Re: [fw-wiz] Acquisition of time

From: Paul D. Robertson (proberts@patriot.net)
Date: 01/29/03


From: "Paul D. Robertson" <proberts@patriot.net>
To: Brian Monkman <bmonkman@comcast.net>
Date: Wed Jan 29 10:28:33 2003

On Wed, 29 Jan 2003, Brian Monkman wrote:

> Folks - I'm having a discussion with a few people and we have a
> question that we are interested in getting comments from the list on.
>
> Are there any situations where a firewall's acquisition of time
> could/should be from a network time source? Not necessarily a public
> source, it could be an "internal" time source.

Could be, sure.

>
> If there are situations where this makes sense, should these same
> firewalls have battery backed up clocks on board or would that be
> unnecessary?

Imagine you had some SQL servers which got hit with a worm that
propagated, and you allowed all outbound traffic. Let's say the worm
generated enough traffic to fill up the state table on the firewall, and
due to a bug it ended up rebooting. Now, the internal network flood is
still going on. An attacker decides to take advantage of the mayhem to
launch a real attack against you, and the NTP server isn't reachable
because the switch it's sitting on has 8 vulnerable neighbors plugged into
it....

What time gets written to the logs when the attack commences?

Worse yet, let's say it's protecting a small business or a home and
doesn't have all the good constant power that we tend to see in large
companies...

While I've often said that it's a good thing to be able to take a cheap
GPS and add a stratum 1 timeserver to a network, any time you add an
external dependency, you really, really need to think through the
scenarios, especially if you're going to have to take log files to court.

Paul
ps: Posting from home doesn't improve your odds ;)
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
