Security Incidents mailing list archives

Re: A slap on the wrist...?


From: "Greg A. Woods" <woods () weird com>
Date: Thu, 31 Aug 2000 19:28:04 -0400

[ On Thursday, August 31, 2000 at 07:59:51 (-0400), Daniel Medina wrote: ]
Subject: Re: A slap on the wrist...?

[ On Sunday, August 20, 2000 at 21:59:23 (+0100), Nexus wrote: ]
Subject: Re: A slap on the wrist...?

    Am I missing something here, or is the fact that a scripted, sequential
single portscan getting dropped by a firewall a non-issue in the grand
scheme of things?

All you're missing is probably just the fact that there are a lot of
overly paranoid, trigger-happy, dudes on this list who don't yet really
know how to tell the difference between a real threat and a lamer
speeding by in a hot-rod on the next street over...

Still, when you have a security policy, you have to stick to it.  You can't
easily decide what the real threat is and what is not, so it's better to be
high-strung I think than laid-back.  If I know someone is going through my
garbage, even if it's just junk, I'd still consider it an invasion of
privacy...same goes for this situation.

OK, since you chose the analogy let me expand on it a bit in hopes of
providing a basis for reducing the excessive overflowing paranoia that
some people seem to feel every time their firewall logs a packet that
wasn't specifically and directly authorised.

So, yeah, someone's poking in your garbage bin.  That doesn't mean you
go out immediately and arrest him for no other reason.  You still have
to correlate other factors that will corroborate your theory that this
person is indeed a threat and not just the kind of person who pokes
through everyone's garbage looking for nice shiny objects of only
artistic value.  If he's shady looking (e.g. too well dressed, has a gun
in his belt, etc.), and isn't also poking through the garbage of the
restaurant next door, and perhaps has been observed wiggling your door
handles in the past, etc., etc., etc., then yes you might just call the
cops and ask them to check him out.

The same thing goes for firewall/IDS logs.  Someone searching for an
open port isn't in any way provably malicious, not even if they're
connecting repeatedly and explicitly to your SSH or IKE port or
whatever.

For instance I made a typo in an IP# just this afternoon as I was trying
to connect to a client's server for the first time (i.e. I expected I'd
be having to accept a new key) with SSH, and I repeatedly typed what I
thought was the correct password.  Only after verifying the password did
I notice that I'd exchanged two digits in the IP#.  If the guy on the
other end calls the FBI (or in this case maybe the CIA since I'm not in
the same country) instead of me and manages to get them to do anything
about it, who do you think is going to look a little more stupid than
normal after all the facts are gathered.  Guess who's not going to get
an immediate response from the authorities next time he calls too!

I.e. even if there are active attempts to access a security-sensitive
resource in a very suspicious way there's still no proof in the audit
trail of that event alone that there's any malicious intent whatsoever.

If the guy calls me, and if I don't respond, and if he then e-mails me,
and if I still don't respond, and if I happen to make the same typo
again in a day or two, then .... well I think you get the picture.

Furthermore I would expect any ``professional'' Internet criminal to
have learned by now that they can easily mis-direct the attentions of an
IDS on some script kiddie while they go about their cracking in a much
less detectable manner.  I.e. if you really do have some important risks
to manage then you'd better be really good at identifying the real
threats you face and learn how to identify them in the midst of a wash
of activity from other apparent, unidentified, threats.

The longer this Internet thing continues to grow and flounder around
like it's doing now, the more corroborating evidence you'll have to
produce before you'll begin to get the authorities to even raise an
eyebrow at any accusations of malicious intent.

In other words if you're trying to "stick to" a badly written security
policy then you're going to be wasting a lot of resources while the bad
guys try to fool you in other ways.

I believe it's better to have multi-level IDS, and not just all
automated tools running on their own either.  That way you can be laid
back about (and thus more or less ignore) all the events that only
trigger at the outer level.  Once an outer trigger migrates in to a
level of higher sensitivity then you pay a bit more attention, and so
on.  The trick is of course figuring out how to implement this kind of
"system" in the scope of a reasonable and meaningful security policy!  :-)

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
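The multi-level escalation the message above argues for (ignore outer-level triggers, pay more attention only once a source picks up corroborating factors) can be sketched as a small correlation pass over firewall/IDS log lines. The following is an added example written for this archive page, not code from the original poster or from any product mentioned in the thread. The log format, the three-tier thresholds, the watch list of previously noted sources and the sample events are all constructed for illustration; the sample includes the "admin who typo'd the IP" case from the message, which stays at the middle tier because repeated SSH failures alone are not corroborated by anything else.

```python
"""Tiered escalation of firewall/IDS events (added example, not from the post).

Tier 0: outer trigger only (stray dropped packets)      -> ignore
Tier 1: repeated hits on a sensitive port from one src  -> pay a bit more attention
Tier 2: tier 1 plus at least two corroborating factors  -> hand to a human
"""
import re
from collections import defaultdict

# Services treated as security-sensitive (port -> name). Assumed set.
SENSITIVE_PORTS = {22: "ssh", 500: "ike"}

# Sources already noted as "wiggling door handles" on earlier days.
# Constructed for the example; a real deployment would read this from
# its own incident history.
PRIOR_HISTORY = {"192.0.2.99"}

# Minimum hits on sensitive ports before a source is worth noticing at all.
REPEAT_THRESHOLD = 3

# Hypothetical one-line-per-event log format, chosen for this example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)")

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    # sequential scanner: one dropped packet per port, only one on SSH
    "src=198.51.100.7 dst=192.0.2.10 dport=21 action=DROP",
    "src=198.51.100.7 dst=192.0.2.10 dport=22 action=DROP",
    "src=198.51.100.7 dst=192.0.2.10 dport=23 action=DROP",
    # the admin who exchanged two digits of the IP: repeated SSH password
    # failures against one host, one service, no prior history
    "src=203.0.113.5 dst=192.0.2.10 dport=22 action=AUTH_FAIL",
    "src=203.0.113.5 dst=192.0.2.10 dport=22 action=AUTH_FAIL",
    "src=203.0.113.5 dst=192.0.2.10 dport=22 action=AUTH_FAIL",
    "src=203.0.113.5 dst=192.0.2.10 dport=22 action=AUTH_FAIL",
    # the same kind of SSH failures, but spread over two hosts, also
    # touching IKE, from a source already on the watch list
    "src=192.0.2.99 dst=192.0.2.10 dport=22 action=AUTH_FAIL",
    "src=192.0.2.99 dst=192.0.2.11 dport=22 action=AUTH_FAIL",
    "src=192.0.2.99 dst=192.0.2.11 dport=500 action=DROP",
]


def parse(line):
    """Return (src, dst, dport, action) or None for an unparseable line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m.groups()
    return src, dst, int(dport), action


def classify(lines):
    """Return {src: (tier, reasons)} for every source seen in the log lines."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            per_src[ev[0]].append(ev[1:])

    result = {}
    for src, events in per_src.items():
        sensitive = [(dst, port, act) for dst, port, act in events
                     if port in SENSITIVE_PORTS]
        reasons = []
        # Below the repeat threshold the event is an outer trigger only.
        if len(sensitive) < REPEAT_THRESHOLD:
            result[src] = (0, reasons)
            continue
        reasons.append("repeated sensitive-port activity")
        # Corroborating factors, each independent of the others.
        if len({dst for dst, _, _ in sensitive}) > 1:
            reasons.append("several hosts targeted")
        if len({SENSITIVE_PORTS[port] for _, port, _ in sensitive}) > 1:
            reasons.append("several sensitive services probed")
        if src in PRIOR_HISTORY:
            reasons.append("seen wiggling door handles before")
        corroborating = len(reasons) - 1
        result[src] = (2 if corroborating >= 2 else 1, reasons)
    return result


def escalation_tiers(lines):
    """Convenience view: {src: tier} without the reasons."""
    return {src: tier for src, (tier, _) in classify(lines).items()}


if __name__ == "__main__":
    for src, (tier, reasons) in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} tier {tier}  {'; '.join(reasons) or 'outer trigger only'}")
```

Run as a script it prints one line per source; the scanner stays at tier 0 even though one of its dropped packets hit the SSH port, the mistyped-IP admin reaches tier 1 only, and the third source reaches tier 2 because three independent factors line up. Which factors count, and how many are needed, is exactly the policy question the message leaves open.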

