Josh More – Starmind Blog

In case you haven't figured it out, I fall back to blogging about an Aesop fable when I'm stuck for other things.  In this case, I am stuck underneath a cat and all of my mythological references are about half a meter out of reach. Luckily, many of Aesop's fables are available online. Like, for example, this one.

In this story, a sleeping lion is startled awake when a mouse runs across his nose. Looking all around for whatever woke him up, he checks all over his cave and finds nothing. A fox observes this behavior and, knowing that he can outrun a sleepy lion, makes fun of him for being afraid of a mouse. Attempting to safe face, the lion claims not to have been afraid, but more affronted by the bad manners.

As usual, Aesop completely missed the point of his story. Instead of being a droll observation of class structure of ancient Greece, it's obviously a better lesson for dealing with initial network probes. Probes are a fact of life on the Internet. All sorts of attackers on the Internet want to take over your systems. The first step is to send out a small probe and uncover various things about the potential targets. This is part of what firewalls are supposed to prevent.

A lion needs a few things as it sleeps. Air, probably being the most important. However, if it wishes to stay asleep, it helps to have a way to keep the mice out of the lion cave.

As an aside, I personally question how common it was for lions to sleep in caves. Modern lions don't seem to do this... though perhaps that has less to do with lion slumber preferences and more to do with a general lack of caves in subSaharan Africa.

So, if you have a lion that wish to keep vermin-free, it would help to put up some sort of chicken wire fence over the "cave", thereby allowing in air and preventing mice (and rats... it's a twofer!). In much the same way a firewall keeps out known malicious traffic so your servers can crunch their numbers in piece. Admittedly, our firewalls block worms. Worms are smaller and trickier than mice, which is why the firewalls are more complex and expensive than chicken wire.

Running without a firewall would be like trying to coax a lion into sleeping while they are being trampled flat by a veritable cascade of members of the family Muridae.

Related posts

• Mythic Monday – The Aging Lion and the Fox (0)
• Mythic Monday – Aesop: The Dog, The Rooster and the Fox (1)

Another one of Aesop's fables that isn't that well known is that of the aging lion and the fox. You can click the link and read it, but for those of you that are linkaphobic, here's a short version:

A lion was getting old and having trouble hunting. He decided, instead, to pretend to be sick and went back to his cave, moaning all the way. Over time, as each of his neighbors stopped by to check on him, he ate them.

Then, one day a fox came by and asked how the lion was doing. The lion moaned and asked the fox to come closer. The fox then observed that the footprints all led into the cave, and none came out.

Clearly, the fox is the fable animal to be. He's smart. He's observant. He's... umm... red and furry? (Are Greek foxes red? . . .  Yes, after googling a bit, it seems that the red fox is global, and the grey fox is only native to the Americas... which has nothing whatsoever to do with this blog entry.)

No, the point of this blog entry is that of evidence. If the lion had been wise, he would have either wiped the tracks after each meal or (more preposterously) fabricated tracks going back out. The fact that he didn't, is what allowed the fox to escape and presumably tell the other animals what the lion had been up to (and Aesop, since he wrote it down). So, not only was the lion caught, but he lost his lovely little racket and probably starved to death shortly thereafter.

Most attackers are aware of this story (sorta), and do take some effort to reduce evidence. A burglar usually wears gloves, a bank robber usually wears a mask, and a hacker usually clears system logs. So, if we want to make it hard for the lion to wipe away the footprints, we have a few options. The first is to replace the dirt outside his den with fast-setting concrete... which would prove somewhat troublesome if you analyze this ridiculous analogy too far. The second is to set up a camera trap and record everyone who enters the cave. (For those purists who would point out that there were no cameras in ancient Greece, let's just say that Hephaestus is there cranking out a vase for each animal. (Happy now, picky people?))

In the modern world, we actually use both of these techniques. Instead of fast-setting concrete, we have a hard drive technology called WORM, or Write Once Read Many. With this drive, you can store the logs in such a way that they cannot be altered. They are, however, quite expensive and can be difficult to set up properly. Instead, we generally prefer to use the camera/vase trap system. For this, we use one of many remote-logging technologies. The simplest is probably the venerable syslog server.

This solution simply involves setting up a dedicated server and installing one of the many syslog systems on it. Then you do a bit of configuration on each of the other servers you have and basically tell them to go log over there. Whenever there is an event, it goes over the network and is stored off the server. That way, if an attacker gets in, even if they wipe their own traces, there is a backup elsewhere that is (in theory) a lot harder to alter.

Of course, you still have to actually be the fox and look at the logs now and then, but at least you'll be safe from a smart lion.

Related posts

• Mythic Monday – The Lion, the Mouse, and the Fox (0)
• Mythic Monday – Aesop: The Dog, The Rooster and the Fox (1)
• Small Business Defense – Remote Logging and Analysis (0)
• Small Business Attack – Changing Logs (0)
• Mythic Monday – The Linnet and the Bat (0)