On Wed, Mar 11, 2009 at 10:55:43AM -0400, Brett Charbeneau wrote:
On Wed, 11 Mar 2009, William Allen Simpson wrote:
WAS> While I applaud your taking security seriously, and your active monitoring
WAS> of your resources, other folks might be handling huge numbers of Conficker,
WAS> Mebroot, and Torpig infections these days. So, they might be rather busy.
Excellent point. And with dwindling staff levels outgoing worm traffic may be super low priority for them. I know every operation is different - I just wanted to check with the group before cranking up my level of indignation. =8^)
WAS> Are your library systems all clean?
I believe them to be. I have a Snort-based network intrusion detection system (using sguil) running with eight taps - and we subscribe to the Snort VRT rules. That's on top of host-based intrusion detection (OSSEC) on all of our servers and critical workstations. And centrally-managed anti-virus (Kaspersky) on all desktops.
WAS> You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
WAS> hard to tell from here....
WAS>
WAS> AS | IP | AS Name
WAS> 4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.
Yes - while we handle our own DNS our ISP prefers to mask our ARIN entry for (their) ease of management. I try to be the anti-salmon with this and go WITH the flow...
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.

Marcus