Security Basics mailing list archives
RE: IPTables Based Firewall Testing
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 19 Dec 2003 10:21:17 -0800
Well, I'm no chess man; I'm more of a Command and Conquer type guy myself. As far as I know there are no rules when it comes to security; we can only use our best judgment, experience and the best practices laid forth by our profession. Of course there are laws *for* security (HIPAA, GLBA, etc.), but they don't tell us *how* to do it.

"We have a "line of defense" that doesn't stop at the door."

Well, so does any security professional worth their salt. You don't just drop in a firewall and say you're secure. You install Anti-Virus, you manage your patches and updates, and you fortify your network with IDS sensors. You install syslog redirection and log monitoring. Run scans of your network for security problems, check to see if people are sniffing your network. You have layers of security, you know, like an Onion, or Cake, ohhhh everyone likes Parfaits.

"...ill-defended systems which might appear to be easy targets."

These are more commonly known as Honey Pots. I set them up inside high security networks and have some servers talk to them every once in a while. Honey Pots are highly monitored for any changes and activity and are only mildly protected. These servers contain some bogus but appealing information to attract the attacker to the system and away from your critical servers.

"... high percentage of real hacks and security violations happen ( or appear to happen ? ) from within an organization..."

This is, from my experience, true but depends on what your company/org does. Having worked for local banks and been outsourced to local government agencies and high-tech firms, the number of critical security breaches that occurred from within far outweighed any virii or script kiddies.

"You'd be amazed at the results of such an unorthodox approach to infosec!"

I wouldn't call it an unorthodox approach, just your approach. I've been to my share of infosec gatherings and every one of us has the methodology and practices that work best for us. For example, the talented Mr. Steve Bremer (ego = ego + compliment) believes in a multi-layered firewalling approach, while I like a beastie firewall with maybe failover. I rarely use proxies, but if/when I do I'd separate them from the firewall scheme. Nowadays it's not as "Us against Them" as it was. I seem to be dealing more with SPAM, Virii/Worms and script kiddies than anything else. But my company is by no means a juicy target, unless they want access to the multi-billion dollar mother company.

"P.S. and it's AMAZING how budget friendly our system(s) is(are)."

Remember that budgets are not a constant in our world. What could be budget friendly to you could break the bank of some of our other members.

Go now and let the InfoSec gods be with you.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: larsmith [mailto:larsmith () tds net]
Sent: Thursday, December 18, 2003 3:57 PM
To: security-basics () securityfocus com
Subject: RE: IPTables Based Firewall Testing

There's a lesson to be learned from the following.

When I was in High School, I played chess. Unfortunately, I had the misfortune of having a "low attention span", so I wasn't a good "student" when it came to learning moves and figuring out what others might be doing in some "organized fashion". When others learned moves and learned to recognize "classic" moves so they could defend themselves, I couldn't. I kept winning, though. I won because I didn't "play by the rules", so to speak. Because I didn't learn all the classic moves and defenses, I didn't use them. I made things up as I went. I made the best of what I had and, interestingly enough, I won more games than the "Experts" figured I should be able to win.

Today, I find out what others are doing, watch as InfoSec people place so many eggs in one basket ... watch as they lean so heavily on "their moves" ( so to speak ), just like people used to do in Chess ... and I scratch my head.

I, also, am a believer in the KISS principle. All the way through networks I've implemented and been responsible to support / protect / defend, I've placed ... well, trip wires. Not as in "TripWire" the product but different little things along the way which "go off" and alert me as to what's going on and what needs to be dealt with. Along the way, there are apparently either undefended or perhaps ill-defended systems which might appear to be easy targets. They go a long way to build a false sense of "ease of the kill" for any who might be snooping around in our network.

Having studied hacker methodology and knowing that to "become good" at hacking, a person needs to practice certain disciplines and needs to "get into the groove", as it were, I use that against them. Because most hackers have their "pet ways" of moving in on a target and yet at the same time, use so many "classic moves", I use that against them. We have a "line of defense" that doesn't stop at the door. Knowing that such a high percentage of real hacks and security violations happen ( or appear to happen ? ) from within an organization, I've planted little "alarms" all along the way, randomly placed throughout our organization, that are designed to alert us to what's taking place at the hands of prospective hackers or rogue processes. You'd be amazed at the results of such an unorthodox approach to infosec !!

The moral of the story in this case is that "following the rules" is sometimes a weakness. Being predictable can similarly be a weakness. Doing "what everybody is doing" is a weakness. Using what everybody is using is a weakness. I never assume that I've got the job done. I seldom leave the same "trip wires" in place for very long. I move them around. I have an almost arbitrary approach to these helpful mechanisms so that my "methodology" can't be predicted.

All I know is that it works. I learned a lot from Chess.

Allan

P.S. and it's AMAZING how budget friendly our system(s) is(are).
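A minimal decoy-file trip wire in the spirit of the honeypot and "little alarms" ideas in the two posts above, written as an added example for this archive page (it is not code from either poster). It assumes the bait files sit in one directory on the decoy host and that the baseline digests are kept somewhere that host cannot modify; the bait file names and contents are constructed for the demo.

```python
"""Decoy-file trip wire: baseline a honeypot's bait files, then flag changes.

Added example (not from the thread). Assumes the bait files live in one
directory and that the baseline is stored off the decoy host.
"""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents; size or mtime alone would miss same-size edits."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(decoy_dir: Path) -> dict[str, str]:
    """Record a digest for every bait file so later checks have a reference."""
    return {p.name: fingerprint(p) for p in decoy_dir.iterdir() if p.is_file()}


def check(decoy_dir: Path, base: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the directory against the baseline. Any difference is an alert,
    because nothing legitimate should ever touch a decoy."""
    current = baseline(decoy_dir)
    alerts = []
    for name, digest in base.items():
        if name not in current:
            alerts.append(("deleted", name))
        elif current[name] != digest:
            alerts.append(("modified", name))
    alerts += [("added", name) for name in current if name not in base]
    return sorted(alerts)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: plant two bait files, then simulate an intruder
    editing one and dropping a new file; returns the resulting alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        decoy = Path(tmp)
        (decoy / "payroll_2003.xls").write_bytes(b"constructed bogus payroll data\n")
        (decoy / "router_passwords.txt").write_bytes(b"constructed bogus credentials\n")
        base = baseline(decoy)
        if check(decoy, base):               # must stay quiet while untouched
            raise RuntimeError("baseline check should be empty")
        # Simulated tampering on the decoy host (constructed for the demo).
        (decoy / "router_passwords.txt").write_bytes(b"edited\n")
        (decoy / "dropped.sh").write_bytes(b"#!/bin/sh\n")
        return check(decoy, base)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT decoy {kind}: {name}")
```

Run it periodically from a host other than the decoy and forward the alerts to the same syslog/log-monitoring chain the first post describes, so a quiet decoy and a loud one are both visible in one place.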
Current thread:
- IPTables Based Firewall Testing Gareth Darby (Dec 16)
- <Possible follow-ups>
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 16)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 18)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- Re: IPTables Based Firewall Testing Christos Gioran (Dec 18)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 18)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- RE: IPTables Based Firewall Testing larsmith (Dec 19)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 19)
- Re: IPTables Based Firewall Testing - apps Alvin Oga (Dec 19)
- Re: IPTables Based Firewall Testing - apps - url Alvin Oga (Dec 19)
- Re: IPTables Based Firewall Testing - apps Alvin Oga (Dec 19)