Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: John Lines <John.Lines () aeat co uk>
Date: Tue, 23 Sep 1997 14:24:17 +0100

Neil Readwin wrote:


Just have the firewall page you when someone successfully gets in. If
that happens too frequently for your peace of mind then go out and buy
a better firewall. Neil.


Ah, you mean when someone almost successfully gets in. By definition a
truly successful intruder is the one who is completely undetected by your
system.

The idea behind having alarms for the known attacks is the hope that the
intruder will trip one of those early on, for example by trying some known
exploit, before they go on to try their novel variation which bypasses your
security.

When I see an alarm which indicates that someone has tried something unusually
devious I scan our logs to try to identify their history, and do an extra
Tripwire run to see if they did get in anywhere.

The whole area of where to set off alarms and where to just log for later
analysis is tricky, and changes over time. Some probes, for example a simple
port scan, are so remote from any chance of breaking in (to a real firewall,
rather than an end user machine) that they should be logged rather than being
an alarm. Firewall vendors should provide a flexible logging and alerting
interface so that this can be tailored according to the requirements of
their customers.

While on the topic of alerts - there was discussion of a Firewalls MIB on
the firewalls list quite a long time ago - did anything come of it?
Many organisations have an existing alerting structure to handle on-call
support people, duty incident managers etc., often based around an SNMP system.
(In the context of this thread I am not sure how useful a Firewalls MIB can
be for conveying the full alarm state of the firewall, as to write a MIB you
must decide in advance what the full set of alarm conditions might be.
When this was last being discussed there was no need for an alarm for
"Content Vectoring Protocol scanner has discovered an Internet Explorer exploit
in some web page".)


                John Lines
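The post argues for a tunable split between events that page someone and events that are only logged, and for pulling a source's log history when an alarm fires. The following is an added illustration, not code from the post or from any firewall product: it runs a site-adjustable policy over constructed firewall log lines, treats a simple port scan as log-only while a signature match raises an alarm, and attaches each alarm's prior history for the same source. The log format, field names, `DEFAULT_POLICY` and `SCAN_THRESHOLD` are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines; not from the original post.
SAMPLE_LOG = """\
1997-09-23T13:50:01 src=192.0.2.10 dport=23 event=connect
1997-09-23T13:50:02 src=192.0.2.10 dport=25 event=connect
1997-09-23T13:50:03 src=192.0.2.10 dport=80 event=connect
1997-09-23T13:50:04 src=192.0.2.10 dport=110 event=connect
1997-09-23T14:01:10 src=203.0.113.7 dport=25 event=sig_match
1997-09-23T14:01:11 src=192.0.2.10 dport=25 event=sig_match
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) event=(?P<event>\S+)")

# Hypothetical policy: which event kinds page the on-call person ("alarm")
# and which are only recorded for later analysis ("log"). A site retunes
# this table rather than the code.
DEFAULT_POLICY = {"sig_match": "alarm", "port_scan": "log", "connect": "log"}
SCAN_THRESHOLD = 3  # distinct ports from one source before we call it a scan


def parse(log):
    """Parse the assumed key=value log format into a list of dicts."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log.splitlines()) if m]


def triage(log, policy=DEFAULT_POLICY):
    """Return (alarms, logged); each alarm carries the source's prior history."""
    history = defaultdict(list)  # src -> events already seen from that source
    alarms, logged = [], []
    for ev in parse(log):
        src, kind = ev["src"], ev["event"]
        prior = history[src]
        # Promote repeated connects from one source to a synthesized port_scan
        # once it has touched enough distinct ports.
        ports = {e["dport"] for e in prior} | {ev["dport"]}
        if kind == "connect" and len(ports) >= SCAN_THRESHOLD:
            kind = "port_scan"
        if policy.get(kind, "log") == "alarm":
            alarms.append({"ts": ev["ts"], "src": src, "event": kind,
                           "prior_events": len(prior),
                           "prior_ports": sorted(int(e["dport"]) for e in prior)})
        else:
            logged.append((ev["ts"], src, kind))
        prior.append(ev)
    return alarms, logged
```

Passing a policy with `"port_scan": "alarm"` pages on the scan as well, which is the kind of per-customer tailoring the post asks vendors to expose.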

