Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: Rik Harris <Rik.Harris () fulcrum com au>
Date: Tue, 23 Sep 1997 13:03:21 +1000

Fri, 19 Sep 1997 GMT, "Grigorof, Adrian" wrote:

First, "Thanks!" to all who replied to my post. Maybe we can improve our
escalation procedures for such events by sharing them. But, be aware,
the real hackers get these messages too.

Unplugging the network cable from the firewall is probably something you
may want to avoid in a production environment, but obviously (and
recommended even by firewall developers) the most "secure" solution.

Here is what I am doing in such cases (fortunately I have only got
attacks from people hired to do so by the management):

[ some good stuff deleted ]

I can't say anything for other organisations, but in Australia,
AUSCERT seems to do a good job of following up attacks or probes of
our systems.  We often report probes (well, generally probe patterns)
to AUSCERT and have always had a good response.  Reporting to local
incident response teams also allows them to keep better statistics
about the attack patterns and sources of attacks on a much wider scale
than would be possible for a single company.  We certainly don't have
the resources to make these kinds of followups, but AUSCERT do.  (Hmm,
a prime difference between Australia and other places _may_ be that we
pay AUSCERT a subscription fee for this service).

rik.
--
   /\    The Fulcrum Consulting Group           Rik Harris - Senior Consultant
  /\O\   Professional services for operation         rik.harris () fulcrum com au
 /   /\  of a networked computing environment              ph: +61-3-9621-2100
/o   | \ 12/10-16 Queen St, Melbourne VIC 3000, Australia  fx: +61-3-9621-2724


