Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 17 Apr 2002 14:31:51 -0400 (EDT)
On Tue, 16 Apr 2002, Dave Piscitello wrote:
"library" was probably an imprudent choice of words. From your response, you're concluding that this is an extensive database of signatures. It's closer to "a set of attacks we've written code to detect and block", so how about "list"? You can tell the WGRD FB to temporarily block SYN floods, port and IP address probes, spoofing attacks, packets with IP options. You can also tell it to automatically (and temporarily) block a site that attempts to use any denied service. The RapidStream has a "Hacker Prevention" feature. You can set DOS prevention thresholds for ICMP/UDP/SYN flood, POD, and IP source route; it also has a DDOS prevention mechanism that enforces quota per client/server on connections/second. SonicWall blocks Ping of Death, SYN Flood, LAND Attack, IP Spoofing and others (I don't have the box powered up at the moment). RE: administration... I use conservative settings on the DOS attack prevention features. Could someone conceivably DOS one of these firewalls by fingerprinting it, then spoofing my partners, et al., and play network cat and mouse with me? Probably true for many more firewalls than I list.
Ping of Death, LAND Attack: those are old attacks and patches have been released. Unless support staff are still installing unpatched earlier win boxes, they really should not be a problem now, though I guess some like to be overly aggressive with the kiddies and block them when they do try such ugly little packets. But how does one really detect IP spoofing? I mean, sure, you can spot that certain addresses that should not be publicly routed should not be accepted, and sure, one can see and block their own address space from coming in the outside interface, but other than this, how does one spot that packets coming in are not from the site that is actually sending them?

Thanks,
Ron DuFresne
At 10:04 AM 4/16/2002 -0400, R DuFresne wrote:

On Mon, 15 Apr 2002, Dave Piscitello wrote:

But this isn't something *new*. Several firewalls do exactly this. My WGRD Firebox temporarily blocks hosts according to a DOS and attack signature library, and my Rapidstream can detect basic DOS attacks and tries to mitigate the effects by discarding traffic. I'm pretty certain if I turn on my SonicWall, it has some feature like this.

Doesn't this "attack signature library" put the firewall into the IDS/virus scanner category though? Meaning this library has to be maintained and updated regularly to be most effective, and the rules it plays upon have to be regularly maintained to make sure it's not over-reacting to signatures it detects from address space you need to reach out and deal with, like corporate partners, vendor sites and what not? This can be an administrative nightmare, requiring lots of documentation in case you're not there when updates and changes are required, can't it?

David M. Piscitello
Core Competence, Inc. & The Internet Security Conference
3 Myrtle Bank Lane Hilton Head, SC 29926
dave () corecom com
www.corecom.com www.tisc2002.com hhi.corecom.com/~yodave/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
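
Added example, not part of the original message and not code from any product named in the thread: the two source-address checks described in the reply above (non-routable sources, and the site's own address space arriving on the outside interface), written out in Python. The name check_outside_source, the OWN_NETS prefix and the sample packets are constructed assumptions; the last two samples share one source address to show that a forged but routable source gets the same verdict as the genuine one.

```python
import ipaddress

# Sources that should never appear on an Internet-facing interface
# (RFC 1918 private space, loopback, link-local, multicast, reserved).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumption: the site's own public block. 198.51.100.0/24 is a
# documentation range used here as a stand-in.
OWN_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def check_outside_source(src: str) -> str:
    """Verdict for a packet's source address seen on the outside interface."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return "drop: malformed source"
    if any(addr in net for net in NON_ROUTABLE):
        return "drop: non-routable source"
    if any(addr in net for net in OWN_NETS):
        return "drop: own address space arriving from outside"
    # Nothing in the address itself distinguishes a genuine routable
    # source from a forged one, so this is as far as the two checks go.
    return "pass: cannot be judged from the address alone"


# Constructed sample packets: (source address, what it really is).
# 203.0.113.7 is a documentation address standing in for a partner host.
SAMPLES = [
    ("10.1.2.3", "RFC 1918 source"),
    ("198.51.100.20", "inside host's address used from outside"),
    ("203.0.113.7", "partner's real traffic"),
    ("203.0.113.7", "someone forging the partner's address"),
]

if __name__ == "__main__":
    for src, truth in SAMPLES:
        print(f"{src:15} {truth:42} -> {check_outside_source(src)}")
```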