Great Circle Associates Firewalls
(March 1995)
 


Subject: Response to Satan
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 27 Mar 95 21:30:45 -0500
To: "firewalls @ greatcircle . com"@UVS1.dnet.mmc.com

Several people have commented on the dangers, but I have seen few 
solutions. One such is the simple assignment of dummy addresses
that are alarmed. The vulnerability of an automated probe system such as
SATAN, PingWare (tm - really ?), and Internet Caller-Id as used
by the USAF, or my stuff even is a reliance on a clueless target.

You may recall that my amazement was only partly that the USAF was able
to get permission to backtrace intruders, Scott and Jack can really
accomplish a lot, but was also that *none* of the relay machines
noticed that anything was happening.

All it takes is a few strategically positioned 286s (or even 8088s) with
8-bit 3C503 cards. No hard disk, monitor, or keyboard needed. Randomly
place them on the net, give them an unused address on each subnet, assign
a likely sounding name on the DNS and set them to alarm if anything tries
to open any socket.

The same mechanism has proven very effective against war dialers - a few 
unused numbers hooked to CNID recorders. ANY access is obviously rong 8*).

Of course when investigating, I send a uniformed guard with sidearm around 
to ask the questions (one of the advantages of being in the security
department) I hear all kinds of excuses but rarely have to visit the same 
node more than once. Always delay 12 hours so the "experimenter" is not quite
sure what triggered the visit.

Network probes are just a similar extension of this philosophy and have two 
purposes: 1) identify probes. 2) identify how the probe occurred. Until you
have (1) you can't have (2).

The key is that the intruder has no way of knowing where the traps are until
one is triggered. Kinda like playing Minefield except you do not know how many
I have or what they are next to. Purely amazing what you can do with an
"obsolete" PC 8*).
					Warmly,
						Padgett

ps now can we discuss the relative merits of the Allison vs the Merlin in a
 Mustang ? Bet I can get more sea level power out of a 1710 than a Merlin 8*).
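
The alarmed dummy-address idea from the message above, sketched as log triage. This is an added example, not part of the original post; the decoy addresses, the log format and the "sweep" / "single touch" labels are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed decoys: one otherwise unused address per subnet (assumption).
DECOYS = {ipaddress.ip_address(a) for a in ("10.1.1.250", "10.1.2.250", "10.1.3.250")}

# Constructed connection-attempt log, one "epoch src dst dport" record per line.
SAMPLE_LOG = """\
796350000 10.1.1.17 10.1.1.5 23
796350004 10.9.9.9 10.1.1.250 23
796350005 10.9.9.9 10.1.2.250 23
796350006 10.9.9.9 10.1.3.250 111
796350900 10.1.2.40 10.1.2.250 80
garbage line
796351000 10.1.2.41 10.1.2.6 25
"""

def parse(line):
    """Return (ts, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (int(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def decoy_alarms(log_text, decoys=DECOYS):
    """Any contact with a decoy is an alarm; group the touches by source."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] in decoys:
            ts, src, dst, dport = rec
            hits[src].append((ts, dst, dport))
    alarms = []
    for src, touches in hits.items():
        touches.sort()  # time order shows how the probe walked the net
        targets = {dst for _, dst, _ in touches}
        alarms.append({
            "source": str(src),
            "first_seen": touches[0][0],
            "decoys_touched": sorted(str(d) for d in targets),
            "ports": sorted({p for _, _, p in touches}),
            "kind": "sweep" if len(targets) > 1 else "single touch",
        })
    return sorted(alarms, key=lambda a: a["first_seen"])
```

Calling `decoy_alarms(SAMPLE_LOG)` returns one record per source that touched a decoy; traffic to real hosts and the malformed line are ignored.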

						
