[Dshield] RE: Running multiple layers
paulclarke at clarkeworks.com
Tue Mar 19 22:20:27 GMT 2002
On Mar. 18, 2002 Charles said:
>Date: Mon, 18 Mar 2002 06:28:09 -0800 (PST)
>From: Mrcorp <mrcorp at yahoo.com>
>Subject: Re: [Dshield] XP's Firewall
>To: list at dshield.org
>Reply-To: list at dshield.org
>When I attended a SANS conference last year, Stephen Northcutt and Gene Kim
>discussed this very topic. Stephen had mentioned that he had ZA and Blackice
>and that they both caught different types of attacks and such. Now I know
>that one is an IDS and another is a Firewall, but the fact is that layered
>security is the best. Do you really need 3? I don't think so, but after a
>week of examining, I think you will find that they each work on catching
>specific attacks and scans.
I'm a lightweight in this company; I run 1 server/gateway (Win2000 Server)
on a cable modem and 3 workstations (2 Win and 1 Mandrake 8.1) on fast
Ethernet. Last August I was attacked (successfully) and left with a Trojan
or two and a Web site that was, well, leaky. They (not necessarily the same
scum) also managed to compromise my FTP services (IIS5) as well - I became
an unwilling member of the WAREZ community. I was not amused.
After some re-evaluation of my firewall setup I installed NeoWatch firewall
to supplement my NAT32+ address translator. I tightened up my configuration
on the 'anonymous' FTP services and did the MS Lockdown thing for my web
server. I updated everything to the latest security patches. It was
amazing how quiet things got after that.
I run 2 firewalls now. In addition to NeoWatch firewall, I also run Tiny
Personal Firewall on the server with the Status Display running full-time.
I run TPF 'disabled' but with FTP resolving active. This gives me the most
incredible real-time monitoring of my IP activity passing through the
NeoWatch/NAT32+ combination both inbound and outbound - listening and
connected - ports. It's fabulous. I can watch as frustrated WAREZ hacks
try my FTP services. I can see the Script-Kiddies locking onto my HTTP
services and eventually fading away a few minutes later after unsuccessfully
attempting to execute scripts in forbidden places, or trying the
buffer-overflow ruse. It's almost as much fun as watching Will & Grace!
Has anyone else tried this combination?