-
December 2nd, 2004, 05:44 PM
#1
Senior Member
Help! Need Audit Response Asap!!!
****'s scanning process determines whether the IP address is reachable. If the IP address is reachable, more comprehensive scans are then performed. ****’s External Intrusion Testing revealed traceroute vulnerabilities on each server, and an ICMP vulnerability on the ***.***.**.*** host. These are all low-level vulnerabilities.
Recommendation
Prevent or limit external tracerouting into internal networks using packet filtering.
This is from an external audit just done. There is a place for my response, but I am not sure what to say...
Romans 7:14-20
14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.
-
December 2nd, 2004, 06:03 PM
#2
I think your response should be:
I will be implementing your recommendations as soon as possible.
Then do some research on packet filtering or ask questions here on how to configure your systems to meet their recommendations.
Cheers:
-
December 2nd, 2004, 10:12 PM
#3
Did you have permission to run this audit?
-
December 2nd, 2004, 10:43 PM
#4
Cybrid: Yeah.... "That's typical auditorspeak"
Jason:
It sounds to me like you allow ping through the firewall to the servers in question... You shouldn't. I allow pings as far as my border router only to prove that the T1 itself is up. After that there are other ways of determining whether the boxes themselves are up. Block ping at your firewall and tell them that is what you have done. It's not foolproof but it will see if they know what they are doing. If they say "good, all fixed" never use them again. The proper way to do it would be to block ping inbound _and_ block ICMP Time Exceeded messages outbound for those that would try to use known open ports on the firewall to the servers to determine the internal structure.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
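Added example, not written by any poster in this thread: a small Python audit of a firewall rule dump for the two filters post #4 describes, ping blocked inbound and ICMP Time Exceeded blocked outbound. It assumes a Linux iptables firewall with eth0 as the external interface; the rule text is constructed, and `verdict` and `audit` are hypothetical helper names.

```python
import shlex

# Names iptables accepts for the two ICMP types discussed in the thread.
ICMP_TYPES = {"echo-request": 8, "ping": 8, "time-exceeded": 11, "ttl-exceeded": 11}

# Constructed iptables-save excerpt; eth0 is assumed to be the Internet side.
STATE_RULE = "-A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
SAMPLE_RULES = f"""\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
{STATE_RULE}
COMMIT
"""
# Same rules with Time Exceeded dropped ahead of the stateful accept.
FIXED_RULES = SAMPLE_RULES.replace(
    STATE_RULE, "-A FORWARD -o eth0 -p icmp -m icmp --icmp-type 11 -j DROP\n" + STATE_RULE)

def verdict(rules_text, chain, icmp_type, in_if=None, out_if=None):
    """First-match verdict for one ICMP packet. Matches this sketch does not
    model (such as -m state) are assumed to match, the cautious reading for
    an audit. Negated options ('!') are not handled."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if line.startswith(f":{chain} "):
            policy = tok[1]  # chain default, used when no rule decides
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option here takes one value
        t = opts.get("--icmp-type", str(icmp_type))
        if (opts.get("-p", "icmp") != "icmp"
                or opts.get("-i", in_if) != in_if
                or opts.get("-o", out_if) != out_if
                or str(ICMP_TYPES.get(t, t)).split("/")[0] != str(icmp_type)):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy

def audit(rules_text, ext_if="eth0"):
    """Checks the forwarded path only, not the firewall's own INPUT/OUTPUT."""
    ping = verdict(rules_text, "FORWARD", 8, in_if=ext_if)
    ttl = verdict(rules_text, "FORWARD", 11, out_if=ext_if)
    return {"ping_in_blocked": ping != "ACCEPT", "time_exceeded_out_blocked": ttl != "ACCEPT"}

if __name__ == "__main__":
    print(audit(SAMPLE_RULES), audit(FIXED_RULES))
```

On the sample rules inbound ping is blocked but Time Exceeded still leaves, because conntrack classes ICMP errors tied to a forwarded connection as RELATED and the stateful accept matches first. Rule order decides the outcome, which is why the fixed set places the drop ahead of that rule.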
-
December 2nd, 2004, 10:53 PM
#5
Cybrid: Yeah.... "That's typical auditorspeak"
Cool...thanks I just thought it was a random audit by someone who found vulnerabilities and doesn't know how to inform them.
You can also try running a couple of auditing tools on your own, see if they might have missed something....after you follow Tiger's suggestion to see if they know how to tie their shoes.
Take care.
-
December 3rd, 2004, 12:41 AM
#6
Junior Member
Having been through and performed several audits, your recommendation should be something like:
ICMP and ICMP echo will be disabled via the implementation of xxx filtering using xxx technology. We anticipate completion of these additional filters by xxx date.
-----
If you already have a firewall in place, just turn off all ICMP/Ping and ICMP echo inbound. Regardless of the audit findings, it's the prudent security approach anyway.
Good luck! Failed audits have led to terminations before - especially now with SOX404 hanging out there.