Firewall Wizards mailing list archives
FW MIB - was: How do you fight an attack in progress?
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Tue, 23 Sep 1997 20:04:18 -0400
The firewall MIB thing didn't go far due to my lack of time, minor show of interest and few contributions. Besides, an IETF group tackled the job of defining a general purpose management MIB and even scripting standards to go with it. Alas, every one of their drafts that I managed to look at so far simply says "this document does not address security". As a nod to security the agreed upon transport was (?) SNMPv2. I really should take a day to catch up on their activity, and then take a minute to post to their mailing list and bitch.

Question: would adding an MD5 hash/signature to each packet create huge amounts of processor overhead? My understanding is MD5 or signatures are generally low cost.

Currently at least some firewalls send SNMP traps as part of an alarm situation. Those could trigger action scripts in the management systems. The problem is defining all the actions you want the system to start taking and gluing all the finger/trace modules on different systems together. Some AI log analysis would be nice.

Some network management systems now have programmable agents on remote hosts. You might be able to set those up to launch higher-processing-cost custom-written intrusion-monitors when they get SNMP commands from the central system.

Adam

---------------
Adam Safier, Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737 Internal: 8*273-5737 Fax: 301-340-4005
Adam.Safier () geis ge com
http://www.geis.com
I'm proud to live in a country where I can express my personal opinions. The opinions above may not be shared by my employer.
---------------
-----Original Message-----
From: John Lines [SMTP:John.Lines () aeat co uk]
Sent: Tuesday, September 23, 1997 9:24 AM
To: firewall-wizards () nfr net
Subject: Re: How do you fight an attack in progress?
....
While on the topic of alerts - there was discussion of a Firewalls MIB on the firewalls list quite a long time ago - did anything come of it? Many organisations have an existing alerting structure to handle on call support people, duty incident managers etc, often based around an SNMP system.

(In the context of this thread I am not sure how useful a Firewalls MIB can be for conveying the full alarm state of the firewall, as to write a MIB you must decide in advance what the full set of alarm conditions might be. When this was last being discussed there was no need for an alarm for "Content Vectoring Protocol scanner has discovered an Internet Explorer exploit in some web page"

John Lines
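Adam's question above, about putting an MD5 hash or signature on each management packet, is easiest to reason about with a concrete tag-and-verify routine. The following is an added example, not code from either poster or from any firewall or NMS product. It appends a keyed MD5 tag (an HMAC, truncated to 96 bits, which is the shape SNMPv3's USM later adopted as HMAC-MD5-96) to a constructed trap-style payload, verifies it, rejects a tampered copy, and times the per-packet cost so the overhead question can be measured rather than guessed. The shared key, the sample trap text and the `cost_per_packet` helper are all constructed for the example; a plain unkeyed hash is deliberately not used, because anyone who can forge the packet can also recompute an unkeyed hash.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret for the example only. A real deployment derives
# a per-agent key from a passphrase and never ships a literal like this.
SHARED_KEY = b"constructed-demo-key-for-the-example-only"

# 96-bit truncation, the same length SNMPv3 USM uses for HMAC-MD5-96.
TAG_LEN = 12

# Constructed trap-style payload standing in for a firewall alarm message.
SAMPLE_TRAP = b"trap fw-gw-1 1997-09-23T20:04:18 deny-burst src=192.0.2.10 count=500"


def authenticate(packet: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Return packet || tag, where tag is a keyed MD5 (HMAC) over the packet."""
    tag = hmac.new(key, packet, hashlib.md5).digest()[:TAG_LEN]
    return packet + tag


def verify(message: bytes, key: bytes = SHARED_KEY):
    """Return the packet body if the trailing tag is valid, else None.

    The comparison is constant-time so a verifier cannot be used as a
    byte-by-byte oracle for the correct tag.
    """
    if len(message) < TAG_LEN:
        return None
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.md5).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def tamper(message: bytes) -> bytes:
    """Flip one bit in the body, simulating on-path modification of the alarm."""
    altered = bytearray(message)
    altered[0] ^= 0x01
    return bytes(altered)


def cost_per_packet(packet_len: int = 128, iterations: int = 20000) -> float:
    """Rough microseconds spent computing one tag over a packet_len-byte packet."""
    packet = os.urandom(packet_len)
    start = time.perf_counter()
    for _ in range(iterations):
        authenticate(packet)
    return (time.perf_counter() - start) / iterations * 1e6


if __name__ == "__main__":
    signed = authenticate(SAMPLE_TRAP)
    print("valid trap accepted:", verify(signed) == SAMPLE_TRAP)
    print("tampered trap rejected:", verify(tamper(signed)) is None)
    print("wrong key rejected:", verify(signed, b"some-other-key") is None)
    print("approx cost per packet: %.2f us" % cost_per_packet())
```

The tag binds the packet contents to the shared key, so a forged or altered trap fails `verify`, but a MAC alone does not stop an old, genuine trap from being replayed; SNMPv3 USM closes that gap by also carrying engine boot and time counters that the receiver checks against a window. Running the timing helper shows the per-packet cost of the keyed hash is measured in microseconds on ordinary hardware, which is the order of magnitude Adam's "generally low cost" intuition refers to.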
Current thread:
- FW MIB - was: How do you fight an attack in progress? Safier, Adam (GEIS) (Sep 23)
- Re: FW MIB - was: How do you fight an attack in progress? Paul Sangster (Sep 24)