Firewall Wizards mailing list archives
Re: Denial of service
From: ICMan <shane_mason () securecomputing com>
Date: Wed, 19 Aug 1998 18:46:31 -0400
Ted Doty wrote:
Anyone who wants to can crash your Internet router. If you've patched it sufficiently that this is not possible, they can crash your ISP (who almost certainly is *not* patched sufficiently). If this doesn't work, they can smurf you from some vulnerable third party. Using some poor slob who's vulnerable to smurf and has a T3 Internet feed is always good for a laugh with the d00dz.

This doesn't even begin to address issues like resource poisoning: classic examples of this are email spam and folks tossing flame bait on newsgroups. These "attacks" are more social, but result in fewer people using the poisoned resources.

If your network positively has to be up for mission critical applications, don't connect it to the Internet.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA                         | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE

Denial of service attacks can, for the most part, be guarded against with good "perimeter security devices" (read: Firewalls) and good security practices. I think that your last assertion is a bit of overkill on the FUD. What is "absolutely mission critical"? Can I connect my network to the Internet with a router "patched sufficiently to make [hacking] impossible" and then put my mission critical stuff on a private, secure WAN?

CERN in Geneva provides real-time data feeds from their accelerator lab at 10Mbps to certain research groups. This is "absolutely mission critical", because the data in the stream has to be free from contamination. However, I should still be able to connect my network to the Internet if I take sufficient precautions. For example, I can have a really well locked down Firewall as my Internet gateway, and then also have a really tight Firewall in front of my research network. I have to take very good care to configure the Firewalls and routers correctly, and I need to make damn sure that the latest security patches are applied, but if my Internet connection goes down because someone blew my ISP away, I care very little because the data feed that is my bread and butter is coming from a different source.

Other examples of this are retail chains that have hooks to credit card companies, investment houses that have hooks to exchanges, etc.

From the dial-in side, I need a strong method of identification, perhaps token or certificate based, but definitely cryptographic in nature, to prevent hackers from entering on dial-in. Good employee awareness programs, an enforced security policy, and basic physical security should deal with the social engineers in the group, covering off all threats except for funded tiger teams. (Then I need to think more about hiring ex-agency people to help manage physical security.)

Don't forget, security is about risk management, not risk eradication. Risk eradication is impossible, leaving out death as a solution. Besides, we want security to protect our ability to do business, not to destroy our ability to do business.

ICMan