[Dshield] Re: Risk Assessment

Shaun Gray SGray at medford.k12.nj.us
Tue Oct 26 12:28:05 GMT 2004

Question about #9.  What sites do you check?


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Mar Matthias Darin
Sent: Friday, October 22, 2004 4:55 AM
To: General DShield Discussion List
Subject: [Dshield] Re: Risk Assessment


Here are the policies I use for both risk assessment and risk avoidance:

1.  Firewall is set to default DENY all access.  Custom built by myself.

2.  Careful study of all required services and making sure that ONLY
   appropriate protocol is referenced. 

   Example: specs on port 80 say both tcp and udp are used.  tcpdump
   monitoring says my web server uses only tcp.  udp is blocked.  Same
   thing with my mail server, tcp only on tcpdump. 

   I allow only the protocol my servers use regardless of the specs.
   I have spent 4 years studying this. 

3.  I run Linux and have modified the network areas for SYN cookies,
   martians and the like. 

4.  I limit how much each service can handle based upon load and

5.  Severe limits on my email server:
   1.  No literal ip connections.
   2.  No dynamic IP connections.  This has been carefully studied as
       well and uses a series of rules that determine what a dynamic IP
       address is.  Also has exclusions for trusted sites.
   3.  Checking the mail headers for HELO forgeries.
   4.  Mail is not accepted from any IP address that does NOT have a
       reverse DNS lookup.
   5.  Attachments are heavily screened.  Extensions like .scr or .pif
       are blocked.
   6.  4 virus scanners scan every piece of mail.  20,000+/day.
   7.  Virus definitions are updated once an hour.  If for some reason,
       my server can not connect to the update site, no mail is
       until I can.  Automated scripts handle this.
   8.  No critical software is built with sleepers that slow them down
       as the load climbs.
   9.  I receive all mail as type 1, virus scan, sanitize, so forth,
       move it to type 2 where my users access it.
  10.  I do not allow pop access at all.  All mail must be accessed via
       webmail with java turned OFF. 

6.  No ICMP packets allowed at all. 

7.  Heavy restrictions on my domain server. 

8.  Because I wrote my own firewall, I took advantage and built a local
   domain database of all sites that connect to my server and passive
   scans with a DNS spider.  This database is kept up to date and
   consulted first before any domain traffic takes place.  Conserves
   bandwidth, esp if my system is under a DOS attack.  My domain
   has 314,834,031 entries as of Thursday, October 21, 2004 at 07:17:44
   local time. 

9.  I check at least 20 security sites each and every day and take
   appropriate steps. 

10. Windows is run under VMWare on a linux base with heavy security
   blocking all access except to the local drive thru samba with more

11. Log everything.  READ the logs everyday. 

12. I am vigilant and consistent in policing my system. 

13. Routine checks with ShieldsUp (grc.com) and SyGate's port scans
  (scan.sygate.com).  Also routine checks with ORDB. 

In the 5 years I have run my server, I only been taken offline by brute 
force 3 times (DOS packet flood of at least 10,000 separate IP
No breaches into the system at all. 

Hope that helps. 

Bill Matthews writes: 

> Hello all, 
> Has anyone on the list been asked to help with a formal risk
> assessment for the network? 
> I'd like to ask for some general feedback about network risks.  A real
> risk assessment will be specific to your network, but for the sake of
> this discussion we could keep them generic. 
> For example: 
> Without an enforced patch management process the network design can be
> susceptible to vulnerabilities from hackers, worms, and viruses. 
> The current vulnerabilities inherent in Windows provide access to the
> network through attacks resulting in the ability to alter, destroy, or
> disclose data. 
> Without a process to provide information on security incidents to
> guide the network development and upgrade plan, the network design can
> be susceptible to vulnerabilities. 
> Without regular external penetration testing, the network may be
> susceptible to external attacks by hackers. 
> Any other thoughts?
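Item 5 of Mar Matthias Darin's message above lists a set of acceptance checks on an inbound mail server: no literal-IP HELO, no dynamic-IP senders unless trusted, HELO forgery checks, a required reverse DNS record, and blocked attachment extensions. The block below is an added Python example, not code from the original post or from any list participant, that models checks 5.1 through 5.5 as one policy function evaluated over constructed sample connections. The reverse-DNS table, the IP addresses and hostnames, the dynamic-name heuristics, the "HELO presents our own hostname" forgery rule, and every blocked extension beyond .scr and .pif are assumptions made for illustration; real PTR lookups are replaced by an injected dict so the code runs offline.

```python
"""
Inbound-mail policy checks modelled on items 5.1-5.5 of the message above.
All sample data is constructed; reverse-DNS answers come from a dict so
the example runs without network access.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Extensions refused outright. The post names .scr and .pif; the rest are
# assumed additions typical of such a list.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe", ".bat", ".cmd", ".com", ".vbs"}

# Assumed, illustrative heuristics for consumer/dynamic reverse-DNS names
# (the post says its own rule set is more elaborate).
DYNAMIC_PATTERNS = [
    # a dynamic-looking label such as "dsl", "dhcp", "pool" bounded by . or -
    re.compile(r"(^|[.-])(dyn|dynamic|dhcp|dsl|cable|ppp|pool|dialup)([.-]|$)", re.I),
    # four octets embedded in the name, e.g. 192-0-2-20.isp.example
    re.compile(r"(\d{1,3}[.-]){3}\d{1,3}"),
]

# Constructed name of the receiving server (used by the HELO forgery rule).
OUR_HOSTNAME = "mail.example.net"


@dataclass
class InboundMail:
    client_ip: str                      # connecting IP address
    helo: str                           # HELO/EHLO argument as presented
    attachments: List[str] = field(default_factory=list)


def is_literal_ip(name: str) -> bool:
    """Item 5.1: True if the HELO argument is a bare or bracketed IP literal."""
    candidate = name.strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def looks_dynamic(ptr_name: str) -> bool:
    """Item 5.2: True if the reverse-DNS name matches a dynamic-host pattern."""
    return any(p.search(ptr_name) for p in DYNAMIC_PATTERNS)


def evaluate(mail: InboundMail, reverse_dns: Dict[str, str],
             our_hostname: str = OUR_HOSTNAME,
             trusted_ips: FrozenSet[str] = frozenset()) -> List[str]:
    """Return rejection reasons in check order; an empty list means accept."""
    reasons: List[str] = []
    if is_literal_ip(mail.helo):
        reasons.append("helo-literal-ip")
    # Item 5.3 (assumed rule): a remote client claiming to be this server.
    elif mail.helo.lower() == our_hostname.lower():
        reasons.append("helo-forged-own-name")
    ptr = reverse_dns.get(mail.client_ip)
    if ptr is None:                                    # item 5.4
        reasons.append("no-reverse-dns")
    elif looks_dynamic(ptr) and mail.client_ip not in trusted_ips:  # item 5.2
        reasons.append("dynamic-ip")
    for filename in mail.attachments:                  # item 5.5
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked-attachment:{filename}")
    return reasons


# Constructed reverse-DNS table standing in for real PTR lookups.
SAMPLE_PTR = {
    "192.0.2.10": "mail.partner.example",
    "192.0.2.20": "dsl-192-0-2-20.isp.example",
    "192.0.2.30": "host30.office.example",
    # 192.0.2.40 deliberately absent: no PTR record
}

# Constructed sample connections exercising each rule.
SAMPLE_MAILS = [
    InboundMail("192.0.2.10", "mail.partner.example", ["report.pdf"]),
    InboundMail("192.0.2.20", "[192.0.2.20]", ["invoice.scr"]),
    InboundMail("192.0.2.30", "mail.example.net"),
    InboundMail("192.0.2.40", "relay.somewhere.example", ["photo.jpg.pif"]),
]


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every sample connection and map client IP to its reasons."""
    return {m.client_ip: evaluate(m, SAMPLE_PTR) for m in SAMPLE_MAILS}


if __name__ == "__main__":
    for ip, reasons in run_samples().items():
        print(ip, "ACCEPT" if not reasons else "REJECT " + ", ".join(reasons))
```

The checks are ordered so that a rejection reason is recorded for every failed rule rather than stopping at the first one, which is what you want when the decision is logged and the logs are read daily as item 11 recommends; the trusted-IP exclusion only bypasses the dynamic-name heuristic, not the reverse-DNS requirement or the attachment screen.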
