RE: SHUN

[Frank Knobbe <fknobbe () knobbeits com>]

On Tue, 2002-12-03 at 14:19, ams67 wrote:
> Thank you for your clear explanation.
> However, I still have a possible 'lame' question to ask. :-)
> Please correct me if I am wrong. If I am the attacker and I do not want
> my ip address blocked by SnortSam, I could lunch a syn-flood attack so I
> achieve a kind of 'fail-open' status. In the meantime, I lunch the real
> attack that will not be blocked as I managed to reach the threshold from
> my previous syn-attack. In this way I can easily evade the functionality
> of SnortSam.

That is correct. If you know that an environment is using SnortSam, and
the admin has the rollback mechanism enabled, then yes, you can pry (and
hold) SnortSam open (your normal firewall rules still apply). There is
no silver bullet for security. The way SnortSam works, I rather have it
fail open than shut. It is designed to augment your security setup, not
replace it. For me, it's perfect to blind scanners and prevent certain
exploits.

There are other devices, like WatchGuards Firebox, that will keep
blocking (afaik) upon detection of a scan. They might be more
susceptible to a DoS.

> I understand that in security, nothing is foolproof, however I still
> think that now tool like SnortSam or Guardian are still too 'fool' to be
> used in a productive/operational environment. 

As I said, WatchGuard uses it in production. And yes, it may not be for
every environment. Neither are Intrusion Protection Devices like
Hogwash.

The security tools, that we currently have, are all in its infancy.
Except maybe firewalls/packet filters. IDS' still suck (except Snort ;)
due to false positives. It all needs time to mature.

Frank

Attachment: signature.asc
Description: This is a digitally signed message part