Yup,

On 27-Sep-01 JW wrote:
At 09:59 AM 9/27/2001 +0100, you wrote:
IMHO, 'security through layers' is a good idea - let us say, for example, that some remote exploit is found in one of the services you do run. Let us also assume that a bad guy manages to find and use that hole to install a rootkit / some other compromise BEFORE you manage to apply the patch :-(
You then have no protection from the bad guy - his rootkit may be listening on a port which you probably would have firewalled with a strict firewall setup.
My take on the above is that if a cracker gets in far enough to install binaries, he can:
1. probably mess with your firewall rules
2. probably shut your firewall off
3. if none of the above, possibly trojan something like your web server or sshd that still has an open port in the firewall rules.
What do you think? Am I right, or am I missing something important?
This is where (real-time) intrusion detection should enter the game. The first bastion, the firewall script, whether based on packet filters or stateful inspection, has been brought down or pierced. The next important barriers may consist of:
1. minimal trust relationship between the firewall and the internal net
2. file integrity checks
3. very basic installation of the firewall, with a monolithic kernel w/ patches (e.g. Openwall), without any dev tools like gcc and gdb
4. security of the hosts in a DMZ (if there is one) or the internal net
Here we count on the fail-safe period of some kind of security installation. Imagine a safe for storing backup media like tapes, CDs, etc. These safes should be fire-proof, and some of them are, but only for a fixed period, for 30 mins or one hour at temperatures of 800 degrees centigrade. The same goes for firewalls and security installations in general: they are never unbreakable or 100% safe, but may keep even a skilled attacker busy for a couple of minutes/hours, enough to activate adequate countermeasures against the intruder, provided all the other security systems apart from the firewall script are properly implemented and the admins react accordingly.
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
Boris Lorenz
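One way to implement the file integrity check Boris lists as the second barrier, the layer that would catch the trojaned sshd or web server JW worries about. This is an added example, not code from either poster; the file names and contents in demo() are constructed, and the baseline is assumed to be kept somewhere the intruder cannot rewrite it.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root.
    The result must be stored where an intruder cannot rewrite it
    (read-only media or another host), or the later check proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def check_integrity(root, baseline):
    """Compare the live tree with the stored baseline. A 'modified' entry is
    the trojaned-sshd case, an 'added' entry a dropped rootkit binary."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario in a temp directory (no real system files are
    touched): a fake sbin tree is baselined, then sshd is replaced, a helper
    binary is dropped, and login disappears."""
    root = tempfile.mkdtemp()
    for name, body in [("sshd", b"original sshd"), ("httpd", b"original httpd"), ("login", b"original login")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    saved = json.dumps(build_baseline(root))   # this is what you keep off-host
    with open(os.path.join(root, "sshd"), "wb") as f:
        f.write(b"replaced sshd")               # same name, different contents
    with open(os.path.join(root, "rk_helper"), "wb") as f:
        f.write(b"constructed rootkit helper")
    os.remove(os.path.join(root, "login"))
    return check_integrity(root, json.loads(saved))
```

Running the check from a clean boot medium against an off-host baseline is what turns it from a nice report into a real second barrier; an attacker who can rewrite the baseline with the binaries has defeated it.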