comp@toddh.net (Todd H.) writes:
> Randy Yates <yates@ieee.org> writes:
>
>> Folks,
>>
>> Forgive the OT nature, but I'm dying to bounce this off of some
>> reputable and knowledgeable people in security, and I think this
>> group is rich in such members.
>>
>> The problem of being owned, hacked, kiddied, yada-yada-yada is
>> so common nowadays I was thinking of ways to at least detect
>> such situations and came up with this.
>>
>> Create a separate physical device that monitors the TCPIP traffic that
>> provides a physical display of suspected security problems. This
>> device would not communicate over the network - its configuration and
>> monitoring would be done physically - so it couldn't be hacked.
>>
>> So, e.g., the device could be hooked on your outgoing cable modem
>> connection, hanging in your upstairs room by the cable. It could
>> sound an audible alarm and have a display of suspicious traffic.
>> It could even have a configurable mode that automatically blocked
>> such traffic.
>>
>> What do you think? Are there such devices already out there?
>
> Sorta. They're called IDS or IPS boxes. Intrusion
> detection/prevention. Snort is the free IDS that's wildly popular and
> scary good. This is considered NIDS, or network based IDS. There
> are also HIDS or host-based IDS systems that live on end point
> machines. They provide complementary protection. The device you've
> invented is a passive NIDS device.
>
> http://www.sans.org/resources/idfaq/
>
>
> This is pretty cool--a snort virtual appliance available free from
> vmware for vmware player:
> http://www.vmware.com/vmtn/appliances/directory/185
>
>
> --
> Todd H.
> http://www.toddh.net/
Todd et al.,
Here's another idea for bolstering security. From my infantile
understanding of rootkits, they "infect" either the tools
used to detect security problems (ps, lsof, etc.) or the
operating system kernel itself, or both.
If the key components of at least the kernel could be burned
into read-only memory, then there would always be some basic
kernel-level utilities that could be guaranteed to never get
owned.
Of course the kernel memory wouldn't really have to be
read-only - updating of the memory, such as when installing
an OS, could be controlled physically.
I'm just tired of these assholes gunning for my machine,
and frankly I think I'm smarter than they are. After all,
I have PHYSICAL access to the machine - they don't!
--
% Randy Yates % "Midnight, on the water...
%% Fuquay-Varina, NC % I saw... the ocean's daughter."
%%% 919-577-9882 % 'Can't Get It Out Of My Head'
%%%% <yates@ieee.org> % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr
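A software-side analogue of the read-only trusted-tools idea above, as an added example that is not from the thread: a baseline integrity check whose reference hashes (and the checker itself) are meant to live on media the host cannot write to. The file names and contents are constructed stand-ins for real binaries such as ps and lsof.

```python
"""Minimal file-integrity check: hash key binaries and compare against a
baseline recorded while the system was trusted.  Illustrative example only.
Caveat: this only helps if the baseline AND this checker are loaded from
read-only media (or a separate trusted boot), because a kernel-level rootkit
can otherwise lie to open()/read() or alter the hash list itself."""
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record hashes of known-good files; store the result on read-only media."""
    return {p: sha256_file(p) for p in paths}

def verify(baseline):
    """Compare live files with the trusted baseline.
    Returns {path: 'ok' | 'MODIFIED' | 'MISSING'}."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
        elif sha256_file(path) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed scenario: two stand-in 'binaries'; one is later altered
    and one removed, as a compromised host might do to ps and lsof."""
    d = tempfile.mkdtemp()
    ps, lsof = os.path.join(d, "ps"), os.path.join(d, "lsof")
    for p in (ps, lsof):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho clean " + os.path.basename(p).encode() + b"\n")
    baseline = build_baseline([ps, lsof])   # taken while the system is trusted
    with open(ps, "ab") as f:               # simulated tampering of ps
        f.write(b"# appended by simulated tampering\n")
    os.remove(lsof)                          # simulated removal of lsof
    return verify(baseline)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8s} {path}")
```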