another ra oddity...
cbullard at nortelnetworks.com
Fri Oct 8 07:51:27 EDT 1999
Thanks for all the mail, and it's good to see that you're getting something out of Argus, because you certainly have put a lot in ;o)
One note, the US has announced relaxation of their encryption export and import policies, so the "made in the USA" may not be a barrier after Nov 1.
Hope all is well,
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Thursday, October 07, 1999 4:51 PM
> To: Bullard, Carter [NYPAR:DS46-I:EXCH]
> Subject: Re: RE: RE: another ra oddity...
> Again, thanks for your comments. Figuring out the best ways of
> using tools like argus is certainly non-trivial, sigh...
> I am pleased that I chose a file naming scheme that sorts lexically
> into time order, so I am doing a lot of
> "join(' -r ', sort grep(/\.gz$/, readdir(DIR)))"
> I am, in general, not trying to verify firewall function. I refuse to
> dignify what we have with the name firewall -- doing so gives people a
> false sense of security. We currently use Drawbridge (from TAMU) and
> block incoming protocols with known problems (X, r*, netbios,
> portmapper etc.) for most of our users. Its main function is to
> enforce our charging policies and stop machines that we don't have
> charging info for from reaching the Internet. We also have the
> standard anti-spoofing and anti-smurf filters on our routers.
> We are looking at getting FW1 but it is a lot of money -- between 2 and
> 4 times my annual salary -- including HW and AV software (which
> probably says more about my salary than the cost of FW1). My gut
> feeling is that it would be much better spent on education for users
> and training for computer support people. We need that anyway whether
> or not we have a fancy firewall.
> I am using argus for two main purposes. Firstly to detect scans and
> other network mapping activity and also more subtle attacks against
> publicly visible servers; and secondly to analyse traffic after an
> incident. In some cases I have gone through 3 months' logs looking at
> traffic to/from a compromised machine.
> One thing I am convinced of is that we should cut down the 100+ web
> servers (every department just *has* to have their own separate web
> server) and make sure that web servers only offer http(s) services (and
> possibly ftp) off campus. Such machines should not generate any
> traffic of their own -- i.e. no users. That would make detecting
> attacks against such machines much easier.
> I would also love to block telnet and ftp but until there is a secure
> replacement for the latter it is a lost cause. SANS is coordinating
> some work in this area but since it is being done in the US it will not
> help us.
> Cheers, Russell.
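An added example, written for this archive page and not part of either message above: Russell's trick of making lexical file order equal time order, and feeding the selected archives to ra with one "-r" per file. The naming scheme (argus.YYYYMMDD.gz, one file per day), the directory listing, the host address and the trailing "- <expr>" tcpdump-style filter are all my assumptions; the page only shows the Perl join/sort/grep fragment and the "-r" option. The point a practitioner wants checked is that the scheme uses zero-padded, fixed-width date fields, otherwise sort() silently returns files out of chronological order, so the selector refuses any name that does not match.

```python
import re
import shlex
from datetime import date

# Assumed naming scheme (not stated on the page): argus.YYYYMMDD.gz, one file
# per day. Zero-padded fixed-width fields are what make lexical order equal
# time order; a name that breaks the pattern is rejected rather than mis-sorted.
NAME_RE = re.compile(r"^argus\.(\d{4})(\d{2})(\d{2})\.gz$")

# Constructed directory listing, deliberately out of order, as readdir() would
# return it. Not a real archive.
SAMPLE_LISTING = [
    "argus.19990801.gz",
    "argus.19990715.gz",
    "argus.19991001.gz",
    "argus.19990716.gz",
]


def file_date(name):
    """Date encoded in an archive file name; ValueError if the scheme is violated."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("file name does not follow the fixed-width scheme: %r" % name)
    year, month, day = (int(x) for x in m.groups())
    return date(year, month, day)


def select_files(names, start, end):
    """Archive files whose date lies in [start, end] (ISO strings), in time order.

    Because every name has the same width and zero-padded fields, the plain
    lexical sort is also the chronological sort, which is what the Perl
    'sort grep(...)' in the message relies on.
    """
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    chosen = [n for n in names if lo <= file_date(n) <= hi]
    return sorted(chosen)


def ra_command(names, start, end, filter_expr=None):
    """Build an ra(1) argument vector: '-r file' per archive, then the filter.

    '-r file' is the option used in the message. The trailing '- <expr>'
    form for a tcpdump-style filter is an assumption about ra's syntax.
    """
    argv = ["ra"]
    for n in select_files(names, start, end):
        argv += ["-r", n]
    if filter_expr:
        argv += ["-", filter_expr]
    return argv


if __name__ == "__main__":
    # Three months of archives for one compromised host (address assumed).
    cmd = ra_command(SAMPLE_LISTING, "1999-07-15", "1999-10-01", "host 192.0.2.10")
    print(shlex.join(cmd))
```

If a second host or a narrower window is needed, only the date range and filter change; the file selection stays a pure function of the names, so it can be unit-tested without touching the archive directory.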