Firewall Wizards: Re: A fun smackdown...

[Chuck Swiger <chuck () codefab com>]

On May 19, 2005, at 6:40 PM, Paul D. Robertson wrote:
> > A firewall with allow-all is simply a router.
> You'd be surprised at the number of "Yes we have a firewall!"'s I've 
> seen
> with an allow all...
Look on the bright side, they have a lot of unused capability where 
they could improve their security, if only someone showed them how to 
use it.
Sounds like a happy consulting opportunity.  :-)

> > I suspect that using greylisting, honeytraps, teergrubes, and similiar
> > techniques can do a lot to help slow down the spread rates of malware
> > and spam.  That's one way of making an "allow all" rule less risky 
> > than
> > the "deny all" rule might be.  Of course, you have to make sure your
> > honeytrap software is up to the task, which is not as easy as it might
> > seem.
> I still don't see that as less risky.
Is it easier to defend against a known attack then against an unknown 
one?
> > Has anyone else tried setting up several honeytraps across their
> > address space?  Have you noticed a difference in connection rates
> > between IP addresses at the far ends of your IP range, compared with
> > honeytrap IP's in the middle?
> I haven't, but I know a lot of worms generate addresses to try to 
> infect
> with non-random algorithms.  Most people I know who do that sort of 
> thing
> tend to grab the first bit of traffic, talking enough of whatever 
> protocol
> it is to characterize it and tally it up.  I'd bet the breakdown by
> protocol and malcode instance would be interesting, but it's a heck of 
> a
> lot of work to keep it updated.
Computers are good at logging and keeping track of the statistics.  The 
problem is understanding what all of the noise means and presenting it 
to the user in a fashion which helps them make decisions.
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards