Firewall Wizards mailing list archives
Re: SANS Top Ten and Commercial Firewalls
From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 04 Oct 2002 09:34:52 -0400
manatworkyes moderator wrote:
> This is a very good question. I'd like to extend that question to other security solutions. IDS, for example: how many IDS systems can deal with the Slapper worm? How many AV products block Bugbear (before it was publicly available)? Do you (or anyone else) know if there is any *network based generic* security device that deals with the latest Solaris bug?
The engines that use anomaly detection can theoretically pick up some of this. For instance, by dropping traffic whose high level protocol fields are oversized, use illegal values, or are otherwise malformed. That, of course, assumes that there are standards for the fields in question and application writers adhere to them so we don't get a million false positives. :) AV software's corresponding method would be heuristics but I get the impression it hasn't been very effective. I suspect this is due to the nature of a general purpose computer in a consumer's hands...too many applications look like viruses and trojans :)
> IMO, the SmartDefense stuff is more than signature blocking. It looks for the roots of the problem. So, if SSLv2 is vulnerable, use only SSLv3.
I'd thought SmartDefense was smarter than that. The approach you described, to me, would be analogous to "if IIS 4 is vulnerable, allow access only to IIS 5 servers". Might not be a bad security policy but I was expecting a little more sophistication. Along that vein however, I think I've seen products combining vulnerability detection, firewall, and IDS functionality that could theoretically make possible a policy saying "don't pass traffic to unpatched IIS servers".

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
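The anomaly-based approach Gary describes above (drop traffic whose high-level protocol fields are oversized, use illegal values, or are otherwise malformed) can be illustrated with a small protocol-field checker. The following is an added example written for this archive page, not code from the list, from Gary Flynn, or from any product mentioned in the thread. It inspects HTTP request lines and headers against assumed, hand-picked limits (allowed methods, a 512-byte URI cap, a 1024-byte header-value cap, token-character header names, no control characters); the thresholds and the sample requests are constructed for illustration. The last sample is a long but legitimate query string, which shows the false-positive problem the message raises when applications do not stay inside the assumed norms.

```python
"""Toy anomaly-based filter for HTTP request lines and headers.

Flags requests whose protocol fields are oversized, use illegal values,
or are otherwise malformed. Every limit below is an assumption chosen
for illustration, not any real product's policy.
"""
import re
from dataclasses import dataclass

# Assumed policy: methods the protected server is expected to serve,
# and conservative size caps for the URI and each header value.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URI_LEN = 512
MAX_HEADER_VALUE_LEN = 1024
# Header names must be RFC 2616 "token" characters only.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_request(raw: str) -> Verdict:
    """Return an allow/drop verdict naming the first anomaly found."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"illegal method {method!r}")
    if len(uri) > MAX_URI_LEN:
        return Verdict(False, f"oversized URI ({len(uri)} bytes)")
    if not VERSION_RE.match(version):
        return Verdict(False, f"illegal version {version!r}")
    for header in lines[1:]:
        if header == "":
            break  # blank line ends the header block
        name, sep, value = header.partition(":")
        if not sep or not TOKEN_RE.match(name):
            return Verdict(False, f"malformed header {header!r}")
        if len(value.strip()) > MAX_HEADER_VALUE_LEN:
            return Verdict(False, f"oversized header {name}")
        if any(ord(c) < 0x20 and c != "\t" for c in value):
            return Verdict(False, f"control characters in header {name}")
    return Verdict(True, "within protocol norms")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "oversized_uri": "GET /" + "A" * 2000 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_method": "TRACK / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "control_chars": "GET / HTTP/1.1\r\nHost: www.example.com\x00\r\n\r\n",
    # Legitimate but non-conforming client: the false-positive case.
    "long_but_legit": "GET /report?"
    + "&".join(f"f{i}=1" for i in range(200))
    + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def run_samples() -> dict:
    """Inspect every constructed sample and return name -> Verdict."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:15} {'ALLOW' if v.allowed else 'DROP ':5} {v.reason}")
```

The `long_but_legit` sample is dropped for an oversized URI even though nothing about it is hostile; in practice the caps have to be tuned per application, which is exactly the standards-and-conformance assumption the message points out.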