Date:      Wed, 6 Sep 2006 23:27:59 -0500
From:      "Travis H." <solinym@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: comments on handbook chapter
Message-ID:  <d4f1333a0609062127qb1f93ddl68fe218d56dfc93c@mail.gmail.com>
In-Reply-To: <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>
References:  <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>

On 9/6/06, Travis H. <solinym@gmail.com> wrote:
> It seems to me that advising people to focus on detection rather
> than prevention is wrong-headed.  What are you going to do after you detect
> the attacker?

And, if your answer is "prevent further intrusions by doing foo", allow
me to point out that if you had taken that preventative foo step up front,
you wouldn't ever have had to think about it.

Now, if you're administering a LAN full of Windows hosts, I think that
detection may be your only workable option, or maybe the cheaper
option.

There is a similar debate on monitoring outside vs. inside the firewall.
I'd prefer to do both, but if you have to choose one, I'd do inside,
because I don't care how long people beat in futility on the outside.

Since knowing wouldn't change how I behave, there's no point in
spending effort or time to monitor it.

Coincidentally I also thought of the NFS-exported file system checked
by a remote system.  I always thought you could set a trap by placing
a file whose purpose was to pique the intruder's interest enough for
him to try reading it.  You could monitor the inode times via NFS
and trigger an alert if it changes.

Another thing one could do is build a Live! CD that you boot periodically
to check the system for signs of an intrusion.  All the tools would basically
be unknown to an intruder.  Persistent state could be stored on a flash
drive or other removable storage.  That may well be the only way to be
sure that the detection tools are not compromised, or that the intruder
is clever enough to trick any remote monitoring.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
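The canary-file idea in the message above (a bait file on an NFS export whose inode times are watched from another host), as an added example that is not part of the post: it records a baseline stat for each bait file and reports which attributes moved. File paths and the polling interval are assumptions.

```python
import os
import time
from dataclasses import dataclass, fields

# Inode attributes worth watching on a canary ("bait") file. Over NFS they come
# from the server's GETATTR reply, so the monitored host cannot fake them.
@dataclass(frozen=True)
class InodeTimes:
    atime_ns: int  # last read: the signal that someone opened the bait
    mtime_ns: int  # content changed
    ctime_ns: int  # metadata changed (chmod, chown, link count, ...)
    ino: int       # inode number: changes if the file was replaced
    size: int

def snapshot(path: str) -> InodeTimes:
    """Stat the canary and keep only the fields we compare."""
    st = os.stat(path)
    return InodeTimes(st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns,
                      st.st_ino, st.st_size)

def changed_fields(baseline: InodeTimes, current: InodeTimes) -> list[str]:
    """Names of the attributes that differ between two snapshots."""
    return [f.name for f in fields(InodeTimes)
            if getattr(baseline, f.name) != getattr(current, f.name)]

def poll_once(baselines: dict[str, InodeTimes]) -> list[str]:
    """Compare every canary with its baseline; return one alert line each."""
    alerts = []
    for path, base in baselines.items():
        try:
            cur = snapshot(path)
        except FileNotFoundError:
            alerts.append(f"ALERT {path}: canary removed")
            continue
        diff = changed_fields(base, cur)
        if diff:
            alerts.append(f"ALERT {path}: changed {', '.join(diff)}")
    return alerts

def watch(paths: list[str], interval_s: int = 60) -> None:
    """Poll forever from the monitoring host. Caveats: atime only moves if the
    export is not mounted noatime, and the NFS client's attribute cache can
    delay what stat() sees by a few seconds."""
    baselines = {p: snapshot(p) for p in paths}
    while True:
        for line in poll_once(baselines):
            print(time.strftime("%Y-%m-%dT%H:%M:%S"), line)
        time.sleep(interval_s)
```

On the monitoring host, point it at the mounted export, e.g. `watch(["/mnt/export/home/admin/passwords.txt"])` with a hypothetical path; a changed `ino` or a removed canary is as telling as a bumped `atime`.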