Snort mailing list archives

Re: Cisco PIX firwalls..


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 17 Apr 2002 23:14:00 -0500

On Mon, 2002-04-15 at 14:27, counter.spy () gmx de wrote:
I don't know if anyone is interested in a newbie's opinion :)

But I would like to tell you that I _completely_ agree with Erek.
Firstly I need to say that I was very fond of active response mechanisms
_before_ I tested those. It seemed to be a cool thing.
What I found out:
You can run into a _hell_ of problems using active response mechanisms.
An example:
Take a RealSecure Server Sensor with default Windows_Maximum signatures.
If an attack occurs that triggers a blocking rule, the attacking host will
be blocked for half an hour. 
Okay, if I send fake attacks with spoofed IPs I can even prevent the admins
from connecting to their machines or prevent the IDS components from being
connected to by the console :(

Another example - active Firewall reconfiguration.
From what I know, you can only block an IP address or a service.
Wanna DOS a service? If a site uses active Firewall reconfiguration
you simply have to send lots and lots of spoofed attacks and the whole
damned Internet will be unable to connect to the site (okay, maybe this is
somewhat exaggerated, but you *really* can generate a lot of trouble).


Detmar,

take a look at SnortSam (http://wwww.snortsam.net). Your (and Erek's)
concerns are valid, but can be countered with a better implementation
(one that does not just do a blind block). I tried to put these
countermeasures in SnortSam because ... well... I was scared myself :) 
Using the threshold mechanism will detect a DoS and turn the active
response off until the attack ends. Also, I strongly recommend blocking
only for short time intervals, not permanently. Well... anyway.... check
out SnortSam and let me know if you have any other suggestions to make
active response safer.

Regards,
Frank
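The safeguards Frank describes (short-lived blocks, and a threshold that switches active response off while a flood of alerts is in progress), as an added example that is not part of the thread and not SnortSam's own code. The class, its parameters and the sample alert stream are assumptions made for illustration; the point is that a spoofed-source flood exhausts the threshold and suspends blocking instead of locking out the Internet, and admin/console addresses are never blocked at all.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class ActiveResponder:
    """Simulated active-response controller with the thread's countermeasures.

    Hypothetical design (not SnortSam's): every block expires after
    block_seconds, addresses in never_block are exempt, and blocking is
    suspended while more than `threshold` block requests arrive within
    `window` seconds, i.e. while a flood of (probably spoofed) alerts lasts.
    """

    def __init__(self, block_seconds=600, never_block=(), threshold=20, window=60):
        self.block_seconds = block_seconds
        self.never_block = [ip_network(n) for n in never_block]
        self.threshold = threshold
        self.window = window
        self.blocked = {}        # ip string -> expiry time
        self.requests = deque()  # timestamps of recent block requests

    def _expire(self, now):
        # Drop blocks whose interval has passed and requests outside the window.
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]
        while self.requests and self.requests[0] <= now - self.window:
            self.requests.popleft()

    def request_block(self, ip, now):
        """Return 'protected', 'suspended' or 'blocked' for an alert at time now."""
        self._expire(now)
        addr = ip_address(ip)
        if any(addr in net for net in self.never_block):
            return "protected"   # admin/console hosts are never locked out
        self.requests.append(now)
        if len(self.requests) > self.threshold:
            # Too many block requests in the window: treat it as a flood aimed
            # at the responder itself and stop blocking until it subsides.
            return "suspended"
        self.blocked[str(addr)] = now + self.block_seconds
        return "blocked"

    def is_blocked(self, ip, now):
        self._expire(now)
        return ip in self.blocked


def simulate(events, responder):
    """events: constructed list of (time, source_ip) alerts; returns actions."""
    return [responder.request_block(ip, t) for t, ip in events]
```

Feed it ten alerts from ten different (spoofed) sources one second apart with a threshold of five: the first five are blocked, the rest are refused, and once the window has drained a fresh alert is blocked again because the flood is over.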
