Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Fri, 12 Apr 2002 19:55:11 +0200 (CEST)

Hi all!

Berny wrote:

I think some attack signatures should be trusted, blatantly obvious ones
like TCP/UDP scans from the same host. I think a half-hour ban on this
type of traffic, by adding a drop rule, and then deleting it half an
hour later.

I think this would prevent some of the script kiddie attacks that I
think we all see much too often.

But you already have a firewall in place, right?
A firewall which is a policy enforcement device with respect
to traffic passing from your internal network to the Internet
and vice versa, right?
And the policy is to deny everything which is not explicitly allowed, right?

So the firewall already drops and logs all these packets that random
script kiddies' portscans generate ...

So what's the gain in having an IDS tweak firewall rules?

A properly understood and configured firewall is an "Intrusion Prevention
Device" in the same way an armed guard is. If you needed a supervisor
for the guard telling the guard what to do ... better fire the guard
and let the supervisor do that job.

Of course, there are a lot of firewall installations out there that
don't work that way. But these are simply guards that do a sloppy
job and should be fired (IMHO).

Regards,
Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
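Added illustration (not part of the original thread or of any product discussed in it): a small simulation that runs one scanning host's packets through a default-deny policy, and then through the same policy with the proposed IDS tweak layered on top (a drop rule for the source after a threshold of unknown ports, removed again after the ban period). The class names, the threshold of 10 ports, the 1800-second ban and the TEST-NET addresses are all constructed for this example. It shows what the two messages above argue over: the scan packets are dropped either way; the auto-ban only changes how much gets logged and whether the banned source can still reach the explicitly allowed ports while the temporary rule exists.

```python
"""Default-deny packet filter vs. default-deny plus an IDS-driven temporary ban.
Example code written for this archive page; names and values are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass
class DefaultDenyFirewall:
    """Policy enforcement: deny everything not explicitly allowed; log what is denied."""
    allowed: frozenset                      # explicitly permitted (proto, dport) pairs
    log: list = field(default_factory=list)  # one entry per policy-denied packet

    def filter(self, pkt: Packet, now: float) -> str:
        if (pkt.proto, pkt.dport) in self.allowed:
            return "pass"
        self.log.append((now, pkt.src, pkt.proto, pkt.dport))
        return "drop"


@dataclass
class AutoBanFirewall(DefaultDenyFirewall):
    """Same policy plus the proposed tweak: once a source has hit `threshold`
    distinct denied ports, insert a drop-all rule for it lasting `ban_seconds`,
    then delete the rule again (constructed threshold and duration)."""
    threshold: int = 10
    ban_seconds: float = 1800.0
    seen_ports: dict = field(default_factory=dict)  # src -> set of denied (proto, port)
    bans: dict = field(default_factory=dict)        # src -> time the drop rule expires

    def _expire(self, now: float) -> None:
        # Delete temporary drop rules whose ban period has elapsed.
        for src, until in list(self.bans.items()):
            if until <= now:
                del self.bans[src]

    def filter(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if pkt.src in self.bans:
            return "drop"  # hit by the temporary rule; the policy never sees it, so no log line
        verdict = super().filter(pkt, now)
        if verdict == "drop":
            ports = self.seen_ports.setdefault(pkt.src, set())
            ports.add((pkt.proto, pkt.dport))
            if len(ports) >= self.threshold:
                self.bans[pkt.src] = now + self.ban_seconds
                self.seen_ports.pop(pkt.src, None)  # start counting afresh after the ban
        return verdict


def run(fw: DefaultDenyFirewall, timed_packets: list) -> dict:
    """Push (timestamp, packet) pairs through a firewall; return pass/drop/log counts."""
    verdicts = [fw.filter(pkt, t) for t, pkt in timed_packets]
    return {"passed": verdicts.count("pass"),
            "dropped": verdicts.count("drop"),
            "logged": len(fw.log)}


def scan_traffic() -> list:
    """Constructed sample: a TCP scan of ports 1-20, one packet per second, then
    two connections to an allowed port, one during and one after the ban period."""
    scanner, target = "192.0.2.10", "198.51.100.5"   # TEST-NET addresses, constructed
    pkts = [(float(t), Packet(scanner, target, port, "tcp"))
            for t, port in enumerate(range(1, 21))]
    pkts.append((30.0, Packet(scanner, target, 80, "tcp")))     # during the ban
    pkts.append((1830.0, Packet(scanner, target, 80, "tcp")))   # after the ban expired
    return pkts


def demo() -> dict:
    allowed = frozenset({("tcp", 80), ("tcp", 443)})
    return {"default_deny": run(DefaultDenyFirewall(allowed), scan_traffic()),
            "auto_ban": run(AutoBanFirewall(allowed), scan_traffic())}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

Both firewalls stop every scan packet from reaching the inside. The plain default-deny policy logs all 20 probes and still passes the later connections to port 80; the auto-ban version logs only the 10 probes it took to trigger the rule, then also drops the scanner's port-80 connection until the rule is deleted. So the "gain" is less logging and a short blackout of the source on otherwise-allowed ports, at the price of a rule that also cuts off that source if it happens to be one you needed.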