Re: [SLUG] Re: CD-Based Firewall -- logs and auditing

From: Paul M Foster (paulf@quillandmouse.com)
Date: Sat Nov 06 2004 - 10:38:56 EST


On Thu, Nov 04, 2004 at 09:12:13PM -0500, Bryan J. Smith wrote:

> On Thu, 2004-11-04 at 18:27, Paul M Foster wrote:
> > They will be (as now) directed to one of the consoles.
>
> How much are you logging? I'm not trying to tell you what to do, but an
> on-disk or, better yet, remote record is always ideal. Best of all
> would be a real-time print record, of course, but that's typically not
> feasible for SOHOs.
>

All failed and some successful packets.

> > The IDS is the logs.
>
> Logs from what? Kernel? Other? I assume you are saying you are doing
> self-analysis. Not exactly ideal in this day and age, but I guess
> that's just me?
>

Logging from iptables. Other logging is not really important to me. If
the machine goes down or panics, I can replace it rather quickly.

> What systems are behind the firewall? The reason I ask this is because
> you have to worry about outgoing traffic too -- e.g., client systems
> that have been compromised via browser or other exploits.
>

Currently, all systems are Linux (Mepis). Java is turned off on all but
one system. We have yet to see a browser compromise, and I'm not really
concerned about it.

> > If I need to, I switch to that console and look at the logs going by.
>
> Please understand I'm not trying to be argumentative. I'm just curious
> why you are limiting the most important part of a network security
> approach -- the logs and auditing.
>

I'm not temperamentally inclined to spend time analyzing logs. Plus, I
haven't the expertise to do it with any rapidity. It's more of a
slogging exercise with me.

> > Understand-- the only service advertised on the box is SSH,
> > and then only to local machines. Otherwise, it NATs and blocks
> > traffic to almost everything else.
>
> The deny-all firewall died as an adequate network security measure
> for even SOHOs years ago. Nowadays you need at least an IDS that
> can analyze logs in real-time, or at least off-line. Especially if you
> have any Windows systems behind the firewall, but it is not always
> limited to Windows (but 99.9% of them target Windows).
>

I suppose if someone really really wanted to hack me, they could somehow
intercept my traffic and analyze it. And I suppose I could then be
hacked. But I consider the likelihood very very remote. I've watched the
traffic go by, and it's mostly nuisance traffic (blind NETBIOS probes
and such).

I decided a long time ago that I'd forego the Cheyenne Mountain school
of thought for security on my home network.

> > My logging level is very high, so it's clear when anything's going on.
>
> I'm confused when you say your "logging level is very high." Your
> screen would be passing on so much information that you could not
> possibly digest it in even real-time. There is such a thing as "log
> dilution" where you are inundated with so much information that it
> becomes impossible to audit. Especially if you are not using an
> automated, real-time auditing system like an IDS.
>

It is too much to absorb without an IDS. However, I can watch packets go
by and fail, and see what ports, addresses and flags are involved. From
there it's possible to determine if I need to look further into the
situation. The logging is any failed packet and some successful
packets. Certain IP addresses are blocked, and I see that traffic as
well.

> So are you using an IDS and just watching those logs on the console? If
> so, what interfaces are you tapping? Just the LAN? Just curious what
> your approach is. Not questioning it, just curious. I write security
> whitepapers and articles all the time, and am interested in learning
> about new techniques -- especially for SOHO setups.
>

Don't look for new techniques here. I'm not that good. I basically block
all malformed session traffic, only allow properly formed session
traffic from inside the LAN, and block any but already started session
traffic from the internet. Derek's firewall script (on the SLUG FAQ
page) is probably a close match for what I do. I log any failed packet.

Yes, you know far more about security than I do, and your networks are
far more secure than mine. However, I don't have Fort Knox sitting
behind my firewall, and it's not worth it to me to configure things as
though I do. It's a trade-off. I sacrifice some security for ease of
use. I suspect most people approach it that way, good or bad. If I were
the security guy at IBM, I'd learn a lot more and approach things
differently.

Also note that for people who work with security all the time, setting
up security networks is relatively straightforward. For me, it's not. I
used to be an electrician, so working with household electrical
equipment and electricity are simple to me. But to most people, they're
scared of it. Same thing, really.

Paul
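The thread above turns on two things: the firewall logs every failed packet, and someone has to read those logs by eye, which Bryan calls log dilution. The following is an added example, not code from either poster, showing the kind of offline pass a SOHO admin can run over those same iptables LOG lines so the console scroll collapses into a handful of counts. It assumes the drop rule sets a log prefix with the standard `-j LOG --log-prefix "IPT-DROP: "` option; the prefix name, the sample log and the scan threshold are constructed for this example, and the addresses come from the RFC 5737 test ranges.

```python
"""Offline summary of iptables LOG lines from the kernel log.

Added example for this thread, not code from either poster. It assumes the
dropped packets are logged with a rule such as
    iptables -A INPUT -j LOG --log-prefix "IPT-DROP: "
so each line carries SRC/DST/PROTO/SPT/DPT fields plus bare TCP flag words.
The sample log below is constructed; the addresses are RFC 5737 test ranges.
"""
import re
from collections import Counter, defaultdict

# Everything after "kernel:" up to the first "IN=" is the rule's log prefix;
# the rest is a whitespace-separated list of KEY=VALUE pairs and bare flags.
LOG_LINE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<body>IN=.*)$")

# Constructed sample: repeated NetBIOS probes from one host, a small port
# sweep plus a ping from another, and one unrelated sshd line to be ignored.
SAMPLE_LOG = """\
Nov  6 10:38:01 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=5611 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  6 10:38:02 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=5612 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  6 10:38:05 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=5620 DF PROTO=TCP SPT=3071 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  6 10:39:10 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 10:39:10 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 10:39:11 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40211 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 10:39:11 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=40211 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 10:39:20 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov  6 10:39:21 fw sshd[412]: Accepted publickey for paul from 192.168.1.20 port 51234 ssh2
"""


def parse_line(line):
    """Return a dict of fields for one LOG line, or None if it is not one."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group("prefix").rstrip(":"), "FLAGS": []}
    for token in m.group("body").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value  # later duplicates (inner LEN, ICMP ID) win
        else:
            fields["FLAGS"].append(token)  # DF, SYN, ACK, RST, ...
    return fields


def summarize(lines, scan_threshold=3):
    """Condense LOG lines into counts a person can actually review.

    scan_threshold: number of distinct destination ports one source must
    touch before it is listed as a suspected port sweep (assumed value).
    """
    by_source = Counter()
    by_port = Counter()
    ports_by_source = defaultdict(set)
    syn_only = 0
    parsed = skipped = 0
    for line in lines:
        f = parse_line(line)
        if f is None:
            skipped += 1
            continue
        parsed += 1
        src = f.get("SRC", "?")
        by_source[src] += 1
        if "DPT" in f:  # TCP/UDP carry ports; ICMP lines do not
            port = int(f["DPT"])
            by_port[(f.get("PROTO", "?"), port)] += 1
            ports_by_source[src].add(port)
        flags = f["FLAGS"]
        if "SYN" in flags and "ACK" not in flags:
            syn_only += 1  # bare SYN to a closed or blocked port
    scanners = sorted(
        src for src, ports in ports_by_source.items() if len(ports) >= scan_threshold
    )
    return {
        "parsed": parsed,
        "skipped": skipped,
        "by_source": dict(by_source),
        "by_port": dict(by_port),
        "syn_only": syn_only,
        "suspected_scanners": scanners,
    }


def report(summary, top=5):
    """Render the summary as a few console lines."""
    out = [f"{summary['parsed']} dropped packets ({summary['skipped']} non-firewall lines skipped)"]
    out.append(f"{summary['syn_only']} bare SYNs to blocked ports")
    for (proto, port), n in Counter(summary["by_port"]).most_common(top):
        out.append(f"  {proto}/{port}: {n}")
    for src, n in Counter(summary["by_source"]).most_common(top):
        tag = " (multi-port sweep)" if src in summary["suspected_scanners"] else ""
        out.append(f"  {src}: {n}{tag}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

Pointed at the real kernel log (for example `summarize(open("/var/log/kern.log"))`), the same functions turn a day's worth of dropped packets into a port table, a per-source table and a short list of hosts that touched several ports, which is the part of the "watch the flags and ports go by" routine that is easiest to hand off to a script.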

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:33:14 EDT