from John Ives:
> You're right, it's not easy, but we do it on a limited
> scale. When certain alerts are triggered in one of our
> IDS systems, the host is scanned on almost every TCP port
> (I believe we skip two which have caused problems for a
> significant number of hosts). This scan is an integral
> part of our incident analysis process. Of course it
> wouldn't be necessary if I had a root/admin login to
> every box on campus, but if a couple of holes in firewalls
> has caused this debate I hate to imagine what that would
> generate.
As John explains, there are two circumstances under which
SNS scans campus hosts: 1) looking for vulnerabilities
with targeted signatures, and 2) full scans during
incident analysis.
The big problem I see for campus departments if they
choose to not allow our scanners access to their hosts is
that we will need to shift more of the burden of the
incident analysis to them. If we cannot see what ports a
host has open it makes it far harder to determine whether
the host has been compromised. When we can't scan a host
we have to send the network traffic off to the security
contact and ask them to investigate - and this data is not
easy to interpret, requiring much communication back and
forth.
This makes the process much more time consuming for
everyone involved, and time is what is most lacking at all
levels of the University.
Received on Fri May 13 10:46:56 2005