> if it is very tempting!!
And here, I outright disagree with you. Look at firewall policies.
It's okay to deny straight TCP, because of the TCP connect scan. But
you can't deny all SYN packets, because they're a little bit essential
to the whole handshake sequence. I still don't think any retaliation
(aside from contacting the ISP) is acceptable, because there is always
the chance that a scan will be spoofed. I find that the nmap SYN scan
provides much more accurate scanning information than the vanilla TCP
connect scan. (The others I use for special occasions.)
Feel free to disagree - these are only my opinions.
Damian Gerow
Intellitactics, Inc.
It is a kind of spiritual snobbery that makes people think they can be
happy without money. - Albert Camus
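The five-rule policy listed in the message, turned into a small first-match model as an added example (not the author's firewall configuration): the needed-port set and the probe packets are assumptions. It also shows why the parenthetical about Deny/Accept matters: mixing the two in rules 3-5 lets non-SYN probes reach closed low ports.

```python
"""Toy first-match model of the five firewall rules listed in the message.
Constructed example: the needed-port set and probe packets are assumptions,
not the author's real configuration."""
from dataclasses import dataclass

NEEDED_PORTS = {22, 80}      # assumption for rule 2, "accept all needed ports"
LOW_PORTS = range(0, 1024)   # the 0-1023 range in rules 3-5

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = False   # True for a bare SYN; False for ACK/FIN/NULL probes

def build_rules(deny_syn=True, deny_non_syn=True, deny_tcp=True):
    """Rules 2-5 as (match, action) pairs; each of 3-5 may be Deny or Accept."""
    def verdict(deny):
        return "DENY" if deny else "ACCEPT"
    low_tcp = lambda p: p.proto == "tcp" and p.dport in LOW_PORTS
    return [
        (lambda p: p.dport in NEEDED_PORTS, "ACCEPT"),               # 2
        (lambda p: low_tcp(p) and p.syn, verdict(deny_syn)),         # 3
        (lambda p: low_tcp(p) and not p.syn, verdict(deny_non_syn)), # 4
        # 5 is reached only if 3 and 4 both miss, which no low-port TCP packet can do
        (low_tcp, verdict(deny_tcp)),                                # 5
    ]

def evaluate(packet, rules, default="ACCEPT"):
    """First matching rule decides; otherwise rule 1, the default policy, applies."""
    for match, action in rules:
        if match(packet):
            return action
    return default

def low_port_leaks(rules, port=23):
    """Probe types to a non-needed low port that the policy still lets through.
    Mixing Deny and Accept in rules 3-5 shows up as a non-empty list, which is
    why the message says that if one is Deny they should all be Deny."""
    probes = {"SYN": Packet("tcp", port, syn=True),
              "non-SYN": Packet("tcp", port, syn=False)}
    return [name for name, p in probes.items() if evaluate(p, rules) == "ACCEPT"]

if __name__ == "__main__":
    strict, mixed = build_rules(), build_rules(deny_non_syn=False)
    for pkt in (Packet("tcp", 23, syn=True), Packet("tcp", 80, syn=True),
                Packet("tcp", 8080, syn=True), Packet("udp", 53)):
        print(pkt, "->", evaluate(pkt, strict))
    print("leaks with all Deny:", low_port_leaks(strict))
    print("leaks with rule 4 Accept:", low_port_leaks(mixed))
```

With every rule set to Deny, low ports other than the needed ones drop both SYN and non-SYN probes, while everything above 1023 still falls through to the Accept default, which is the ">1023 mess" the message describes.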