On Mon, 7 May 2001, DAve Goodrich wrote:
> on 5/7/01 12:32 PM, R. DuFresne at [EMAIL PROTECTED] wrote:
>
> >
> > Then why pray tell is OS fingerprinting so important to a cracker? Why
> > are the major vendors beefing up issues such as tcp sequence number
> > prediction and obscuring their OS's from easy OS type determination? Even
> > the DNS/Bind folks have added the ability to their daemon to hide its
> > version and such from outside connects.
> >
>
> It has been my experience, right or wrong, that OS fingerprinting is more to
> identify a certain OS (which will remain nameless) than anything else.
<chuckle> you refer here to M$ boxen or redhat systems? It's certainly
been my experience here that both are sought by system crackers of all types
you identify below.
>
> Having spent that last year on two *heavily* scanned networks, oz.net and
> lightrealm.net, most of what I have seen is easily stopped with a good
> firewall, log reviews, and an alert sysadmin. How do you define "cracker"?
> Is it some kid who wants to springboard off your machine, a simple resource
> thief? Or do you actually have data the cracker wants, credit card numbers?
>
All good requirements, yet by no means all there is to security.
Obscuring, if it only reduces the number of false alarms due to folks not
seeing something easy to poke at and getting enough info necessary to prod
more aggressively, then one has reduced the amount of time one has to
spend parsing logs if nothing else, and time is of course money, yes?
Granted the script kiddies are the least of our worries; if we send them
off to less closed systems, then we have saved ourselves the time and
effort of filtering them from our attack signatures and can devote that
prized possession of time to something else hanging on our collective task
plate.
> The first might be slowed down by concealing your OS. The second will see it
> as a challenge, or minor inconvenience, but I do not think it will stop him.
> Your best defense is being security aware, and minding your boxes.
>
Again, I did not and do not advocate simple obscurity, yet I have yet to
see a valid reason mentioned for not employing obscurity in the security
equation. Diligence being the key, as long as one is diligent and thorough
in their undertaking of security, each level of obscurity only
serves to make their systems that much more of a pain for someone to prod
upon. The firewall itself works in some cases in this respect, blocking
attempts at services and ports that might help identify the system it runs
on, its FW type, as well as the machines behind it that it protects.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]