From owner-freebsd-security Tue Apr 13 8: 7:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id CF00D15254 for ; Tue, 13 Apr 1999 08:07:13 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id LAA21502; Tue, 13 Apr 1999 11:05:03 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Sequential TCP port allocation?
In-Reply-To: <19990412120126.B15762@homer.louisville.edu> from Keith Stevenson at "Apr 12, 99 12:01:26 pm"
To: k.stevenson@louisville.edu (Keith Stevenson)
Date: Tue, 13 Apr 1999 11:05:03 -0400 (EDT)
Cc: freebsd-security@freebsd.org
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[I can't help too much with the subject matter, but this might be better
suited to -security. I'm forwarding this there. However, one comment below.]

Keith Stevenson wrote,

> We recently had an auditing firm run ISS against our network. The only
> "vulnerability" detected on our production FreeBSD box was a problem with
> "Predictable Sequence Ports". The description states that this FreeBSD box
> allocates its port numbers in sequential order.
>
> I've looked at several of my 2.2.8 boxes, and sure enough this appears to be
> true. Is there a setting or sysctl knob that I can tweak to change the system
> to allocate ports in a more random manner? If not, does 3.1-STABLE exhibit
> the same behavior?
>
> (Whether or not this qualifies as a real security vulnerability is irrelevant
> to me. Since the auditors labeled this as a "security hole" I have to present
> some sort of response to my management.)

I think it does matter if it is a 'real' vulnerability, _especially_ when
talking to management. If it is going to cost $$$ to fix the problem or go
with another solution, one must weigh risks against such a cost. There is no
such thing as security-at-all-costs (unless you work for the NSA or
sumthin'). If you truly want to be secure, do not connect to the Internet,
assign each user random passwords (but make sure they don't write them down
on Post-It Notes(tm) on the side of the monitor), and put all of the
machines in an access-controlled area with EM screening to keep in the
Tempest radiation. Of course, that's an outlandish example, but one must
remember there are always costs and benefits to be weighed.

--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
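The check the auditors' scanner performed, reproduced as an added example (this is not code from the thread or from the FreeBSD project): open a run of outbound TCP connections, record the ephemeral source port the kernel hands each one, and measure how often consecutive ports differ by exactly one. A score near 1.0 is the strictly sequential allocation Keith describes; a randomized allocator scores near 0.0. The listener address, sample count and 0.9 threshold are assumptions chosen for the example, and the sampling is done against a local loopback listener so it runs offline.

```python
"""Detect sequential ephemeral (source) port allocation on the local host.

Added example for the 'Predictable Sequence Ports' finding discussed above.
The threshold and sample size are arbitrary choices for illustration.
"""
import socket


def sequential_score(ports):
    """Fraction of consecutive port pairs whose delta is exactly +1.

    Returns 0.0 when fewer than two samples are available. Strictly
    sequential allocation (p, p+1, p+2, ...) scores 1.0; a randomized
    allocator scores close to 0.0 because adjacent picks are unrelated.
    """
    if len(ports) < 2:
        return 0.0
    deltas = [later - earlier for earlier, later in zip(ports, ports[1:])]
    return sum(1 for d in deltas if d == 1) / len(deltas)


def is_predictable(ports, threshold=0.9):
    """True when at least `threshold` of the observed steps are +1."""
    return sequential_score(ports) >= threshold


def sample_local_ports(count=20):
    """Open `count` TCP connections to a loopback listener and return the
    ephemeral source port the kernel chose for each, in connection order.

    Every socket is held open until the end so that no port is freed and
    handed straight back, which would distort the sequence.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # assumed: loopback, any free port
    listener.listen(count)
    target = listener.getsockname()
    held = []
    ports = []
    try:
        for _ in range(count):
            client = socket.create_connection(target)
            server_side, _addr = listener.accept()
            held.extend((client, server_side))
            ports.append(client.getsockname()[1])   # the port the kernel picked
    finally:
        for s in held:
            s.close()
        listener.close()
    return ports


if __name__ == "__main__":
    observed = sample_local_ports()
    print("source ports:", observed)
    print("sequential score: %.2f" % sequential_score(observed))
    print("predictable:", is_predictable(observed))
```

Run it on the host in question and compare the score with one taken from a machine known to randomize. On modern FreeBSD the allocator is governed by the `net.inet.ip.portrange.randomized` sysctl, which defaults to on; that knob postdates the 2.2.8 and 3.1 systems discussed in the thread and is mentioned here as editorial context, not as the thread's answer.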