Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: Dave Piscitello <dave () corecom com>
Date: Mon, 15 Apr 2002 09:43:11 -0400

But this isn't something *new*. Several firewalls do exactly this.
My WGRD Firebox temporarily blocks hosts according to a DOS
and attack signature library, and my Rapidstream
can detect basic DOS attacks and tries to mitigate the effects by
discarding traffic. I'm pretty certain if I turn on my SonicWall, it has
some feature like this.

At 12:44 AM 4/12/2002 +1000, Berny Stapleton Sydney Technology wrote:
I agree with this point.

I think some attack signatures should be trusted, blatantly obvious ones
like TCP/UDP scans from the same host. I think a half hour ban on this
type of traffic, by adding a drop rule, and then deleting it half an
hour later.

I think this would prevent some of the script kiddie attacks that I
think we all see much too often.

Berny

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Gary Flynn
Sent: Thursday, 4 April 2002 1:33 AM
To: Crispin Cowan
Cc: dont; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Prevention Firewall


Crispin Cowan wrote:
>
> But beware: as soon as you hook your IDS to an access control
> mechanism, so that when the IDS detects something it closes off
> access, what you have just done is build a flakey access control
> policy. If you thought the costs of managing IDSs was high, wait until
> you try this :)

If someone were foolish enough to blindly tie one of today's full-blown
IDS systems to an access control device I'd agree with you. But surely
there are some IDS signatures that can be trusted to accurately identify
malicious traffic, and only malicious traffic, and therefore be safe to
use to control access. While there may be a much smaller number of these
"reliable" signatures, they may serve to automatically pick off
the low hanging fruit and therefore allow more attention to be paid
elsewhere.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards



David M. Piscitello
Core Competence, Inc. &
The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/
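
An added illustration, not part of any message in this thread and not any vendor's implementation: a sketch of the scheme discussed above, in which only a short list of trusted signatures may install a drop rule, and the rule is deleted half an hour later. The signature names, the never-block range, the choice to extend the ban on repeat alerts, and the sample alerts are all assumptions.

```python
import ipaddress

BAN_SECONDS = 30 * 60  # half-hour ban, as suggested in the thread
# Assumption: the operator hand-picks the few signatures trusted to block on.
TRUSTED_SIGNATURES = {"tcp-port-scan", "udp-port-scan"}  # hypothetical names
# Assumption: addresses that must never be auto-blocked (constructed range).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/28")]


class TempBanList:
    """Tracks temporary drop rules and returns the rule changes to apply."""

    def __init__(self):
        self.expiry = {}  # source address -> time its drop rule is deleted

    def expire(self, now):
        """Delete drop rules whose ban has run out."""
        done = [a for a, t in self.expiry.items() if t <= now]
        for a in done:
            del self.expiry[a]
        return [("del-drop", str(a)) for a in done]

    def on_alert(self, now, signature, src):
        """Handle one IDS alert; return a list of (action, address) tuples."""
        actions = self.expire(now)
        addr = ipaddress.ip_address(src)
        if signature not in TRUSTED_SIGNATURES:
            return actions  # alert-only signature: never changes access control
        if any(addr in net for net in NEVER_BLOCK):
            return actions  # protected address: alert, but do not block
        if addr not in self.expiry:
            actions.append(("add-drop", str(addr)))
        self.expiry[addr] = now + BAN_SECONDS  # assumption: repeats extend the ban
        return actions


# Constructed alerts: (time in seconds, signature, source address)
SAMPLE = [
    (0, "tcp-port-scan", "198.51.100.7"),
    (10, "http-odd-uri", "203.0.113.9"),    # untrusted signature, ignored
    (20, "udp-port-scan", "192.0.2.5"),     # never-block range, ignored
    (600, "tcp-port-scan", "198.51.100.7"), # ban now runs until t=2400
    (2400, "udp-port-scan", "203.0.113.9"),
]


def replay(alerts):
    """Feed alerts through a fresh ban list; return every rule change made."""
    bans, out = TempBanList(), []
    for now, sig, src in alerts:
        out.extend(bans.on_alert(now, sig, src))
    return out
```
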

