Firewall Wizards mailing list archives

Re: Denial of service


From: ICMan <shane_mason () securecomputing com>
Date: Wed, 19 Aug 1998 18:46:31 -0400

Ted Doty wrote:
Anyone who wants to can crash your Internet router.  If you've patched it
sufficiently that this is not possible, they can crash your ISP (who almost
certainly is *not* patched sufficiently).  If this doesn't work, they can
smurf you from some vulnerable third party. Using some poor slob who's
vulnerable to smurf and has a T3 Internet feed is always good for a laugh
with the d00dz.

This doesn't even begin to address issues like resource poisoning: classic
examples of this are email spam and folks tossing flame bait on newsgroups.
These "attacks" are more social, but result in fewer people using the
poisoned resources.

If your network positively has to be up for mission critical applications,
don't connect it to the Internet.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE

Denial of service attacks can, for the most part, be guarded against
with good "perimeter security devices" (read: Firewalls) and good
security practices.

I think that your last assertion is a bit of overkill on the FUD.  What
is "absolutely mission critical"?  Can I connect my network to the
Internet with a router "patched sufficiently to make [hacking]
impossible" and then put my mission critical stuff on a private, secure
WAN?  CERN in Geneva provides real-time data feeds from their
accelerator lab at 10Mbps to certain research groups.  This is
"absolutely mission critical", because the data in the stream has to be
free from contamination.  However, I should still be able to connect my
network to the Internet if I take sufficient precautions.

For example, I can have a really well locked down Firewall as my
Internet gateway, and then also have a really tight Firewall in front of
my research network.  I have to take very good care to configure the
Firewalls and routers correctly, and I need to make damn sure that the
latest security patches are applied, but if my Internet connection goes
down because someone blew my ISP away, I care very little because the
data feed that is my bread and butter is coming from a different source.

Other examples of this are retail chains that have hooks to credit card
companies, investment houses that have hooks to exchanges, etc.

From the dial-in side, I need a strong method of identification, perhaps
token or certificate based, but definitely cryptographic in nature, to
prevent hackers from entering on dial-in.  Good employee awareness
programs, an enforced security policy, and basic physical security
should deal with the social engineers in the group, covering off all
threats except for funded tiger teams.  (Then I need to think more about
hiring ex-agency people to help manage physical security.)

Don't forget, security is about risk management, not risk eradication.
Risk eradication is impossible, leaving out death as a solution.
Besides, we want security to protect our ability to do business, not to
destroy our ability to do business.

ICMan
