From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]
Sent: Sat 6/29/2002 11:37 PM
>Absolutely disagree. Rebooting is a waste of time. If there is a way in,
>rebooting does nothing to prevent repetition. If there is not, rebooting
>serves no purpose. If you are faced with a break-in in-progress, you need
>to disable external network access until the problem is rectified... not
>reboot.
I do agree that it is not the most practical option, but you have to remember
that I'm just talking in a realm of ideals. IMO an ideal would be a system that had a
boot time of a few seconds (flash of some sort), was physically write protected, sent
all logging to another location and could recycle as often as seemed prudent, even
every hour. Before each reboot it could even send a backup image file of the system
purely for investigatory usage to the logging server. This might even be done using
some sort of memory mirror that was invisible to the system, a PCI card.
This satisfies all that we are talking about. The key is a blend of realtime
response and uptime. If you are an entity with a 24/7 NOC it is all a different story,
but for smaller businesses that have continuing activities but close their offices,
this is a better extreme blend. I'm by no means saying this is the only way to do it,
or the most practical, or practical at all! Just a what-if extreme of ideals.
>> Nothing is lost other
>> than evidence, but it is more important to stop the crime rather than
>> catch someone after the damage is done and with the logs safe you
>> should have the most important information available.
>Mostly true. I don't know that what was logged will provide enough clues
>as to the method of entry to close the hole, so I want the memory intact
>if possible just in case.
Covered by the image backup above.
All of this has me wishing to delve deeper into the actual system architecture
of the Cisco PIX (the largest FW product I personally have experience with). I'm
wondering how all these issues are dealt with in that level of product. Of course,
that said, I now would prefer to have a LEAF box unless the scale was an issue.
I must also add to this discussion that I am no hard core security expert, and
while I feel comfortable working with musings and ideals, my first hand experience is
more limited (PIX, Watchguard, smaller software FWs and now LEAF).
Richard Amerman
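The hand-off that the "image before each reboot" idea depends on, as an added example that is not code from this thread, the LEAF project, or either poster: the firewall must not reboot until the logging server has confirmed it holds an intact copy of the evidence, otherwise the reboot destroys the only copy. Everything here is an assumption made for illustration: the collector and its tiny length-prefixed framing protocol are hypothetical, the shared HMAC key stands in for whatever trust the two boxes would really have, and the "image" is constructed sample data rather than a real memory mirror or flash dump.

```python
"""Pre-reboot evidence hand-off: snapshot -> remote collector -> ack -> reboot.

Added example, not code from the mailing-list thread or the LEAF project.
Assumes a hypothetical collector speaking a length-prefixed JSON/bytes
protocol over TCP and a pre-shared HMAC key; the image is constructed data.
"""
import hashlib
import hmac
import json
import socket
import struct
import threading

SHARED_KEY = b"provisioned-out-of-band"  # assumption: pre-shared with collector

# Constructed stand-in for the flash image / memory mirror described in the post.
SAMPLE_IMAGE = b"proc:sshd pid 412\nnet:0.0.0.0:22 LISTEN\n" * 64


def build_manifest(image: bytes, host: str, seq: int) -> dict:
    """Describe the image so the collector can verify it is intact and genuine."""
    body = {"host": host, "seq": seq, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
    return body


def verify_manifest(manifest: dict, image: bytes) -> bool:
    """Collector side: check the MAC first, then that the bytes match the digest."""
    m = dict(manifest)
    mac = m.pop("mac", "")
    canonical = json.dumps(m, sort_keys=True).encode()
    expected = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return hmac.compare_digest(m["sha256"], hashlib.sha256(image).hexdigest())


def _send_frame(sock, data: bytes):
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def _recv_frame(sock) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


class Collector:
    """Minimal logging-server side: accept one image, verify it, ack or nak."""

    def __init__(self):
        self.store = {}
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # loopback only for this demo
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            manifest = json.loads(_recv_frame(conn))
            image = _recv_frame(conn)
            if verify_manifest(manifest, image):
                self.store[(manifest["host"], manifest["seq"])] = image
                _send_frame(conn, b"ACK")
            else:
                _send_frame(conn, b"NAK")
        self.sock.close()


def ship_before_reboot(port, image, host="fw1", seq=1, tamper=False) -> bool:
    """Firewall side. Returns True only when the collector acknowledged a
    verified copy; the caller must not reboot otherwise."""
    manifest = build_manifest(image, host, seq)
    if tamper:  # simulate corruption of the image in transit
        image = image[:-1] + b"X"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        _send_frame(s, json.dumps(manifest).encode())
        _send_frame(s, image)
        return _recv_frame(s) == b"ACK"


if __name__ == "__main__":
    c = Collector()
    print("safe to reboot" if ship_before_reboot(c.port, SAMPLE_IMAGE)
          else "hold: evidence not confirmed off-box")
```

The point of the design is the ordering: the manifest is built and authenticated before the image leaves the box, the collector refuses anything whose MAC or digest does not check out, and the reboot is gated on a positive acknowledgement rather than on "the send call returned". Only the snapshot content is a stand-in; the check itself is what a real pre-reboot hook would need.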