Re: [fw-wiz] Security Audit and Priorities

From: Paul Robertson (proberts_at_patriot.net)
Date: 07/13/03

  • Next message: lists_at_notatla.org.uk: "Re: [fw-wiz] Security Audit and Priorities"
    To: Paul Ammann <pammann@execomm.net>
    Date: Sun, 13 Jul 2003 01:11:36 -0400 (EDT)
    
    

    On Sat, 12 Jul 2003, Paul Ammann wrote:

    > Hi
    >
    > I will be starting a new job in the next few weeks. I went to Netcraft and
    > typed in the company's URL and was amazed by what I saw: the version of
    > Linux, the version of Apache, the version of OpenSSL... literally everything
    > about their web servers.
    >
    > I have a lot of experience with firewalls, but I'll profess my ignorance in
    > other security areas. So, here are my two questions:
    >
    > 1. What is the best way to block Netcraft from obtain all this information.
    > Are there Open Source solutions that would be better than commercial
    > solutions?

    Quick answer: Don't put Web servers on the Internet.

    Obscurity won't help you much, keep your servers up to date, especially if
    they're facing the real world, turn off all the stuff that's not strictly
    necessary, and then you won't have to worry too much about banners and/or
    fingerprinting. You can block Netcraft's spidering, but then what about
    former employee's resumes, technical support questions, etc? Well-managed
    systems have very small windows of vulnerability, and the more you can
    turn off, the smaller that window becomes.

    > 2. The company has acknowledged they are lacking in security. What is the
    > best method for doing a security audit?

    Figure out what's exposed, make sure it's not anything that shouldn't be,
    and make sure it's up to date, then ensure that the security policy
    matches the needs and wishes of the organization and make sure that it's
    being correctly implemented.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: lists_at_notatla.org.uk: "Re: [fw-wiz] Security Audit and Priorities"