Kevin -
kevin bailey wrote:
1. before attaching server to network install and configure tripwire.
and could possibly put key executables on to CD-ROM and leave them in the
server.
In todays same day exploits, using something like tripwire for H.I.D.S.
may not prove useful... By the time tripwire runs a check it may already
be too late, or the check may not return anything as the intruder could
have cleaned up their mess by then or altered tripwire itself. You may
want to consider something such as SAMHAIN that performs real-time
monitoring and will notify you immediately, as opposed to tripwire that
will notify only 1X/day (or however often you run it).
Also consider an intrusion response plan - if Tripewire, or samhain,
alert you - what are you going to do? For example, we have decided that
upon an alert the entire network will be pretty much locked down,
disconnected from the WAN, or, at least, the compromised server is taken
off-line until the postmortem analysis is complete and the security
issue resolved (of course thats the 'nut shell' procedure, the real one
is pages upon pages). The faster you respond to the alert, the less
potential for malicious damage.
Matt
begin:vcard
fn:Matt Resong
n:Resong;Matt
org:DPD;IT / Graphics
adr:;;5555 W 78th Street;Edina;MN;55439;USA
email;internet:[EMAIL PROTECTED]
title:System Admin
tel;work:952-946-1196
tel;fax:952-826-7993
tel;pager:612-510-2893
url:http://www.dpd-info.com
version:2.1
end:vcard
