Firewall Wizards mailing list archives

Re: FW MIB - was: How do you fight an attack in progress?


From: sangster () reston ans net (Paul Sangster)
Date: Wed, 24 Sep 1997 09:33:55 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----


The firewall MIB thing didn't go far due to my lack of time, minor show
of interest and few contributions. Besides, an IETF group tackled the
job of defining a general purpose management MIB and even scripting
standards to go with it.  Alas, every one of their drafts that I managed
to look at so far simply say "this document does not address security".
As a nod to security the agreed upon transport was (?) SNMPv2.  I really
should take a day to catch up on their activity, and then take a minute
to post to their mailing list and bitch.

Too bad, a well-defined firewall MIB would have been useful for the
industry.  We support MIB-II and HR-MIB, but those don't give proxy/firewall
specific details that many customers would be looking for.  As for SNMP
(the protocol), political battles prevented security from being an integral
part of SNMPv2 when it was being defined.  I hear the IETF is going to give
it another go.  The effort wasn't a total loss as some good security
approaches came out of it that affected other efforts.


Question, would adding an MD5 hash/signature to each packet create huge
amounts of processor overhead?  My understanding is MD5 or signatures
are generally low cost.

I don't believe that MD5ing the packets is enough to consider it
secured.  That will just provide fancy checksumming (message digesting).
You'll need some type of secret (or public) keying system to facilitate
a signature that the management station could use to authenticate the
traffic.  I think there is also value in encrypting the traffic so
remote "set" operations can be done securely and privately.  We have
something along these lines coming out this year.


Currently at least some firewalls send SNMP traps as part of an alarm
situation.  Those could trigger action scripts in the management
systems.  The problem is defining all the actions you want the system to
start taking and gluing all the finger/trace modules on different
systems together.  Some AI log analysis would be nice.  Some network
management systems now have programmable agents on remote hosts. You
might be able to set those up to launch higher-processing-cost
custom-written intrusion-monitors when they get SNMP commands from the
central system.

Having a central intrusion detection system at your management station
could be of real benefit, so it can use inputs from a variety of
different machines (e.g. if you have lots of different security
perimeter machines).  Today, some firewall vendors (like ANS) have
added automated intrusion detection on the firewall and have it do
the reaction to the detected event (including sending of pages,
SNMP traps ... to the management station).  If the reaction software is
flexible it could be set up to send a summary of the logs that were
considered significant to a central node for a more focused analysis
along with other perimeter inputs.

In general, I like the idea of having the firewall take immediate action
when an attack appears to be in effect (this should be configurable as
everyone has a different idea of when they are being attacked ;-)).  One
problem with having the management station telling the perimeter
machines to perform countermeasures is that the protocol to the
perimeter better be reliable and secure or it could be attacked or
replayed by the bad guy to create a diversion to mask their real
intentions (okay maybe I watched too many Hogan's Heroes episodes :-)).

Paul

PS: For information on the InterLock's intrusion detection capability, 
see http://www.ans.net/InterLock/Papers/IL-TB_Thresholder.html.


Adam

---------------
Adam Safier,  Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737    Internal: 8*273-5737   Fax: 301-340-4005
Adam.Safier () geis ge com        http://www.geis.com

I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------


-----Original Message-----
From:       John Lines [SMTP:John.Lines () aeat co uk]
Sent:       Tuesday, September 23, 1997 9:24 AM
To: firewall-wizards () nfr net
Subject:    Re: How do you fight an attack in progress? 

      ....

While on the topic of alerts - there was discussion of a Firewalls MIB on
the firewalls list quite a long time ago - did anything come of it ?
Many organisations have an existing alerting structure to handle on call
support people, duty incident managers etc, often based around an SNMP
system.
(In the context of this thread I am not sure how useful a Firewalls MIB can
be for conveying the full alarm state of the firewall, as to write a MIB you
must decide in advance what the full set of alarm conditions might be.
When this was last being discussed there was no need for an alarm for
"Content Vectoring Protocol scanner has discovered an Internet Explorer exploit
in some web page".)


            John Lines




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNCkWwgrwW0NaS5JJAQF63wL9HcEq+LSkFSnNx+NKleX9H9Krf1HgiU6+
FrlsLpLE0BbnKUIBowbOirEDVYqMCVc+UFLF+4RxGV5GKXPAlyX4bjePdFJf8DEM
IQdGrt2gDwrUOCGuEz0TQ+fUfEZ8jInI
=eaqW
-----END PGP SIGNATURE-----
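Added example (not part of the thread above, and not ANS's or any vendor's code): a small illustration of the two points made in the reply, that an unkeyed MD5 over a trap is only a checksum anyone can recompute, whereas a keyed MAC needs the shared secret, and that a management channel without replay protection lets an attacker re-send an old, validly authenticated alarm as a diversion. It assumes a pre-shared key between the perimeter box and the management station, uses HMAC-SHA256 in place of the 1997-era schemes mentioned, and the trap field names (src, seq, event, peer) are invented for the example.

```python
"""Keyed authentication and replay protection for a perimeter-to-management
alarm channel. Added example; field names and the key are assumptions."""
import hashlib
import hmac
import json

# Constructed sample trap, as the firewall might send it to the management
# station. Hypothetical field names, not from any real MIB.
SAMPLE_TRAP = {"src": "fw1", "seq": 7, "event": "portscan", "peer": "192.0.2.10"}


def encode(msg: dict) -> bytes:
    """Canonical encoding so both ends hash exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def md5_tag(msg: dict) -> str:
    """Unkeyed digest: a checksum, not authentication. Anyone can compute it."""
    return hashlib.md5(encode(msg)).hexdigest()


def md5_verify(msg: dict, tag: str) -> bool:
    return hmac.compare_digest(md5_tag(msg), tag)


def hmac_tag(key: bytes, msg: dict) -> str:
    """Keyed MAC: only holders of the shared secret can produce a valid tag."""
    return hmac.new(key, encode(msg), hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, msg: dict, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


class Receiver:
    """Management-station side: authenticate each trap, then reject replays
    by requiring a strictly increasing sequence number per sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # sender -> highest sequence number accepted

    def accept(self, msg: dict, tag: str) -> bool:
        if not hmac_verify(self.key, msg, tag):
            return False  # forged, or tampered after signing (seq included)
        src, seq = msg["src"], msg["seq"]
        if seq <= self.last_seq.get(src, -1):
            return False  # replay of an already-seen trap
        self.last_seq[src] = seq
        return True


def forge_with_md5(original: dict):
    """Attacker with no secret rewrites the trap (here: clears the alarm) and
    attaches a perfectly valid MD5 tag."""
    fake = dict(original, event="none")
    return fake, md5_tag(fake)


def demo():
    key = b"shared-secret-between-fw-and-nms"  # assumption: pre-shared out of band
    fake, fake_tag = forge_with_md5(SAMPLE_TRAP)
    md5_forgery_accepted = md5_verify(fake, fake_tag)          # True
    hmac_forgery_accepted = hmac_verify(key, fake, hmac_tag(b"guess", fake))  # False
    rx = Receiver(key)
    tag = hmac_tag(key, SAMPLE_TRAP)
    first_delivery = rx.accept(SAMPLE_TRAP, tag)                # True
    replayed_delivery = rx.accept(SAMPLE_TRAP, tag)             # False
    return md5_forgery_accepted, hmac_forgery_accepted, first_delivery, replayed_delivery


if __name__ == "__main__":
    print(demo())
```

The sequence number is covered by the MAC, so an attacker can neither bump it on a captured trap nor strip it; the same applies in the other direction to "set"/countermeasure commands from the management station, which is where a replay does the most damage.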


