funsec mailing list archives

[Fwd: Re: so, is I[dp]S a STUPID technology?]


From: Dude <dudevanwinkle () gmail com>
Date: Thu, 13 Oct 2005 22:11:04 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Just a quick comment... There's a reason that "scanner" is so fast.
Unfortunately it's not some new ground-breaking scanning technique
(it uses multiple processes with non-blocking socket operations).
It's because it checks for 3 simple things (looking at TCP ports 139/445),
which is probably about 0.001% of the things that a VA scanner would
be doing. Scanning for the SANS Top 20 will require writing a completely
new tool. And if you want to cover the Top 20 completely, your tool
will need to be able to log in to different services as well. By the time
you are done writing this comprehensive SANS Top 20 scanner, it won't
be able to do a class B net in 10 minutes (and especially not 4 class B nets
in under 15 minutes). It'll take much longer. If you try to add
an open-port scanner (even using the fastest algorithm available),
it'll add much more time (130k ports for each machine * 10000 machines).

With that info in hand, I think I would have to change my position on
the need for a SANS Top 20 list scanner, then. Maybe have your scanners
look for worm-worthy vulns only. If someone has already compromised the
machine (which is what would be required for redirecting a vulnerable
service to another port), scans should not be your plan of attack. This
will reduce your ports to the ones MS decides to bind services to (123,
135-139, 445, etc.).

Actually, I was involved in a really interesting project called CPR at
Gatech. Basically it started out as a way to take old 200 MHz Dells and
turn them into something useful. A .kix installer loaded RHEL with
Nagios, Smokeping and Apache. It was first used for network health
monitoring and reporting, but Nagios is good for lots of stuff. Plus, if
you have one 200 MHz box per subnet, you can always offload scanning to
those guys and just have a central DB. (I bet Condor would help if you
could find a way to add that to your image.)


http://www.nagios.org/
http://www.cs.wisc.edu/condor/
http://freshmeat.net/projects/smokeping/
http://www.oit.gatech.edu/comm_files/nl05f_e.html


- - -JP
"Then use data cleaning techniques (mail filters, snort inline,
(local/SMTP/HTTP) AV, local FWs, anti[spy/mal/ad]ware, proxies), the idea
of Least Privilege, 7 and 1/2 Factor Authentication {which should be
kept separate from Authorization} with apps/OS being checked by your
patch management from the client side to keep out the non-pre-auth
attacks, VPN, Network Separation and Segmentation all over IPsec, and you
should be OK"
- - -JP (when charging per hour)




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDTy/YEvxlkyrGFHkRAvMlAJ9IGpwkVGNEGd/VjaJNjQE4RwRztgCaAziv
9yA4QUCj4+Y3PGGzrhYE+HA=
=ASbP
-----END PGP SIGNATURE-----
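An added illustration of the scanning point made in the message above: the speed comes from firing many non-blocking connect() probes at once against a very short port list, and the cost grows with hosts times ports. The code below is my own example, not the scanner discussed in the thread nor anything posted to the list. It assumes nothing beyond the Python standard library; the host list, port list, concurrency limit and timeout values are illustrative choices. Of the Windows ports the message lists, only 135, 139 and 445 are TCP (123/ntp and 137-138/netbios are UDP), so a TCP connect probe would report those as closed; the default port list here therefore keeps just the TCP ones. The self-test opens a listener on loopback so it runs offline.

```python
"""Added example: a small non-blocking TCP connect scanner with bounded
concurrency, plus a crude runtime estimate. My own code, not the tool from
the thread."""
import asyncio
import socket

# From the message's Windows port list, the TCP ones only
# (123 and 137-138 are UDP and would look "closed" to a connect probe).
DEFAULT_PORTS = (135, 139, 445)


async def probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore) -> tuple:
    """One non-blocking connect() attempt, bounded by the semaphore and a timeout.
    Returns (host, port, state) with state in {"open", "closed", "filtered"}."""
    async with sem:
        try:
            _, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except asyncio.TimeoutError:
            return (host, port, "filtered")   # no SYN/ACK and no RST within timeout
        except OSError:
            return (host, port, "closed")     # RST (ECONNREFUSED) or unreachable
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return (host, port, "open")


async def _scan(hosts, ports, timeout, concurrency):
    sem = asyncio.Semaphore(concurrency)
    return await asyncio.gather(
        *(probe(h, p, timeout, sem) for h in hosts for p in ports))


def scan(hosts, ports=DEFAULT_PORTS, timeout=1.0, concurrency=512) -> dict:
    """Probe every (host, port) pair; returns {(host, port): state}."""
    results = asyncio.run(_scan(hosts, ports, timeout, concurrency))
    return {(h, p): s for h, p, s in results}


def worst_case_seconds(n_hosts: int, n_ports: int, concurrency: int, timeout: float) -> float:
    """Crude estimate: probes / concurrency * timeout, i.e. the runtime if every
    probe waits out its timeout. Ignores per-probe overhead and rate limiting."""
    return n_hosts * n_ports / concurrency * timeout


def demo() -> dict:
    """Offline self-check against loopback: one listening port and one port we
    know nothing listens on (bound, then released)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                     # nothing listens on closed_port now
    try:
        results = scan(["127.0.0.1"], (open_port, closed_port), timeout=2.0)
    finally:
        listener.close()
    return {"open": results[("127.0.0.1", open_port)],
            "closed": results[("127.0.0.1", closed_port)]}


if __name__ == "__main__":
    print(demo())
    # 10 000 hosts x 3 ports, 512 concurrent probes, 1 s timeout
    print(worst_case_seconds(10_000, 3, 512, 1.0))       # 58.59375
    # the same 10 000 hosts x all 65 535 TCP ports
    print(worst_case_seconds(10_000, 65_535, 512, 1.0))  # about 1.28 million
```

The two estimates at the bottom make the message's arithmetic concrete: three ports across a /16-sized population finishes in about a minute even in the pessimistic all-timeouts case, while a full TCP port sweep of the same hosts is roughly two weeks under the same model, before any UDP probing or service logins are added.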
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

