Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 05 Apr 2002 12:05:14 -0500

"Pieper, Rodney" wrote:

> Except, imagine the following -- Wily hacker notices that whenever he does
> 'A' the firewall makes a change 'B'. After tiring of trying to get inside,
> or maybe all he wants to do, he uses the previous information to effectively
> DOS your network by continually doing 'A' in a modified fashion.
> Not just flaky access control policy but a new DOS to fight.

First, I wouldn't want the IDP to implement access control by
making dynamic address/port based access control changes on 
a firewall.

That architecture certainly leaves one open to all sorts of denial
of service scenarios using spoofed packets or simple overload
caused by too many dynamic changes.

I want the IDP to simply drop the offending packet(s). :)

> but is the goal to reduce the manpower
> requirement for an Intelligent Human analyst?

No. It's to create an effective intrusion prevention system instead of
an alarm system that does nothing to stop attacks.

On a large network, I know I'm being attacked. I don't need bells,
lights, email, and a fancy GUI to tell me. I want it stopped and
without having to block entire service categories a la a firewall.

In other words, I don't want to block all truck traffic. I want 
them searched and if they're carrying something malicious, have 
them blocked at the border. Like a proxy firewall but with more 
ID/P specialization.

This accomplishes three things:

1) Stops some attacks from being successful.
2) Allows the staff and IDS equipment to concentrate on the
   more sophisticated and probably more serious attacks which
   get through.
3) Keeps me from having to give in to the bad guys and block entire
   services because they're frequently attacked, defective, and/or 
   mismanaged.

I know it's not possible to accurately identify all the packets
carrying malicious traffic. I know there are practical limits
on what can be examined in real-time inline with a production
network. But I would think it would be possible to identify a
fair number of them. Am I wrong? Naive?

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
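The two response architectures Gary contrasts (an IDP that pushes dynamic address-based blocks to a firewall versus one that simply drops the offending packet inline) can be compared in a small simulation. The code below is an added example written for this archive page, not code from the thread or from any product; the addresses, the "EVIL" payload marker standing in for a signature, and the rule-table limit `max_rules` are all constructed assumptions. It shows the two failure modes the post names: a spoofed packet that gets a legitimate partner blocked, and rule-table exhaustion from too many dynamic changes.

```python
"""Toy comparison of reactive address blocking vs. inline packet dropping.

Everything here is constructed for illustration: the addresses come from the
RFC 5737 documentation ranges, and a payload containing b"EVIL" stands in for
a real IDP signature match.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")

MALICIOUS_MARKER = b"EVIL"  # constructed stand-in for a signature


def is_malicious(pkt):
    """The IDP's detection step: true if the (constructed) signature matches."""
    return MALICIOUS_MARKER in pkt.payload


class ReactiveBlocker:
    """IDP that reacts to a detection by adding a firewall rule blocking the
    packet's source address. Models the architecture the post argues against.
    max_rules is a hypothetical capacity limit for the dynamic rule table."""

    def __init__(self, max_rules):
        self.blocked = set()
        self.max_rules = max_rules
        self.overloaded = False

    def handle(self, pkt):
        if pkt.src in self.blocked:
            return "dropped"          # everything from a blocked source dies
        if is_malicious(pkt):
            if len(self.blocked) >= self.max_rules:
                self.overloaded = True  # table full: the attack now passes
                return "forwarded"
            self.blocked.add(pkt.src)   # dynamic change driven by attacker input
            return "dropped"
        return "forwarded"


class InlineDropper:
    """IDP that drops only the offending packet and keeps no per-address
    state, so spoofed sources buy the attacker nothing beyond that packet."""

    def handle(self, pkt):
        return "dropped" if is_malicious(pkt) else "forwarded"


def run(policy, packets):
    """Feed packets through a policy and return the verdict for each."""
    return [policy.handle(p) for p in packets]


def spoofed_partner_scenario(policy):
    """One malicious packet arrives with the source address of a legitimate
    partner (spoofed), then the real partner sends two benign requests.
    Returns the verdicts for the partner's two benign packets."""
    partner = "198.51.100.7"     # constructed partner address
    server = "203.0.113.10"      # constructed protected host
    traffic = [
        Packet(partner, server, b"GET /index.html EVIL"),  # spoofed attack
        Packet(partner, server, b"GET /index.html"),        # genuine partner
        Packet(partner, server, b"GET /contact.html"),      # genuine partner
    ]
    return run(policy, traffic)[1:]


def rule_overload_scenario(policy, n):
    """n malicious packets, each from a distinct constructed source address.
    Returns (verdict for the last packet, number of packets dropped)."""
    server = "203.0.113.10"
    traffic = [Packet(f"192.0.2.{i}", server, b"EVIL") for i in range(1, n + 1)]
    verdicts = run(policy, traffic)
    return verdicts[-1], verdicts.count("dropped")


if __name__ == "__main__":
    for name, make in (("reactive", lambda: ReactiveBlocker(100)),
                       ("inline", InlineDropper)):
        print(name, "partner after spoof:", spoofed_partner_scenario(make()))
        print(name, "150 distinct attack sources:", rule_overload_scenario(make(), 150))
```

With the reactive policy the partner's genuine requests are dropped after a single spoofed packet, and once 100 dynamic rules exist the remaining attack packets are forwarded; the inline policy drops exactly the malicious packets in both runs and lets the partner's traffic through. The simulation ignores rate and state cost, but the shape of the result is the point: a response that changes policy on attacker-controlled input turns detection into a control channel for the attacker.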