Firewall Wizards mailing list archives

Re: A fun smackdown...


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 19 May 2005 19:08:37 -0400 (EDT)

On Thu, 19 May 2005, Chuck Swiger wrote:

> I suspect that using greylisting, honeytraps, teergrubes, and similar
> techniques can do a lot to help slow down the spread rates of malware
> and spam.  That's one way of making an "allow all" rule less risky than
> the "deny all" rule might be.  Of course, you have to make sure your
> honeytrap software is up to the task, which is not as easy as it might
> seem.

I still don't see that as less risky.

> Is it easier to defend against a known attack than against an unknown
> one?

There's not a generic answer for that, it depends on the attack, the
defender's capability and the environment.

> Computers are good at logging and keeping track of the statistics.  The

Yes, but they're not yet good at making up enough of a protocol to get
enough of a response to get a payload, automatically analyzing and
decrypting that payload, etc.  Though operational sites might not be too
interested in things that speak protocols they don't.

> problem is understanding what all of the noise means and presenting it
> to the user in a fashion which helps them make decisions.

Identifying the source of the noise is one way to gain potentially useful
information (i.e. "Is this a new worm, or just a polymorphic copy of one
I've seen before?")

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
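Greylisting, as Chuck names it in the quoted text above, deferring a first delivery attempt with a temporary SMTP failure and accepting only senders that come back after a delay. The following is an added example, not code from this thread or from any greylisting implementation it might refer to; it keeps the per-triplet (client IP, envelope sender, envelope recipient) state an MTA policy hook would keep, plus the counters behind the "logging and statistics" Paul mentions. The delay, TTLs, addresses and IPs are constructed values chosen for the example.

```python
import time
from dataclasses import dataclass, field

# Tunables are assumptions for this example (the thread names no values).
GREYLIST_DELAY = 300            # seconds a first-seen triplet must wait before a retry is accepted
PENDING_TTL = 4 * 3600          # forget first-seen triplets that never come back within this window
KNOWN_TTL = 36 * 24 * 3600      # keep a triplet that passed greylisting this long after last use

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Minimal greylisting state keyed on (client IP, envelope sender, envelope recipient)."""
    delay: int = GREYLIST_DELAY
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: dict = field(default_factory=dict)     # triplet -> last-seen time
    stats: dict = field(default_factory=lambda: {
        "first_seen": 0, "early_retry": 0, "passed": 0, "known": 0})

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply the MTA should give for this delivery attempt."""
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:                  # already proved it retries like a real MTA
            self.known[triplet] = now
            self.stats["known"] += 1
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None:                          # never seen: defer and start the clock
            self.pending[triplet] = now
            self.stats["first_seen"] += 1
            return TEMPFAIL
        if now - first < self.delay:               # came back too fast: keep deferring
            self.stats["early_retry"] += 1
            return TEMPFAIL
        del self.pending[triplet]                  # waited out the delay: promote to known
        self.known[triplet] = now
        self.stats["passed"] += 1
        return ACCEPT

    def expire(self, now):
        """Drop stale entries; returns (pending_dropped, known_dropped) for the logs."""
        stale_pending = [t for t, ts in self.pending.items() if now - ts > PENDING_TTL]
        stale_known = [t for t, ts in self.known.items() if now - ts > KNOWN_TTL]
        for t in stale_pending:
            del self.pending[t]
        for t in stale_known:
            del self.known[t]
        return len(stale_pending), len(stale_known)


def simulate():
    """Constructed traffic: one well-behaved MTA and two fire-and-forget senders."""
    g = Greylist()
    results = {}
    # A real MTA queues the message and retries after its own backoff (here 10 minutes).
    results["legit"] = [g.check("192.0.2.10", "alice@example.org", "bob@example.net", now=t)
                        for t in (1000, 1600)]
    # A sender that never retries: the triplet sits in pending until it ages out.
    results["bot_noretry"] = [g.check("203.0.113.5", "x@spam.example", "bob@example.net", now=1000)]
    # A sender that retries immediately without honouring the 4xx delay.
    results["bot_fast"] = [g.check("203.0.113.9", "y@spam.example", "bob@example.net", now=t)
                           for t in (1000, 1003)]
    # Housekeeping run just past the pending window: both unproven triplets are dropped.
    results["expired"] = g.expire(now=1000 + PENDING_TTL + 1)
    results["stats"] = dict(g.stats)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The counters are the point Paul makes about logging: over a day of traffic, the ratio of first-seen to passed triplets, and the share of early retries, is a cheap signal for how much of the noise is senders that never behave like a mail server at all, without having to understand the payloads.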