[nsp-sec] creative lying

Smith, Donald Donald.Smith at qwest.com
Thu Sep 4 10:55:13 EDT 2008



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Sean Donelan
> Sent: Wednesday, September 03, 2008 5:42 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] creative lying
> 
> ----------- nsp-security Confidential --------
> 
> On Tue, 2 Sep 2008, Smith, Donald wrote:
> > No problem at all except who owns/manages the CPE (customer provided
> > equipment) and what is their payout for doing this?
> >
> > I agree it's a good idea; how do we get our customers to perform that
> > filtering?
> > In many cases the guy setting up an enterprise's router has never heard
> > of cymru or seen cisco's security blue prints or read a juniper manual
> > about security. They simply want the router to work and once it begins
> > working they leave it alone.
> 
> The power of "default."

Agreed; at least most CPEs should ship with strict mode URPF enabled by
default and documentation that explains how to change it if needed.

I don't really care if it is strict mode URPF or an acl that says only
forward traffic that originated from the set of "inside" IP addresses;
drop and log all others.
The log could be seen by enterprises as an additional layer to detect
rogue/compromised systems within their enterprise. Anything sending
traffic out your egress router with IPs that don't belong in your net
has some kind of issue that should be addressed;)

Cisco recommends/implements this in their autosecure "script".

From
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ftatosec.html#wp1067180

"Securing Forwarding plane services..
Enabling CEF (it might have more memory requirements on some low end
platforms)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]:yes
This is the configuration generated:
no service finger
<SNIP>
interface FastEthernet0/0
 ip verify unicast reverse-path <<<!!!!!<<<<<<
<SNIP>"

> 
> If CPE router software defaulted to only forwarding packets with source
> address validation, most of those people installing them will never
> change it (along with the hundreds of other potential things they could
> change, but never do).
> 
> Only those few people where it actually breaks something will change it.
> 
> Smurf attacks mostly went away after vendors changed their defaults, and
> hardware replacement cycles took place.
> 
> Open mail relays mostly went away after vendors changed their defaults, and
> software replacement cycles took place.
> 
> Heck, even the netbios worm of the month is going away after the vendor
> changed its defaults and the software replacement cycle is happening.
> 
> Education failed, shunning failed, calling customers failed.
> 
> Defaults seem to work.
> 
> 
> Cisco, Juniper, Linksys, D-link, Netgear?  Comments?
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
> 

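Added example (mine, not code from this thread, from Qwest or from Cisco): a small Python model of the egress check Donald describes above, "only forward traffic that originated from the set of inside IP addresses, drop and log all others", plus a parser for the deny-log lines such a filter produces, which is the "additional layer to detect rogue/compromised systems" point. The inside prefixes, hostname and log lines are all constructed for the example; the log lines merely imitate the style of Cisco IOS ACL logging and are not taken from any device.

```python
"""Egress source-address check (strict uRPF / inside-only ACL) and a
parser for the deny log it generates. Added example, not from the thread."""
import ipaddress
import re
from collections import Counter

# Assumed "inside" address space behind the CPE router (constructed).
INSIDE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def egress_verdict(src_ip, inside=INSIDE_PREFIXES):
    """The ACL from the message expressed as a function: forward packets whose
    source belongs to an inside prefix, drop and log everything else."""
    addr = ipaddress.ip_address(src_ip)
    return "forward" if any(addr in net for net in inside) else "drop+log"


# Constructed sample deny lines in the style of IOS "%SEC-6-IPACCESSLOGP"
# messages; hostname, ACL number, addresses and counts are all made up.
SAMPLE_LOG = """\
Sep  4 10:51:02 cpe-rtr 1234: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.9.9.9(1024) -> 203.0.113.5(53), 17 packets
Sep  4 10:51:03 cpe-rtr 1235: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.16.0.7(445) -> 198.51.100.200(445), 3 packets
Sep  4 10:51:05 cpe-rtr 1236: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.9.9.9(2048) -> 203.0.113.9(53), 40 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?.*?(?P<count>\d+) packets?"
)


def parse_deny_log(text):
    """Return one dict per recognised deny line: acl, proto, src, dst, count."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def spoof_report(events, inside=INSIDE_PREFIXES):
    """Aggregate denied packets per source address, most active first.
    Every source here is one the egress filter refused, i.e. an address that
    does not belong to the inside space; a recurring one points at an
    internal host that is emitting spoofed or misrouted traffic."""
    totals = Counter()
    for event in events:
        # Sanity check: a correctly built egress ACL only logs outside sources.
        if egress_verdict(event["src"], inside) == "drop+log":
            totals[event["src"]] += event["count"]
    return totals.most_common()


if __name__ == "__main__":
    for src, packets in spoof_report(parse_deny_log(SAMPLE_LOG)):
        print(f"{src:15} {packets:5d} denied packets")
```

On a real router the check itself is done by `ip verify unicast reverse-path` or the equivalent ACL; the parser is the part an enterprise would run against its syslog collector to turn the drops into a list of hosts to look at.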



