- a free IDS
hackimacation / ip v2.1
Look for more of a security "architectural" focus here in the
coming months. I'll be moving away from the "how to hack"
message here. I believe we all agree that is what we want to find in
the tech control world.
Security Engineering: Integrated, not added on.
There is few mistakes bigger than neglecting security in
your network (re)design. Here are some ideas. Add a VLAN on a
non-routable network. This is where you would put a management
network. Have your IDS and firewall management interfaces, out of
band management router and switch ports, and SYSLOG servers here.
Ensure you have the appropriate ACLs on your routers to restrict access to
only management workstations. Point
all logging devices, including routers, to your SYSLOG server.
So now you have all these
devices and lots of alerts. Now what? Now, look into a
Security Incident Management platform. These will take logs and
real-time alerts and normalize them. For instance, your IDS shows an
easy to read port scan. Your firewall logs shows some ACLs being hit
and some unauthorized service requests. Your DNS server logs some Domain
Zone transfer request and filled one of them! Suddenly, your host
IDS (like Tripwire or Dragon Squire) reports system file changes on your
SQL server. Wouldn't it be nice to be able to correlate these alerts
all at the same time? What if you could write an alert script that
would say, "If you see this alert on the IDS, AND the firewall
reports the same source IP address attempting a connection on that
port, AND file1 OR file2 changes on server x, PAGE
me." There is a growing amount of software that does
this. Check out ARCSight and netForensics
Evaluate Everything FIRST!
Anytime you add a device to a network, always ask, "What does
this expose and how can it be made secure without impacting
users?" Each time you add a service on a device, there is
potential to exploit it. The old adage of "If you do not need
it, do not enable it." is always the first step. Determine your
AAA (Authentication, Authorization, and Accounting) schema. Check
with the vendor's documentation to ensure the latest patches are
applied. Check with Security
Focus and others to find what vulnerabilities are publicized.
With the results of those investigations, update/tune your IDS signatures,
firewalls and other security devices. Here is a quick example bullet
list for standing up an internal Exchange server:
- Update the OS with all the latest
- Update Exchange with all the latest
- Turn off all non-essential services
(like IIS or DHCP)
- Add log exporting or an
appropriate host IDS agent
- Update routers/firewalls ACLs to
only allow needed IP addresses and sockets
- Update/tune network IDSs to
accommodate this particular system
- Use Nessus or other vulnerability
scanning software to assess the new box
- Import the Nesses report to your
security devices if supported (Arcsight, netForensics and Dragon IDS
- Add the box to your periodic
vulnerability scan schedule
This list is certainly not
all-inclusive. It will get you started though. Check with your
unit/company's policy to ensure it allows for this and if there are any
other things you need to do. You do have a policy, right?
Wireless (802.11): It can be made secure.
There has been much debate over the insecurity of wireless
LANs and Bridging solutions. This is an affordable AND secure
solution if done properly. There are a few simple steps to take that
can secure your implementation of a wireless device.
First, only buy devices with 128 bit encryption...and
ENABLE IT! Use good password practice when making your key.
Next, on your access points, enable secure access. What this does is
suppress the broadcast of your service set identifier (SSID). This
part is critical to rendering psuedo-sniffers like Netstumbler
ineffective. Third, use RADIUS or 802.1X authentication.
Essentially, if a device's MAC, or in the case of 1X a user, doesn't
authenticate, that MAC's traffic is not accepted on the network.
Lastly, use a VPN
technology with 3DES encryption. Users can use software
clients and bridges can use VPN hard
clients to accomplish this.
For more info, see this
white paper (PDF) which describes a wireless DMZ concept.
Focus - computer forensics and data recovery news and discussion:
Join our lively computer forensics community today and stay current
with other forensic computing professionals through our forum, email
discussion list and monthly newsletter.
has a great vulnerability tool. Full assessment
reporting with fix actions. Leaves huge foot print on IDSs.
version is available
Metasploit Framework is the best point-click-exploit to shell
available. It takes Nessus to the next level. This is basic training
for security/pen test labs.
News Portal - a one stop shop for all the latest in computer
security. Start here!
www.antionline.com will tell you the latest
happenings in the underground, along with providing tools to secure (and unsecure) most
www.securityfocus.com is another mainstream
site. There are lots of tools and information here. Not a beginner site, but
essential for any system administrator.
rain forrest puppy is a
talented programmer who finds several security issues with MS-IIS. Also has perl
scripts to test the new vulnerabilities.
www.infowar.com is a mainstream information warfare
/ information security source page. Has all levels of info from desktop security to
international infrastructure threats.
netscan.org also touches the underground as well as
mainstream. Hope you do not see your organization listed here :-0
www.l0pht.com has lots of NT security tools too.
Packet Storm More mainstream IP/Sec
consulting. Recent change in site's url and look, but has the same
eEye Digital Security Makers
of Retina IIS hacking tool. Has some tools, but is a good site for keeping up with
news and advisories.
www.phrack.com mixes hacking and phreaking, with news,