Firewall Wizards mailing list archives
Re: How do you fight an attack in progress?
From: John Lines <John.Lines () aeat co uk>
Date: Tue, 23 Sep 1997 14:24:17 +0100
Neil Readwin wrote:

> Just have the firewall page you when someone successfully gets in. If that happens too frequently for your peace of mind then go out and buy a better firewall. Neil.

Ah, you mean when someone almost successfully gets in. By definition a truly successful intruder is the one who is completely undetected by your system. The idea behind having alarms for the known attacks is the hope that the intruder will trip one of those early on, for example by trying some known exploit, before they go on to try their novel variation which bypasses your security.

When I see an alarm which indicates that someone has tried something unusually devious I scan our logs to try to identify their history, and do an extra Tripwire run to see if they did get in anywhere.

The whole area of where to set off alarms and where to just log for later analysis is tricky, and changes over time. Some probes, for example a simple port scan, are so remote from any chance of breaking in (to a real firewall, rather than an end user machine) that they should be logged rather than being an alarm. Firewall vendors should provide a flexible logging and alerting interface so that this can be tailored according to the requirements of their customers.

While on the topic of alerts - there was discussion of a Firewalls MIB on the firewalls list quite a long time ago - did anything come of it? Many organisations have an existing alerting structure to handle on-call support people, duty incident managers etc, often based around an SNMP system. (In the context of this thread I am not sure how useful a Firewalls MIB can be for conveying the full alarm state of the firewall, as to write a MIB you must decide in advance what the full set of alarm conditions might be. When this was last being discussed there was no need for an alarm for "Content Vectoring Protocol scanner has discovered an Internet Explorer exploit in some web page".)

John Lines
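The log-versus-alarm split John describes (a bare port scan is logged, a known-exploit attempt pages someone, and a source with scan history gets a closer look) can be expressed as a small, tailorable policy. The following is an added illustration, not code from the list or from any firewall product; the log line format, the sample lines and the thresholds are constructed for the example.

```python
"""Tiered log-vs-alert policy over constructed firewall log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<time> <src> <dst_port> <verdict> <tag>" (not a real product format)
SAMPLE_LOG = """\
100 203.0.113.5 21 deny probe
101 203.0.113.5 22 deny probe
102 203.0.113.5 23 deny probe
103 203.0.113.5 25 deny probe
104 203.0.113.5 80 deny probe
105 198.51.100.7 80 allow http
106 203.0.113.5 25 deny known-exploit
"""

SCAN_PORTS = 5    # distinct ports from one source within SCAN_WINDOW count as a port scan
SCAN_WINDOW = 60  # seconds

@dataclass
class Policy:
    levels: dict  # event tag -> "log" or "alert"; unknown tags default to "log"

def classify(log_text, policy):
    """Return (alerts, log_only); each entry is (time, src, reason)."""
    alerts, log_only = [], []
    probes = defaultdict(list)   # src -> recent [(time, port)] within the window
    scanned = set()              # sources already recorded as port scanners
    for line in log_text.splitlines():
        t, src, port, verdict, tag = line.split()
        t, port = int(t), int(port)
        if tag == "probe":
            # keep only probes inside the sliding window, then add this one
            probes[src] = [(pt, pp) for pt, pp in probes[src] if t - pt <= SCAN_WINDOW]
            probes[src].append((t, port))
            if len({pp for _, pp in probes[src]}) >= SCAN_PORTS and src not in scanned:
                scanned.add(src)
                log_only.append((t, src, "port scan"))   # logged, never an alarm
            continue
        level = policy.levels.get(tag, "log")
        if level == "alert" and src in scanned:
            alerts.append((t, src, f"{tag} after port scan"))  # history is worth noting
        elif level == "alert":
            alerts.append((t, src, tag))
        else:
            log_only.append((t, src, tag))
    return alerts, log_only

DEFAULT_POLICY = Policy(levels={"known-exploit": "alert", "http": "log"})

if __name__ == "__main__":
    for kind, items in zip(("ALERT", "LOG"), classify(SAMPLE_LOG, DEFAULT_POLICY)):
        for t, src, reason in items:
            print(kind, t, src, reason)
```

Changing the `levels` map or the scan thresholds is the per-site tailoring the message asks vendors to expose.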