Firewall Wizards mailing list archives
Re: Automated IDS response
From: Lance Spitzner <lance () ksni net>
Date: Tue, 15 Feb 2000 00:16:40 -0600 (CST)
On Sun, 13 Feb 2000, Andy wrote:
Blocking using an IDS definitely has its flaws; a hacker could exploit this as Michael Rash stated, spoofing the address of your customers/partners in the hope that they will be cut off by your IDS. I have had another look at SessionWall 3 and whilst it's not the best IDS on the market it does have some interesting features that may be of use to you.
Any other solutions out there ??
I've developed some stuff for FW-1, however I prefer automated alerts, not responses. DoS attacks are a concern with automated responses. I even managed to DoS myself with a misconfigured firewall. I have had the best success with being alerted to an intrusion, then allowing myself to make a decision based on it. Most of your scans are only attempts to gather information. As long as these attempts are blocked, you most likely do not need an automated response.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
