Firewall Wizards mailing list archives
RE: Lists of IP's we should be blocking
From: Mark.Boltz () stonesoft com
Date: Sun, 12 Dec 2004 18:58:11 -0500
Hi,
> On a professional level I wouldn't like to cut legitimate clients off. On a personal level I believe that all hackers (in the criminal sense of the word) should be hung from the nearest flagpole, or absenting that, covered in honey and staked over an ant nest. They're like the drivers in South
Yeah, presuming you give them due process first. :-)
> It's all blame the hacker, blame the writer of the program, blame the insecure operating system or lack of firewalling or whatever. Slashdot carried an article about George Tenet saying that only security-aware people should be allowed access to the global internet and the users. And the
Ah but for the security stuff, often-times it *IS* still us to blame. I'm certainly not going to get my mom and dad to accomplish more than basic security on their home PC. I at least got them to put on a personal firewall, keep up with Windows updates and the latest anti-virus. And that's more than some. But you'll never get the dumbest off the 'net by making it based on security, because there won't be enough business/commerce/etc. then. I'd love to personally go back to 1990 sometimes, when I was at a university, and universities were pretty much the only ones connected. But then the security was much worse, and the 'net nowhere near as interesting as it is now. So nah, killing all the users isn't the answer. :-)
> Now here's a plan I've been working on, and partly built in our network. It's a temporary blacklist based on Snort IDS and our PIXes. Working from inside to out, if Snort detects an intrusion on the network, we dynamically throw them into the shun list for five minutes at which point they get
Wonderful. So all I need to piss off your customers is to spoof their IPs and have your system do the rest of the work... :-) The problem with all of these ideas is that they rely on stuff that is based on the machines and technology, not the users, for identification.
> So what about this? You take several hundred Snort-based detectors scattered around the Internet, all reporting to a small number of highly secure machines via custom software. These IDS keep a lookout for a limited number of intrusions and report first and repeat offenses to the central machines. Based on frequency of offenses, number of repeat offenses and severity of the offense, the source of the offense goes into a blacklist and e-mail is sent to the abuse@ address. Use this to put pressure on ISPs to detect and block this sort of thing in the same way, offer them the software solution for free to let them do it.
How about we just get the ISPs to put the proper ingress and egress filtering in their routers and switches in the first place? If everyone upstream would do that, I should not see most of the virus traffic and scans in the first place. Just cover the SANS Top 10 in general and really, truly ONLY ALLOW WHAT IS NEEDED. Linksys, NetGear and D-Link could do the world a favor and configure home cable/DSL routers to only allow HTTP, SMTP, and FTP out by default. Instead of everything, including NetBIOS and other stuff that should never leave the local LAN. The rest of us who need other services should be capable enough to configure it to be more open. Really, "whack a mole" (credit to mjr?) is not the answer... the problem is people allow much more than just known good traffic.

Mark Boltz
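The exchange above turns on two related points: an IDS-driven auto-shun trusts a source address that an attacker can spoof, and source-address spoofing is exactly what BCP 38 style egress filtering at the attacker's ISP prevents, alongside a default-deny outbound policy on home routers. The following toy model is an added example written for this archive page, not code from Mark Boltz, Bruce Smith or any product named in the thread. The addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the rule sets and the "alert" are all constructed; the PIX shun is modelled as a plain set with no timer.

```python
"""Toy model of ISP egress filtering (BCP 38), a default-deny home router
policy, and the IDS auto-shun problem discussed in the thread.
Added example; all addresses, rule sets and alerts are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# --- ISP edge: BCP 38 egress filtering --------------------------------
def isp_egress_ok(pkt, customer_prefixes):
    """A packet may leave a customer network only if its source address
    actually belongs to that network; any other source is spoofed."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in customer_prefixes)


# --- Home router: only allow what is needed ---------------------------
# Assumed allow-list taken from the post: HTTP, SMTP and FTP out only.
HOME_EGRESS_ALLOW = {("tcp", 80), ("tcp", 25), ("tcp", 21)}
# NetBIOS/SMB ports that should never leave the local LAN.
NEVER_LEAVE_LAN = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def home_router_egress_ok(pkt):
    """Default deny: only explicitly listed outbound services pass."""
    key = (pkt.proto, pkt.dport)
    if key in NEVER_LEAVE_LAN:
        return False
    return key in HOME_EGRESS_ALLOW


# --- Victim site: IDS alert feeds a firewall shun list -----------------
class AutoShun:
    """Models 'Snort alert -> shun the source on the PIX' (no timer)."""

    def __init__(self):
        self.shunned = set()

    def on_alert(self, pkt):
        # The IDS sees only a source address, not who really sent it.
        self.shunned.add(pkt.src)

    def ingress_ok(self, pkt):
        return pkt.src not in self.shunned


def spoof_scenario(isp_filters_egress):
    """An attacker on 203.0.113.0/24 sends an 'attack' packet carrying
    the source address of a legitimate customer (198.51.100.7) to the
    victim site (192.0.2.10). Returns True if the legitimate customer
    can still reach the victim afterwards."""
    attacker_isp_prefixes = [ipaddress.ip_network("203.0.113.0/24")]
    victim = AutoShun()
    spoofed = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    # The spoofed packet first has to cross the attacker's ISP edge.
    if not isp_filters_egress or isp_egress_ok(spoofed, attacker_isp_prefixes):
        # Constructed: the victim's IDS fires on this packet and the
        # firewall shuns the source address it saw.
        victim.on_alert(spoofed)
    legit = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    return victim.ingress_ok(legit)


if __name__ == "__main__":
    print("ISP filters egress, customer still reachable:", spoof_scenario(True))
    print("ISP does not filter, customer still reachable:", spoof_scenario(False))
```

The model makes the argument concrete: the victim cannot tell a spoofed packet from a real one, so an auto-shun that keys on source address punishes whoever the attacker names; only filtering at the network the packet actually originates from stops it before the alert ever fires.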
Current thread:
- Lists of IP's we should be blocking Bruce Smith (Dec 11)
- Re: Lists of IP's we should be blocking Devdas Bhagat (Dec 12)
- Re: Lists of IP's we should be blocking Crispin Cowan (Dec 12)
- Re: Lists of IP's we should be blocking Adam Shostack (Dec 12)
- Re: Lists of IP's we should be blocking Paul D. Robertson (Dec 12)
- Re: Lists of IP's we should be blocking Crispin Cowan (Dec 12)
- Re: Lists of IP's we should be blocking Paul D. Robertson (Dec 12)
- RE: Lists of IP's we should be blocking Bruce Smith (Dec 12)
- RE: Lists of IP's we should be blocking Mark . Boltz (Dec 12)
- Re: Lists of IP's we should be blocking Adam Shostack (Dec 12)