Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 12 Apr 2002 13:58:05 -0400 (EDT)

On Fri, 12 Apr 2002, Berny Stapleton (Sydney Technology) wrote:

> I agree with this point.
>
> I think some attack signatures should be trusted, blatantly obvious ones
> like TCP/UDP scans from the same host. I think a half hour ban on this
> type of traffic, by adding a drop rule, and then deleting it half an
> hour later.
>
> I think this would prevent some of the script kiddie attacks that I
> think we all see much too often.

But, what if I, the script kiddie, spoof the attack with the IPs of some
of your corporate partners?  Or if I spoof them from sites your users need
access to?  This is one of the reasons that auto detection blocking might
fail.


I think it was the crux of what Cowan and Gary meant.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
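
Added example, not part of the original message or of any product discussed on the list: a sketch of the half-hour auto-ban proposed above, showing how a spoofed scan makes a naive blocker drop a partner and how two guards avoid that. The never-block list, the handshake-completed flag, the class and function names, and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress

BAN_SECONDS = 30 * 60  # the half-hour ban proposed in the thread


class AutoBlocker:
    """Temporary drop-rule table keyed by source IP (constructed example)."""

    def __init__(self, never_block=(), require_handshake=True):
        # Assumption: networks that must stay reachable (partners, needed sites).
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.require_handshake = require_handshake
        self.bans = {}  # source IP -> expiry time in seconds

    def report_scan(self, src, now, handshake_completed):
        """Handle one scan alert and return the action taken."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_block):
            return "alert-only: protected network"
        if self.require_handshake and not handshake_completed:
            # SYN and UDP probes carry a source address nobody has verified.
            return "alert-only: source unverified"
        self.bans[ip] = now + BAN_SECONDS
        return "banned"

    def is_dropped(self, src, now):
        """True while a ban is live; an expired ban is deleted on lookup."""
        ip = ipaddress.ip_address(src)
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            return False
        return True


def replay(blocker, alerts):
    """Feed (source, time, handshake_completed) alerts; return the actions."""
    return [blocker.report_scan(*a) for a in alerts]


# Constructed sample alerts; 198.51.100.0/24 stands in for a partner network.
SAMPLE = [
    ("198.51.100.7", 0, False),   # scan carrying the partner's address
    ("203.0.113.50", 10, False),  # one-way probes from an unknown source
    ("203.0.113.50", 20, True),   # same source after a completed TCP handshake
]
```

With `require_handshake=False` and an empty never-block list, the first sample alert is enough to cut the partner off for thirty minutes, which is the failure described in the reply.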

