Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: Dave Piscitello <dave () corecom com>
Date: Sun, 07 Apr 2002 08:37:06 -0500
Not just "insider" attacks...

Scenario: Organization uses secure remote access via IPsec. Teleworker uses split tunnel from cable modem. Teleworker's PC is hacked, attacker installs executable that can relay traffic from Internet into trusted network. Attacker's traffic passes opaquely through FW/VPN SG into inside network.

BTW, I always see this "60% of attacks originate from inside" number. Has anyone ever examined the incidents to separate events truly instigated by an insider from events instigated by an attacker who's installed rootkits, etc. on an internally compromised system? With VPNs and split tunneling, this is apt to become a much more difficult number to track.

Jerry Dempsey of ISS presented an interesting VPN-facilitated attack anatomy here at Rubi-Con 2002 on Friday night that really underscores how easy such attacks are to accomplish when mobile hosts are not using more than the VPN client for protection. While you can argue that most IPsec arrangements use a virtual IP (assigned from the inside address space, or a secondary address space), the attacker is an outsider.

The kinds of attacks I would want IDS to report and act upon would be "all the things my external IDS tracks, and then some..."

At 12:46 PM 4/5/2002 -0500, Pieper Rodney wrote:

> The internal IDS also has responsibility for incidents which originate inside the network - (60%). These would be problematic if the response was moved to the firewall.
David M. Piscitello
Core Competence, Inc. & The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/