On 11/04/2001, Hiemstra, Brenno <[EMAIL PROTECTED]> wrote to [EMAIL PROTECTED]:
> I would like to mention that hosts on the internal network must be hardened
> too.
Yes and no.
> over the last decade had revealed
> that 70% of fraud was committed by employees
Well. You can't harden internally like you would want to with respect
to in-depth security.
Bastions usually have pretty well-defined, dedicated tasks.
Internal hosts usually lack those definitions (which can be fixed, all
a question of budget) *and* most of the time they *need* some part of generally
insecure access (NFS, SMB, telnet to the router...).
For a bastion you can say "we block that, that's potentially insecure, and there
has to be no NFS from outside to inside".
But you can't say this for internal networks -- you have to get a job
done which is not very well related to security.
Worse - you have authenticated users with accounts. It's well known that
after you "gain" local account access, compromising root is not
far away on general-purpose machines.
You have to permit access, because workers should be able to work. But at
the same time you open a potential security breach in all senses.
There is no easy way to guard against a disgruntled admin who deletes the database
and its backup.
There are ways to get better internal security, but they all have significant
cost effects. For smaller companies it's too expensive, even if you do
the classical calculation of "what would happen if all your data were gone, and
how much would 'security' cost?". Well, most of the time the result is that "security"
is cheaper (technically). But from the point of view of finance, the company usually
can't afford the money (liquidity).
Now for the social aspect - and there you get the bonus between external
and internal. An external, sophisticated intruder is *anonymous*.
No, you say? You have logs? Get real. You get an IP; this IP belongs to a hacked
box, which was hacked from another hacked box, etc. (This is not true
for script kiddies or amateurs, but you can't count on that.)
These machines are usually scattered around the world. Ever tried to get
logs from a box and its ISP in China or Russia, when the next box is in Uganda
or such? You *lose months*, and some of the boxes in the original chain of
attack are dead in the meantime or have been cleaned, and the ISPs throw
away older logs. Your breach was anonymous - you can't sue anyone for the
damage.
This differs for internal users: usually you can identify the abusive
user (with a small amount of money for better logs and enforced administrative
policies). And this user is in the same country as you, and you can bring
law enforcement against him/her. This is just more daunting than purely
anonymous access to your network.
Summary: it's cheaper to block the anonymous attacker from outside in
stage 1. Making the internal net "unhackable" by insiders is technically
not really possible and monetarily not feasible.
Another thing is: do as much as you can. If there is an external attacker
already on your bastion, he shouldn't have too easy access to all boxes
behind it. Throw up obstacles, use [N]IDS to have time to pull the plug
as a last resort, use subtle honey pots to attract the intruder to
unimportant machines and make him trip alarms.
And very last: have a policy for the NOC/administrator/whatever, where
[s]he is *explicitly* allowed (signed by the CEO/whatever) to PULL THE PLUG *NOW*
if a defined situation occurs (like breaches on the honey pot or similar).
You avoid further damage, and the loss of connectivity is usually /significantly/
less important than the recovery from the incident (e.g. reinstalling *all*
internal hosts).
Sleep well.
ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?