
Thread: How "Exactly" a known vulnerability is compromised?

  1. #11
    Junior Member
    Join Date
    Oct 2002
    Posts
    18
    Thanks a lot Tiger Shark and all others, I really appreciate your guidance and I sort of feel a bit more confident than I was before. I surely am waiting to get my hands on "them" intruders... Can you recommend a site (or sites) that would give newbies basic lessons on network intrusion (sorry for this blunt question)? OK, is www.astalavista.com a good resource for a newbie like me?

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Amir: You are in the right place right now..... Here.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    "Yes" to everything Tiger Shark just said.

    I really like the PIX firewall, so I think you've got a great platform to work with there. Like Tiger Shark suggested, you should not permit any traffic from the public network in to any hosts on your network unless you have an explicit need to do so. You should identify as specifically as possible the hosts and the type of traffic you will permit to establish an inbound connection. Now, if you have a web server that is providing public content, that's going to be open to any source address, but it probably does not need to have more than TCP port 80 (WWW) traffic permitted. You may have an FTP server that should only be accessible by business partners. In this case you should be able to create access-lists that limit inbound TCP port 21 (FTP) to the specific host or network addresses belonging to your partners. You should strive to avoid "IP ANY"-type gaping holes in your configuration.

    The second bit of advice I can offer on firewalls is this: If at all possible you should avoid having a host that is accessible through the firewall connected directly to your internal network. Most PIX models support the addition of a DMZ interface. Use this capability if you can afford it. Referring to the previous examples, we would place the webserver and ftp server on the DMZ. This can limit the fallout if someone is able to penetrate a box over a permitted protocol. I don't think I need to tell you about how many webserver exploits run just fine over port 80... Basically what we are doing is creating another layer that must be penetrated. If the webserver becomes "owned" it cannot necessarily be used as a jumping off point to go after your accounting system... Obviously any system that is accessible over the internet in any capacity will be a system that you will want to be extra vigilant in locking down with patches, policies, and configuration.

    If you are not logging your firewall at this point, I strongly recommend that you start. There are some fairly pricey products out there designed for logging and alerting. You can also start out by simply running the syslog daemon on a *nix host. Alternatively, the Kiwi Syslog Daemon for Windows works pretty well too. Logs provide a nice record of everything that goes to the firewall, whether it is permitted or not.

    Finally the PIX supports a very limited network IDS function. There are about 50 signatures that ship with the PIX OS. For some reason very few companies I've worked with have turned this feature on. Personally I can't think of a reason not to turn it on for alerting purposes. It's already paid for and it can give you a little more information in the logs. (I strongly recommend turning off some of the ICMP signatures though - 2000, 2001, 2004 for starters).

    That's enough on the PIX. With regards to network IDS in general, I am a fan of SNORT. I like it. It works well. It's widely used. It's free. I will also admit that it can take some time to learn it and administer it (though once you've got it running and understand it, you'll know a lot more about IDS). Depending on your situation, you may want to look at a commercial network IDS package. Some vendors to consider might include Cisco, Enterasys, and ISS. All three vendors offer network and host-based IDS solutions, with varying degrees of integration. Be prepared for a little sticker shock - none of these solutions are inexpensive.

    Hope this helps, good luck!
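
    The access-list, DMZ and logging advice in the post above, written out as a PIX 6.3 configuration fragment. This is an added example, not configuration from the post or from any of the participants. The interface names, the access-list names, the RFC 5737 documentation addresses (203.0.113.0/29 outside, 192.168.100.0/24 for the DMZ, 10.0.0.0/24 inside, 198.51.100.0/24 standing in for the partner network) and the syslog collector at 10.0.0.50 are all assumptions chosen for illustration; lines starting with `!` are annotations, not PIX commands.

```text
! --- Interfaces: outside (untrusted), dmz (public servers), inside (users, accounting)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! --- Inside and DMZ hosts reach the Internet through PAT on the outside address
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! --- One-to-one static translations for the two public servers; both live on the DMZ
static (dmz,outside) 203.0.113.3 192.168.100.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 192.168.100.11 netmask 255.255.255.255

! --- Inbound policy: web server open to the world on TCP 80 only,
! --- FTP server reachable on TCP 21 only from the partner network, nothing "ip any"
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.4 eq ftp
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! --- A compromised DMZ box must not be able to start connections into the inside network
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0 log
access-list dmz_in permit ip 192.168.100.0 255.255.255.0 any
access-group dmz_in in interface dmz

! --- Send every permit and deny to a syslog collector on the inside
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.50

! --- Built-in IDS signatures on the outside interface, alarm only, noisy ICMP ones off
ip audit name outside_info info action alarm
ip audit name outside_attack attack action alarm
ip audit interface outside outside_info
ip audit interface outside outside_attack
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
```

    Two checks worth doing once this is in place. `show access-list outside_in` prints a hit count for each line, which shows at a glance whether the final deny is doing work and whether the partner FTP line is matching the addresses you expected. The FTP rule only has to open TCP 21 because `fixup protocol ftp 21` is on by default and takes care of the data channel for both active and passive transfers; if someone has turned it off, FTP logins will succeed and directory listings will hang. Because the outside access-list filters on the translated (global) addresses, an ACL line written against the DMZ-side 192.168.100.x address would silently never match. The `ip audit` entries here only alarm; switching the action to `drop` or `reset` makes the PIX block on a signature match, which is exactly why the chatty ICMP signatures stay disabled.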

  4. #14
    Junior Member
    Join Date
    Oct 2002
    Posts
    18
    Thanks, Amazing Zarkon. It's a very informative post of yours.
