funsec mailing list archives
[Fwd: Re: so, is I[dp]S a STUPID technology?]
From: Dude <dudevanwinkle () gmail com>
Date: Thu, 13 Oct 2005 22:11:04 -0600
> Just a quick comment... There's a reason that "scanner" is so fast. Unfortunately it's not some new groundbreaking scanning technique (it uses multiple processes with non-blocking socket operations). It's because it checks for 3 simple things (looking at TCP ports 139/445), which is probably about 0.001% of the things that a VA scanner would be doing. Scanning for the SANS top 20 will require writing a completely new tool. And if you want to cover the top 20 completely, your tool will need to be able to log in to different services as well. By the time you are done writing this comprehensive SANS top 20 scanner, it won't be able to do a class B net in 10 minutes (and especially not 4 class B nets under 15 minutes). It'll take much longer. If you try to add an open port scanner (even using the fastest algorithm available), it'll add much more time (130k ports for each machine * 10000 machines).
With that info in hand, I think I would have to change my position on the need for a SANS top 20 list scanner then. Maybe have your scanners look for worm-worthy vulns only. If someone has already compromised the machine (which is what would be required for redirecting a vulnerable service to another port), scans should not be your plan of attack. This will reduce your ports to the ones MS decides to bind services to (123, 135-139, 445, etc.).

Actually, I was involved in a really interesting project called CPR at Gatech. Basically it started out as a way to take old 200MHz Dells and turn them into something useful. A .kix installer loaded RHEL with Nagios, Smokeping and Apache. It was first used for network health monitoring and reporting, but Nagios is good for lots of stuff. Plus, if you have one 200MHz box per subnet, you can always offload scanning to those guys and just have a central DB. (Bet Condor would help if you could find a way to add that to your image.)

http://www.nagios.org/
http://www.cs.wisc.edu/condor/
http://freshmeat.net/projects/smokeping/
http://www.oit.gatech.edu/comm_files/nl05f_e.html

-JP

"Then use data cleaning techniques (mail filters, snort inline, (local/SMTP/HTTP) AV, local FWs, Anti[Spy/Mal/Ad]ware, proxies), the idea of Least Privilege, 7 and 1/2 Factor Authentication {which should be kept separate from Authorization} with apps/OS being checked by your patch management from the client side to keep out the non-pre-auth attacks, VPN, Network Separation and Segmentation all over IPsec, and you should be OK" -JP (when charging per hour)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.