Vulnerability Development mailing list archives

Re: Securing of systems....


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Fri, 4 Aug 2000 10:44:07 -0500

Actually, "keeping the kids from bouncing off" is a pretty good idea.  If
you get a stateful inspection firewall (like an OS running ipfw) in front of
the host, separating it from the rest of the network, common practice is to
not allow ANY connection to be initiated by the server.  Data can still get
out if it's requested, but a SYN won't make it out through the firewall.
This is a technique I've been using for a while on my DMZ and especially the
honey pots.  I *USED* to be a moron and use local firewall rules, which
worked great until I let someone poke around till they got root... then they
whacked the rules...


-----Original Message-----
From: Taneli Huuskonen [mailto:huuskone () CC HELSINKI FI]
Sent: Thursday, August 03, 2000 1:40 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Securing of systems....


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ryan Yagatich <ryagatich () CSN1 COM> egrapse:

[...]
another firewall (listed below are some examples). And then the most
important part is to make sure you have removed the "hacker tools" like
telnet, compiling software, etc... this way if someone were to telnet to
your box, they would not be able to telnet or hit any of your other
machines.

That might stop script kiddies, but if the cracker happens to be a
hacker, it'll only slow her down.  Nevertheless, it's a good idea; just
don't rely too much on it.

Regards,
Taneli

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOYm8Wl+t0CYLfLaVEQI5GACgwVfvEdqhpQkaZJ3pLOv8gezHv0kAn03w
8h/vkPKbzYs7SXImfwgvn0W2
=IydQ
-----END PGP SIGNATURE-----
--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
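
The policy described in the reply above (nothing initiated by the server gets out, replies to requested connections do), sketched as an ipfw ruleset for the separate firewall box. This is an added example, not part of the original posts; the server address, interface name, offered ports and rule numbers are assumptions, and by default the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: egress-deny policy for a firewall sitting in front of a DMZ host.
# The rules live on the firewall, not on the server, so root on the server
# cannot remove them. All values below are assumptions for illustration.
FW="${FW:-echo ipfw -q}"            # dry run by default; set FW="ipfw -q" to apply
DMZ_HOST="${DMZ_HOST:-192.0.2.10}"  # constructed (TEST-NET-1) server address
EXT_IF="${EXT_IF:-em0}"             # hypothetical outside interface name
SERVICES="${SERVICES:-25 80}"       # TCP ports the server offers to the world

dmz_rules() {
    n=1000
    # Packets belonging to a flow already in the state table pass first.
    $FW add "$n" check-state
    # Only an inbound SYN to an offered service creates state; the server's
    # replies then leave through the dynamic rule ("data can still get out
    # if it's requested").
    for port in $SERVICES; do
        n=$((n + 10))
        $FW add "$n" allow tcp from any to "$DMZ_HOST" "$port" in via "$EXT_IF" setup keep-state
    done
    # A SYN sent by the server itself never matches any state: log and drop it.
    $FW add 2000 deny log tcp from "$DMZ_HOST" to any setup
    # Everything else to or from the server (UDP, ICMP, stray TCP) is dropped.
    $FW add 2010 deny log ip from "$DMZ_HOST" to any
    $FW add 2020 deny log ip from any to "$DMZ_HOST"
}

dmz_rules
```

Because the deny rules carry `log`, a connection attempt from the server is recorded on the firewall, which makes an outbound SYN from a DMZ host or honey pot a useful sign that someone is already on the box.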

