William,
   I'd echo most of the advice from Ben, however I'd watch the logs every
morning or more often if you have the time. I'd write filter scripts that
summarize the rejected packets. This lets you keep in touch with what type of
traffic you get, and if someone is continually scanning and probing, then you
may want to look at another level of defense against them. Security is not
absolute, but keeping (at least one step) ahead of the enemy. They will
continue to find new problems and ways to exploit them, so you gotta continue
to get better at stopping them also. The only way to do this is to keep at it
and watch what they do (even when it fails).

My two cents worth...Don McEwen

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 12:19 AM
To: 'William Bartholomew'; [EMAIL PROTECTED]
Subject: RE: Attack Quantity/Regularity


> -----Original Message-----
> From: William Bartholomew [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 17 January 2001 3:40 
> To: [EMAIL PROTECTED]
> Subject: Attack Quantity/Regularity
> 
> 
> Just a couple of general questions:
> 
> a) How often can a SMALL company expect to be attacked (i.e. DENIED
> packets etc.)?

Denied packets? Several times a day. Port scans will vary, mainly in
proportion to your profile as a company, or your ISP's profile (since they
own the netblocks that people are scanning). Almost all of these "attacks"
will be false positives or untargeted scans - ie _not_ someone trying to
attack your network in particular.

> b) If attacks are regular, and often from the same people, what 
> action should you take?

Notify the abuse contact for the ISP or other netblock owner. Some of them
are fairly co-operative. In almost all cases it's a waste of time, but it
makes you look busy. ;)

> What if it is a variety of people, apart from 
> your firewall how else can you protect yourself?

Some people believe in reactive rulesets that blackhole IP ranges if there
are too many attacks detected from them - this is probably a bad plan for a
number of reasons.

The short answer is, in my opinion, ignore logs from your external filtering
device. The packets are getting dropped anyway, and 99%+ will be false
positives or script kiddiez. Keep logging though - if something bad does
happen you (or someone) might want the verbose logs for forensics.

If you have a Network IDS in your tender underbelly, pay much more attention
to that. One useful trick if you don't have the time / cash for a NIDS but
do have a DMZ is to log packets _leaving_ the DMZ that look suspicious.

> Regards,
> 
> William Bartholomew MCP MCSE CNA CCNA
> Assistant Network Administrator
> Brisbane Boys' College

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
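Don's suggestion of a filter script that summarizes the rejected packets, and Ben's trick of logging suspicious packets leaving the DMZ, as one added example. This is not code from either poster. It assumes iptables-style kernel LOG lines with the chain name as the log prefix ("DROP-IN" for inbound rejects, "DMZ-OUT" for packets leaving the DMZ), a DMZ on 192.0.2.0/24, a short allow-list of egress a DMZ host is expected to initiate, and a "distinct ports per source" threshold for calling something a scan; the log lines, addresses, prefixes and threshold are all constructed for the example.

```python
#!/usr/bin/env python3
"""Summarize firewall reject logs and flag unexpected egress from a DMZ.
Added example, not from the original thread. Assumes iptables-style LOG lines;
prefixes, DMZ range, allow-list and threshold below are assumptions."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 17 03:12:01 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3121 DPT=21
Jan 17 03:12:01 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3122 DPT=23
Jan 17 03:12:02 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3123 DPT=111
Jan 17 03:12:02 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3124 DPT=139
Jan 17 03:12:03 fw kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3125 DPT=1080
Jan 17 04:40:10 fw kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jan 17 05:01:55 fw kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.90 DST=192.0.2.11 PROTO=TCP SPT=4022 DPT=53
Jan 17 05:02:00 fw kernel: DMZ-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1025 DPT=53
Jan 17 05:02:09 fw kernel: DMZ-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 PROTO=TCP SPT=1026 DPT=6667
Jan 17 05:02:10 fw kernel: DMZ-OUT IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=203.0.113.200 PROTO=TCP SPT=1027 DPT=25
"""

# Tolerates the extra LEN=/TTL=/ID= fields real LOG lines carry between DST and PROTO.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?:\[[^\]]*\] )?(?P<prefix>\S+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+).*? "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

DMZ_NET = ip_network("192.0.2.0/24")   # assumed DMZ range
SCAN_PORT_THRESHOLD = 4                 # assumed: this many distinct DPTs from one SRC is a scan
ALLOWED_EGRESS = {("UDP", 53), ("TCP", 25)}  # assumed: DNS lookups and mail relay only


def parse_log(text):
    """Parse LOG lines into dicts; lines that do not match are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["dpt"] = int(r["dpt"]) if r["dpt"] else None   # ICMP etc. carry no ports
        records.append(r)
    return records


def summarize_rejects(records, prefix="DROP-IN"):
    """Rejected inbound traffic by source and by destination port, plus likely scanners."""
    by_src, by_dpt, ports_per_src = Counter(), Counter(), defaultdict(set)
    for r in records:
        if r["prefix"] != prefix:
            continue
        by_src[r["src"]] += 1
        if r["dpt"] is not None:
            by_dpt[(r["proto"], r["dpt"])] += 1
            ports_per_src[r["src"]].add(r["dpt"])
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= SCAN_PORT_THRESHOLD)
    return {"by_src": by_src, "by_dpt": by_dpt, "scanners": scanners}


def suspicious_egress(records, prefix="DMZ-OUT"):
    """Packets a DMZ host sent to the outside that are not on the expected egress list."""
    flagged = []
    for r in records:
        if r["prefix"] != prefix:
            continue
        if ip_address(r["src"]) not in DMZ_NET or ip_address(r["dst"]) in DMZ_NET:
            continue
        if (r["proto"], r["dpt"]) in ALLOWED_EGRESS:
            continue
        flagged.append((r["ts"], r["src"], r["dst"], r["proto"], r["dpt"]))
    return flagged


def report(text):
    """The morning summary: who is knocking, on which ports, and what the DMZ is doing."""
    records = parse_log(text)
    s = summarize_rejects(records)
    lines = ["Rejected inbound, by source:"]
    for src, n in s["by_src"].most_common():
        tag = "  <-- scanning" if src in s["scanners"] else ""
        lines.append(f"  {src:16} {n:4}{tag}")
    lines.append("Rejected inbound, by destination port:")
    for (proto, dpt), n in s["by_dpt"].most_common():
        lines.append(f"  {proto}/{dpt:<6} {n:4}")
    lines.append("Unexpected egress from DMZ:")
    for ts, src, dst, proto, dpt in suspicious_egress(records):
        lines.append(f"  {ts} {src} -> {dst} {proto}/{dpt}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

In the constructed sample the single source that walks five different ports is tagged as scanning, while the one-off hits on 137/udp and 53/tcp are just counted, which is the "keep in touch with what type of traffic you get" view Don describes. The egress report is the part worth reading first: a DMZ web server opening a connection to an outside host on 6667/tcp shows up there, while its DNS lookups and mail-relay traffic do not. Run it from cron against yesterday's log and mail yourself the output.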