Date: Wed, 6 Sep 2006 23:27:59 -0500
From: "Travis H." <solinym@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: comments on handbook chapter
Message-ID: <d4f1333a0609062127qb1f93ddl68fe218d56dfc93c@mail.gmail.com>
In-Reply-To: <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>
References: <d4f1333a0609061905y709843ecm454509067925a7ca@mail.gmail.com>
On 9/6/06, Travis H. <solinym@gmail.com> wrote:
> It seems to me that advising people to focus on detection rather
> than prevention is wrong-headed. What are you going to do after you detect
> the attacker?

And, if your answer is "prevent further intrusions by doing foo", allow me to point out that if you had taken that preventative foo step up front, you wouldn't ever have had to think about it.

Now, if you're administering a LAN full of Windows hosts, I think that detection may be your only workable option, or maybe the cheaper option.

There is a similar debate on monitoring outside vs. inside the firewall. I'd prefer to do both, but if you have to choose one, I'd do inside, because I don't care how long people beat in futility on the outside. Since knowing wouldn't change how I behave, there's no point in spending effort or time to monitor it.

Coincidentally I also thought of the NFS-exported file system checked by a remote system. I always thought you could set a trap by placing a file whose purpose was to pique the intruder's interest enough for him to try reading it. You could monitor the inode times via NFS and trigger an alert if it changes.

Another thing one could do is build a Live! CD that you boot periodically to check the system for signs of an intrusion. All the tools would basically be unknown to an intruder. Persistent state could be stored on a flash drive or other removable storage. That may well be the only way to be sure that the detection tools are not compromised, or that the intruder is clever enough to trick any remote monitoring.

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
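The decoy-file trap described in the message above (watch a bait file's inode times over NFS from a separate host and alert when they change) as an added worked example; this is not code from the original post or from FreeBSD. It assumes the bait file is reachable on the monitoring host under some path such as `/mnt/nfs-export/passwords.txt` (a placeholder), and it only ever calls `stat()` on it, never reads it, so the monitor does not disturb the access time it is watching.

```python
"""Honeyfile monitor: baseline a bait file's inode metadata, then poll for changes.

Added example (not from the original mailing-list post). Run it on the monitoring
host against the NFS-mounted path of the bait file.
"""
import os
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class InodeTimes:
    """The stat() fields that a read, write, or metadata change would alter."""
    atime: float  # last access (read) time
    mtime: float  # last content modification time
    ctime: float  # last inode change time (perms, owner, link count, ...)
    size: int     # file length in bytes


def snapshot(path: str) -> InodeTimes:
    """Record the bait file's current inode times using stat() only (no open/read)."""
    st = os.stat(path)
    return InodeTimes(st.st_atime, st.st_mtime, st.st_ctime, st.st_size)


def detect_changes(baseline: InodeTimes, current: InodeTimes) -> List[str]:
    """Return the names of the fields that differ from the baseline, in fixed order."""
    return [
        field
        for field in ("atime", "mtime", "ctime", "size")
        if getattr(baseline, field) != getattr(current, field)
    ]


def describe(changed: List[str]) -> str:
    """Map the changed fields to what they most likely mean for a bait file."""
    if "mtime" in changed or "size" in changed:
        return "bait file content modified or truncated"
    if "ctime" in changed:
        return "bait file metadata changed (chmod/chown/rename/link?)"
    if "atime" in changed:
        return "bait file read (access time advanced)"
    return "no change"


def monitor(path: str, interval: float, max_polls: int,
            alert: Callable[[str, List[str]], None]) -> int:
    """Poll the bait file up to max_polls times; call alert() on the first change.

    Returns the number of polls performed. A stat() failure (file unlinked or
    export unmounted) is itself treated as a change worth alerting on.
    """
    baseline = snapshot(path)
    polls = 0
    while polls < max_polls:
        time.sleep(interval)
        polls += 1
        try:
            current = snapshot(path)
        except OSError as exc:
            alert(path, ["stat-failed: %s" % exc])
            return polls
        changed = detect_changes(baseline, current)
        if changed:
            alert(path, changed)
            return polls
    return polls


def _print_alert(path: str, changed: List[str]) -> None:
    print("ALERT %s: %s (%s)" % (path, describe(changed), ", ".join(changed)))


if __name__ == "__main__":
    # Placeholder path; point this at the NFS-mounted bait file on the monitor host.
    BAIT = "/mnt/nfs-export/passwords.txt"
    monitor(BAIT, interval=30.0, max_polls=10 ** 9, alert=_print_alert)
```

Two caveats a practitioner would want before trusting this: if the export (or the client mount) uses `noatime`, a plain read never touches `atime`, so only `mtime`, `ctime` and `size` remain observable, and NFS client attribute caching can delay when a change becomes visible to the monitor, so the polling interval is a lower bound on detection latency, not the actual one.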