[Dshield] RE: Running multiple layers

Paul paulclarke at clarkeworks.com
Tue Mar 19 22:20:27 GMT 2002


On Mar. 18, 2002 Charles raid:

>Message: 14
>Date: Mon, 18 Mar 2002 06:28:09 -0800 (PST)
>From: Mrcorp <mrcorp at yahoo.com>
>Subject: Re: [Dshield] XP's Firewall
>To: list at dshield.org
>Reply-To: list at dshield.org
>
>When I attended a SANS conference last year, Stephen Norhtcut and Gene Kim
discussed this very
>topic.  Stephen had mentioned that he had ZA and Blackice and that they
both caught different
>types of attacks and such.  Now I know htat one is an IDS and another is a
Firewall, but the fact
>is that layered security is the best.  Do you really need 3?  I dont think
so, but after a week of
>examing, I think you will find that they each work on catching specific
attakcs and scans.

I'm a lightweight in this company; I run 1 server/gateway (Win2000 Server)
on a cable modem and 3 workstations (2 Win and 1 Mandrake 8.1) on fast
Ethernet.  Last August I was attacked (successfully) and left with a Trojan
or two and a Web site that was, well, leaky.  They (not necessarily the same
scum) also managed to compromise my FTP services (IIS5) as well - I became
an unwilling member of the WAREZ community.  I was not amused.

After some re-evaluation of my firewall setup I installed NeoWatch firewall
to supplement my NAT32+ address translator.  I tightened up my configuration
on the 'anonymous' FTP services and did the MS Lockdown thing for my web
server.  I updated everything to the latest security patches.  It was
amazing how quiet things got after that.

I run 2 firewalls now.  In addition to NeoWatch firewall, I also run Tiny
Personal Firewall on the server with the Status Display running full-time.
I run TPF 'disabled' but with FTP resolving active.  This gives me the most
incredible real-time monitoring of my I/P activity passing through the
NeoWatch/NAT32+ combination both inbound and outbound - listening and
connected - ports.  It's fabulous.  I can watch as frustrated WAREZ hacks
try my FTP services.  I can see the Script-Kiddies locking onto my HTTP
services and eventually fading away a few minutes later after unsuccessfully
attempting to execute scripts in forbidden places, or trying the
buffer-overflow ruse.  It's almost as much fun as watching Will & Grace!

Has anyone else tried this combination?

Paul Clarke






More information about the list mailing list