Re: can/should

["Mr. Man" <mrman () darkside org>]

The key to detecting suffessful attacks is to have a multi-level security
plan that includes various detection methods and a way of correlating the
data they produce.  Unfortunately, a lot of people view a firewall as a
panacea, and forego impementing other security measures, which makes
confirmation of an intrusion a bit harder than if you've got a firewall,
two IDS boxes, honeypots, and all your servers giving you data you can
correlate to confirm an attack.

Security starts at the hosts on the network, and everything should be
running the latest patch, service pack/hotfix, or security fix.  It's
imperitive that these be kept up to date, and on a network with a large
amount of hosts it can be difficult to keep track of.  Sending all logs to
a centralized logging server is a good idea as well.

And since this is the nmap list we're talking about here, I'd suggest
grabbing a copy, and scanning yourself from a dialup connection or what
have you to get a feel for what your network looks like to the outside
world.  I work for a company in the Fortune 100 that throws a lot of money
at security products, yet the tools we use the most are probably Nmap and
Nessus.  That's probably because of a personal preference among us in the
security group.

Once you've got an idea what your network looks like, decide if you want
to add some honeypots to the network.  I'm not how sure how familiar you
are with the concept, but it's generally just a box that's intentionally
very easy to compromise, logs to a centralized logging station (a good
idea for any host/router/switch on the network/etc), and is heavily
audited.  Making it look appealing (like a credit card database) keeps
their attention off of your production boxes and gives you time to collect
evidence against them while they look around.

On the subject of a logging console, there are currently a few product
specific ones, and then there are products like OESP by e-security and
CMDS by ODS.  Actually, the ODS guys have changed their name to
Intrusion.com, and CMDS is now Kane Secure Enterprise.  I lean toward OESP
for intrusion monitoring, and CMDS/KSE for user profiling/anomaly
detection.

Once you've got the logging server in place, you can have it correlate the
data coming from the firewall, the IDS, and the host to get less
false-positives and hopefully a better, more precise indicator of
failed or successful attacks.

If you've got the money, and security is important to you, there are tons
of tools out there to make your job a lot easier.  Finding them isn't even
that hard anymore.

__
joseph

On Tue, 23 May 2000, Barry Hudson wrote:

> As a new firewall admin I have a question for the white hats.  I log
> port scans and do a whois to locate the ISP that owns the ip
> address.  My questions is what else can/should be done.  I have no other
> reason to believe they got through or committed any crime.  What else
> are you guys doing?  I  hope this is not to far off topic.
>
> Barry S. Hudson 
> Network Systems Manager 
> Fredericksburg Savings Bank 
> www.fsbnk.com 
> Business Email - bhudson () fsbnk com 
> All Other Email - barryhudson () compuserve com 
>
> This email is intended for the addressee only.  The material may be
> privileged and confidential information.  If you have received this
> email in error, please notify me immediately by email and delete the
> original.  Thank you.