Intrusion Detection Systems mailing list archives

IDS on y2k ... good luck 2Uall =]


From: FMartins () pt imshealth com (Martins, Fernando (Lisbon))
Date: Thu, 30 Dec 1999 11:55:41 +0100



Hi2all

For the 'lucky guys' (arghhh) like me, for whom starting today sleeping is just a dream: in bored hours take a look at
http://www.sans.org/y2k.htm where some interesting information (also) about IDS is being posted.

'Sun Tzu said: We come now to the question of encamping the army, and observing signs of the enemy. Pass quickly over 
mountains, and keep in the neighborhood of valleys.'

Kind Regards
Fernando Martins
fmartins () pt imshealth com
http://www.imshealth.com

(from http://www.sans.org/y2k/firewall.htm)
Global Incident Analysis Center - Special Notice - © 1999 - 2000 SANS Institute
        SonicWall Firewall  
We have had a really large number of detects by SonicWall, so I asked someone to write up what it was and how they 
liked it. Scott Jarriel provides the following: 
Here are my thoughts on the SonicWall firewall products, having used them now for almost a year and having gone through 
2 major firmware upgrades.  
The SonicWall firewall appliance is a relatively inexpensive, hardware-based firewall device (the base model which 
'protects' up to 10 IP addresses will cost $408 via e-mail order). It is different from most 'conventional' firewalls, 
in that it does not perform 'routing' (unless you turn on the NAT features). It is actually more of a 'switch' type of 
device, which uses a form of stateful packet inspection and a rules engine to determine whether to forward packets from 
one port (a LAN port) to the other port (a WAN port). The device does not require additional network address space, but 
rather uses a single IP address within the current address space that exists on the LAN side of your router. This IP 
address provides the interface to an embedded, web based management console. This management interface can only be 
accessed from connections that come through the LAN port (so even if the IP address is determined by the black-hats, 
they cannot manage the device unless they have access to your LAN network). The 'rules' are very simple to 
create/administer through the web interface. The device has predefined 'services' for about a dozen of the most 
commonly used IP protocols (both TCP and UDP), specified by both port number and transport type. In addition, you can 
create your own 'custom' services, by simply providing a name, port number and transport type (TCP, UDP or ICMP). Once 
a 'service' is defined, you create rules by 'Allowing' or 'Denying' a specific service from a given IP address (or 
range of addresses, with wild cards for all addresses) to a given IP address (or addresses). The logic within the web 
interface will put the rules in the correct hierarchy (most specific to most general), so there is little chance of 
creating rules that do not perform as you expect them to. The device provides NAT and DHCP services, can proxy http 
traffic, and supports NTP (with firmware rev. 4.x and beyond) for time synchronization. There is logging of pretty much 
any network activity that violates the rules, and these logs can be e-mailed to a given address based upon one of 
several circumstances (time of day, log full, etc.). The device will also send alerts to a given e-mail address if it 
'detects' a circumstance that it is firmware programmed to block (denial of service attacks of several types, port 
scans, etc.). All of this logging can also be reported to a local syslog daemon if desired.  
There are other features that I'm sure I'm overlooking in this description, but the single most appealing aspect of the 
device is its simplicity of setup and maintenance. By default, it comes with rules of 'allow' all outbound traffic, and 
'deny' all in-bound traffic (that is not a direct response of outbound traffic). It blocks IP source-spoofed traffic 
coming from the WAN port in as well. With the setup 'wizard' (a Java applet that runs the first time you access the 
management interface), a novice can install this device with little or no understanding of IP networking. All that is 
needed is a single valid IP address (which could be DHCP supplied from an ISP, or part of an assigned address space 
that is currently being used) and answering a handful of questions (which are in plain English terms). I can't 
recommend this device strongly enough for anyone who is considering a DSL or cable modem connection to the internet. 
The embedded OS does not lend itself to exploitation (beyond denial of service attacks that it may not have been tested 
against) or remote logins (except through the web management interface via the LAN port only). The device has been 
tested and 'certified' by the ICSA group. My view is that this device is to internet computing, as condoms are to 'safe 
sex'. 
From a consultant's point of view, if someone were to come to me with a request to put a firewall in place in the next 8 
hours, I would simply drop one of these devices onto their existing network, between their internet router and the 
rest of the network. I'd also put a sniffer in place to monitor network traffic for about 24 hours and see what shows 
up on the sniffer traces and the log files (with the default rules in place). Even if I wasn't planning to use this as 
the long term solution for a firewall, it would provide a VERY effective short term solution with minimal invasiveness 
to the existing network topology, while a more thorough analysis could be rendered. I can't say that about any other 
firewall appliance or software solution that I've seen to date. 
Oh, about performance. The basic device family comes with 10Mb ethernet ports for LAN, WAN (and DMZ on the one 
particular model), and the firewall performance appears to be pretty close to line speed. For those who need 100Mb 
throughput, there is a Pro model that provides Fast Ethernet ports for LAN, WAN and DMZ. The Pro model also comes with 
built-in support for VPNs, using IPsec. This is an option on the base models, but is not recommended if there is a 
need for significant throughput (probably anything beyond ISDN type speeds is my guess). If I were planning to use a 
10Mb/sec interface at near full bandwidth and wanted to do VPN with the device, I would choose the Pro model. This is 
still not a bad choice, as the Pro model can be purchased for about $2500 by e-mail order.      



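The write-up above describes three behaviours of the appliance's rules engine: rules built from named services (port plus transport) and allow/deny verdicts between address ranges, automatic ordering from most specific to most general, a stateful default of "allow outbound, deny inbound unless it is a reply", and dropping WAN-side packets that claim a LAN source address. The following Python is an added example modelling those behaviours; it is not code from the original post, from SANS or from SonicWall. The LAN prefix 192.168.1.0/24, the 'admin-ssh' service, the partner ranges and the traffic are constructed for the demo, and scoring specificity as "sum of prefix lengths, then whether a service is named" is my assumption about what "most specific to most general" means, not the appliance's documented algorithm.

```python
"""Toy model of a SonicWall-style stateful packet filter (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("192.168.1.0/24")  # assumed LAN address space for the demo


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arrived on the WAN port, "out" = arrived on the LAN port
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    direction: str                     # "in" or "out"
    src: IPv4Network
    dst: IPv4Network
    service: Optional[Service] = None  # None = any service (wildcard)

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.service is None:
            return True
        if self.service.proto != p.proto:
            return False
        return self.service.port is None or self.service.port == p.dport


def specificity(rule: Rule) -> Tuple[int, int]:
    """Assumed scoring: narrower address ranges and a named service rank higher.
    The appliance's UI orders rules most specific first; we sort the same way."""
    return (rule.src.prefixlen + rule.dst.prefixlen, 0 if rule.service is None else 1)


# Shipped default policy: allow all outbound, deny all unsolicited inbound.
DEFAULT_RULES = [Rule("allow", "out", ANY, ANY), Rule("deny", "in", ANY, ANY)]


class StatefulFilter:
    def __init__(self, rules: List[Rule], lan_net: IPv4Network = LAN_NET):
        # Order as entered by the admin is irrelevant: the most specific rule wins.
        self.rules = sorted(rules + DEFAULT_RULES, key=specificity, reverse=True)
        self.lan_net = lan_net
        self.state: Set[Tuple] = set()  # 5-tuples of permitted outbound flows
        self.log: List[str] = []

    @staticmethod
    def _flow(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        # Anti-spoofing: a packet on the WAN port must not claim a LAN source address.
        if p.direction == "in" and ip_address(p.src) in self.lan_net:
            self.log.append(f"SPOOF {p.src} -> {p.dst} on WAN port")
            return "deny"
        # Stateful inspection: a reply to a flow we let out needs no inbound rule.
        if p.direction == "in" and self._reverse(p) in self.state:
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add(self._flow(p))
                elif rule.action == "deny":
                    self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return rule.action
        return "deny"  # unreachable with the defaults present; kept as a safe fallback


def build_demo_filter() -> StatefulFilter:
    """Constructed rule set: SSH into one server from a partner /24, except one host."""
    ssh = Service("admin-ssh", "tcp", 22)
    rules = [  # entered general-first on purpose; sorting must still put the /32 deny first
        Rule("allow", "in", ip_network("203.0.113.0/24"), ip_network("192.168.1.10/32"), ssh),
        Rule("deny", "in", ip_network("203.0.113.7/32"), ip_network("192.168.1.10/32"), ssh),
    ]
    return StatefulFilter(rules)


def run_demo() -> List[str]:
    fw = build_demo_filter()
    packets = [  # constructed traffic
        Packet("out", "tcp", "192.168.1.20", 40000, "198.51.100.5", 80),  # web request
        Packet("in", "tcp", "198.51.100.5", 80, "192.168.1.20", 40000),   # its reply
        Packet("in", "tcp", "198.51.100.5", 4444, "192.168.1.20", 445),   # unsolicited
        Packet("in", "tcp", "203.0.113.8", 51000, "192.168.1.10", 22),    # permitted SSH
        Packet("in", "tcp", "203.0.113.7", 51000, "192.168.1.10", 22),    # denied host
        Packet("in", "tcp", "203.0.113.8", 51000, "192.168.1.11", 22),    # wrong server
        Packet("in", "tcp", "192.168.1.5", 51000, "192.168.1.10", 22),    # spoofed LAN src
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point the reviewer makes about the UI "putting the rules in the correct hierarchy" is what the sort in the constructor does: the admin entered the broad allow before the single-host deny, yet the deny still wins because it is narrower. The state table is also why the unsolicited inbound packet to port 445 is dropped while the reply on port 80 passes: the only difference between them is whether an outbound packet created the reverse 5-tuple first.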