
Infrastructure Security: System Hardening • Chapter 8  493

                    It is obvious that unnecessary protocols should be eliminated. For most
                 networks, that means eliminating Internetwork Packet Exchange (IPX),
                 Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface
                 (NetBEUI). It is also important to look at the specific operational protocols
                 used in a network, such as Internet Control Message Protocol (ICMP),
                 Internet Group Management Protocol (IGMP), Service Advertising Protocol
                 (SAP), and the Network Basic Input/Output System (NetBIOS) functionality
                 associated with Server Message Block (SMB) transmissions in Windows-based
                 systems.



                 NOTE
                      As you begin to evaluate the need to remove protocols and services,
                      make sure that the items you are removing are within your area of
                      control. Consult with your system administrator on the appropriate
                      action to take, and make sure you have prepared a plan to back out and
                      recover if you make a mistake.




                    While considering removal of non-essential protocols, it is important to look at
                 every area of the network to determine what is actually occurring and running on
                 the system. The appropriate tools are needed to do this, and the Internet contains a
                 wealth of resources for tools and information to analyze and inspect systems.
                    A number of functional (and free) tools can be found at sites such as
                 www.foundstone.com/knowledge/free_tools.html. Among these, tools like
                 SuperScan 3.0 are extremely useful in the evaluation process. If working in a mixed
                 environment with UNIX and Linux machines or Netware machines, a tool such as
                 Big Brother may be downloaded and evaluated (or in some cases used without
                 charge) by visiting www.bb4.com. Another useful tool is Nmap, which is available
                 at http://insecure.org/nmap/. These tools can be used to scan, monitor, and report
                 on multiple platforms, giving a better view of what is present in an environment. In
                 Linux-based systems, non-essential services can be controlled in different ways,
                 depending on the distribution being worked with. This may include editing or
                 making changes to xinetd.conf or inetd.conf, or use of the graphical Linuxconf or
                 ntsysv utilities. It may also include the use of ipchains or iptables in various versions
                 to restrict the options available for connection at a firewall.
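
                 The inetd.conf review described above can be scripted. The following is an added
                 example, not taken from the book: the sample configuration is constructed, and the
                 function names and the approved-service list ("ftp") are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the book): review an inetd.conf-format file against
# an approved-service list. Field layout of each entry:
#   service  socket-type  protocol  wait/nowait  user  server-program  [args]

# Constructed sample configuration, for illustration only.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
EOF
}

# audit_inetd "approved services" < inetd.conf
# Lists every enabled service that is not on the approved list.
audit_inetd() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }   # comment = already disabled; skip blanks
        NF < 6 { printf "line %d: malformed entry\n", NR; next }
        !($1 in ok) { printf "%s/%s user=%s server=%s\n", $1, $3, $5, $6 }
    '
}

# harden_inetd "approved services" < inetd.conf > inetd.conf.new
# Emits a copy with non-approved entries commented out; other lines unchanged.
harden_inetd() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 || ($1 in ok) { print; next }
        { print "#" $0 }
    '
}

# Demo: only ftp is approved on this (hypothetical) host.
sample_inetd_conf | audit_inetd "ftp"
```

                 Keep the original file as the back-out copy before installing the hardened one;
                 inetd rereads its configuration when it receives a SIGHUP.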
                    Windows NT-based platforms allow the configuration of OS and network
                 services from provided administrative tools. This can include a service applet in a
                 control panel in NT versions, or a Microsoft Management Console (MMC) tool in a



                                                                              www.syngress.com