Firewall Wizards mailing list archives

FW MIB - was: How do you fight an attack in progress?


From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Tue, 23 Sep 1997 20:04:18 -0400

The firewall MIB thing didn't go far due to my lack of time, minor show
of interest and few contributions. Besides, an IETF group tackled the
job of defining a general purpose management MIB and even scripting
standards to go with it.  Alas, every one of their drafts that I managed
to look at so far simply says "this document does not address security".
As a nod to security the agreed upon transport was (?) SNMPv2.  I really
should take a day to catch up on their activity, and then take a minute
to post to their mailing list and bitch.

Question: would adding an MD5 hash/signature to each packet create huge
amounts of processor overhead?  My understanding is MD5 or signatures
are generally low cost.

Currently at least some firewalls send SNMP traps as part of an alarm
situation.  Those could trigger action scripts in the management
systems.  The problem is defining all the actions you want the system to
start taking and gluing all the finger/trace modules on different
systems together.  Some AI log analysis would be nice.  Some network
management systems now have programmable agents on remote hosts. You
might be able to set those up to launch higher-processing-cost
custom-written intrusion-monitors when they get SNMP commands from the
central system.

Adam

---------------
Adam Safier,  Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737    Internal: 8*273-5737   Fax: 301-340-4005
Adam.Safier () geis ge com        http://www.geis.com

I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------
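Adam's question above, whether a per-packet MD5 check is affordable, as an added example that is not part of the original post or of any SNMP implementation: a management message carrying a keyed MD5 tag, the receiving side's verification, and a rough per-packet cost. The framing (a 4-byte sequence number, then the payload, then a 96-bit tag), the shared key, the "trap" text and the replay counter are all assumptions constructed for the example, not SNMP encoding. It uses HMAC-MD5 (RFC 2104) rather than a bare MD5 of the packet, because an unkeyed hash can be recomputed by whoever alters the packet and so authenticates nothing.

```python
"""
Added example (not from the original thread): keyed per-packet MD5 check
on a management message.  Frame layout, key, payload and replay counter
are constructed for illustration and are not SNMP encoding.
"""
import hashlib
import hmac
import os
import struct
import time

TAG_LEN = 12  # 96-bit truncated HMAC-MD5 tag; length chosen for the example


def build_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 4-byte big-endian sequence number | payload | HMAC-MD5-96."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.md5).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Management-station side: verify the tag, then reject replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.md5).digest()[:TAG_LEN]
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(tag, expected):
            return None
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None  # replayed or out-of-order frame
        self.last_seq = seq
        return body[4:]


def per_packet_cost_us(key: bytes, payload: bytes, n: int = 20000) -> float:
    """Average microseconds to tag one packet; the overhead being asked about."""
    start = time.perf_counter()
    for seq in range(n):
        build_message(key, seq, payload)
    return (time.perf_counter() - start) / n * 1e6


def demo() -> dict:
    """Run the sender/receiver exchange and return what the receiver did."""
    key = os.urandom(16)  # shared secret, constructed for the example
    trap = b"fw1 TRAP dropped-packets-threshold src=198.51.100.7"  # constructed
    rx = Receiver(key)
    good = build_message(key, 1, trap)
    forged = bytearray(good)
    forged[4] ^= 0x01  # flip one payload bit; the tag no longer matches
    return {
        "authentic": rx.accept(good),
        "tampered": rx.accept(bytes(forged)),
        "replayed": rx.accept(good),  # valid tag, stale sequence number
        "next": rx.accept(build_message(key, 2, trap)),
        "wrong_key": Receiver(os.urandom(16)).accept(build_message(key, 3, trap)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result!r}")
    print(f"cost: {per_packet_cost_us(os.urandom(16), b'x' * 64):.2f} us/packet")
```

The cost figure is well under the cost of the UDP send itself on any machine of the era or since, which is the point of the example; the caveat is that the key, not the hash function, does the work, and the receiver's `last_seq` has to be kept per sender and survive restarts for the replay check to mean anything.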


-----Original Message-----
From: John Lines [SMTP:John.Lines () aeat co uk]
Sent: Tuesday, September 23, 1997 9:24 AM
To:   firewall-wizards () nfr net
Subject:      Re: How do you fight an attack in progress? 

        ....

While on the topic of alerts - there was discussion of a Firewalls MIB on
the firewalls list quite a long time ago - did anything come of it?
Many organisations have an existing alerting structure to handle on call
support people, duty incident managers etc, often based around an SNMP
system.
(In the context of this thread I am not sure how useful a Firewalls MIB can
be for conveying the full alarm state of the firewall, as to write a MIB you
must decide in advance what the full set of alarm conditions might be.
When this was last being discussed there was no need for an alarm for
"Content Vectoring Protocol scanner has discovered an Internet Explorer exploit
in some web page".)


              John Lines



