From owner-freebsd-security Sun Apr 8 0:59:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lorenza.abulafia.com (dsl081-080-168.lax1.dsl.speakeasy.net [64.81.80.168]) by hub.freebsd.org (Postfix) with ESMTP id 61CB237B42C for ; Sun, 8 Apr 2001 00:59:16 -0700 (PDT) (envelope-from jal@lorenza.abulafia.com)
Received: (from jal@localhost) by lorenza.abulafia.com (8.11.3/8.10.0) id f387wi702930 for freebsd-security@FreeBSD.ORG; Sun, 8 Apr 2001 00:58:44 -0700 (PDT)
Date: Sun, 8 Apr 2001 00:58:44 -0700
From: jal
To: freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
Message-ID: <20010408005844.A2857@lorenza.abulafia.com>
References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> <20010407180040.B87468@hamlet.nectar.com> <05b901c0bfb8$d79a1160$0101a8c0@development.local>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <05b901c0bfb8$d79a1160$0101a8c0@development.local>; from JHowie@msn.com on Sat, Apr 07, 2001 at 04:16:55PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 07, 2001 at 04:16:55PM -0700, John Howie wrote:
> > [...] If I force would-be
> intruders to have to defeat/circumvent individual measures such as
> firewalls/NAT boxes just to determine my topologies before they can even
> make an attempt at an attack on servers, then most will give up and go away.

Without (dis)agreeing with John or anyone else, I feel like this is the time to point out that security is a cost, to be evaluated like any other.
At a certain point, the average business needs to ask itself whether paranoia[1] makes any sense in spent resources, compared with the measures taken to secure weaker links, not to mention the cost of losing whatever is being protected in the first place.

So you have the most kick ass network of IDS boxes watching your hierarchical firewalls, and have deployed the right protocols, LLE, etc. in all the right places. How's your phone system? How hard is it to trick someone's assistant, or the Extremely Important Person themself? What does it mean if that works? If you reply that that isn't a technical problem, you don't get security, which only ever approaches being half technical in nature.

WRT the original problem, my suggestion is to ideally treat the IDS as an island, cut the TX pair, assume it can be flooded/compromised, and write logs in a way that makes it difficult to alter them without being noticed. If the box has to transmit data, you begin making different trade-offs involving the network security of your security network. Look at those closely, but keep an eye on the value of what you're protecting.

In general, I'd say that if you have legitimate reason to be paranoid enough to build this sort of thing, you have legitimate reason to not trust private networks, etc. to hide you. Again, policy matters a lot - did some random admin leave a laptop connected to the "secure" network when they ran off to fix some email problem? If you worry about things on this level, the network structure is not your biggest problem.

-j

[1] Intel "only the paranoid survive" Corp. was given a nice demonstration of internal security issues by Randall Schwartz. Leaving aside your view of what he did, it makes a nice object lesson on the limitations of a mostly technical (followed by legal, unfortunately) approach to security problems, some of which they apparently didn't know they had.
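One concrete way to "write logs in a way that makes it difficult to alter them without being noticed", as an added illustration that is not part of the thread: a hash-chained append-only log, where each record commits to the hash of the record before it, so editing, deleting or reordering an earlier line breaks every later link. The record layout, the genesis constant and the idea of copying the current head hash off the isolated box out of band (so truncation of the tail is also caught) are this example's own assumptions, not any IDS product's behaviour.

```python
# Added example: tamper-evident, hash-chained log (not from the original thread).
# Record layout (this example's convention): "<sha256 hex>\t<timestamp>\t<message>"
# Each record's hash covers the previous record's hash, so the chain is only
# valid if every earlier record is exactly as it was when appended.
import hashlib

GENESIS = "0" * 64  # constructed anchor used as the "previous hash" of record 0


def _digest(prev_hash: str, timestamp: str, message: str) -> str:
    """Hash of one record, bound to the record that precedes it."""
    data = f"{prev_hash}\t{timestamp}\t{message}".encode()
    return hashlib.sha256(data).hexdigest()


def append_record(log: list, timestamp: str, message: str) -> str:
    """Append a record to the in-memory log and return the new head hash.

    On an isolated IDS the returned head would be copied out of band (a
    printer, a serial console) so that a later verifier can detect a
    silently truncated tail, not just edited or removed records."""
    prev = log[-1].split("\t", 2)[0] if log else GENESIS
    head = _digest(prev, timestamp, message)
    log.append(f"{head}\t{timestamp}\t{message}")
    return head


def verify_chain(log: list, expected_head: str = None):
    """Walk the chain and recompute every link.

    Returns (True, None) if the log is intact. Otherwise returns
    (False, i) where i is the index of the first record whose stored hash
    does not match; if expected_head is given and the chain is intact but
    ends at a different hash, i == len(log) (records missing from the end)."""
    prev = GENESIS
    for i, line in enumerate(log):
        stored, timestamp, message = line.split("\t", 2)
        if stored != _digest(prev, timestamp, message):
            return False, i
        prev = stored
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None
```

Because each record's hash only depends on data already in the log, this does not stop someone with write access from rewriting the whole chain; it makes any edit that is not a full rewrite visible, and the out-of-band head hash closes the full-rewrite case.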
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message