RE: Intrusion Prevention Firewall

["R. DuFresne" <dufresne () sysinfo com>]

On Tue, 16 Apr 2002, Dave Piscitello wrote:

> "library" was probably an imprudent choice of words.
>  From your response, you're concluding that this is
> an extensive database of signatures. It's closer to
> "a set of attacks we've written code to detect and block",
> so how about "list"?
>
> You can tell the WGRD FB to temporarily block SYN floods,
> port and IP address probes, spoofing attacks, packets with
> IP options. You can also tell it to automatically (and temporarily)
> block a site that attempts to use any denied service.
>
> The RapidStream has a "Hacker Prevention" feature.
> You can set DOS prevention thresholds
> for ICMP/UDP/SYN flood, POD, and IP source route;
> it also has a DDOS prevention mechanism that enforces
> quote per client/server on connections/second.
>
> SonicWall blocks Ping of Death, SYN Flood, LAND Attack, IP Spoofing
> and others (I don't have the box powered up at the moment).
>
> RE: administration... I use conservative settings on the DOS
> attack prevention features. Could someone conceivably DOS
> one of these firewalls by fingerprinting it, then spoofing my
> partners, et. al., and play network cat and mouse with me?
> Probably true for many more firewalls than I list.


Ping of Death, LAND Attack, those are old attacks and patches have been
released, unless support staff are still installing unpatched earlier win
boxes, they really should not be a problem now, though, I guess some like
to be overly aggressive with the kiddies and lblock them when they do try
such ugly little packets.  but, how does one really detect IP spoofing?  I
mean, sure you can spot that certain addresses that should not be
publically routeed should not be accepted, and sure, one can see and block
their own address space from coning in the outside interface, but, other
then this, how does one spot that packets coming in are not from the site
that is actually sending them?


Thanks,

Ron DuFresne

> At 10:04 AM 4/16/2002 -0400, R DuFresne wrote:
> > On Mon, 15 Apr 2002, Dave Piscitello wrote:
> >
> > > But this isn't something *new*. Several firewalls do exactly this
> > > My WGRD Firebox temporarily blocks hosts according to a DOS
> > > and attack signature library, and my Rapidstream
> > > can detect basic DOS attacks and tries to mitigate the effects by
> > > discarding traffic. I'm pretty certain if I turn on my SonicWall, it has
> > > some feature like this.
> >
> >
> > doesn't this "attack signature library" put the firewall into the
> > DIS/virus scanner category though?  Meaning this library has to be
> > maintained and updated regularly to be most effective, and the rules it
> > plays upon has to be regularly maintained to make sure it's not
> > over-reacting to signatures it detects from address space you need to
> > reach out and deal with, like corporate partners, vendor sites and what
> > not?  This can be an administrative nightmare and requiring lots of
> > documentation in case you're not there when updates and changes are
> > required can't it?
>
>
> David M. Piscitello
> Core Competence, Inc. &
> The Internet Security Conference
> 3 Myrtle Bank Lane
> Hilton Head, SC 29926
> dave () corecom com
> www.corecom.com
> www.tisc2002.com
> hhi.corecom.com/~yodave/
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards