The OPSEC part of checkpoint offers a SAMP (Suspicious Activity
Monitoring Protocol) that allows you to do this sort of thing. I'd
be very interested in seeing if anyone has done any analysis of the
protocol regarding replay attacks. There is fun to be had not only in
denial of service, but also if there is an 'open up this IP now'
message.
http://www.checkpoint.com/opsec/architect.htm
Adam
Bill Stout wrote:
| Thinking more about the topic... It would be nice to dynamically control
| rules on a TIS/V-One firewall from a NFR IDS system. I don't know what you
| can wisely respond to, since it would make an attractive Denial of Service
| target.
|
| If you could do this without being a DOS target, it would also be nice if
| there were a standard 'API' to the IDS system, which firewall-specific 'IDS
| response' programs could link to. Sorta like the CVP spec.
|
| Bill Stout
|
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Received on Oct 13 1997