Firewall Wizards mailing list archives
Re: Intrusion Prevention Firewall
From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 05 Apr 2002 12:05:14 -0500
"Pieper, Rodney" wrote:
> Except, imagine the following -- Wily hacker notices that whenever he does 'A' the firewall makes a change 'B'. After tiring of trying to get inside, or maybe all he wants to do, he uses the previous information to effectively DOS your network by continually doing 'A' in a modified fashion. Not just flaky access control policy but a new DOS to fight.
First, I wouldn't want the IDP to implement access control by making dynamic address/port based access control changes on a firewall. That architecture certainly leaves one open to all sorts of denial of service scenarios using spoofed packets or simple overload caused by too many dynamic changes. I want the IDP to simply drop the offending packet(s). :)
> but is the goal to reduce the manpower requirement for an Intelligent Human analyst?
No. It's to create an effective intrusion prevention system instead of an alarm system that does nothing to stop attacks. On a large network, I know I'm being attacked. I don't need bells, lights, email, and a fancy GUI to tell me. I want it stopped and without having to block entire service categories à la a firewall. In other words, I don't want to block all truck traffic. I want them searched and if they're carrying something malicious, have them blocked at the border. Like a proxy firewall but with more ID/P specialization.

This accomplishes three things:

1) Stops some attacks from being successful.
2) Allows the staff and IDS equipment to concentrate on the more sophisticated and probably more serious attacks which get through.
3) Keeps me from having to give in to the bad guys and block entire services because they're frequently attacked, defective, and/or mismanaged.

I know it's not possible to accurately identify all the packets carrying malicious traffic. I know there are practical limits on what can be examined in real-time inline with a production network. But I would think it would be possible to identify a fair number of them. Am I wrong? Naive?

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
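As an added illustration of the two response designs discussed in this message (not code from the thread or from any IDP product), the following constructed simulation contrasts an IDP that drops the offending packet inline with one that reacts to each alert by pushing a source-address deny rule to the firewall. The packet model, policy classes and all addresses are assumptions made up for the example; it shows why a spoofed source turns the dynamic-rule design into a self-inflicted denial of service.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str         # source address; an attacker can spoof this
    malicious: bool  # the IDP signature's verdict on this packet


class InlineDropPolicy:
    """IDP drops the offending packet itself; no firewall rule is changed."""
    def handle(self, pkt: Packet) -> str:
        return "dropped" if pkt.malicious else "allowed"


@dataclass
class DynamicBlockPolicy:
    """IDP reacts to each alert by pushing a source-address deny rule."""
    blocked: set = field(default_factory=set)
    rules_pushed: int = 0

    def handle(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "dropped"            # rule now hits everything from src
        if pkt.malicious:
            self.blocked.add(pkt.src)   # dynamic firewall change
            self.rules_pushed += 1
            return "dropped"
        return "allowed"


def collateral_drops(policy, traffic) -> int:
    """Count legitimate packets the policy drops: the self-inflicted DoS."""
    dropped_legit = 0
    for p in traffic:                   # every packet must pass the policy
        if policy.handle(p) == "dropped" and not p.malicious:
            dropped_legit += 1
    return dropped_legit


def rules_after_spoof_flood(n_sources: int) -> int:
    """Rule-table growth when one alert arrives per distinct spoofed source."""
    policy = DynamicBlockPolicy()
    for i in range(n_sources):
        policy.handle(Packet(f"203.0.113.{i}", True))   # constructed addresses
    return policy.rules_pushed


# Constructed traffic: attacker spoofs the address of a legitimate partner host
PARTNER = "192.0.2.10"
TRAFFIC = [
    Packet(PARTNER, False),   # genuine partner traffic
    Packet(PARTNER, True),    # spoofed attack carrying the partner's address
    Packet(PARTNER, False),   # genuine partner traffic, now caught by the rule
]
```

Running `collateral_drops` over `TRAFFIC` with each policy shows the dynamic design dropping the partner's later legitimate packet while the inline design drops only the malicious one, and `rules_after_spoof_flood` shows the rule table growing one entry per spoofed source.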