Bwain hertz!!

Very few brain cells left. Must blog….

(Just finished the second test for GIAC GSEC certification!)

The first test went quicker than the second because I used the “open book” clause for the second. Overconfidence in the first test caused me to get a lower grade than the second one.

Recommendations? Study your ass off! (right up until a day or two before you take the tests) If you don’t have hardcopy, generate it and devote a binder to each section. Flag valuable tables/diagrams/info with stickies! Don’t wait until the last minute to take the tests (like me).

MRTG/SNMP on IIS

I’m a firm believer of using the proper tool for the job. Unfortunately, the marketing department at a huge software vendor likes to talk about its products as being the end-all-be-all for every job.

What am I talking about? IIS.

In most cases, using IIS is like using a 747 to drive to the corner store. A comfortable pair of sneakers will usually suffice.

The newer versions of IIS come with so many features that, contrary to claims, virus writers and hackers will have plenty to do for the coming decade. (Remember: the more complex a program is, the more bugs and vulnerabilities it contains.)

If you have to use IIS, there are additional measures you should take to protect the system:

  • restrict outside access to just the web port
  • if possible, stick a caching proxy in front of it
  • if possible, that reverse proxy should reside on a non-MS operating system
  • locate the proxy/IIS systems outside of your internal network (in a DMZ)
  • if possible, stick an IDS sensor in there
  • and, wherever possible, gather metrics.

I want to stress the point about metrics. For any publicly exposed system, you’ve got to have a good idea of what normal traffic looks like so that you can recognize what abnormal traffic looks like.

A good tool for this is MRTG. Allow it to gather data from your router and you’ll get a good day-to-day view of traffic. With IIS v6.0, you can even gather metrics from your web server. Here’s an article at SecurityFocus which discusses how to do just that.
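To make the “know what normal looks like” point concrete, here is a small script I’m adding as an illustration (it is not MRTG’s code and not from the SecurityFocus article). It does by hand what you’d otherwise read off an MRTG graph: takes periodic samples of an SNMP ifInOctets counter, turns them into a bytes-per-second rate (handling the 32-bit counter wrap that bites every poller sooner or later), builds a baseline of “normal” from a quiet training window, and flags intervals that fall far outside it. The counter values, timestamps and the 5×MAD cutoff are all constructed for the example.

```python
"""Traffic baseline from SNMP-style interface counters.

Added example, not code from the original post or from MRTG.  It imitates
what an MRTG poll collects (periodic samples of a monotonically increasing
ifInOctets counter), turns the counter deltas into a rate, derives a
baseline of "normal" from a training window using the median and the
median absolute deviation (MAD), and flags intervals whose rate lies far
outside it.  All counter values, timestamps and thresholds are constructed
for illustration; the 5x MAD cutoff is an assumption, not a standard.
"""
from statistics import median

POLL_INTERVAL = 300        # seconds; MRTG polls every five minutes by default
COUNTER_MAX = 2 ** 32      # a 32-bit ifInOctets counter wraps back to 0 here

# Constructed samples: (unix timestamp, ifInOctets value) as a poller would
# record them.  The first interval deliberately crosses the 32-bit wrap and
# the eleventh carries ten times the usual traffic; everything else is
# steady at roughly 20 kB/s.
SAMPLES = [
    (0, 4_294_000_000),
    (300, 5_032_704),
    (600, 11_332_704),
    (900, 17_182_704),
    (1200, 23_332_704),
    (1500, 29_332_704),
    (1800, 35_032_704),
    (2100, 41_482_704),
    (2400, 47_482_704),
    (2700, 53_632_704),
    (3000, 59_482_704),
    (3300, 119_482_704),
    (3600, 125_482_704),
]


def rates(samples, counter_max=COUNTER_MAX):
    """Convert consecutive counter samples into (timestamp, bytes/sec) pairs.

    A negative delta means the counter wrapped between polls, so the counter
    maximum is added back.  A single wrap per interval is assumed; two wraps
    in one poll interval cannot be told apart from the counter alone, which
    is why fast links need 64-bit counters or shorter polls.
    """
    out = []
    for (t_prev, c_prev), (t_cur, c_cur) in zip(samples, samples[1:]):
        delta = c_cur - c_prev
        if delta < 0:
            delta += counter_max
        out.append((t_cur, delta / (t_cur - t_prev)))
    return out


def baseline(values):
    """Return (median, MAD) of the training-window rates.

    Median and MAD are used instead of mean and standard deviation so that a
    few bad intervals inside the training window do not drag the baseline
    towards themselves.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_abnormal(rate_series, med, mad, k=5.0):
    """Return the (timestamp, rate) pairs more than k*MAD away from the median.

    Both directions are reported: a rate far below normal can mean an outage
    or a blackholed link, not only an attack.  If the MAD is zero (perfectly
    flat training data) a 5% band around the median is used instead, which is
    an assumption made for this example.
    """
    spread = mad if mad > 0 else max(1.0, 0.05 * med)
    return [(t, r) for t, r in rate_series if abs(r - med) > k * spread]


if __name__ == "__main__":
    series = rates(SAMPLES)
    # Treat the first ten intervals as the "quiet week" that defines normal.
    med, mad = baseline([r for _, r in series[:10]])
    print(f"baseline: median {med:.0f} B/s, MAD {mad:.0f} B/s")
    for t, r in flag_abnormal(series, med, mad):
        print(f"abnormal interval ending at t={t}: {r:.0f} B/s")
```

In practice the training window would be days or weeks of polls rather than ten intervals, and you would keep separate baselines per hour of day or per weekday, since “normal” at 3 a.m. is not “normal” at noon. The point stands either way: without the baseline, the 200 kB/s interval is just another number on a graph.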

Getting a cable modem?

Getting (or have) a cable modem? Welcome to the great new world of “you’re a target”, especially if you plan on leaving your computer on 24/7. If you do this, you become a hacker’s prime target.

It’s not the data on your computer they want, it’s the processing cycles and bandwidth. If you don’t protect it, your machine will be used for:

  • a porn server
  • an open relay for spamming the planet
  • a warez server
  • a jump point for attacks on other systems
  • a hidden IRC server
  • or worse.

InfoPros Joint has a decent article which discusses the minimum of what you should do to protect your system.