On Fri, 8 Jun 2001, Paul D. Robertson wrote:
> On Thu, 7 Jun 2001 [EMAIL PROTECTED] wrote:
>
> > Stopping intrusions *on every host in the wild* should prevent
> > their being used as DDoS zombies. It wouldn't prevent them being
> > used as smurfs -- you have to prevent source spoofing for that.
>
> If smurfs were the biggest problem we had, we'd be in a much better place.
> ISPs can enforce leaf-node filtering requirements if they had to, so
> that's actually an easier to solve problem in the long run.
>
> Smurf amplifiers are fortunately easier to stop, and Cisco's defaulting to
> no ip directed broadcast helps significantly.
>
And of course, this points the finger back at the vendors. If OSes were
installed by default to *not* have each and every service and toy in the
world turned on, and admins were forced to make changes to turn them on,
we might see far less system compromising also. HP still does not have a
shadow password system, and won't till a future release of 11.X.X, and
putting the system into TCB/C2 mode is not the answer for everyone.
Folks have pointed at programmers' faults for buffer overflows. I know that
tools developed at some major Fortune 500 corps I've been acquainted with
had IT/IS divisions far too stressed for folks to learn about or even
spend the time to eradicate such goofs. Too much on their desktops to
handle with far too few staff, who for the most part are not getting
additional training that might help educate them on the matter. Corporate
focus on security is far too often outweighed by the *need* to get it to
work and to get it to work now. These issues were hinted at by "Young,
Beth A." <[EMAIL PROTECTED]> in this thread when she talked briefly about
interdepartmental boundaries.
Imagine that a BIG name in the telco biz has an audit done on an exposed
server, and that audit discovers:
  - default OS installed accounts left enabled, without passwords
  - since the system was installed with HPUX, there was no shadow
    passwd system and the server was NOT put into TCB mode
  - far too many 'user' accounts on the system, some of those users no
    longer with the company, and no longer known to the system
  - no root level password for a secondary UID 0 account on the server
  - rpc is enabled and reachable on the outside, though unneeded on the box
  - .rhosts on the system with 666 perms
  - files with very poorly set perms and ownerships due to the install
    images the company utilised; how do you secure directories and
    files for users no longer on the system or with the company?
  - ftp access to the system wide open
  - poor system logging
  - no IDS to speak of at all to detect issues
Of course when a search of corporate standards on these issues was
undertaken, it was discovered that NO such documentation existed to guide
folks in establishing these systems. We reached high up the chain of
mgt., only to rattle cages of folks that mentioned that such documentation
was a good idea <TM>, and had been considered for a few years, but no one
really wished to take responsibility for enforcing those policies. Of
course, this made it hard to blame the individual depts in question as
there was no corporate guidance to speak of. And those corporate folks
deemed to audit and secure systems were far too busy with sweet little
graphs and charts showing how many extremely poor passwds now met corp
standards, such as they were, though ignored the fact that 75% of the
systems, since they ran HPUX, had no shadow password system, so the
effectiveness of this might well be of concern. Of course those same
'auditors' also wished to push for the use of wu-ftpd to replace other
ftpds in use to enable capabilities that the default ftpds could
already handle, but no one understood the term thorough as it pertained
to 'audits'. Now if one of the largest telco/internet access providers,
that designs some of the advanced switches on the market, whose main
business focus was indeed network security, could not deal with these
issues inside their own environment, what might this have to say for the
rest of corporate America, as well as the rest of the globe?
It sure means that, for every company I work for from now on, any devices
made by this company are suspect: how can I trust their toys to work when
they can't play in their own home safely?
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
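As an added illustration (not part of the original post, and not anything the vendors named in it shipped), a small POSIX shell audit script for three of the findings in the list above: accounts with an empty password field, extra UID 0 accounts, and .rhosts files accessible by group or others. The passwd layout, file paths and sample accounts are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: checks for three of the audit
# findings (no-password accounts, extra UID 0 accounts, loose .rhosts).
# Takes the passwd file and home tree as arguments so it can run against
# constructed data. Assumes a traditional colon-separated passwd file.

# Accounts whose password field is empty, i.e. logins that need no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 other than root (secondary root-equivalent accounts).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# .rhosts files under the given tree whose mode grants any group/other
# access (the post's "666 perms" case). Uses ls -l so it stays portable.
loose_rhosts_files() {
    find "$1" -type f -name .rhosts 2>/dev/null | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || echo "$f"
    done
}

# Print all three findings for a passwd file and a home-directory tree.
report_findings() {
    echo "accounts with an empty password field:"; empty_password_accounts "$1"
    echo "UID 0 accounts other than root:";        extra_uid0_accounts "$1"
    echo ".rhosts files accessible by group/other:"; loose_rhosts_files "$2"
}

# Constructed sample data (a fake passwd file and home tree) so the checks
# can be exercised offline; prints the temporary directory it created.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:secondary root:/root:/bin/sh
guest::200:200:default install account:/home/guest:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
EOF
    mkdir -p "$dir/home/guest" "$dir/home/alice"
    echo "anyhost anyuser" > "$dir/home/guest/.rhosts"
    chmod 666 "$dir/home/guest/.rhosts"
    echo "trustedhost alice" > "$dir/home/alice/.rhosts"
    chmod 600 "$dir/home/alice/.rhosts"
    echo "$dir"
}
```

On a real host the same checks run as `report_findings /etc/passwd /home`; with `d=$(make_sample)` the constructed data reports guest, toor and guest's .rhosts.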