-1

To what extent can you filter/firewall for suspicious traffic or lock down a system? If you have everything up to date and secure, what can you do to protect against a 0 day? I assume an IDS might help for example by recognizing packets trying to spawn a shell as an anomaly and blocking them.

So would that be good enough, or could the IDS be bypassed? If so, how? Encapsulation?

What about the system itself? Utilities like tripwire can help you know what has been modified, but that can't stop defacement of websites or acquisition of files, AFAIK? If someone get's root, could utilities like Tripwire not be disabled? (I know that it should be output to another server, but assuming it is not or assuming that is compromised as well)

What other precautions can you take in a worst case scenario?

Some specific questions as I learn and wonder about these various technologies. Thankyou in advance for your answers.

Sonny Ordell
  • 145
  • 3
  • 7

3 Answers3

2

A completely secure system is a system that has zero contact with its attackers. Life gets complicated when there is contact with the attackers, or the attackers are unknown.

I gave this topic a pretty good treatment a while ago on the post titled, How do you search for backdoors from the previous IT person? which is the 'worst case scenario' you're talking about. A trusted insider demonstrates they're not worthy of the trust placed on them (i.e. a SysAdmin leaves on bad terms and just might be ethically challenged). That big bulleted list shows all the areas that network defenses have to take in to account.

Is there perfect security? Yes, it's that completely isolated system I opened up with. But you can't create a Facebook with a completely isolated system. Is it possible to have perfect security and still have a connected system? In theory, yes. In practice, no way.

In order to get to a perfectly secured, connected system, you must have:

  • All possible inputs mapped.
  • Processing logic is verified to handle all possible inputs, including error cases, safely.
  • Every logic path is verified to run cleanly without unhandled fault.
  • Unhandled exceptions, some unmapped inputs may need to be introduced to cause them, are verified to fail safely.

This is not going to happen anywhere but in the laboratory of the mind, or some tinker's "build an entire computer from scratch" test-case.

You can get pretty close to perfect, but the cost of being there is pretty high. The closest we get is probably avionics software, which has a pretty limited and exceedingly well known input base.

For modern computer and network security, the problem is very complex and very diverse. Precise strategies vary from organization to organization, though there are some commonalities in approach. The dictates of the organization will define whether or not file-level change-tracking is required on systems, or if the patch-log is sufficient; things like that.

If you have an interest in this domain, I recommend our sister site, https://security.stackexchange.com/ which is dedicated to IT security as a whole.

Community
  • 1
sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
0

It's impossible to completely secure a system, probably provably. That's why hardening the system (and keeping it hardened) is only half the battle - you also need to closely observe the system in order to detect any breach in security.

IDS can try to block packets that look suspicious, but how can you be sure whether or not a packet is suspicious? attackers constantly come up with new ways to obfuscate their intent, so IDS are only really effective against attacks that have been seen before and some future attacks, someone might certainly come up with a way to interact with another computer without an IDS catching on. This could be a novel method of encapsulation, it could be something really tricky that no one expects. As far as filesystem monitoring, it's a good idea, but it won't do much about read-only access (although a file access auditing system could). But sure, there's going to be a way to disable or bypass such systems, and someone will find it.

Basically, the security field evolves very rapidly, so nothing can be said to be 100% secure. There are bad guys out there right now who have thought of attacks that security researchers haven't, yet, and in the future there will be plenty more.

What you can do is to be vigilant. Implement the best security techniques currently available. Make sure that everything stays upgraded. Read the security news and take action to protect yourself against each new threat that's been discovered. Watch your systems and network like a hawk for any abnormal behavior. You can stop an attacker using an old technique, which is good, because most attackers are using old techniques. You can't stop an attacker using a truly new one, but you can do your best to find out when they get in and cut it off.

jcrawfordor
  • 193
  • 1
  • 7
0

So this sounds like a homework assignment style question. In the real world we all know there is no such thing as a secure system except for one that is turned off with it's network cable unplugged.

This is what Defense is Depth is for. Making something more trouble then it's worth.

A firewall primarily lowers your attack surface. An IDS is signature based so if it doesn't have a signature of an attack it isn't going to flag it. Some host-based IDS have rudimentary heuristics on them which might detect that a process is doing something odd and stop it.

There is some software designed to try to prevent exfiltration but tripwire is not the right tool for the job.

With the right level of access anything can be disabled. The usual response to a rogue admin is separation of duties so one person can't bring down an entire infrastructure. There is also logging. I once read about something on Solaris I think that required 2 admins to enter their passwords for certain highly privileged operations.

Good enough, is a question of Cost-Benefit analysis.

JamesBarnett
  • 1,129
  • 8
  • 12