I'm not going to start quoting everything you said. To sum everything
up, I agree with everything up until this point (below).
> Whoa there, cowboy! If you are able to distinguish between probe SYN
> packets and packets that are part of a connection originating inside the
> network, then you can do the same thing with those.
>
> If you have services running which are accessible from the outside world,
> like SMTP or a WWW server for example, then you have to allow TCP
> connects. This is why many of the tools script kiddies will use just do a
> port scan of known services, sometimes only one or two like SMTP and WWW
> ... probably depending on the last .pl they have just picked up on the
> net...
Sorry. I wasn't thinking straight when I said that - if you allow SYN
connects on a port, then TCP connects have to be allowed as well (same
with FIN). So, unless I'm grossly misunderstanding a concept of TCP, a
TCP scan will report the same as a SYN scan. Am I correct? The
firewall rules I laid out only report back hundreds, if not thousands,
of open/closed ports, whether it be TCP or SYN.
I should also point out that it is much easier to detect a TCP scan.
Why else would a SYN scan be called "stealth"?
> For this type of probe or attack you need to see TCP signatures or at
> least monitor requests to these services. If you are logging this sort
> of thing then the logs are going to be pretty big... and you need to be
> logging not just what type of packet from here to there, but also what
> is in the packet. Thus you are looking at IDS. Bear in mind that these
> are packets on ports allowed by your firewall rules. Without analysing
> the packets, how are you going to distinguish between what is OK and what
> is an attack?
>
> Thus, investing in IDS reduces the need for experienced ITSOs like
> yourself who know how to use things like TCPDUMP and further know what
> they are looking at. If the management of the IDS is outsourced then all
> the better... for TCO.
Yes. But I personally hate outsourcing. A fault, I know, but I just
generally don't like the fact that I am handing over company security to
another company.
> Anyone going to DEFCON?
Yep.
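The point argued in the message above, that a SYN scan and a full TCP connect scan hit the same allowed ports but only the connect scan finishes the three-way handshake, can be turned into detection logic. The script below is an added example, not code from the thread: it replays a constructed list of firewall-style packet events (source, port, direction, TCP flags; the host addresses are made up) and labels each source by how many ports it touched and how many handshakes it completed.

```python
from collections import defaultdict

# Constructed sample of packets as a border firewall might log them.
# Tuple: (src, dst_port, direction, flags); "in" = toward our server, "out" = our reply.
PACKETS = [
    # 10.0.0.5: half-open (SYN) scan - gets SYN-ACK, then sends RST instead of ACK
    ("10.0.0.5", 25, "in", "S"), ("10.0.0.5", 25, "out", "SA"), ("10.0.0.5", 25, "in", "R"),
    ("10.0.0.5", 80, "in", "S"), ("10.0.0.5", 80, "out", "SA"), ("10.0.0.5", 80, "in", "R"),
    ("10.0.0.5", 22, "in", "S"), ("10.0.0.5", 22, "out", "RA"),
    # 10.0.0.6: full connect scan - completes the handshake, then closes
    ("10.0.0.6", 25, "in", "S"), ("10.0.0.6", 25, "out", "SA"), ("10.0.0.6", 25, "in", "A"), ("10.0.0.6", 25, "in", "FA"),
    ("10.0.0.6", 80, "in", "S"), ("10.0.0.6", 80, "out", "SA"), ("10.0.0.6", 80, "in", "A"), ("10.0.0.6", 80, "in", "FA"),
    ("10.0.0.6", 22, "in", "S"), ("10.0.0.6", 22, "out", "RA"),
    # 10.0.0.7: one ordinary SMTP client
    ("10.0.0.7", 25, "in", "S"), ("10.0.0.7", 25, "out", "SA"), ("10.0.0.7", 25, "in", "A"),
]

def summarize(packets):
    """Per source: number of ports probed, handshakes completed, half-open probes."""
    state = defaultdict(dict)  # src -> port -> syn | synack | open | halfopen | closed
    for src, port, direction, flags in packets:
        cur = state[src].get(port)
        if direction == "in" and flags == "S":
            state[src][port] = "syn"
        elif direction == "out" and "S" in flags and "A" in flags and cur == "syn":
            state[src][port] = "synack"
        elif direction == "out" and "R" in flags and cur == "syn":
            state[src][port] = "closed"           # port closed, no service there
        elif direction == "in" and cur == "synack":
            # Final ACK = real connection; RST here = probe abandoned half-open
            state[src][port] = "open" if "A" in flags and "R" not in flags else "halfopen"
    return {src: {"probed": len(ports),
                  "completed": sum(s == "open" for s in ports.values()),
                  "half_open": sum(s == "halfopen" for s in ports.values())}
            for src, ports in state.items()}

def classify(summary, min_ports=3):
    """Both scan types reach the same allowed ports; only the handshake outcome differs."""
    labels = {}
    for src, s in summary.items():
        if s["probed"] < min_ports:
            labels[src] = "normal"
        elif s["half_open"] and s["completed"] == 0:
            labels[src] = "syn-scan"
        elif s["completed"]:
            labels[src] = "connect-scan"
        else:
            labels[src] = "normal"
    return labels

if __name__ == "__main__":
    print(classify(summarize(PACKETS)))
```

Real logs only expose the handshake outcome if the firewall records reply and follow-up packets, not just the initial SYN; that is the logging-volume trade-off the quoted reply raises.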