[Dshield] DShield vs. Symantec: new features?
ervdv at pandora.be
Thu Jan 8 19:30:10 GMT 2004
On Thursday 08 January 2004 19:34, Mark Tombaugh wrote:
> On Thursday 08 January 2004 10:33 am, Erwin Van de Velde wrote:
> > -You have a webserver running of the type that is being attacked: closing
> > the port protects you, till you have taken appropriate measures
> In the world of 99.999% uptime this isn't an option. Plus, what if the
> service isn't even vulnerable and it goes down defensively? This system
> would need to be aware of the vendor and version of all services listening
> on every machine to be effective.
I mentioned this further on in my posting. If you have no vulnerable
software running, the sysadmin can quickly reopen the port. Of course this
will give a little downtime (5 minutes max if you have a sysadmin doing his
job), but on the other hand, how many severe threats have we seen last year?
I said this measure should only be taken against severe threats... If you had
MSSQL running at the outbreak of Slammer, you could have been taken down
anyway. If infection could have been avoided, internal networks could still
use the server... This can be a big gain if the employees need the network to
do their job. The cost of temporarily closing the port will be much less
than the cost of checking all machines for infection while the employees
cannot work. As I'm speaking of severe threats only, chances are that even if
your server was not vulnerable and the port to it remained open on the
firewall, the traffic was so heavy that clients couldn't connect to it.
And even if twice a year a serious threat occurs, targeting a service on a
port that you use for services to the public, let's say causing 20 minutes
of downtime altogether (the sysadmin each time just going to the bathroom :-)),
this cannot outweigh the trouble you have when you are infected (causing a
lot more downtime). Viruses spread more rapidly every year and have a more
severe impact on Internet traffic; I think it is only a matter of time
before we see a virus that causes the same damage to the system as the 'I
love you' virus and spreads as fast as Slammer. Keeping those out of the
door can save a lot of money....
And even Blaster could have caused you a lot of trouble if your LAN was
infected... Detecting and cleaning all infected systems isn't that wonderful
either. This could have been kept out of the door if one had only known it
before (or configured the firewall properly :-) ). Closing the ports it used
would have caused no trouble for almost any service.
> And then there's the potential abuse factor...
You always have to trust somebody :-) If you read it on isc.sans.org and act
on it, how can you be sure the site has not been defaced?
Signing is the (easy) key to solve the trust problems, or using SSL...
Erwin Van de Velde
Student of University of Antwerp
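As an added illustration of the two points argued above (automatically closing an attacked port at the perimeter while the LAN keeps using the service, and only trusting an advisory that is signed), here is a small Go program. It is not code from the original post or from DShield; the advisory format, the use of Ed25519 signatures, the iptables rule shape, the interface name "eth0" and the sample Slammer-style notice (UDP/1434, timestamped 2004-01-08) are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Advisory is a hypothetical "severe threat" notice as a trusted source
// might publish it: which service port to close at the perimeter and for
// how long. The field names are an assumption for this example.
type Advisory struct {
	ID       string `json:"id"`
	Port     int    `json:"port"`
	Proto    string `json:"proto"`    // "tcp" or "udp"
	Severity string `json:"severity"` // only "severe" triggers an automatic block
	Issued   int64  `json:"issued"`   // unix seconds
	TTL      int64  `json:"ttl_secs"` // how long the block should stay in place
}

// SignAdvisory serialises the advisory and signs the bytes with the
// publisher's Ed25519 key; the signed bytes are what gets distributed.
func SignAdvisory(priv ed25519.PrivateKey, a Advisory) (msg, sig []byte, err error) {
	msg, err = json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// VerifyAdvisory is the subscriber side: nothing is acted on unless the
// signature checks out under the pinned publisher key, the advisory is
// marked severe, and it is still inside its validity window. A defaced
// web page or a replayed old notice fails here.
func VerifyAdvisory(pub ed25519.PublicKey, msg, sig []byte, now time.Time) (Advisory, error) {
	var a Advisory
	if !ed25519.Verify(pub, msg, sig) {
		return a, errors.New("signature does not verify: not from the trusted publisher")
	}
	if err := json.Unmarshal(msg, &a); err != nil {
		return a, err
	}
	if a.Severity != "severe" {
		return a, errors.New("only severe threats trigger an automatic block")
	}
	if a.Port < 1 || a.Port > 65535 {
		return a, fmt.Errorf("invalid port %d", a.Port)
	}
	if a.Proto != "tcp" && a.Proto != "udp" {
		return a, fmt.Errorf("unsupported protocol %q", a.Proto)
	}
	issued := time.Unix(a.Issued, 0)
	if now.Before(issued.Add(-5 * time.Minute)) { // small clock-skew allowance
		return a, errors.New("advisory issued in the future")
	}
	if now.After(issued.Add(time.Duration(a.TTL) * time.Second)) {
		return a, errors.New("advisory expired: a replayed notice must not close ports today")
	}
	return a, nil
}

// BlockRules renders the iptables command that drops new connections to the
// port on the external interface only, so the internal LAN keeps using the
// service, together with the matching delete so the sysadmin can reopen the
// port once the server has been checked.
func BlockRules(a Advisory, extIface string) (add, del string) {
	rule := fmt.Sprintf("INPUT -i %s -p %s --dport %d -m conntrack --ctstate NEW -m comment --comment %q -j DROP",
		extIface, a.Proto, a.Port, "advisory-"+a.ID)
	return "iptables -I " + rule, "iptables -D " + rule
}

func main() {
	// Constructed demo: the publisher key pair would normally be long-lived,
	// with the public half pinned on every subscriber.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed advisory modelled on Slammer (UDP/1434), timestamped 2004-01-08.
	adv := Advisory{ID: "2004-0001", Port: 1434, Proto: "udp", Severity: "severe", Issued: 1073590210, TTL: 1800}
	msg, sig, _ := SignAdvisory(priv, adv)

	now := time.Unix(adv.Issued+60, 0)
	if a, err := VerifyAdvisory(pub, msg, sig, now); err == nil {
		add, del := BlockRules(a, "eth0")
		fmt.Println("apply:  ", add)
		fmt.Println("reopen: ", del)
	}
	// One flipped byte, as a defaced page would produce, is rejected.
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-2] ^= 0x01
	_, err = VerifyAdvisory(pub, tampered, sig, now)
	fmt.Println("tampered copy:", err)
}
```

The rule only matches the external interface, which is the point made above about internal users still reaching the server; the TTL and the printed delete command are there so the block is temporary by construction rather than something that has to be remembered.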