I would like to beg to differ on this subject.

First, this is not a security hole. A security hole is something that would allow an intruder to gain access to a system or to gain greater privileges on a system. This is, at best, a weakness in the product's ability to detect an intrusion.

Second, a CRC is a Cyclic Redundancy Check and not a simple checksum. For the intruder to spoof this, they would have to know what CRC algorithm ESM was using, and then make their coded Trojan Horse fit that algorithm. That is a major undertaking. If someone wants to go to that much work to get you, you have a lot bigger problem than you think. They will be doing a lot of other things to you, not just planting a Trojan Horse.

Third, an intruder would have to have root to do this. If they can get root on your boxes, you have a lot bigger problem.

ESM does not only look at CRCs to verify if a file is genuine. It also looks at the timestamps; both the m-time and the c-time. m-times are easy to change, c-times are a lot harder and leave a trace.

The bottom line is that ESM is a Policy Management tool. You use ESM to ensure that hosts comply with the company's security policy. If you want intrusion detection then you should have their ITA tool, too. It can be set up to watch files in real time and alert you if a file ever changes.

When you talked to AXENT, I don't think you got to the right people.

Douglas G. Conorich
Senior Internet Security Analyst
Internet Emergency Response Service
IBM
P.O. Box 595
Clearfield, UT 84015 U.S.A.
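To make the file check described in the post concrete, here is an added example (my own illustration, not AXENT's or ESM's code) of a baseline-and-verify routine that records a CRC-32 alongside the file's mtime and ctime and reports which of the three differ. The tampering scenario in `demo()` is constructed: it rewrites a file and sets the mtime back with `os.utime`, and it assumes POSIX semantics where ctime is the inode change time and cannot be set by the caller.

```python
import os
import tempfile
import time
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Stored attributes for one file: content CRC-32 plus both timestamps."""
    crc: int
    mtime_ns: int
    ctime_ns: int


def snapshot(path: str) -> Baseline:
    """Compute the CRC-32 of the file content and record mtime/ctime."""
    with open(path, "rb") as fh:
        crc = zlib.crc32(fh.read())  # unsigned 32-bit in Python 3
    st = os.stat(path)
    return Baseline(crc, st.st_mtime_ns, st.st_ctime_ns)


def verify(path: str, base: Baseline) -> dict:
    """Return which recorded attributes no longer match the file on disk."""
    cur = snapshot(path)
    return {
        "crc": cur.crc != base.crc,
        "mtime": cur.mtime_ns != base.mtime_ns,
        "ctime": cur.ctime_ns != base.ctime_ns,
    }


def demo() -> dict:
    """Constructed scenario: content changes, mtime is restored, ctime is not."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daemon")           # placeholder file name
        with open(path, "wb") as fh:
            fh.write(b"original program bytes\n")   # constructed content
        base = snapshot(path)
        time.sleep(0.1)  # exceed the kernel's coarse timestamp granularity
        with open(path, "wb") as fh:
            fh.write(b"replaced program bytes\n")   # constructed content
        atime_ns = os.stat(path).st_atime_ns
        os.utime(path, ns=(atime_ns, base.mtime_ns))  # put the old mtime back
        return verify(path, base)


if __name__ == "__main__":
    print(demo())  # → {'crc': True, 'mtime': False, 'ctime': True}
```

The restored mtime alone would pass a timestamp-only check, which is why the CRC and the ctime are compared as well.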
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:45 PDT