Nmap Announce mailing list archives
Re: can/should
From: "Mr. Man" <mrman () darkside org>
Date: Wed, 24 May 2000 08:21:11 -0500 (CDT)
The key to detecting successful attacks is to have a multi-level security plan that includes various detection methods and a way of correlating the data they produce. Unfortunately, a lot of people view a firewall as a panacea, and forego implementing other security measures, which makes confirmation of an intrusion a bit harder than if you've got a firewall, two IDS boxes, honeypots, and all your servers giving you data you can correlate to confirm an attack.

Security starts at the hosts on the network, and everything should be running the latest patch, service pack/hotfix, or security fix. It's imperative that these be kept up to date, and on a network with a large number of hosts it can be difficult to keep track of. Sending all logs to a centralized logging server is a good idea as well.

And since this is the nmap list we're talking about here, I'd suggest grabbing a copy, and scanning yourself from a dialup connection or what have you to get a feel for what your network looks like to the outside world. I work for a company in the Fortune 100 that throws a lot of money at security products, yet the tools we use the most are probably Nmap and Nessus. That's probably because of a personal preference among us in the security group.

Once you've got an idea what your network looks like, decide if you want to add some honeypots to the network. I'm not sure how familiar you are with the concept, but it's generally just a box that's intentionally very easy to compromise, logs to a centralized logging station (a good idea for any host/router/switch on the network/etc), and is heavily audited. Making it look appealing (like a credit card database) keeps their attention off of your production boxes and gives you time to collect evidence against them while they look around.

On the subject of a logging console, there are currently a few product-specific ones, and then there are products like OESP by e-security and CMDS by ODS. Actually, the ODS guys have changed their name to Intrusion.com, and CMDS is now Kane Secure Enterprise. I lean toward OESP for intrusion monitoring, and CMDS/KSE for user profiling/anomaly detection. Once you've got the logging server in place, you can have it correlate the data coming from the firewall, the IDS, and the host to get fewer false positives and hopefully a better, more precise indicator of failed or successful attacks. If you've got the money, and security is important to you, there are tons of tools out there to make your job a lot easier. Finding them isn't even that hard anymore.

__
joseph

On Tue, 23 May 2000, Barry Hudson wrote:

As a new firewall admin I have a question for the white hats. I log port scans and do a whois to locate the ISP that owns the IP address. My question is what else can/should be done. I have no other reason to believe they got through or committed any crime. What else are you guys doing? I hope this is not too far off topic.

Barry S. Hudson
Network Systems Manager
Fredericksburg Savings Bank
www.fsbnk.com
Business Email - bhudson () fsbnk com
All Other Email - barryhudson () compuserve com

This email is intended for the addressee only. The material may be privileged and confidential information. If you have received this email in error, please notify me immediately by email and delete the original. Thank you.
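The correlation idea in the reply above (firewall logs plus host logs on one logging server, so a scan followed by a login from the same source stands out from plain scan noise) can be sketched in a few dozen lines. The script below is an added example and is not code from the original thread or from any of the products it names; the log formats, the sample lines, the addresses (RFC 5737 documentation ranges), the port threshold and the time windows are all constructed assumptions for illustration.

```python
"""Flag port-scanning sources in firewall deny logs, then correlate them with
host login events so that a login from a scanning source is raised as a
higher-severity alert than the scan alone.  (Added example; log formats,
sample data, thresholds and windows are constructed assumptions.)"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines (assumed format: "<iso-ts> DENY src= dst= dport=").
FIREWALL_LOG = """\
2000-05-23T22:14:01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2000-05-23T22:14:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2000-05-23T22:14:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2000-05-23T22:14:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2000-05-23T22:14:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=110
2000-05-23T22:14:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=143
2000-05-23T22:20:15 DENY src=203.0.113.5 dst=192.0.2.10 dport=137
2000-05-23T22:20:16 DENY src=203.0.113.5 dst=192.0.2.10 dport=138
"""

# Constructed host login lines forwarded to the central log server (assumed format).
HOST_LOG = """\
2000-05-23T22:16:40 host=web1 sshd: Accepted password for admin from 198.51.100.7
2000-05-23T22:30:00 host=web1 sshd: Accepted password for bob from 203.0.113.5
2000-05-23T21:00:00 host=web1 sshd: Accepted password for carol from 198.51.100.7
"""

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")
HOST_RE = re.compile(r"^(\S+) host=(\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")


def parse_firewall(text):
    """Return a list of (timestamp, source_ip, dest_port) from deny lines."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def parse_host_logins(text):
    """Return a list of (timestamp, host, user, source_ip) from accepted logins."""
    logins = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return logins


def detect_scanners(events, threshold=5, window=timedelta(minutes=2)):
    """A source is a scanner if it hits >= `threshold` distinct ports within `window`.

    Returns {source_ip: (first_timestamp_of_scan, set_of_ports)}.  Counting distinct
    ports rather than raw denies keeps a single retried connection from looking like a scan.
    """
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    scanners = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= threshold:
                scanners[src] = (start, ports)
                break  # first qualifying window is enough to classify the source
    return scanners


def correlate(scanners, logins, lookahead=timedelta(hours=24)):
    """Raise an alert for each successful login from a scanning source that
    occurred after the scan began (within `lookahead`).  Logins that predate
    the scan are ignored: they cannot be the result of it."""
    alerts = []
    for ts, host, user, src in logins:
        if src in scanners:
            scan_start, ports = scanners[src]
            if scan_start <= ts <= scan_start + lookahead:
                alerts.append({"src": src, "host": host, "user": user,
                               "login_at": ts, "scan_start": scan_start,
                               "ports": sorted(ports)})
    return alerts


def run():
    """Run the whole pipeline over the constructed sample logs."""
    scanners = detect_scanners(parse_firewall(FIREWALL_LOG))
    return scanners, correlate(scanners, parse_host_logins(HOST_LOG))


if __name__ == "__main__":
    scanners, alerts = run()
    for src, (start, ports) in scanners.items():
        print(f"scan from {src} starting {start}: ports {sorted(ports)}")
    for a in alerts:
        print(f"ALERT: {a['user']}@{a['host']} login from scanning source {a['src']} at {a['login_at']}")
```

Run on the sample data it flags 198.51.100.7 as a scanner (six distinct ports in three seconds), leaves 203.0.113.5 alone (two ports is ordinary NetBIOS noise), and raises exactly one correlated alert: the admin login from the scanning source two minutes after the scan. The earlier carol login from the same address predates the scan and is correctly not correlated, which is the kind of distinction a firewall log on its own cannot make.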
Current thread:
- can/should Barry Hudson (May 23)
- Re: can/should Mr. Man (May 24)
- Re: can/should Security (May 24)
- Re: can/should Thomas Reinke (May 24)
- Re: can/should Ola Nyström (May 25)
- Re: can/should Jose Nazario (May 24)
- Re: can/should Eric Hancock (May 24)
- Re: can/should Bennett Todd (May 24)
- <Possible follow-ups>
- RE: can/should Gallicchio, Florindo (2282) (May 24)
- RE: can/should Dion Stempfley (May 24)
- RE: can/should Sean Ellis (May 24)
- RE: can/should Crye, Michael (May 24)
(Thread continues...)