From: Andrew Simmons (asimmons@messagelabs.com)
Date: Sun Jan 15 2006 - 13:53:42 EST
Hi,
offset wrote:
> Greetings,
>
> Looking for information on network mapping relative performance and accuracy between different
> open-source OS distributions (i.e. Linux based (Fedora, Red Hat), BSD based (OpenBSD, FreeBSD)).
>
I've tried several of the dedicated security liveCD Linux distributions
but haven't found a sweet spot yet. I tend to use a generic desktop
Linux distro I'm comfortable with for general use, and add the tools I
need as I go. (Obviously the basics get added during initial setup, e.g.
tcpdump, ethereal, nmap etc.) Go with whatever you find best for
general use, and work from that, adding or building whatever tools you
need.
> I like OpenBSD's security paranoia (don't want the scanner being compromised), but I also
> understand that Linux can be hardened as well,
In the ideal world, of course, your desktop Linux, BSD (or Windows)
machine should be hardened well enough that you wouldn't need to take
any special precautions... (you turn on the Windows firewall, check
inetd.conf and netstat, turn off network services, remove stuff you
don't need, blah blah... on your desktop machine anyway, right? :)
Anyway, why would a pentest client be attacking back? Unless they're
comprehensively owned, of course, or perhaps have vigilantes for
admins...
> so my second concern is the
> underlying OS skewing the results of a network scan and the ability for the OS to
> stay out of the way of the scan results.
>
I don't think there's a great deal of difference between what a FreeBSD
vs Debian GNU/Linux vs Ubuntu vs OpenBSD will report seeing on the wire,
if you're doing passive discovery. Different network stack
implementations *will* behave differently when interacting with other
machines, using different TTL values or payload padding and whatnot.
However, AFAIK tools such as Nmap will send the same packets at targets
whatever host OS they're running on, and interpret the results using the
same lookup tables and algorithms when fingerprinting an OS. Likewise,
tcpdump or Ethereal or whatever will see and report received ethernet
frames, and their options, payload etc, whatever the host OS.
I guess performance might differ between kernels under extreme
performance demands, but if you're dropping so much traffic you're
missing hosts when mapping, you need better hardware, not a different OS :)
cheers,
Andrew
--
Andrew Simmons
MessageLabs Security Team
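As an added illustration of the "different TTL values" point above (this is example code, not part of the thread or any tool it names): a passive observer can round an IPv4 packet's remaining TTL up to the nearest common initial value (32, 64, 128, 255) and get both a hop estimate and a rough guess at the sending stack's family. The header bytes and hop counts are constructed samples, and the TTL-to-OS mapping is only a heuristic, which is why raw-packet tools craft their own headers rather than inherit the host stack's.

```python
import struct
from typing import NamedTuple

# Common initial TTLs; we pick the smallest class that is >= the observed value.
# Heuristic only: 64 is typical of Linux/BSD, 128 of Windows, 255 of many
# network devices. A sender can change its default, so treat this as a hint.
TTL_CLASSES = (32, 64, 128, 255)

class TtlGuess(NamedTuple):
    observed: int   # TTL as seen on the wire
    initial: int    # inferred initial TTL class
    hops: int       # apparent number of routers traversed

def build_ipv4_header(ttl: int, src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero) for the constructed samples."""
    def ip(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    # version/IHL=0x45, TOS, total length, ID, flags/frag (DF), TTL, proto (TCP), csum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, ttl, 6, 0, ip(src), ip(dst))

def parse_ttl(pkt: bytes) -> int:
    """Return the TTL field of an IPv4 header, rejecting anything that is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return pkt[8]

def infer_initial_ttl(observed: int) -> TtlGuess:
    """Round the observed TTL up to the nearest common initial value; the
    difference is the apparent hop count."""
    for initial in TTL_CLASSES:
        if observed <= initial:
            return TtlGuess(observed, initial, initial - observed)
    raise ValueError("TTL out of range")

# Constructed samples (not captures from the thread), each emulating a stack
# with a different default TTL at a different distance.
SAMPLES = {
    "host-a": build_ipv4_header(62, "192.0.2.10", "192.0.2.1"),   # 64-class, 2 hops
    "host-b": build_ipv4_header(118, "192.0.2.20", "192.0.2.1"),  # 128-class, 10 hops
    "host-c": build_ipv4_header(243, "192.0.2.30", "192.0.2.1"),  # 255-class, 12 hops
}

def classify_samples(samples=SAMPLES) -> dict:
    """Run the passive TTL heuristic over every sample header."""
    return {name: infer_initial_ttl(parse_ttl(pkt)) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, g in classify_samples().items():
        print(f"{name}: ttl={g.observed} initial~{g.initial} hops~{g.hops}")
```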
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT