Firewall Wizards mailing list archives

Re: Reactive Firewalls


From: Rick Smith <smith () securecomputing com>
Date: Wed, 11 Feb 1998 10:09:31 -0600

At 9:10 PM -0600 2/9/98, Aleph One wrote:

Reactive firewalls are one of the worst ideas yet. You are taking
automated actions based on non-authenticated possible bogus data. That is
a formula for disaster. Read the recent (released today) Secure Network
paper on IDS's and their flaws for some reasons why this is so.

When we cross this with Bill Stout's followup message, it's clear there are
several classes of reactive firewalls, depending on various choices:

1) reacting to internal information versus reacting to external information

2) reactions that change the firewall's operating behavior versus reactions
that collect data and send alarms.

Sidewinder is reactive only to the point of trying to collect additional
information and send alerts to the site admin. These decisions are based on
information collected from processes inside Sidewinder, and try to deduce
when an outsider is doing something bad. There could be a false alarm
problem with this, but that's true of any security measure.

Personally, I don't think we understand data security architecture well
enough to be designing systems that adapt their behavior automatically to
detected environmental conditions (i.e. levying additional restrictions on
data traffic when an "attack" is detected, or loosening up when it's
perceived to be "safe"). We can do parlor tricks with it ("AI
demonstrations") but I doubt anyone can build a system that does this with
any degree of confidence. But then "confidence" doesn't seem to be a major
selling point with buyers of security products anyway.


Rick.
smith () securecomputing com                Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores
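The distinction drawn in this message between reactions that only collect data and alarm and reactions that change the firewall's behaviour, and Aleph One's objection that the triggering data is unauthenticated, can be shown in a small simulation. The code below is an added example and is not from the thread or from any Secure Computing product: a toy reactive policy that counts denied connection attempts per claimed source address and, above a threshold, either alarms only or also blocks that address. The event list, the threshold, and the set of critical peers are all constructed for the example. The point it makes is that in "enforce" mode a probe burst whose headers merely claim the site's DNS server as source gets that server blocked, so the firewall has been talked into cutting off a host the site needs, while in "alert" mode the same data produces an alarm for the admin and nothing else.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample events (not from the original thread). Each record is a
# connection attempt as the firewall saw it. "src" is whatever the packet
# header claimed; nothing in this data authenticates it.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "dst_port": 23, "outcome": "denied"},
    {"src": "203.0.113.7", "dst_port": 25, "outcome": "denied"},
    {"src": "203.0.113.7", "dst_port": 110, "outcome": "denied"},
    {"src": "203.0.113.7", "dst_port": 143, "outcome": "denied"},
    # Probes whose headers claim the site's own upstream DNS server as source.
    {"src": "192.0.2.53", "dst_port": 23, "outcome": "denied"},
    {"src": "192.0.2.53", "dst_port": 25, "outcome": "denied"},
    {"src": "192.0.2.53", "dst_port": 110, "outcome": "denied"},
    {"src": "192.0.2.53", "dst_port": 143, "outcome": "denied"},
    # A legitimate DNS reply from that server, arriving after the burst.
    {"src": "192.0.2.53", "dst_port": 53, "outcome": "allowed"},
]

# Assumed for the example: hosts the site cannot operate without.
CRITICAL_PEERS = {"192.0.2.53"}


@dataclass
class ReactiveFirewall:
    """Toy reactive policy: count denials per claimed source and react."""
    threshold: int = 3
    mode: str = "alert"            # "alert": collect and alarm; "enforce": also block
    blocked: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)

    def observe(self, event: Dict) -> None:
        """Feed one event; react exactly once when a source hits the threshold."""
        if event["outcome"] != "denied":
            return
        src = event["src"]
        self.denials[src] += 1
        if self.denials[src] == self.threshold:
            self.react(src)

    def react(self, src: str) -> None:
        """Class 2 reaction (alarm) always; class 1 reaction (block) only in enforce mode."""
        self.alerts.append(f"probe burst from claimed source {src}")
        if self.mode == "enforce":
            self.blocked.add(src)

    def passes(self, event: Dict) -> bool:
        """Would this event get through, given the blocks the reactions created?"""
        return event["outcome"] == "allowed" and event["src"] not in self.blocked


def simulate(mode: str, events=SAMPLE_EVENTS) -> Dict:
    """Run the event stream through a firewall in the given mode and summarise."""
    fw = ReactiveFirewall(mode=mode)
    for ev in events:
        fw.observe(ev)
    dns_reply = events[-1]
    return {
        "alerts": len(fw.alerts),
        "blocked": set(fw.blocked),
        # Critical peers the reaction itself cut off: self-inflicted denial of service.
        "collateral": fw.blocked & CRITICAL_PEERS,
        "dns_reply_passed": fw.passes(dns_reply),
    }


if __name__ == "__main__":
    for mode in ("alert", "enforce"):
        print(mode, simulate(mode))
```

In "alert" mode both bursts raise an alarm and the DNS reply still gets through; in "enforce" mode the same unauthenticated source field is enough to put the DNS server on the block list. Whatever the reaction logic, the input it acts on is only as trustworthy as the weakest header in the stream, which is the objection the quoted message is making.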