Firewall Wizards mailing list archives
Re: FW MIB - was: How do you fight an attack in progress?
From: sangster () reston ans net (Paul Sangster)
Date: Wed, 24 Sep 1997 09:33:55 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
> The firewall MIB thing didn't go far due to my lack of time, minor show of interest and few contributions. Besides, an IETF group tackled the job of defining a general purpose management MIB and even scripting standards to go with it. Alas, every one of their drafts that I managed to look at so far simply says "this document does not address security". As a nod to security the agreed upon transport was (?) SNMPv2. I really should take a day to catch up on their activity, and then take a minute to post to their mailing list and bitch.
Too bad, a well-defined firewall MIB would have been useful for the industry. We support MIB-II and HR-MIB, but those don't give proxy/firewall specific details that many customers would be looking for. As for SNMP (the protocol), political battles prevented security from being an integral part of SNMPv2 when it was being defined. I hear the IETF is going to give it another go. The effort wasn't a total loss as some good security approaches came out of it that affected other efforts.
> Question, would adding an MD5 hash/signature to each packet create huge amounts of processor overhead? My understanding is MD5 or signatures are generally low cost.
I don't believe that MD5ing the packets is enough to consider it secured. That will just provide fancy checksumming (message digesting). You'll need some type of secret (or public) keying system to facilitate a signature that the management station could use to authenticate the traffic. I think there is also value in encrypting the traffic so remote "set" operations can be done securely and privately. We have something along these lines coming out this year.
> Currently at least some firewalls send SNMP traps as part of an alarm situation. Those could trigger action scripts in the management systems. The problem is defining all the actions you want the system to start taking and gluing all the finger/trace modules on different systems together. Some AI log analysis would be nice. Some network management systems now have programmable agents on remote hosts. You might be able to set those up to launch higher-processing-cost custom-written intrusion-monitors when they get SNMP commands from the central system.
Having a central intrusion detection system at your management station could be of real benefit, so it can use inputs from a variety of different machines (e.g. if you have lots of different security perimeter machines). Today, some firewall vendors (like ANS) have added automated intrusion detection on the firewall and have it do the reaction to the detected event (including sending of pages, SNMP traps ... to the management station). If the reaction software is flexible it could be set up to send a summary of the logs that were considered significant to a central node for a more focused analysis along with other perimeter inputs. In general, I like the idea of having the firewall take immediate action when an attack appears to be in effect (this should be configurable as everyone has a different idea of when they are being attacked ;-)). One problem with having the management station telling the perimeter machines to perform countermeasures is that the protocol to the perimeter better be reliable and secure or it could be attacked or replayed by the bad guy to create a diversion to mask their real intentions (okay, maybe I watched too many Hogan's Heroes episodes :-)).

Paul

PS: For information on the InterLock's intrusion detection capability, see http://www.ans.net/InterLock/Papers/IL-TB_Thresholder.html.
> Adam
> ---------------
> Adam Safier, Network Engineer/Security Consultant
> GE Information Services, Inc.
> 401 North Washington St., Rockville, Md. 20850
> Ph: 301-340-5737 Internal: 8*273-5737 Fax: 301-340-4005
> Adam.Safier () geis ge com http://www.geis.com
> I'm proud to live in a country where I can express my personal opinions. The opinions above may not be shared by my employer.
> ---------------
> -----Original Message-----
> From: John Lines [SMTP:John.Lines () aeat co uk]
> Sent: Tuesday, September 23, 1997 9:24 AM
> To: firewall-wizards () nfr net
> Subject: Re: How do you fight an attack in progress?
> ....
> While on the topic of alerts - there was discussion of a Firewalls MIB on the firewalls list quite a long time ago - did anything come of it? Many organisations have an existing alerting structure to handle on call support people, duty incident managers etc., often based around an SNMP system. (In the context of this thread I am not sure how useful a Firewalls MIB can be for conveying the full alarm state of the firewall, as to write a MIB you must decide in advance what the full set of alarm conditions might be. When this was last being discussed there was no need for an alarm for "Content Vectoring Protocol scanner has discovered an Internet Explorer exploit in some web page".)
> John Lines
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNCkWwgrwW0NaS5JJAQF63wL9HcEq+LSkFSnNx+NKleX9H9Krf1HgiU6+
FrlsLpLE0BbnKUIBowbOirEDVYqMCVc+UFLF+4RxGV5GKXPAlyX4bjePdFJf8DEM
IQdGrt2gDwrUOCGuEz0TQ+fUfEZ8jInI
=eaqW
-----END PGP SIGNATURE-----
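The exchange above makes two points about securing management traffic: a bare MD5 digest is only a checksum, since anyone can recompute it after altering the message, and a command channel to the perimeter must also resist replay. The following Python is an added example, not code from the list message or from any of the products named in it. It contrasts a digest-only tag with a keyed authenticator (HMAC-SHA256 is used here as a modern stand-in for the "secret keying system" Paul describes) and adds a sequence number plus timestamp window so a captured command cannot be played back. The key, the timestamps and the `set ifAdminStatus` command strings are constructed demo values, and the message framing is an invented `seq|timestamp|command` layout rather than a real SNMP PDU.

```python
import hashlib
import hmac

# Constructed demo values: not real keys and not real SNMP encoding.
SHARED_KEY = b"constructed-demo-key"   # assumed pre-shared between station and firewall
OTHER_KEY = b"some-other-key"           # a party that does not hold the shared key
MAX_SKEW_S = 30.0                       # accepted clock skew for message timestamps


def md5_tag(msg: bytes) -> bytes:
    """Digest only: anyone can recompute this, so it detects corruption, not forgery."""
    return hashlib.md5(msg).digest()


def verify_md5_only(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(md5_tag(msg), tag)


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed authenticator: only holders of the key can produce a tag that verifies."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


class ReplayWindow:
    """Per-peer state: strictly increasing sequence number plus a freshness window."""

    def __init__(self, max_skew_s: float = MAX_SKEW_S):
        self.last_seq = -1
        self.max_skew_s = max_skew_s

    def accept(self, seq: int, ts: float, now: float) -> bool:
        if seq <= self.last_seq:              # already seen or older: replay
            return False
        if abs(now - ts) > self.max_skew_s:   # too old, or too far in the future
            return False
        self.last_seq = seq
        return True


def build_message(key: bytes, seq: int, ts: float, command: str):
    """Station side: frame the command and authenticate seq, timestamp and body together."""
    body = f"{seq}|{ts:.3f}|{command}".encode()
    return body, hmac_tag(key, body)


def receive(key: bytes, window: ReplayWindow, body: bytes, tag: bytes, now: float) -> str:
    """Firewall side: check the authenticator first, then freshness, then act."""
    if not verify_hmac(key, body, tag):
        return "reject: bad authenticator"
    seq_s, ts_s, command = body.decode().split("|", 2)
    if not window.accept(int(seq_s), float(ts_s), now):
        return "reject: replay or stale"
    return f"accept: {command}"


def demo() -> dict:
    r = {}
    cmd = b"set ifAdminStatus.3 down"
    altered = b"set ifAdminStatus.1 down"

    # 1. Digest only: a message altered in transit with its digest recomputed still verifies.
    r["md5_genuine"] = verify_md5_only(cmd, md5_tag(cmd))
    r["md5_altered"] = verify_md5_only(altered, md5_tag(altered))

    # 2. Keyed authenticator: a tag computed without the shared key does not verify.
    r["hmac_genuine"] = verify_hmac(SHARED_KEY, cmd, hmac_tag(SHARED_KEY, cmd))
    r["hmac_wrong_key"] = verify_hmac(SHARED_KEY, altered, hmac_tag(OTHER_KEY, altered))

    # 3. Replay protection: the same valid message is accepted once, a stale one never.
    now = 1_000_000.0                       # constructed clock value
    window = ReplayWindow()
    body, tag = build_message(SHARED_KEY, 1, now, "set ifAdminStatus.3 down")
    r["first"] = receive(SHARED_KEY, window, body, tag, now)
    r["replayed"] = receive(SHARED_KEY, window, body, tag, now + 1.0)
    body2, tag2 = build_message(SHARED_KEY, 2, now - 600.0, "set ifAdminStatus.3 up")
    r["stale"] = receive(SHARED_KEY, window, body2, tag2, now + 2.0)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sequence number and timestamp are inside the authenticated body, so a replayed or re-timestamped command cannot be patched up without the key; the firewall keeps only a small per-peer counter, which is what makes the check cheap enough to run on every management packet.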