Kevin Sez:
--
You really don't have to worry about it, packets only flow in one direction so you 
don't the exploit issue.
--
I assume you mean "don't [have] the exploit issue". 

This is not quite true in two senses.  The first concern is your management 
interface. Unless you are using a dedicated management LAN with tight ACLs, your 
management interface is still a valid entry point to the device. You are then still at 
the mercy of worms, vulnerabilities, and malicious insiders through all the normal 
Windows attack means. 

The second concern is that pesky stealth interface, but the defense is less affected 
by hardening than by other compensating controls. Let's think way back to three weeks 
ago when Witty came out... Since that spread via a buffer overflow in the parsing 
engine, it was able to compromise sensors through that one-way interface. You then had 
the management interface spewing out the worm. In the case of an externally-monitoring 
IDS sensor (say, for example, watching your external firewall interface) the worm has 
now quite possibly gone from outside of your perimeter straight through to your soft 
insides. 

Unless you want to bet the farm that ISS will always know and patch exploits in their 
products before any Bad People do, just counting on patching to save you is silly. 
Since one never knows what the next similar attack could do, you can't count on 
host-based defenses very much. Cisco Security Agent (formerly Okena) would probably 
stop the compromise from occurring, though. You'd also want to make sure your management 
interfaces are restricted so they are not an "open" gateway to your network. 

As a side note:
Thankfully ISS likes RealSecure 7 and patches it quickly, and the patch method is darn 
near idiot-proof; anyone who was silly enough to still use the supported* Sentry IDS 
product had roughly 18 hours to completely patch their systems before the worm was 
released. Patching involved re-installing the product on every sensor... 

*Supported means you pay ISS to use it, but they don't add signatures, and critical 
problems are only fixed at the very last minute, long after all other products, even 
though it's the same core PAM-driven engine.

-Tom

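Tom's point about restricting the management interfaces can be made concrete. The 
following is an added example, not something from this thread or from ISS: a pair of 
Cisco IOS-style extended ACLs on the router interface that fronts a dedicated 
management VLAN for the sensors. Every address, interface name and the sensor 
management port (TCP 2998) are assumptions chosen for illustration; verify the port 
against your own console and sensor version before using anything like this.

```ios
! Added example (not from the thread or from ISS). Assumed layout:
!   10.10.0.0/24  management VLAN holding the sensors' management interfaces
!   10.20.0.10    the RealSecure console host (on a separate admin network)
!   10.20.0.5     internal NTP server
!   TCP 2998      sensor management daemon port (ASSUMPTION - check your docs)
!
! Traffic entering the router FROM the management VLAN, i.e. sent by the
! sensors themselves. A sensor compromised through its stealth interface can
! only answer the console and talk to NTP; everything else is dropped and
! logged, so a Witty-style worm cannot "spew" out of the management side
! into the inside network.
ip access-list extended MGMT-FROM-SENSORS
 remark replies within the console's management session (assumed TCP 2998)
 permit tcp 10.10.0.0 0.0.0.255 eq 2998 host 10.20.0.10 established
 remark time sync to the internal NTP server only
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.5 eq 123
 remark anything else sourced from a sensor is suspicious: drop and log it
 deny   ip any any log
!
! Traffic leaving the router INTO the management VLAN, i.e. sent to the
! sensors. Only the console host may open the management port. This is
! also what keeps the ordinary Windows attack paths (SMB, RPC and friends)
! away from the sensors' management stack.
ip access-list extended MGMT-TO-SENSORS
 remark console host opens the management session to the sensors
 permit tcp host 10.20.0.10 10.10.0.0 0.0.0.255 eq 2998
 remark NTP answers back to the sensors
 permit udp host 10.20.0.5 eq 123 10.10.0.0 0.0.0.255
 remark nothing else may reach a sensor's management interface
 deny   ip any any log
!
interface Vlan10
 description Management VLAN for IDS sensors (assumed)
 ip address 10.10.0.1 255.255.255.0
 ip access-group MGMT-FROM-SENSORS in
 ip access-group MGMT-TO-SENSORS out
```

Two things to keep in mind. The stealth (sniffing) interface carries no IP address, so 
no ACL anywhere covers it; that is exactly why the management side has to be this 
tight, since it is the only path a compromised sensor has back into the network. And if 
your deployment has the sensor initiate connections to the console rather than the 
other way round, add one narrow permit for that specific host and port instead of 
loosening the deny. A host-level filter on the sensor itself (Windows 2000 IPSec 
policies, or the Cisco Security Agent Tom mentions) is worthwhile defense in depth, but 
it lives on the very box that has just been compromised, so the network-side rule is 
the one to rely on.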

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noble, Kevin
Sent: Friday, April 02, 2004 2:12 PM
To: Pierquin Rudi; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Harden Windows 2000 for network sensor 7.0


You really don't have to worry about it, packets only flow in one direction so you 
don't the exploit issue.  Denial of Service is the only problem; make sure the sensor 
and any service promiscuous-mode software analysis tools you use are updated to the 
current version and you should be OK.

-K

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pierquin Rudi
Sent: Wednesday, March 31, 2004 1:06 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Harden Windows 2000 for network sensor 7.0


Hi all,
 
I am wondering if there is somewhere any documentation about how to harden W2K (without 
making it unusable...) for network sensor 7.0. I plan to have the sniffing interface 
in stealth mode, but I am still suspicious about Windows security. 
Does anybody know where to find the right tips to protect this box?
 
Many thanks,
 
Rudi
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 
Barfield Road, Atlanta, Georgia, USA 30328.