Firewall Wizards mailing list archives

Re: Reactive Firewalls


From: "Franco RUGGIERI" <fruggieri () selfin net>
Date: Sun, 15 Feb 1998 11:47:37 +0100

I joined this mailing list to learn, so I apologize in advance if my
message is too trivial.

From what I read on this thread I wonder if a possible step ahead (not
*THE SOLUTION*) could be a firewall (I don't know if there are any) which,
upon recognition of an ongoing attack or when its logfile is full, basically
does four things:
1) yell like an eagle to warn the administrator (as usual)
2) shut off its connection to the net
3) pass the firewalling task on to another firewall; this will reduce the
service interruption to a minimum, though, probably, cryptographic sessions
and authentication processes still in flight, and the like, will have to be
restarted;
4) automatically start a procedure that saves the logfile (e.g. on a PC
connected via serial line, as Chapman-Zwicky suggest, where there must be a
number of log saving files to be used in round robin), clears it and resets
the firewall, so it will be ready to take over the task once again.
Maybe a log analyzer could be started automatically too, to make the
administrator's task easier.

Could someone spend a few seconds in highlighting the shortcomings of this
crazy idea?

TIA.

-----------------------------------------
Franco RUGGIERI
fruggieri () selfin net
It took a kid to say: "The king is naked".
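As an added illustration of the four-step procedure proposed above (this is example code written for this archive page, not something from Franco's post, from Chapman and Zwicky's book, or from any firewall product), the following Python simulation models a primary/standby pair and a controller that, on either trigger (attack signal or full log), alerts, isolates the affected node, hands traffic to the other node, archives the log into a fixed set of round-robin slots standing in for the serial-line PC, clears it, and returns the node to standby. The node names, log capacity, slot count and log lines are all constructed for the demo.

```python
"""Simulation of a reactive firewall failover with round-robin log archiving.
Hypothetical names and constructed sample data throughout."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    ACTIVE = "active"      # passing traffic
    STANDBY = "standby"    # ready to take over
    ISOLATED = "isolated"  # disconnected from the net while it recovers


@dataclass
class Firewall:
    name: str
    state: State
    log_capacity: int = 4                          # tiny, so the demo fills it quickly
    log: List[str] = field(default_factory=list)


class LogArchive:
    """Fixed number of save files reused in round robin (the serial-line PC)."""

    def __init__(self, slots: int) -> None:
        self.files: List[Optional[List[str]]] = [None] * slots
        self.next_slot = 0

    def save(self, entries: List[str]) -> int:
        slot = self.next_slot
        self.files[slot] = list(entries)           # copy before the live log is cleared
        self.next_slot = (slot + 1) % len(self.files)
        return slot


class Controller:
    def __init__(self, primary: Firewall, standby: Firewall, archive: LogArchive) -> None:
        self.pair = (primary, standby)
        self.archive = archive
        self.alerts: List[str] = []

    @property
    def active(self) -> Firewall:
        return next(fw for fw in self.pair if fw.state is State.ACTIVE)

    def record(self, entry: str) -> None:
        """Log on the active node; a full log is one of the two triggers."""
        fw = self.active
        fw.log.append(entry)
        if len(fw.log) >= fw.log_capacity:
            self.react(fw, "logfile full")

    def react(self, fw: Firewall, reason: str) -> None:
        self.alerts.append(f"{fw.name}: {reason}")          # 1) warn the administrator
        fw.state = State.ISOLATED                           # 2) cut its net connection
        other = self.pair[1] if fw is self.pair[0] else self.pair[0]
        other.state = State.ACTIVE                          # 3) hand the task over
        self.archive.save(fw.log)                           # 4) save the log ...
        fw.log.clear()                                      #    ... clear it ...
        fw.state = State.STANDBY                            #    ... and reset the node


def run_demo() -> Dict[str, object]:
    archive = LogArchive(slots=2)
    ctl = Controller(Firewall("fw-a", State.ACTIVE), Firewall("fw-b", State.STANDBY), archive)
    # constructed sample log lines using documentation address ranges
    for i in range(5):
        ctl.record(f"deny tcp 192.0.2.{i} -> 198.51.100.7:23")
    ctl.react(ctl.active, "attack detected")               # the other trigger
    return {
        "alerts": list(ctl.alerts),
        "active": ctl.active.name,
        "archived": [len(f) if f else 0 for f in archive.files],
        "next_slot": archive.next_slot,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth checking in any real implementation of this idea: the archive copy is taken before the live log is cleared (otherwise the evidence the administrator needs is gone), and a round-robin set of save files overwrites the oldest one once it wraps, so the slot count bounds how long an incident record survives if nobody collects it. The handover is modeled as instantaneous; the in-flight sessions the post says would have to be restarted are not represented.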

-----Original Message-----
From: Rick Smith <rsmith () securecomputing com>
To: cbrenton () sover net <cbrenton () sover net>
Cc: Darren Reed <darrenr () cyber com au>; firewall-wizards () nfr net
<firewall-wizards () nfr net>
Date: Saturday 14 February 1998 9:12
Subject: Re: Reactive Firewalls


The correct choice between denial of service and degraded security of
various forms will always come down to one of local policy. Personally, I'm
more familiar with the notion of shutting down when there are problems, but
that's because for much of my career the Internet (and Arpanet) were
perceived as an efficient shortcut for getting work done. The 'Net was not
an essential communications link like a telephone.

I expect that as time goes on the Internet will get to be more like the
telephone, not less. I have no doubt that our telecom manager would get
fired if he had the phone system go down several times (disconnecting
calls) simply because there was a possibility someone was making an invalid
call or because the system had trouble keeping records of all calls. The
practical default is to let calls go through, but make the best possible
effort to keep things as safe as possible. The name of the game is risk
reduction. We use the tools we've got, but we're not going to stop every
threat no matter how cautious we are.

Although I've done incident analysis and I appreciate the value of a good
audit log, I still recognize that the enterprise didn't install its
Internet connection simply to keep logs on its use -- they did it to
improve their ability to do their job. The only time it makes sense to
interrupt Internet service is if there's a detected danger to the internal
systems. It's not easy to make this judgement, and you really have to base
it on how the service interruption will impact ongoing business and the
perceived value of the Internet connection to the enterprise.

Rick.
smith () securecomputing com
