Lessons Learned - 01 Oct 2004

1. Word travels fast in the malicious hacker community when someone figures out that your network is vulnerable. In a matter of hours, you’re likely to see intrusion attempts from all over the globe. After you’ve been compromised, you'll be on the target list for months, if not longer. Intruders return at regular intervals to reassess your vulnerability.

2. Never enable incoming sessions on a NAT Address Reservation. Instead, use the Special Ports tab to redirect external requests for a static address to an internal machine.

3. Use an IP address-spoofing filter to prevent Internet-based users from masquerading as legitimate internal users. In firewall-speak, this means adding a rule that blocks Internet users from connecting to your network when the external address falls within the range of your internal network subnet(s).

4. Monitor outbound connections on your firewall the same way you monitor incoming connections, event logs, and firewall logs.
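Items 3 and 4 describe two firewall checks, an ingress anti-spoofing rule and egress monitoring, that are easy to see in action against log data. The script below is an added example, not code from the original article: it parses a few constructed iptables-style log lines (the interface names, subnets and the "allowed outbound" list are assumptions for illustration) and flags packets that arrive on the external interface with an internal source address, plus outbound connections to ports outside the expected set.

```python
import ipaddress
import re

# Constructed sample firewall log lines in an iptables-style key=value format.
# Assumption: eth0 is the Internet-facing interface, eth1 the internal LAN.
SAMPLE_LOG = """\
Oct  1 09:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=4312 DPT=80
Oct  1 09:12:03 fw kernel: IN=eth0 OUT= SRC=192.168.1.7 DST=198.51.100.2 PROTO=TCP SPT=1025 DPT=139
Oct  1 09:12:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.50 PROTO=TCP SPT=3321 DPT=443
Oct  1 09:12:07 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.77 PROTO=TCP SPT=3322 DPT=6667
Oct  1 09:12:09 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=53
"""

# Assumed internal subnets; a packet from these ranges must never arrive from the Internet.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_IFACE = "eth0"
# Assumed list of (protocol, destination port) pairs internal hosts are expected to reach.
ALLOWED_OUTBOUND = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one key=value log line into a record with typed fields."""
    fields = dict(FIELD_RE.findall(line))
    return {
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", ""),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def is_spoofed(rec):
    """Item 3: an internal source address arriving on the external interface."""
    return rec["in"] == EXTERNAL_IFACE and any(rec["src"] in net for net in INTERNAL_NETS)


def is_unexpected_outbound(rec):
    """Item 4: a connection leaving via the external interface to a port not on the allow list."""
    return rec["out"] == EXTERNAL_IFACE and (rec["proto"], rec["dpt"]) not in ALLOWED_OUTBOUND


def audit(log_text):
    """Run both checks over a log and return what each one flagged."""
    report = {"spoofed": [], "unexpected_outbound": []}
    for line in log_text.splitlines():
        if "SRC=" not in line:  # skip lines that are not packet records
            continue
        rec = parse_line(line)
        if is_spoofed(rec):
            report["spoofed"].append(str(rec["src"]))
        if is_unexpected_outbound(rec):
            report["unexpected_outbound"].append((str(rec["src"]), str(rec["dst"]), rec["dpt"]))
    return report


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_LOG).items():
        print(category, hits)
```

Run as a script, it reports the two spoofed sources (192.168.1.7 and 10.0.0.5 arriving on eth0) and the one unexpected outbound connection (192.168.1.20 to port 6667). The same ingress rule expressed on a Linux firewall is a drop rule per internal subnet on the external interface, for example `iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP`; the log audit is what tells you the rule is being hit.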

5. At a minimum, download Active Ports or a similar port monitor and the NMAP port probe utility. You’ll find many other valuable tools on the tool list at http://www.insecure.org. Keep in mind that 20 percent of the tools on the Insecure.org site help you discover the bad guys, and 80 percent of these tools help the bad guys break into your system. Each tool’s description indicates whether its primary purpose is monitoring or snooping. The sophistication of the snooping tools makes you painfully aware of how well-armed intruders can circumvent many defense measures.

6. Probe your firewall and internal servers regularly to assess the effectiveness of your defense. NMAP is a great tool for this purpose: it probes local and remote systems for open TCP and UDP ports using very sophisticated algorithms and time delays. If you probe a network from an external location, you must ask for and receive permission first to stay within the law.

7. Windows 2000 Server keeps several TCP and UDP ports greater than 40000 open although no identifiable service is listening on these ports. Even worse, there is no way to close these ports, short of blocking traffic to and from such a system using an IP Security (IPSec) filter or firewall rule.
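Item 6 recommends probing your own systems, and item 7 shows why the result must be compared against what you expect rather than read in isolation. The following is an added example, not the article's code and not NMAP: it performs a plain TCP connect probe against loopback, starts a throwaway listener to stand in for a real service, and diffs the observed open ports against an expected baseline so that anything unexplained (such as the high ports item 7 describes) stands out. The port numbers in the final demonstration are constructed.

```python
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that accept a TCP connection.

    A connect probe only; NMAP adds SYN scans, UDP probes and timing control.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def compare_to_baseline(observed, expected):
    """Split observed open ports into expected, unexpected and missing sets."""
    observed, expected = set(observed), set(expected)
    return {
        "expected": sorted(observed & expected),
        "unexpected": sorted(observed - expected),  # what you must explain or close
        "missing": sorted(expected - observed),     # a service that should be up but is not
    }


def start_listener():
    """Stand-in service: listen on 127.0.0.1 on an OS-chosen port, return (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def free_port():
    """Find a loopback port nothing is listening on (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_audit():
    """Probe one known-open and one known-closed loopback port and diff against the baseline."""
    port, srv = start_listener()
    closed = free_port()
    try:
        observed = scan_ports("127.0.0.1", [port, closed])
        return compare_to_baseline(observed, expected=[port])
    finally:
        srv.close()


if __name__ == "__main__":
    print("loopback self-audit:", self_audit())
    # Constructed illustration of item 7: two approved services plus an unexplained high port.
    print("baseline diff:", compare_to_baseline([80, 443, 41234], [80, 443]))
```

The baseline is the point: keep a written list of the ports each server is supposed to expose, run the probe on a schedule, and treat every entry in `unexpected` as a finding to investigate, whether it is a forgotten service or, as in item 7, an operating-system listener you can only contain with an IPSec filter or firewall rule.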

8. On an ordinary day, most firewalls will log hundreds of intrusion attempts, often as many as 60 or more in a single minute. If the average time for a first intrusion when you connect a system into the Internet is 20 minutes, systems are more vulnerable than ever. Business and home users should never, ever put a system on the Internet until the machine has a firewall and intrusion notification in place.
