IDS mailing list archives

Re: ssh and ids


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Jun 2004 10:11:03 -0500

On Mon, 2004-06-21 at 07:43, Gary Flynn wrote:
> The Juniper/Netscreen IDP comes with a feature called Profiler
> that you can set to discover and alert on new port or host
> appearances. You set it to discover what's normal, then turn on
> alerting.

Before we dive too far into the list of IDS/IPS that can profile
traffic, I just want to remind everyone that a good firewall
configuration does exactly that; it creates a profile and prevents
unauthorized connections.

It seems these days we're quick to jump to IDS/IPS systems to have them
detect and prevent unauthorized and/or abnormal traffic. It seems we're
forgetting that a correctly configured firewall does the same thing. It
prevents backdoors into web servers, it prevents web servers from
establishing sessions to the outside.

The IDS needs to catch those conditions where for example an attacker
launches a cryptcat shell from the web server to the outside, and I
agree that the IDS needs to know the normal traffic profile for that
purpose. But guess what... your firewall (which is blocking said
shell-shovel-attempt) can detect it as well. Not just that, it can
prevent it!

It seems nowadays we tend to augment lax and leaky firewalls with IPS
systems when we should really go back and tighten our firewall rule
sets.


Now that I'm done ranting, let me ask you: How do you detect a listening
port on a rooted server when no one is able to send packets to that
port? 

(Seems like nmap would do the trick, and is cheaper than a profiling IDS
appliance.)


Cheers,
Frank
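The point above, that a tight egress rule set both blocks and records a server trying to open a session outward, can be turned into a small detection step over the firewall's own logs. The following Python is an added example for this archive, not code from the original post or its author. It assumes an iptables FORWARD chain whose final egress rule logs with the prefix `EGRESS-DROP` (a hypothetical rule name), and the log lines, host addresses and interface names are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical egress rule set the log below would come from (not from the post):
#   iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.5 -p udp --dport 53 -j ACCEPT
#   iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.9 -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -i eth1 -o eth0 -j LOG --log-prefix "EGRESS-DROP "
#   iptables -A FORWARD -i eth1 -o eth0 -j DROP

# Constructed sample of kernel LOG output; addresses and names are made up.
SAMPLE_FIREWALL_LOG = """\
Jun 22 10:11:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40123 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 22 10:11:09 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=40124 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 22 10:11:12 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1237 DF PROTO=TCP SPT=33001 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 22 10:11:15 fw kernel: INGRESS-DROP IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 22 10:11:20 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1240 DF PROTO=TCP SPT=40123 DPT=4444 WINDOW=229 RES=0x00 ACK URGP=0
"""

# Servers that should only ever answer inbound connections (hypothetical).
PROTECTED_SERVERS = {"10.0.0.5", "10.0.0.9"}

# syslog timestamp, logging host, optional "[uptime]" stamp, rule prefix, KEY=VALUE fields
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?(?P<prefix>[\w-]+) (?P<fields>.*)$"
)


def parse_line(line):
    """Turn one iptables LOG line into a dict; KEY=VALUE tokens become keys,
    bare flags such as DF, SYN and ACK become True. Returns None if the line
    is not a firewall log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec[tok] = True
    return rec


def egress_alerts(log_text, protected_servers, drop_prefix="EGRESS-DROP"):
    """Count blocked outbound connection *attempts* from protected servers.

    Only session initiations count: TCP segments with SYN and no ACK, or any
    UDP datagram. Inbound drops and mid-session packets are ignored so the
    alert reflects the server trying to shovel a session out, not noise.
    Returns {(src, dst, proto, dport): count}.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != drop_prefix:
            continue
        if rec.get("SRC") not in protected_servers:
            continue
        proto = rec.get("PROTO")
        if proto == "TCP" and not (rec.get("SYN") and not rec.get("ACK")):
            continue
        key = (rec["SRC"], rec.get("DST"), proto, int(rec.get("DPT", 0)))
        counts[key] += 1
    return dict(counts)


def format_alerts(alerts):
    """Render alerts one per line, most frequent first."""
    lines = []
    for (src, dst, proto, dport), n in sorted(alerts.items(), key=lambda kv: -kv[1]):
        lines.append(f"{src} tried {n}x to open {proto}/{dport} to {dst} (blocked)")
    return lines


if __name__ == "__main__":
    for line in format_alerts(egress_alerts(SAMPLE_FIREWALL_LOG, PROTECTED_SERVERS)):
        print(line)
```

Run against the sample, the web server's two SYNs to an outside host are reported as one alert with a count of two, the mail relay's blocked attempt on a port its rule set does not allow shows up as a separate line, and the inbound probe and the stray ACK are not counted. The same firewall that dropped the packets is the sensor; the script only has to read what it already wrote.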




