NTP, ntpdate, and ISP-based firewall

Jeff Vian jvian10 at charter.net
Fri Mar 5 00:46:47 UTC 2004


Bevan C. Bennett wrote:

> jdow wrote:
>
>> A professional computer criminal might check some of the more oddball
>> ports and discover something. <enh> So it happens. I still have formal
>> barriers beyond the basic firewall. If each attacker has, say, a
>> probability p of penetrating the internal barriers and a probability b of
>> deciding that the void he probed was really something ripe for more
>> probing, then I've reduced my probability of getting hacked by b. If b is
>> 1 in 10 and p is 1 in 1000, then the combined probability that the NEXT
>> layer will be probed is reduced to about 1 in 10,000. Proper defense is
>> built in layers like an onion. I'm not invulnerable here. But I've worked
>> to reduce the risk by every reasonable factor I can control.
>
>
> Layered defenses are indeed the correct way to build up security.
>
> If your system is truly 100% passive and offers no services at all 
> then favoring DROP over REJECT can offer you some extra stealth at the 
> expense of the ability to easily debug problems through the standard 
> mechanisms like ping, traceroute and tcpdump.  If you are providing at 
> least one service on the system, then using DROP won't help hide you 
> against a simple scan (no professional required) and all your choice 
> does is make your system standards-unfriendly.
>
> It doesn't make me more of a target to return 'ICMP prohibited' 
> packets in reply to probes at prohibited ports. On the contrary it 
> probably makes me less of a target because I clearly have active 
> security measures in place.
>
>> Obscurity is no defense; but, obscurity times firewall times tcpwrapper
>> times passwords times internal firewalls times yatta and more yatta yet
>> is better than without the obscurity, eh?
>
>
> If the obscurity only gives you a false sense of security, while 
> impairing your own ability to monitor and debug your configuration, 
> then it is indeed better without the obscurity.
>
> Put a firewall in front of your local network.
> Run host-based firewalls like iptables.
> Use secure protocols whenever possible.
> Run daemons chrooted when possible, and minimize the daemons you run.
> Use tcpwrappers to further limit access to the daemons you do run.
>
> All these are good layers that do add to your security. Refusing to 
> answer pings doesn't really add much, and just makes your server seem 
> rude. ;)
>
So by your definition, these hosts are rude? (Many more examples are
available.)

[jeff]$ ping www.mysql.com
PING www.mysql.com (66.35.250.190) 56(84) bytes of data.
 
--- www.mysql.com ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
 
[jeff]$ ping www.redhat.com
PING www.redhat.com (66.187.232.50) 56(84) bytes of data.
 
--- www.redhat.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5018ms
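As an added illustration of the DROP-versus-REJECT point argued in the quoted reply (this is example code written for this page, not anything posted in the thread), the block below encodes the port-state rules an nmap-style TCP SYN scan applies to each reply (SYN/ACK is open, RST is closed, an ICMP unreachable or silence is filtered) and runs them against three hypothetical hosts: one that DROPs probes to unused ports, one that REJECTs them with the iptables default ICMP port-unreachable, and one fully passive host with no service at all. The host names, port list and policy labels are constructed for the example and are not iptables syntax.

```python
"""
What a SYN scan concludes from a host's per-port firewall policy.

Added example, not from the original mailing-list thread. The hosts, ports
and policy labels below are constructed for illustration.
"""
from dataclasses import dataclass

# Per-port outcome of a TCP SYN probe (constructed labels, not iptables syntax):
#   "service"     a daemon listens         -> kernel answers SYN/ACK
#   "closed"      no listener, no filter   -> kernel answers RST
#   "drop"        -j DROP                  -> no reply at all
#   "reject-icmp" -j REJECT (default --reject-with icmp-port-unreachable)
#   "reject-rst"  -j REJECT --reject-with tcp-reset


@dataclass(frozen=True)
class Host:
    name: str
    services: frozenset  # ports with a listening daemon
    default: str         # policy applied to every other port

    def policy(self, port):
        return "service" if port in self.services else self.default


def respond(policy):
    """Reply to one SYN probe under the given policy (None means silence)."""
    return {
        "service": "SYN/ACK",
        "closed": "RST",
        "reject-rst": "RST",
        "reject-icmp": "ICMP type 3 code 3",
        "drop": None,
    }[policy]


def classify(reply):
    """nmap SYN-scan port state for a single reply."""
    if reply == "SYN/ACK":
        return "open"
    if reply == "RST":
        return "closed"
    # ICMP unreachable (type 3, codes 0/1/2/3/9/10/13) or no answer after
    # retransmissions are both reported as "filtered".
    return "filtered"


def probe(host, ports):
    """Raw reply per probed port."""
    return {p: respond(host.policy(p)) for p in ports}


def scan(host, ports):
    """Port state per probed port, as a scan report would list it."""
    return {p: classify(r) for p, r in probe(host, ports).items()}


def host_is_up(host, ports):
    """Any answered probe marks the host up; echo replies are not required."""
    return any(r is not None for r in probe(host, ports).values())


def summarize(results):
    """Count ports per state: the line a scan report ends with."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed hosts: one service on 22 behind DROP, the same behind REJECT,
# and a host running nothing that drops everything.
PORTS = (22, 25, 80, 443, 8080)
DROP_HOST = Host("drop-host", frozenset({22}), "drop")
REJECT_HOST = Host("reject-host", frozenset({22}), "reject-icmp")
PASSIVE_HOST = Host("passive-host", frozenset(), "drop")

if __name__ == "__main__":
    for h in (DROP_HOST, REJECT_HOST, PASSIVE_HOST):
        state = "up" if host_is_up(h, PORTS) else "no reply"
        print(f"{h.name}: {state} {summarize(scan(h, PORTS))}")
```

With one daemon listening, both firewalled hosts are marked up and report port 22 open; the remaining ports come back "filtered" in both cases, so DROP buys no concealment over the default REJECT against a simple scan. Only the host with no service at all stays silent. The iptables REJECT target answers TCP with an ICMP port-unreachable unless `--reject-with tcp-reset` is given, in which case the scanner reports those ports as "closed", exactly as it would for an unfirewalled host.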