On Thu, 20 Sep 2001, Alvin Oga spewed into the ether:
> - what do you do when someone logs in as root on an xdm login screen
>       - what do you do next
Improperly built server, rebuild
 
> - what do you do when you detect a port scan...
>       - what do you do next
Maybe make a note of the ip and alert the admin of the block.
 
> - when your host IDS detects that someone added a rootkit....
>       - what do you do next
Copy the disk over for forensics, backup the data, rebuild, patch,
harden, restore data, reharden.

> - what do you do when you detect lots of telnet/ftp/web/ssh/smtp 
>   failed connection attempts to your server
>       - what do you do next
Block the ip, or lart the user.

> - when your network IDS detects that 1/2 of the websites being
>   viewed is going to "one of those websites"..
>       - what do you do next
Sorry, this is a matter of policy, I think that this should be tossed to
management.

> - when your IDS ( falsely ) says you have an intruder ...
>       - what do you do next
You mean you don't have a policy and sufficient paranoia to maintain
multiple backup IDS systems?

> - when you or your IDS notice that there is a file with all 
>   your passwds ... 
>       - what do you do next
Who owns the file? Where is it?

> - how important is the data you are trying to protect ??
>       - where else is it kept...
Life and death.

> -- you can spend lots of time on IDS...  but what is accomplished
>    chasing after false alarms ...
>       - a policy that no one logs in as root eliminates lots
>       of internal security breaches
> 
> -- lots to do... so little time .... when doing for 10-50-100 servers
>       - log all traffic to a log file on a loghost server
>       ( analyze it later ??
Or use cron and some automation to reduce the logging size?
and then filter at various levels for easier analysis?

Most of these things should be defined in the acceptable use
policy and security policy. If you don't have those, then IDS and
firewall systems are useless, because you don't know what you are
protecting.

Devdas Bhagat
--
None love the bearer of bad news.
                -- Sophocles
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
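The kind of cron-driven filtering Devdas suggests for the loghost, as an added example written for this page (not code from the thread): tally failed ssh and ftp logins per source IP from a few constructed syslog-style lines, so the admin gets a short digest of sources worth looking at instead of the raw log. The log format, hostnames and addresses are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Writes a small constructed sample log (sshd/vsftpd-style lines) and
# prints the path, so the functions below can be tried offline.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Sep 20 10:01:02 gw sshd[4011]: Failed password for root from 10.0.0.5 port 51022 ssh2
Sep 20 10:01:04 gw sshd[4012]: Failed password for root from 10.0.0.5 port 51023 ssh2
Sep 20 10:01:07 gw sshd[4013]: Failed password for invalid user admin from 10.0.0.5 port 51024 ssh2
Sep 20 10:02:11 gw sshd[4020]: Accepted publickey for devdas from 192.168.1.20 port 40001 ssh2
Sep 20 10:03:30 gw vsftpd[4100]: FAIL LOGIN: Client "172.16.4.9"
Sep 20 10:05:45 gw sshd[4031]: Failed password for guest from 172.16.4.9 port 33000 ssh2
EOF
    printf '%s\n' "$f"
}

# Print "count ip" for every source whose failed logins reach the
# threshold (default 3), highest count first. Successful logins and
# unrelated lines are ignored, which is the "filter at various levels"
# step: the cron job mails only this digest, not the whole log.
summarize_failed_logins() {
    logfile=$1
    threshold=${2:-3}
    awk -v thr="$threshold" '
        /sshd.*Failed password/ { ip=$0; sub(/.* from /, "", ip); sub(/ .*/, "", ip); c[ip]++ }
        /vsftpd.*FAIL LOGIN/    { ip=$0; sub(/.*Client "/, "", ip); sub(/".*/, "", ip); c[ip]++ }
        END { for (ip in c) if (c[ip] >= thr) print c[ip], ip }
    ' "$logfile" | sort -rn
}

# Number of distinct sources over the threshold; handy as the value a
# cron wrapper checks before deciding whether to alert the admin at all.
count_suspect_sources() {
    summarize_failed_logins "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: digest with threshold 2, then clean up the sample.
sample=$(make_sample_log)
summarize_failed_logins "$sample" 2
rm -f "$sample"
```

In practice the sample file would be the day's rotated loghost file and the output would go to the admin's mailbox or the block list review queue.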