Firewall Wizards mailing list archives

Re: SANS Top Ten and Commercial Firewalls


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 04 Oct 2002 09:34:52 -0400

manatworkyes moderator wrote:

This is a very good question. I'd like to extend that question to other
security solutions. IDS for example: How many IDS systems can deal with the
slapper worm? How many AV block bugbear (before it was publicly available)?
Do you (or anyone else) know if there is any *network based generic*
security device that deals with the latest Solaris bug?

The engines that use anomaly detection can theoretically pick up 
some of this. For instance, by dropping traffic whose high level
protocol fields are oversized, use illegal values, or are otherwise 
malformed.

That, of course, assumes that there are standards for the fields
in question and application writers adhere to them so we don't
get a million false positives. :)

AV software's corresponding method would be heuristics but I
get the impression it hasn't been very effective. I suspect this
is due to the nature of a general purpose computer in a consumer's
hands...too many applications look like viruses and trojans :)

IMO, the SmartDefense stuff is more than signature blocking. It looks for
the roots of the problem. So, if SSLv2 is vulnerable, use only SSLv3.

I'd thought SmartDefense was smarter than that. The approach you described,
to me, would be analogous to "if IIS 4 is vulnerable, allow access only
to IIS 5 servers". Might not be a bad security policy but I was
expecting a little more sophistication. Along that vein however, I think 
I've seen products combining vulnerability detection, firewall, and IDS
functionality that could theoretically make possible a policy saying
"don't pass traffic to unpatched IIS servers".

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
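The anomaly-detection idea Gary describes (drop traffic whose high-level protocol fields are oversized, carry illegal values, or are otherwise malformed, rather than matching a signature for a specific worm) is easy to see in miniature for HTTP. The following is an added example, not code from the original post or from any product named in the thread; the size limits, the method whitelist and the three sample requests are constructed for illustration. Only the header-name token grammar follows the HTTP standard. The third sample shows the false-positive problem he raises: a client that violates the standard in a harmless way gets flagged exactly like an oversized field would.

```python
"""Toy protocol-field anomaly inspector for HTTP request heads.

Added example illustrating field-level anomaly detection: no knowledge of any
particular exploit, only of what a well-formed request is allowed to look like.
Limits and sample traffic below are constructed, not taken from any product.
"""
import re
from typing import List

# Constructed policy: what this inspector treats as "well-formed".
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_REQUEST_LINE = 2048   # bytes for "METHOD SP target SP version"
MAX_HEADER_NAME = 64
MAX_HEADER_VALUE = 1024
MAX_HEADER_COUNT = 32
# Header field names must be RFC 7230 "token" characters (this is standard).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


def inspect_request(raw: bytes) -> List[str]:
    """Return the list of anomaly reasons for one request; empty means pass."""
    reasons = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append(f"request line oversized ({len(request_line)} bytes)")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        reasons.append("request line malformed (expected METHOD SP target SP version)")
        return reasons
    method, target, version = parts
    if method.decode("latin-1") not in ALLOWED_METHODS:
        reasons.append(f"illegal method {method!r}")
    if not VERSION_RE.match(version.decode("latin-1")):
        reasons.append(f"illegal version {version!r}")
    if not target.startswith((b"/", b"http://", b"https://", b"*")):
        reasons.append(f"malformed request-target {target[:20]!r}")
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        reasons.append(f"too many headers ({len(headers)})")
    for h in headers:
        name, sep, value = h.partition(b":")
        if not sep:
            reasons.append(f"header without colon {h[:20]!r}")
            continue
        if len(name) > MAX_HEADER_NAME or not TOKEN_RE.match(name.decode("latin-1")):
            reasons.append(f"illegal header name {name[:20]!r}")
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"header {name!r} value oversized ({len(value)} bytes)")
        # Control bytes other than horizontal tab are never legal in a field value.
        if any(b < 0x20 and b != 0x09 for b in value) or 0x7F in value:
            reasons.append(f"header {name!r} value contains control bytes")
    return reasons


# Constructed sample traffic.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: test\r\n\r\n")
# An oversized field: dropped purely on size, without any signature.
OVERSIZED = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"X-Long: " + b"A" * 3000 + b"\r\n\r\n")
# A sloppy but harmless client (space in a header name): flagged the same way,
# which is the false-positive cost of enforcing the standard strictly.
SLOPPY = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"X Custom Header: yes\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED), ("sloppy", SLOPPY)):
        verdict = inspect_request(req)
        print(f"{label:9s} -> {'DROP ' + '; '.join(verdict) if verdict else 'pass'}")
```

Running it passes the first request and drops the other two; whether the third drop is acceptable is the policy question Gary raises, and in practice such an engine needs a per-application allowance for known non-conforming clients before it can be run in blocking mode.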