Snort mailing list archives

RE: Cisco PIX firewalls..


From: Austin Gonyou <austin () coremetrics com>
Date: 15 Apr 2002 16:21:03 -0500

On Mon, 2002-04-15 at 15:40, Erek Adams wrote:
> ...
> My issues with the whole 'automated' idea are based on two things:
>
>       Personal pain
>       Corporate Politics

I don't disagree with you but...

> Trust me when I say that one poorly written rule in an IDS that triggers an
> 'autoblock' on a firewall and/or router can ruin your whole day/night/week.
> :-/  IMHO, you should have an IDS do what an IDS is supposed to do--Detect and
> Alert.  It's up to you to examine the alert and make the determination _if_
> this was valid traffic or if it is _not_ valid traffic.

For something which is spoofed to the firewall, to verify whether it was
spoofed, a RARP would be needed on the MAC, and then a comparison of
source IP vs. RARP. Once that happens, you can block at the MAC
level, not just the IP. Putting that logic in there is the part I'm
worried about. It helps those poorly written "good intentions" rules
be more useful, if not make good on their intent.

> But again....  This line of conversation is borderline 'Holy War Material',
> and I don't want to start one up--I sure don't want the penalty drinks! ;-)
>
> Just a thought...

And an excellent one!  :)

> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

-- 
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin () coremetrics com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
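The gate Austin sketches above, as an added example that is not code from the thread or from Snort: before an IDS alert is allowed to drive a block, the claimed source IP is compared against the hardware address the firewall already knows for it (the RARP-style lookup), a do-not-block list protects infrastructure addresses, and anything that cannot be corroborated is held for a human, as Erek argues. The ARP table, the never-block list and the alerts are constructed sample data.

```python
"""Gate an IDS 'autoblock' on an IP-vs-MAC consistency check and a
never-block list. Added example; all data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed: IP -> MAC mappings the firewall/router knows for the inside
# segment (the lookup Austin calls "a RARP on the MAC").
ARP_TABLE = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.9": "00:11:22:33:44:99",
}

# Constructed: addresses no automated action may ever block (gateway, DNS).
NEVER_BLOCK = {"10.0.0.1", "10.0.0.53"}


@dataclass
class Alert:
    sid: int       # id of the Snort rule that fired (hypothetical values)
    src_ip: str    # source IP claimed in the packet
    src_mac: str   # source MAC actually seen on the wire


def decide(alert: Alert) -> tuple[str, str]:
    """Return (action, reason); action is 'alert', 'review' or 'block_mac'."""
    if alert.src_ip in NEVER_BLOCK:
        return "alert", "source is on the never-block list; alert only"
    known_mac = ARP_TABLE.get(alert.src_ip)
    if known_mac is None:
        # Nothing local to corroborate against: a rule firing on an unknown
        # or off-segment address is exactly the case to hand to a person.
        return "review", "no ARP entry for source IP; hold for a human"
    if known_mac.lower() != alert.src_mac.lower():
        # The IP claims to be a known host but arrived from a different
        # hardware address: block the MAC that sent it, not the IP, so the
        # legitimate owner of that IP is not cut off by a spoofed packet.
        return "block_mac", (f"IP {alert.src_ip} belongs to {known_mac}, "
                             f"frame came from {alert.src_mac}")
    # IP and MAC agree, so this is a real host; the rule may still be a
    # false positive, which is the poorly-written-rule case Erek describes.
    return "review", "IP and MAC agree; possible false positive, hold for a human"


if __name__ == "__main__":
    for a in (Alert(1000001, "10.0.0.1", "00:11:22:33:44:01"),
              Alert(1000001, "10.0.0.5", "de:ad:be:ef:00:01"),
              Alert(1000001, "10.0.0.5", "00:11:22:33:44:55"),
              Alert(1000001, "10.0.0.77", "00:11:22:33:44:77")):
        print(a.src_ip, a.src_mac, "->", *decide(a))
```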


