Firewall Wizards mailing list archives
re: Security Audit and Priorities
From: Mike Hoskins <mike () adept org>
Date: Mon, 14 Jul 2003 10:26:58 -0700 (PDT)
From: pammann () execomm net (Paul Ammann) Subject: [fw-wiz] Security Audit and Priorities
I will be starting a new job in the next few weeks. I went to Netcraft and typed in the company's URL and was amazed by what I saw: the version of Linux, the version of Apache, the version of OpenSSL... literally everything about their web servers.
1. What is the best way to block Netcraft from obtaining all this information.
as usual, the best way to address these types of issues is understanding what you're working with. in this case, Apache is the culprit... and one apropos answer would be 'ServerTokens' (see Apache docs, and set it to a comfortable level). http://httpd.apache.org/docs-2.1/en/mod/core.html#servertokens
Are there Open Source solutions that would be better than commercial solutions?
define 'better'. there are pros and cons to every solution, opensource is no different from commercial offerings in that regard. 'better' can only be adequately defined after forming top-down consensus about your organization's security stance and writing the associated policy. (remember -- the latest biz-backed 'buzz' is 'aligning it/ops with business goals'... iow, you have to understand the 'business drivers' before you can really make 'good' decisions. yeah, i hate buzzspeak too.)
2. The company has acknowledged they are lacking in security. What is the best method for doing a security audit?
risk analysis and policy development. start with those. since that can take awhile, poking around the network with any of the freely available sniffers (that may take some small amount of network configuration internally, i.e. in switched/routed environments) and scanners (be sure to scan from external sources too) should allow you to identify the most obvious offenders.

wrt ids -- my suggestion is to harden your systems and networks using widely available 'defense in depth' methods. hammer out the basics (including the policy) so you have a good foundation. then it is much easier to deploy something like ids/ips/etc. otherwise you may just add an overly complex, 'false-positive generator' to your already confusing architecture... also remember that ids/ips, like anything else, can simply offer alternate attack vectors if not properly configured/managed.

-mrh
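
A defender-side check for the `ServerTokens` point in the reply above, as an added example that is not part of the original post: it parses a `Server` response header and infers which `ServerTokens` level produced it and what that level discloses. The function names are hypothetical and the header values are constructed samples.

```python
import re

# "Apache", optionally followed by /major[.minor[.patch]]; the lookahead
# rejects other products such as "Apache-Coyote/1.1".
_PRODUCT = re.compile(r"^Apache(?:/(\d+(?:\.\d+){0,2}))?(?=\s|$)")
_PLATFORM = re.compile(r"^\(([^)]*)\)")


def classify_server_header(value):
    """Return (inferred ServerTokens level, list of disclosed details)."""
    value = value.strip()
    m = _PRODUCT.match(value)
    if not m:
        return ("not-apache", [])
    disclosed = []
    level = "Prod"                      # bare "Apache" discloses nothing more
    version = m.group(1)
    if version is not None:
        disclosed.append("httpd version " + version)
        level = ("Major", "Minor", "Min")[version.count(".")]
    rest = value[m.end():].strip()
    p = _PLATFORM.match(rest)
    if p:                               # "(Unix)" style platform comment
        disclosed.append("platform " + p.group(1))
        level = "OS"
        rest = rest[p.end():].strip()
    modules = rest.split()
    if modules:                         # mod_ssl/x OpenSSL/y and similar
        disclosed.extend("module " + tok for tok in modules)
        level = "Full"
    return (level, disclosed)


def hosts_to_fix(headers_by_host, allowed=("Prod",)):
    """Hosts whose Server header reveals more than the allowed levels."""
    return sorted(h for h, v in headers_by_host.items()
                  if classify_server_header(v)[0] not in allowed + ("not-apache",))


# Constructed sample data, not taken from any real host.
SAMPLE = {
    "www-a.example": "Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7b",
    "www-b.example": "Apache/2.0.46 (Unix)",
    "www-c.example": "Apache",
}

if __name__ == "__main__":
    for host in hosts_to_fix(SAMPLE):
        print(host, classify_server_header(SAMPLE[host]))
```
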