
Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: Dave Piscitello <dave () corecom com>
Date: Tue, 16 Apr 2002 12:41:05 -0400
"library" was probably an imprudent choice of words. From your response, you're concluding that this is an extensive database of signatures. It's closer to "a set of attacks we've written code to detect and block", so how about "list"?

You can tell the WGRD FB to temporarily block SYN floods, port and IP address probes, spoofing attacks, packets with IP options. You can also tell it to automatically (and temporarily) block a site that attempts to use any denied service.

The RapidStream has a "Hacker Prevention" feature. You can set DOS prevention thresholds for ICMP/UDP/SYN flood, POD, and IP source route; it also has a DDOS prevention mechanism that enforces quota per client/server on connections/second.

SonicWall blocks Ping of Death, SYN Flood, LAND Attack, IP Spoofing and others (I don't have the box powered up at the moment).

RE: administration... I use conservative settings on the DOS attack prevention features. Could someone conceivably DOS one of these firewalls by fingerprinting it, then spoofing my partners, et al., and play network cat and mouse with me? Probably true for many more firewalls than I list.

At 10:04 AM 4/16/2002 -0400, R DuFresne wrote:
On Mon, 15 Apr 2002, Dave Piscitello wrote:

> But this isn't something *new*. Several firewalls do exactly this
> My WGRD Firebox temporarily blocks hosts according to a DOS
> and attack signature library, and my Rapidstream
> can detect basic DOS attacks and tries to mitigate the effects by
> discarding traffic. I'm pretty certain if I turn on my SonicWall, it has
> some feature like this.

doesn't this "attack signature library" put the firewall into the IDS/virus scanner category though? Meaning this library has to be maintained and updated regularly to be most effective, and the rules it plays upon have to be regularly maintained to make sure it's not over-reacting to signatures it detects from address space you need to reach out and deal with, like corporate partners, vendor sites and what not? This can be an administrative nightmare and requiring lots of documentation in case you're not there when updates and changes are required can't it?
David M. Piscitello
Core Competence, Inc. & The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
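The administration question raised in this message (an automatic, temporary block reacting to spoofed traffic that claims to come from partners), as an added sketch that is not part of the original thread and not any vendor's implementation. The class name, thresholds, exemption list and addresses are assumptions chosen for illustration.

```python
import ipaddress

class AutoBlocker:
    """Temporary auto-block list with a never-block exemption set (hypothetical)."""

    def __init__(self, threshold, window, block_seconds, exempt=()):
        self.threshold = threshold          # denied packets tolerated per window
        self.window = window                # counting window, in seconds
        self.block_seconds = block_seconds  # lifetime of a temporary block
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.hits = {}      # source -> timestamps of recent denied packets
        self.blocked = {}   # source -> time at which its block expires

    def is_exempt(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.exempt)

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is not None and now >= expiry:
            del self.blocked[src]           # block was temporary; let it lapse
            return False
        return expiry is not None

    def denied_packet(self, src, now):
        """Record a packet the policy denied and return the action taken."""
        if self.is_blocked(src, now):
            return "dropped-blocked"
        recent = [t for t in self.hits.get(src, []) if now - t < self.window]
        recent.append(now)
        self.hits[src] = recent
        if len(recent) < self.threshold:
            return "denied"
        if self.is_exempt(src):
            # A source address can be forged, so a partner range is never
            # auto-blocked; the event is only raised for an operator to review.
            return "denied-alert-only"
        self.blocked[src] = now + self.block_seconds
        self.hits.pop(src, None)
        return "denied-and-blocked"

# Constructed sample: denied packets as (source, seconds), documentation ranges.
EVENTS = [("198.51.100.7", 0), ("198.51.100.7", 1), ("198.51.100.7", 2),
          ("192.0.2.10", 3), ("192.0.2.10", 4), ("192.0.2.10", 5)]

def replay(events, exempt):
    fw = AutoBlocker(threshold=3, window=10, block_seconds=60, exempt=exempt)
    return [fw.denied_packet(src, t) for src, t in events]
```

Replaying the same events with and without the partner range exempted shows the trade-off: without it, the third forged packet locks the partner address out for the block period.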