[Dshield] Re: Risk Assessment

Mar Matthias Darin BDarin at tanaya.net
Fri Oct 22 08:54:50 GMT 2004


Hello, 

Here are the policies I use for both risk assessment and risk avoidance: 

1.  Firewall is set to default DENY all access.  Custom buily by myself. 

2.  Careful study of all required services and making sure that ONLY their
   appropriate protocol is referenced. 

   Example: specs on port 80 say both tcp and udp are used.  tcpdump
   monitoring stays my web server uses only tcp.  udp is blocked.  Same
   thing with my mail server, tcp only on tcpdump. 

   I allow only the protocol my servers use irregardless of the specs.
   I have spent 4 years studing this. 

3.  I run Linux and have modified the network areas for SYN cookies,
   martians and the like. 

4.  I limit how much each service can handle based upon load and extensive
   testing. 

5.  Severe limits om my email server:
   1.  No literal ip connections.
   2.  No dynamic IP connections.  This has been carefully studied as
       well and uses a series of rules that determine what a dynamic IP
       address is.  Also has exclusions for trusted sites.
   3.  Checking the mail headers for HELO forgeeries.
   4.  Mail is not accepted from any IP address that does NOT have a
       reverse DNS lookup.
   5.  Attachments are heavily screens.  Extentions like .scr or .pif
       are blocked.
   6.  4 virus scanners scan every peice of mail.  20,000+/day.
   7.  Virus definations are updated once an hour.  If for some reason,
       my server can not connect to the update site, no mail is processed
       until I can.  Automated scripts handle this.
   8.  No critical software is built with sleepers that slow them down
       as the load climbs.
   9.  I receive all mail as type 1, virus scan, sanitize, so forth, then
       move it to type 2 where my users access it.
  10.  I do not allow pop access at all.  All mail must be accessed via
       webmail with java turned OFF. 

6.  No ICMP packets allowed at all. 

7.  Heavy restrictions on my domain server. 

8.  Because I wrote my own firewall, I took advantage and built a local
   domain datebase of all sites that connect to my server and passive DNS
   scans with a DNS spider.  This database is kept up to date and
   consulted first before and domain traffic takes place.  Conserves
   bandwidth, esp if my system is under a DOS attack.  My domain database
   has 314,834,031 entries as of Thursday, October 21, 2004 at 07:17:44
   local time. 

9.  I check at least 20 security sites each and every day and take
   appropriate steps. 

10. Windows is ran under VMWare on a linux base with heavy security
   blocking all access except to the local drive thru samba with more
   security. 

11. Log everything.  READ the logs everyday. 

12. I am vigilant and consistant in policing my system. 

13. Routine checks with ShieldsUp (grc.com) and SyGate's port scans
  (scan.sygate.com).  Also routine checks with ORDB. 

In the 5 years I have ran my server, I olny been taken offline by brute 
force 3 times (DOS packet flood of at least 10,000 seperate IP addresses).  
No breeches into the system at all. 

Hope that helps. 

Bill Matthews writes: 

> Hello all, 
> 
> Has anyone on the list been asked to help with a formal risk
> assessment for the network? 
> 
> I'd like to ask for some general feedback about network risks.  A real
> risk assessment will be specific to your network, but for the sake of
> this discussion we could keep them generic. 
> 
> For example: 
> 
> Without an enforced patch management process the network design can be
> susceptible to vulnerabilities from hackers, worms, and viruses. 
> 
> The current vulnerabilities inherent in Windows provides access to the
> network through attacks resulting in the ability to alter, destroy, or
> disclose data. 
> 
> Without a process to provide information on security incidents to
> guide the network development and upgrade plan, the network design can
> be susceptible to vulnerabilities . 
> 
> Without regular external penetration testing, the network may be
> susceptible to external attacks by hackers. 
> 
> Any other thoughts?
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20041022/5cc1b74b/attachment.bin


More information about the list mailing list