
RE: [cobalt-security] 'On my Soap Box'



Graeme,

Thanks for your response and adding to my comments.

I agree with most of this and I must emphasize that scans should be run on your local machine
where possible, and of course ensure such activity is in compliance with any terms and conditions
of your hosting contract.

Carrying out scans remotely may be impaired by an IDS such as RealSecure doing RSKILLS; this
may cause you to think "ahh, good, the ISP has security". Wrong! ISPs very often have IDS and
firewalls configured to block external inbound Internet attacks only.

What does this mean? It means that in large ISPs, once you are dialled into the network you can
bypass the firewalls and other security and identify vulnerabilities which you couldn't otherwise see.

So, do it locally! And I reiterate: don't rely on other people. Hire an independent professional or,
better still, learn how to do it properly yourself!

Adam Sculthorpe

Internet Security Consultant

*********** REPLY SEPARATOR  ***********

On 06/03/2001 at 11:56 Graeme Fowler wrote:

>I'd like to expand upon a few points Adam raises...
>
>> 0. Take security personally, don't rely on service providers 
>> or assume others care about it !
>
>Absolutely. 'Security through obscurity' is simply not a valid approach;
>assuming that It Won't Happen To You [TM] is probably one of the worst
>things you can do.
>
>> The majority of hosting companies and ISPs do not have the 
>> time or motivation to ensure you have a secure service, which
>> you have every right to have in my estimation. It is very
>> important that you take security as 'your' responsibility.
>
>I suspect you will find that the 'majority of hosting companies and
>ISPs' have a clause in your contract which states explicitly that
>security is your concern, or that you have complete control over the
>machine - which implies that security is your problem and not theirs.
>
>> a) assume your server may be compromised, don't trust netstat 
>> or other OS functions
>
>Your server will, at some point, be scanned/attacked/compromised (in
>that order although not necessarily successfully). It is a machine which
>faces the world. That world contains a whole raft of really irritating
>people who like nothing more than boasting to their acquaintances over
>ICQ that they've just 0wn3d your machine, even though it takes very
>little intelligence to do so.
>
>> b) get nmap and learn how to use it - http://www.insecure.org/nmap
>
>Be careful doing this. You may find yourself on the receiving end of a
>TOS or AUP violation from your ISP or hosting company! If they're the
>sort of company who have an IDS running they *will* pick up these scans
>if you fire them from a remote machine.
>IMO it's better to either warn them first or, even better, carry out the
>scan by running the scanner on the target machine. That way the traffic
>never leaves the machine and won't be picked up elsewhere.
>
>Also, take the time to learn just what the report the scanner fires back
>at you really means. Remember that some ISPs/host sites will be running
>a small amount of filtering, and that the word 'filtered' means just
>that...
>
>Other than that, I agree pretty much entirely. Being paranoid is A Good
>Thing.
>
>Graeme
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security
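An added example, not part of either message in the thread: both posters make the point that a scan run on the server itself shows services that the hosting firewall hides from the Internet, and that 'filtered' in an nmap report means exactly that. This script compares a constructed local and remote nmap greppable (-oG) result for the same host and lists every service open on the box whose remote state is not "open"; the sample -oG lines and the addresses 192.0.2.10/127.0.0.1 are constructed.

```shell
#!/bin/sh
# Constructed greppable nmap output (-oG) of a scan run from a remote machine.
REMOTE_OG=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///, 10000/filtered/tcp//snet-sensor-mgmt///\tIgnored State: closed (996)')
# Constructed output of the same scan run locally on the server itself.
LOCAL_OG=$(printf 'Host: 127.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 10000/open/tcp//snet-sensor-mgmt///, 6000/open/tcp//X11///\tIgnored State: closed (995)')

# port_states LINE: print "port state service" for each entry in the
# tab-separated "Ports:" field of one -oG Host line.
port_states() {
    printf '%s\n' "$1" |
        awk -F'\t' '{ for (i = 1; i <= NF; i++)
                        if ($i ~ /^Ports: /) { sub(/^Ports: /, "", $i); print $i } }' |
        tr ',' '\n' |
        awk -F/ '{ gsub(/^ +/, "", $1); print $1, $2, $5 }'
}

# hidden_from_outside LOCAL REMOTE: ports open on the machine itself whose
# remote state is anything but "open" (filtered, closed, or not reported).
# These are the services you would never see in a scan from the Internet.
hidden_from_outside() {
    {
        port_states "$1" | awk '{ print "local", $0 }'
        port_states "$2" | awk '{ print "remote", $0 }'
    } | awk '
        $1 == "local" && $3 == "open" { service[$2] = $4 }
        $1 == "remote"                { remote[$2] = $3 }
        END {
            for (p in service) {
                s = (p in remote) ? remote[p] : "not-reported"
                if (s != "open") printf "%s %s %s\n", p, service[p], s
            }
        }' | sort -n
}

# Lists 3306 and 10000 as filtered and 6000 as not reported at all remotely.
hidden_from_outside "$LOCAL_OG" "$REMOTE_OG"
```

In real use, replace the two constructed strings with the contents of `nmap -oG` output files taken from the server and from an external host you are permitted to scan from.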
