Firewall Wizards mailing list archives

RE: Scanner and Firewall?


From: Henry Sieff <hsieff () orthodon com>
Date: Wed, 14 Jul 1999 09:29:35 -0500



-----Original Message-----
From: John Nanas [mailto:JohnN () review com]
Sent: Tuesday, July 13, 1999 10:15 AM
To: firewall-wizards () nfr net
Subject: Scanner and Firewall?


Hi all-

Sorry for the simple question, but I'm still relatively new at this, and all
the reading I could do didn't fully answer my question.

I'm pretty new too, but I can help with some issues; I assume others will
correct any mistakes.


I'm designing a new network which my company will be co-locating offsite.
I've spec'd out all the good stuff, including a FW-1 box to protect the
network, but find myself facing this question - do I need scanning software
in addition to the firewall?  I know that FW-1 has pretty comprehensive
software (much more than I've taught myself to use, thus far) with all the
logging, but do I gain something by adding another scanner to the firewall
box?

If, by scanner, you mean IDS, the best way to judge that is to evaluate the
cost of attempted intrusions. I run an ids behind my firewall host to make
sure that my policy is being applied properly.  I do not run an ids outside
my firewall, as I do not have the time to check every ping sweep or BO scan
anyways; however, ideally I think that's a pretty good idea.

If, by scanner you mean some sort of vulnerability scan, then yes, I think
periodic scanning of your hosts from both inside and outside your network
borders can help a) identify what a potential intruder would see and b)
determine whether you can detect these casual scans, which are often the
first stage of an actual attempt. Again, you need to figure out first how
much you are willing to spend (which usually means attaching a dollar
amount to security, which has always been the hardest part of the job for
me).


Also, does anyone know if there's a book that's accepted as the bible of
network security (or Internet security)?  I've seen a few texts, but some of
what I've seen thus far are only applicable to Unix networks (which, I have
the unfortunate position of being in an all NT shop) or are somewhat
outdated.


Network security is network security; the only difference between OS's
ultimately are the specific exploitable weaknesses (imo, perhaps others will
disagree).  And since those change, your best bet is to subscribe to an nt
mailing list. I recommend ntbugtraq and ntsecurity (go to
www.ntbugtraq.com).  There are also a couple of good white papers on
"hardening" an nt box (haha, I know, but it DOES help), one from Trusted
Systems, which may help you.  The biggest hassle with nt security, though,
is the lack of "open" discussion; witness the paranoia that surrounds the
disclosure of a new bug in the nt world.

As I said though, I have found concepts from the Unix world to be very
helpful in the nt world, the only difference for me being in the specific
weaknesses to address. The white papers I referred to can be found at
www.microsoft.com/security.

HTH

--
Henry Sieff
Netwerküberkommander
Orthodontic Centers of America
(504) 834-4392 ext.135

Thanks for any help,
John Nanas
Network Systems Engineer
The Princeton Review
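The two uses of an IDS and a scanner that Henry describes above (watching from behind the firewall to confirm the policy is actually being applied, and checking whether the casual ping sweeps and port scans that precede a real attempt are visible in your logs) can be approximated with a few lines of log analysis. The following Python is an added example, not part of the thread and not FW-1 code: the log lines are constructed in a simplified space-separated form (not the real FW-1 log format), the addresses are documentation ranges, and the allow-list `ALLOWED_FLOWS` and the detection thresholds are hypothetical values chosen for the example.

```python
"""Added example: detect ping sweeps / port scans in firewall logs and verify
that accepted flows match the intended policy (constructed data, not FW-1)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class LogEntry(NamedTuple):
    ts: str
    action: str   # "accept" or "drop"
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int    # 0 for icmp


# Constructed sample log: time action proto src dst dport (one record per line).
SAMPLE_LOG = """\
09:00:01 drop icmp 203.0.113.7 192.0.2.1 0
09:00:01 drop icmp 203.0.113.7 192.0.2.2 0
09:00:02 drop icmp 203.0.113.7 192.0.2.3 0
09:00:02 drop icmp 203.0.113.7 192.0.2.4 0
09:00:03 drop icmp 203.0.113.7 192.0.2.5 0
09:00:03 drop icmp 203.0.113.7 192.0.2.6 0
09:05:10 drop tcp 198.51.100.9 192.0.2.10 21
09:05:10 drop tcp 198.51.100.9 192.0.2.10 22
09:05:11 drop tcp 198.51.100.9 192.0.2.10 23
09:05:11 drop tcp 198.51.100.9 192.0.2.10 25
09:05:12 accept tcp 198.51.100.9 192.0.2.10 80
09:05:12 drop tcp 198.51.100.9 192.0.2.10 110
09:05:13 accept tcp 198.51.100.9 192.0.2.10 139
09:10:00 accept tcp 198.51.100.40 192.0.2.10 80
09:10:05 accept tcp 198.51.100.41 192.0.2.10 443
09:10:09 accept tcp 198.51.100.42 192.0.2.20 25
this line is garbage and is skipped
"""

# Hypothetical intended policy: the only (proto, dst, dport) flows that should
# ever be accepted through the firewall.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("tcp", "192.0.2.10", 80),
    ("tcp", "192.0.2.10", 443),
    ("tcp", "192.0.2.20", 25),
}


def parse_log(text: str) -> List[LogEntry]:
    """Parse the simplified log format; malformed lines are skipped, not fatal."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] not in ("accept", "drop"):
            continue
        try:
            dport = int(fields[5])
        except ValueError:
            continue
        entries.append(LogEntry(fields[0], fields[1], fields[2], fields[3], fields[4], dport))
    return entries


def detect_ping_sweep(entries: List[LogEntry], min_hosts: int = 5) -> Dict[str, int]:
    """Sources that sent ICMP to at least min_hosts distinct destinations."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.proto == "icmp":
            targets[e.src].add(e.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def detect_port_scan(entries: List[LogEntry], min_ports: int = 5) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs that touched at least min_ports distinct TCP/UDP ports,
    counted regardless of accept/drop, since dropped probes are still a scan."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for e in entries:
        if e.proto in ("tcp", "udp"):
            ports[(e.src, e.dst)].add(e.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def check_policy(entries: List[LogEntry], allowed: Set[Tuple[str, str, int]]) -> List[LogEntry]:
    """Accepted flows that the intended policy does not allow: this is the
    'is my policy being applied properly' check done from behind the firewall."""
    return [e for e in entries
            if e.action == "accept" and (e.proto, e.dst, e.dport) not in allowed]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("ping sweeps:", detect_ping_sweep(log))
    print("port scans:", detect_port_scan(log))
    for v in check_policy(log, ALLOWED_FLOWS):
        print("policy violation:", v)
```

Run against the constructed log, the sweep and scan detectors each flag one source, and the policy check reports the single accepted connection to port 139 that the allow-list does not cover, which is exactly the kind of discrepancy a host-side IDS behind the firewall is there to catch.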



