RE: IPTables Based Firewall Testing

["Shawn Jackson" <sjackson () horizonusa com>]

        Well I'm no chess man; I'm more of a Command and Conquer type
guy myself. As far as I know there are no rules when it comes to
security, we can only use our best judgment, experience and the best
practices laid forth by our profession. Of course there are laws *for*
security, (HIPPA, GLBA, etc), but they don't tell us *how* to do it.
        
        "We have a "line of defense" that doesn't stop at the door."
Well so do any security professional worth their salt. You don't just
drop in a firewall and say your secure. You install Anti-Virus, you
manage you patches and updates, and you fortify your network with IDS
sensors. You install syslog redirection and log monitoring. Run scans of
your network for security problems, check to see if people are sniffing
your network. You have layers of security, you know like an Onion, or
Cake, ohhhh everyone like Parfaits. 

        "...ill-defended systems which might appear to be easy targets."
These are more commonly known as Honey Pots. I set them up inside high
security networks and have some servers talk to them every once and a
while. Honey Pots are highly monitored for any changes and activity and
are only mildly protected. These servers contain some bogus but
appealing information to attract the attacker to the system and away
from your critical servers.

        "... high percentage of real hacks and security violations
happen ( or
appear to happen ? ) from within an organization..." This is, from my
experience true but depends on what your company/org does. Having worked
for local banks and being outsourced to local government agencies and
high-tech firms the number of critical security breaches that occurred
from within far outweighed any virii or script kiddies. 

        "You'd be amazed at the results of such an unorthodox approach
to infosec!" I wouldn't call it an unorthodox approach, just your
approach. I've been to my share of infosec gatherings and every one of
us has the methodology and practices that work best for us. In example
the talented Mr. Steve Bremer, (ego = ego + compliment), believes in a
multi-layered firewalling approach, while I like a beastie firewall with
maybe failover. I rarely use proxies but if/when I do I'd separate them
from the firewall scheme.

        Now a days it's not as "Us against Them" as it was. I seam to be
dealing more with SPAM, Virii/Worms and script kiddies then anything
else. But my company is by no means a juicy target, unless they want
access to the multi-billion dollar mother company. 

        " P.S. and it's AMAZING how budget friendly our system(s)
is(are)." Remember that budgets are not a constant in our world. What
could be budget friendly to you could break the bank of some of our
other members. 
        

        Go now and let the InfoSec gods be with you.
        
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: larsmith [mailto:larsmith () tds net] 
Sent: Thursday, December 18, 2003 3:57 PM
To: security-basics () securityfocus com
Subject: RE: IPTables Based Firewall Testing

There's a lesson to be learned from the following.

When I was in High School, I played chess.  Unfortunately, I had the
misfortune of having a "low attention span", so I wasn't a good
"student" when it came to learning moves and figuring out what others
might be doing in some "organized fashion".

When others learned moves and learned to recognize "classic" moves so
they could defend themselves, I couldn't.

I kept winning, though.  I won because I didn't "play by the rules", so
to speak.  Because I didn't learn all the classic moves and defenses, I
didn't use them.  I made things up as I went.  I made the best of what I
had and, interestingly enough, I won more games than the "Experts"
figured I should be able to win.

Today, I find out what others are doing, watch as InfoSec people place
so many eggs in one basket ... watch as they lean so heavily on "their
moves" ( so to speak ), just like people used to do in Chess ... and I
scratch my head.

I, also, am a believer in the KISS principle.

All the way through networks I've implemented and been responsible to
support / protect / defend, I've placed ... well, trip wires.  Not as in
"TripWire" the product but different little things along the way which
"go off" and alert me as to what's going on and what needs to be dealt
with.

Along the way, there are apparently either undefended or perhaps
ill-defended systems which might appear to be easy targets.  They go a
long way to build a false sense of "ease of the kill" for any who might
be snooping around in our network.

Having studied hacker methodology and knowing that to "become good" at
hacking, a person needs to practice certain disciplines and needs to
"get into the groove", as it were, I use that against them.  Because
most hackers have their "pet ways" of moving in on a target and yet at
the same time, use so many "classic moves", I use that against them.

We have a "line of defense" that doesn't stop at the door.  Knowing that
such a high percentage of real hacks and security violations happen ( or
appear to happen ? ) from within an organization, I've planted little
"alarms" all along the way, randomly placed through out our
organization, that are designed to alert us to what's taking place at
the hands of prospective hackers or rogue processes.

You'd be amazed at the results of such an unorthodox approach to infosec
!!

The moral of the story in this case is that "following the rules" is
sometimes a weakness.  Being predictable can similarly be a weakness. 
Doing "what everybody is doing" is a weakness.  Using what everybody is
using is a weakness.

I never assume that I've got the job done.  I seldom leave the same
"trip wires" in place for very long.  I move them around.  I have an
almost arbitrary approach to these helpful mechanisms so that my
"methodology" can't be predicted.

All I know is that it works.  I learned a lot from Chess.

Allan

P.S. and it's AMAZING how budget friendly our system(s) is(are).


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------