Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: Mike Shaw <mshaw () wwisp com>
Date: Tue, 16 Apr 2002 15:30:59 -0500

My take on this:

I greatly dislike the concept of dynamic firewall reconfiguration by IDS (for the obvious DOS reasons mentioned here). I've seen more than one pile of IDS equipment sitting unplugged by the datacenter door due to unscheduled downtime.

The only way I could conceivably implement something like this is if it was based on some very intuitive type rules. Not "holy cow! Nimda! Block that IP!" but "why is a file named passwd being downloaded from a server? Let's stop that and raise the alarm."

In other words, it would have to be an obvious hack/crack and not the classic signature-based alarm. It would also have to be completely un-initiate-able from the outside. Such as "raise the alarm if a file transfer of 'passwd' is successfully initiated from the ftp site to the client," not "raise the alarm if the client requests 'passwd' from the ftp site."

This makes sense because you're a) actually stopping something. Reconfiguring the firewall for every 16 year old abusing whisker isn't going to help you unless they're successful. And if they're successful then you're better off spending your time reviewing your policy implementations than tweaking firewalls. Also in this scenario you're b) not vulnerable to DOS attacks by someone.

-Mike

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
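The rule Mike describes, as an added example that is not part of the original post or any product mentioned in the thread: it reads xferlog-style FTP transfer records (the standard wu-ftpd/proftpd layout is assumed) and only nominates a client for blocking when a file named `passwd` was actually sent from the server to that client and the transfer completed. The log lines, the `SENSITIVE_BASENAMES` set and the function names are all constructed for the illustration. A naive "request" rule is included beside it to show why it is DoS-able: a client that asks for the file and aborts still gets itself (or a spoofed address) blocked.

```python
"""Block only on *completed* outbound transfers of 'passwd' (added example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

# Basenames whose successful download should raise the alarm (assumed list).
SENSITIVE_BASENAMES = {"passwd"}


@dataclass
class Transfer:
    remote_host: str
    path: str
    direction: str   # 'o' = outgoing from server (client download), 'i' = upload
    completed: bool  # completion-status 'c' = complete, 'i' = incomplete
    username: str


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Parse one xferlog record: 5 timestamp tokens, transfer-time, remote-host,
    file-size, filename, transfer-type, special-action, direction, access-mode,
    username, service, auth-method, auth-uid, completion-status (18 tokens).
    xferlog writers replace spaces in filenames with '_', so split() is safe."""
    fields = line.split()
    if len(fields) != 18:
        return None  # malformed or truncated record: ignore rather than guess
    return Transfer(
        remote_host=fields[6],
        path=fields[8],
        direction=fields[11],
        completed=(fields[17] == "c"),
        username=fields[13],
    )


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def completed_download_rule(t: Transfer) -> bool:
    """The post's rule: fire only when 'passwd' really left the server
    (direction 'o') and the transfer finished. A mere request, an aborted
    transfer or an upload of a file called passwd triggers nothing, so an
    outsider cannot drive the firewall from outside."""
    return (t.direction == "o" and t.completed
            and basename(t.path) in SENSITIVE_BASENAMES)


def naive_request_rule(t: Transfer) -> bool:
    """The rule the post rejects: any record mentioning 'passwd' fires,
    regardless of whether anything was actually transferred."""
    return basename(t.path) in SENSITIVE_BASENAMES


def hosts_to_block(lines: Iterable[str],
                   rule: Callable[[Transfer], bool] = completed_download_rule
                   ) -> Set[str]:
    """Return the set of remote hosts the given rule would hand to the firewall."""
    blocked: Set[str] = set()
    for line in lines:
        t = parse_xferlog_line(line)
        if t is not None and rule(t):
            blocked.add(t.remote_host)
    return blocked


# Constructed xferlog records (not real data). Only the first one is a
# completed download of passwd; the second aborted (status 'i'); the third
# is an upload (direction 'i'); the fourth is an unrelated file.
SAMPLE_XFERLOG = [
    "Tue Apr 16 14:02:11 2002 1 10.1.2.3 1823 /etc/passwd a _ o r anonymous ftp 0 * c",
    "Tue Apr 16 14:03:40 2002 0 10.1.2.4 0 /etc/passwd a _ o r anonymous ftp 0 * i",
    "Tue Apr 16 14:05:02 2002 2 10.1.2.5 1823 /incoming/passwd a _ i r anonymous ftp 0 * c",
    "Tue Apr 16 14:06:15 2002 1 10.1.2.6 4096 /pub/README a _ o r anonymous ftp 0 * c",
    "garbled line that does not parse",
]


if __name__ == "__main__":
    print("post's rule blocks:", sorted(hosts_to_block(SAMPLE_XFERLOG)))
    print("naive rule blocks: ", sorted(hosts_to_block(SAMPLE_XFERLOG, naive_request_rule)))
```

Run against the sample, the completed-download rule blocks only 10.1.2.3, the host that actually received the file; the naive rule also blocks 10.1.2.4 and 10.1.2.5, neither of which obtained anything, which is exactly the outside-triggerable behaviour the post warns against.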
