Firewall Wizards mailing list archives

re: Security Audit and Priorities


From: Mike Hoskins <mike () adept org>
Date: Mon, 14 Jul 2003 10:26:58 -0700 (PDT)

From: pammann () execomm net (Paul Ammann)
Subject: [fw-wiz] Security Audit and Priorities

I will be starting a new job in the next few weeks. I went to Netcraft
and typed in the company's URL and was amazed by what I saw: the version
of Linux, the version of Apache, the version of OpenSSL... literally
everything about their web servers.

1. What is the best way to block Netcraft from obtaining all this
information.

as usual, the best way to address these types of issues is understanding
what you're working with.  in this case, Apache is the culprit...  and one
apropos answer would be 'ServerTokens' (see Apache docs, and set it to a
comfortable level).

http://httpd.apache.org/docs-2.1/en/mod/core.html#servertokens

Are there Open Source solutions that would be better than commercial
solutions?

define 'better'.  there are pros and cons to every solution, opensource is
no different from commercial offerings in that regard.  'better' can only
be adequately defined after forming top-down consensus about your
organization's security stance and writing the associated policy.
(remember -- the latest biz-backed 'buzz' is 'aligning it/ops with
business goals'...  iow, you have to understand the 'business drivers'
before you can really make 'good' decisions.  yeah, i hate buzzspeak
too.)

2. The company has acknowledged they are lacking in security. What is
the best method for doing a security audit?

risk analysis and policy development.  start with those.

since that can take awhile, poking around the network with any of the
freely available sniffers (that may take some small amount of network
configuration internally, i.e. in switched/routed environments) and
scanners (be sure to scan from external sources too) should allow you to
identify the most obvious offenders.

wrt ids -- my suggestion is to harden your systems and networks using
widely available 'defense in depth' methods.  hammer out the basics
(including the policy) so you have a good foundation.  then it is much
easier to deploy something like ids/ips/etc.  otherwise you may just add
an overly complex, 'false-positive generator' to your already confusing
architecture...  also remember that ids/ips, like anything else, can
simply offer alternate attack vectors if not properly configured/managed.

-mrh
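As an added illustration (not part of the original post), here are the httpd.conf directives that control the header Netcraft reads, with the directive names and values taken from the Apache core docs linked above; the example version string is constructed and the comments are mine:

```apache
# Before: the distribution default on many systems. Everything the
# question complains about is in this one header, e.g.
#   Server: Apache/2.0.46 (Unix) mod_ssl/2.0.46 OpenSSL/0.9.7b PHP/4.3.2
# (constructed example value)
ServerTokens Full
ServerSignature On

# After: send only the product name and drop the version trailer that
# Apache appends to its own error pages and directory listings.
# Available levels, most to least verbose:
#   Full  -> Apache/2.0.46 (Unix) mod_ssl/... OpenSSL/... PHP/...
#   OS    -> Apache/2.0.46 (Unix)
#   Min   -> Apache/2.0.46
#   Minor -> Apache/2.0
#   Major -> Apache/2
#   Prod  -> Apache
# Note: third-party modules that add their own tokens (mod_ssl,
# mod_php, ...) are also silenced by any level below Full.
ServerTokens Prod
ServerSignature Off
```

After a graceful restart, `curl -sI http://<your-host>/` against your own server should show only `Server: Apache`; the version information is still present on the box, so this hides the banner rather than replacing the patching the rest of the reply calls for.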

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards