[LINK] DNS outage?

Glen Turner gdt at gdt.id.au
Fri Jul 31 10:19:02 AEST 2009


On 29/07/09 09:32, Stilgherrian wrote:

> But ICMP can certainly be used to map and profile a network. You can,
> for example, find out what specific version of an operating system
> some box is running by sending a few well-crafted packets. Once you
> know that, you can then better plan your attack. Blocking most of ICMP
> means you close off that possibility for reconnaissance.

Sure, there's an argument for limiting ICMP to the average host.
But limiting it from servers in the DMZ -- servers with names
like www.example.edu.au -- is insane since attackers can find
those hosts anyway with a simple DNS request.

> If you're talking REALLY secure, it's not about stopping just the
> known exploits, but reducing the potential for exploits through
> unknown vulnerabilities. Allow ONLY the packets necessary to provide
> the service and block everything else.
>
> People who do infosec for a living may well shoot holes in what I just
> said. Please, clarify.

That's exactly the infosec argument. Which leads to smooth-wall networks,
which means that when it breaks the ISP can't help, which leads to the
extended interruption that the infosec measures were designed to avoid.

A lot of this is the ego of technical staff, not a rational business
decision. The notion that the site is staffed by a bunch of heroes who
don't need no stinkin' help from nobody, and our net, why it's so tight
that not even an ICMP ping can get into the DMZ.

The other culprits are auditors. They are very uncomfortable with the
risk trade-off approach, since that requires the auditor to understand
the business *and* the technology *and* make a judgement that might be
challenged down the track. They'd much rather be extremely
litigation-averse and simply demand extreme measures. A classic here being
password policies -- the auditors lack enough guts to demand multi-factor
authentication, but insist on tightening down the password policy
to the extent that it becomes a significant denial of service risk
in and of itself.

-- 
  Glen Turner  <http://www.gdt.id.au/~gdt/>
  Not my employers' view. It might not even be my view in a saner moment.
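As an added illustration, not part of Glen's message or anything else in the thread: an nftables ruleset for a DMZ web server that takes the middle path argued above. Instead of dropping all ICMP so that "not even a ping" gets in, it admits the ICMP types the service, its neighbours and an ISP doing troubleshooting actually depend on, and lets everything else fall through to the drop policy. The service ports, the rate limits and the assumption of a single host serving HTTP/HTTPS are placeholders chosen for the example.

```nft
# Added example, not from the original thread. Assumes one DMZ host serving
# HTTP/HTTPS; port list and rate limits are placeholders.
table inet dmz_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The service the host exists to provide.
        tcp dport { 80, 443 } accept

        # ICMPv4 the network needs to function and operators need to
        # diagnose it. "destination-unreachable" carries the
        # fragmentation-needed message that path MTU discovery relies on;
        # "time-exceeded" is what makes traceroute from the ISP work.
        icmp type {
            destination-unreachable, time-exceeded, parameter-problem
        } accept

        # Echo is kept but rate-limited: the host is findable by a DNS
        # lookup anyway, so hiding it from ping buys nothing, while a
        # flood of echo requests is cheap to cap.
        icmp type echo-request limit rate 10/second accept

        # ICMPv6 is not optional: neighbour discovery and PMTUD
        # (packet-too-big) both live here.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-advert
        } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Everything else, including the ICMP types used for host
        # fingerprinting (timestamp and address-mask requests, for
        # instance), is dropped by the chain policy.
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The point of the split is that the reconnaissance argument for blocking ICMP applies to the odd request types, not to the error messages and echo traffic that keep TCP connections healthy and let someone outside the site see whether the box is reachable at all.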
