[Dshield] DShield vs. Symantec: new features?

Pete Cap peteoutside at yahoo.com
Thu Jan 8 20:24:23 GMT 2004


Seems to me that the best way to test this scenario would be to set up a network and try implementing this...otherwise the amount of downtime and the effectiveness of the technique remain in the realm of speculation.
 
Pete

Sylvester <ervdv at pandora.be> wrote:
On Thursday 08 January 2004 19:34, Mark Tombaugh wrote:
> On Thursday 08 January 2004 10:33 am, Erwin Van de Velde wrote:
> > -You have a webserver running of the type that is being attacked: closing
> > the port protects you, till you have taken appropriate measures
>
> In the world of 99.999% uptime this isn't an option. Plus, what if the
> service isn't even vulnerable and it goes down defensively? This system
> would need to be aware of the vendor and version of all services listening
> on every machine to be effective..

I mentioned this further on in my posting. In the case you have no vulnerable 
software running, the sysadmin can quickly reopen the port. Of course this 
will give a little downtime (5 minutes max if you have a sysadmin doing his 
job), but on the other hand, how many severe threats have we seen last year? 
I said this measure should only be taken against severe threats... If you had 
MSSQL running at the outbreak of Slammer, you could have been taken down 
anyway. If infection could have been avoided, internal networks could still 
use the server... This can be a big gain if the employees need the network to 
do their job. The cost of a temporary closing of the port will be much less 
than the cost of checking all machines for infection while the employees can 
not work. As I'm speaking of severe threats only, chances are that even if 
your server was not vulnerable and the port to it remained open on the 
firewall, that traffic was so heavy, that clients couldn't connect to it 
anyway...
And even if twice a year a serious threat occurs, targeting a service on a 
port that you use for services to the public, let's say causing 20 minutes 
downtime all together (sysadmin each time just going to the bathroom :-)), 
this cannot outweigh the troubles you have when you are infected (causing a 
lot more downtime). Viruses spread more rapidly every year, having more 
severe impact on the internet traffic, I think it is only a matter of time 
before we see a virus that causes the same damage to the system as the 'I 
love you' virus and spreading as fast as Slammer. Keeping those out of the 
door can save a lot of money....
And even Blaster could have caused you a lot of troubles, if your LAN was 
infected... Detecting and cleaning all infected systems isn't that wonderful 
either. This could have been kept out of the door if one had only known it 
before (or configured the firewall properly :-) ). Closing the ports it used 
would have caused no troubles for almost any service.

> And then there's the potential abuse factor...
You always have to trust somebody :-) If you read it on isc.sans.org and act 
then, how can you be sure the site has not been defaced?

Signing is the (easy) key to solve the trust problems, or using SSL...

Greetings,
Erwin Van de Velde
Student of University of Antwerp
Belgium

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
