-- Fwded from Firewalls, with APP's permission --

From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 27 Mar 95 21:30:45 -0500
Subject: Response to Satan

Several people have commented on the dangers, but I have seen few solutions. One such is the simple assignment of dummy addresses that are alarmed.

The vulnerability of an automated probe system such as SATAN, PingWare (tm - really ?), and Internet Caller-Id as used by the USAF, or my stuff even is a reliance on a clueless target. You may recall that my amazement was only partly that the USAF was able to get permission to backtrace intruders, Scott and Jack can really accomplish a lot, but was also that *none* of the relay machines noticed that anything was happening.

All it takes is a few strategically positioned 286s (or even 8088s) with 8-bit 3C503 cards. No hard disk, monitor, or keyboard needed. Randomly place them on the net, give them an unused address on each subnet, assign a likely sounding name on the DNS and set them to alarm if anything tries to open any socket.

The same mechanism has proven very effective against war dialers - a few unused numbers hooked to CNID recorders. ANY access is obviously rong 8*). Of course when investigating, I send a uniformed guard with sidearm around to ask the questions (one of the advantages of being in the security department). I hear all kinds of excuses but rarely have to visit the same node more than once. Always delay 12 hours so the "experimenter" is not quite sure what triggered the visit.

Network probes are just a similar extension of this philosophy and have two purposes:

1) identify probes.
2) identify how the probe occurred.

Until you have (1) you can't have (2).

The key is that the intruder has no way of knowing where the traps are until one is triggered. Kinda like playing Minefield except you do not know how many I have or what they are next to.

Purely amazing what you can do with an "obsolete" PC 8*).

Warmly,
Padgett

ps now can we discuss the relative merits of the Allison vs the Merlin in a Mustang ? Bet I can get more sea level power out of a 1710 than a Merlin 8*).

------------------------------
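The tripwire described in the message above (a host on an otherwise unused address that alarms when anything opens a socket to it), sketched as an added example that is not part of the original post. The bind address, the port list and the alarm callback are assumptions chosen for illustration.

```python
import selectors
import socket
import time


def open_decoy_listeners(bind_addr, ports):
    """Bind one listening TCP socket per port on the decoy's address."""
    sel = selectors.DefaultSelector()
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(16)
        srv.setblocking(False)
        sel.register(srv, selectors.EVENT_READ)
    return sel


def watch(sel, duration, on_alarm):
    """Watch for `duration` seconds. Nothing legitimate should ever connect
    to the decoy, so every accepted connection is recorded as an alarm and
    then dropped without sending any data back."""
    alarms = []
    deadline = time.monotonic() + duration
    while (remaining := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(timeout=remaining):
            try:
                conn, (src_ip, src_port) = key.fileobj.accept()
            except BlockingIOError:
                continue  # peer went away before we could accept
            conn.close()
            event = {
                "time": time.time(),
                "src_ip": src_ip,
                "src_port": src_port,
                "decoy_port": key.fileobj.getsockname()[1],
            }
            alarms.append(event)
            on_alarm(event)
    return alarms


if __name__ == "__main__":
    # Assumed deployment: this box owns the unused address, so listen on all
    # of its interfaces. Ports are illustrative; low ports need privileges.
    listeners = open_decoy_listeners("0.0.0.0", [2323, 8080])
    watch(listeners, 3600, lambda e: print("ALARM", e))
```

The alarm records which source touched which decoy port and when, which covers purpose (1) in the message; correlating the same source across several decoys is what starts to answer (2).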