Firewall Wizards mailing list archives

Re: Automated IDS response


From: "Andy" <Talisker () technologist com>
Date: Sun, 13 Feb 2000 11:46:07 -0000

Hi Pat

Blocking using an IDS definitely has its flaws; a hacker could exploit this,
as Michael Rash stated, by spoofing the address of your customers/partners in
the hope that they will be cut off by your IDS.  I have had another look at
SessionWall 3 and whilst it's not the best IDS on the market it does have
some interesting features that may be of use to you.

Firstly, it can block traffic on the fly, i.e. traffic fitting an attack
signature will have its packets reset (I suggest only for those signatures
where there is no risk of false positives).  I can't describe this further as
I've signed an NDA.

Secondly, it can reconfigure the Cisco router or Firewall-1 to shun the
hostile site.  Whilst this is not ordinarily recommended for the reasons
above, SessionWall can have a rule that will only take this action between,
say, 1800 - 0800, notifying you by pager that it has done so.  This should
allow you to get some of that quality time with your family and wait till
the following morning before investigating.

You can define friendly sites that will be excluded from this rule,
overcoming some of the problems with spoofing.

Oh, it's also a net nanny and an e-mail content scanner (though it has no
parser for X.400).

Any other solutions out there?
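The response policy sketched above (reset only on high-confidence signatures, shun via the router/firewall only during the unattended 1800 - 0800 window, and never auto-block friendly sites) as an added Python example; this is not SessionWall's code nor part of the original post, and the friendly networks, the signature-confidence flag and the three response labels are constructed assumptions.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed allowlist of "friendly" customer/partner networks that must never be
# auto-shunned, since an attacker could spoof these addresses to get them cut off.
FRIENDLY_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.10/32")]

# Unattended window in which automatic shunning is permitted: 18:00 to 08:00 next day.
SHUN_START = time(18, 0)
SHUN_END = time(8, 0)


def in_unattended_window(now: time, start: time = SHUN_START, end: time = SHUN_END) -> bool:
    """True when `now` lies in [start, end); correctly handles a window crossing midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def decide_response(src_ip: str, now: time, high_confidence: bool) -> str:
    """Pick an automated response for an alert from `src_ip`.

    Returns one of:
      'alert' - page the operator only (friendly source or ambiguous signature)
      'reset' - tear down the offending session in-line, no firewall change
      'shun'  - reset and also push a block rule to the router/firewall, then page
    """
    addr = ip_address(src_ip)
    if any(addr in net for net in FRIENDLY_NETS):
        return "alert"  # friendly site: blocking it is exactly the spoofing attacker's goal
    if not high_confidence:
        return "alert"  # signature prone to false positives: a human decides
    if in_unattended_window(now):
        return "shun"   # nobody on duty: block at the perimeter and page
    return "reset"      # staff present: drop the session, let them decide about shunning


if __name__ == "__main__":
    print(decide_response("203.0.113.7", time(20, 0), True))   # shun
    print(decide_response("203.0.113.7", time(12, 0), True))   # reset
    print(decide_response("192.0.2.5", time(20, 0), True))     # alert
```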



