Re: ssh and ids
From: Frank Knobbe (frank_at_knobbe.us)
Date: 06/22/04
- Previous message: Tony Rall: "Re: possible causes of source and destination ip from external network"
- In reply to: Gary Flynn: "Re: ssh and ids"
- Next in thread: Bamm Visscher: "Re: ssh and ids"
- Reply: Bamm Visscher: "Re: ssh and ids"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Gary Flynn <flynngn@jmu.edu> Date: Tue, 22 Jun 2004 10:11:03 -0500
On Mon, 2004-06-21 at 07:43, Gary Flynn wrote:
> The Juniper/Netscreen IDP comes with a feature called Profiler
> that you can set to discover and alert on new port or host
> appearances. You set it to discover what's normal, then turn on
> alerting.
Before we dive too far into the list of IDS/IPS that can profile
traffic, I just want to remind everyone that a good firewall
configuration does exactly that; it creates a profile and prevents
unauthorized connections.
It seems these days we're quick to jump to IDS/IPS systems to have them
detect and prevent unauthorized and/or abnormal traffic. It seems we're
forgetting that a correctly configured firewall does the same thing. It
prevents backdoors into web servers, and it prevents web servers from
establishing sessions to the outside.
The IDS needs to catch those conditions where for example an attacker
launches a cryptcat shell from the web server to the outside, and I
agree that the IDS needs to know the normal traffic profile for that
purpose. But guess what... your firewall (which is blocking said
shell-shovel-attempt) can detect it as well. Not just that, it can
prevent it!
It seems nowadays we tend to augment lax and leaky firewalls with IPS
systems when we should really go back and tighten our firewall rule
sets.
Now that I'm done ranting, let me ask you: How do you detect a listening
port on a rooted server when no one is able to send packets to that
port?
(Seems like nmap would do the trick, and is cheaper than profiling IDS
appliance.)
Cheers,
Frank
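The argument above, that a tight firewall rule set is itself a traffic profile which both prevents and records an unexpected outbound session, can be shown with a small model. The following is an added example, not code from the original post or from any firewall product: it encodes a default-deny policy for a DMZ web server (addresses, rule names and the sample flow records are all constructed for illustration) and runs a few flows through it with first-match semantics. The web server's attempt to open a session to an outside host is denied by the DMZ egress rule and surfaces as an alert line, while normal inbound HTTPS and the server's own DNS lookups pass.

```python
"""Firewall policy as a traffic profile: default-deny with explicit allows.

Added example (constructed scenario, not from the mailing-list post). Shows that
a tight rule set both prevents and reports a web server's attempt to open an
outbound session.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    dports: tuple     # allowed destination ports; () means any port
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed addresses (documentation ranges): web server in a DMZ, an internal
# resolver, an admin network, and "anything" for the outside world.
WEB = "203.0.113.10/32"
DMZ = "203.0.113.0/24"
RESOLVER = "198.51.100.53/32"
ADMIN_NET = "192.0.2.0/24"
ANY = "0.0.0.0/0"

# The policy is the profile: only these flows are normal, everything else is denied.
POLICY = [
    Rule("inbound-http", ANY, WEB, "tcp", (80, 443), "allow"),
    Rule("web-dns", WEB, RESOLVER, "udp", (53,), "allow"),
    Rule("admin-ssh", ADMIN_NET, DMZ, "tcp", (22,), "allow"),
    # Nothing in the DMZ may initiate sessions outward unless allowed above.
    Rule("dmz-egress-deny", DMZ, ANY, "any", (), "deny"),
    Rule("default-deny", ANY, ANY, "any", (), "deny"),
]


def _match(rule, flow):
    """True when the flow falls inside the rule's address, protocol and port scope."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and (not rule.dports or flow.dport in rule.dports))


def evaluate(flow, policy=POLICY):
    """First-match evaluation, as most packet filters do. Returns (action, rule name)."""
    for rule in policy:
        if _match(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def audit(flows, policy=POLICY):
    """Run flows through the policy and return the denied ones as alert lines.

    A denied flow that originates inside the DMZ is the interesting case: the
    firewall has just blocked an outbound session attempt and, by logging the
    deny, reported it at the same time.
    """
    alerts = []
    for f in flows:
        action, name = evaluate(f, policy)
        if action == "deny":
            origin = "EGRESS" if ip_address(f.src) in ip_network(DMZ) else "INGRESS"
            alerts.append(f"{origin} DENY {name}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    return alerts


# Constructed flow records for the demonstration.
SAMPLE_FLOWS = [
    Flow("198.51.100.77", "203.0.113.10", "tcp", 443),    # ordinary client to the web server
    Flow("203.0.113.10", "198.51.100.53", "udp", 53),     # web server resolving a name
    Flow("198.51.100.77", "203.0.113.10", "tcp", 8080),   # probe of a port that is not published
    Flow("203.0.113.10", "198.51.100.200", "tcp", 4444),  # web server opening a session outward
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The same idea carries over to a real packet filter: the deny rules at the bottom are the ones to log, and a log entry whose source is a DMZ host is worth an alert on its own, without any profiling appliance in the path.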