Security Incidents mailing list archives
Re: Request For Comments from Firewall Community
From: Martin Hoz <mhoz () gama fime uanl mx>
Date: Tue, 17 Jul 2001 21:16:44 -0600
William:

Probably another forum for discussing this is the INCIDENTS forum. http://www.securityfocus.org/forums/incidents/intro.html

Their goals are precisely about how to track attacks and how to deal with these... Since this is a matter that not only implies just "reporting" and "blocking" IPs/subnets, it could be worth trying with an audience more used to dealing with completed attacks as well as protecting against them (i.e. the Incidents forum and the firewalls forum).

I like the idea... :-)

Regards.

- Martín.

--
Martin H. Hoz-Salvador
EX-A-IEC, EX-A-FIME
http://gama.fime.uanl.mx/~mhoz

"Gimme a firewall sandwich with packet filter bread and fast ethernet mustard. No pickles, please." - A. A.
"'Firewall sandwich with load balancers' sounds good; I'll order two with extra mayonnaise and a Coca Cola" - C. R. Wilson

William Bartholomew wrote:
I am making this suggestion based on Ron DuFresne's [dufresne () winternet com] email "You're on your own now" last week. I am open to everyone's thoughts on whether it is a good idea or not or any suggestions that you may have. This has been written very quickly and is intended as an overview of the idea only.

Background

As firewall administrators we have all seen a variety of attempts against the networks that we have been hired to protect; these attacks range from stab-in-the-dark probes to pinpoint purposeful attacks. However, a large number of attacks come from a small number of IP addresses, and furthermore most of the attacks are aimed at wide ranges of IP addresses and as such affect more than one company and as such affect more than just one firewall administrator. The majority of these attacks are harmless (attacks against ports such as 23, 111, 135, 137, and 139) as they are usually stopped by our border firewalls.

Suggestion

What is needed is a facility to allow us to coordinate our efforts to protect ourselves from that small number of IP addresses that probe our networks CONSTANTLY. The most effective way for us to do this, I believe, is a service similar to ORBS, but instead of tracking open mail relays it tracks IP addresses that are known threats. Ideally the system would allow IP addresses to be split into categories and then firewall administrators could download pre-written rule sets for various firewalls to block the IP addresses in the categories that they select. A system such as this would quickly reduce the effectiveness of attacks from these IP addresses as numerous firewalls would effectively block these ranges even before the attack is attempted against them.
Potential Problems

* System could be abused by people blocking good IP addresses
  - Possible Soln: Firewall administrators have to register to block IP addresses
  - Possible Soln: Multiple requests to block the same IP address have to be received before the rule is activated
  - Possible Soln: Log files have to be provided

* Too many rules may be generated
  - Possible Soln: Rules may be split into categories and firewall administrators can choose which categories they wish to use
  - Possible Soln: Rules in certain categories may expire after a certain time period

* Spoofing of IP addresses
  - Possible Soln: Protected somewhat by the measures shown under "System could be abused by people blocking good IP addresses"
  - Possible Soln: Rules may be removed by successful application from the owner of the IP address/range

Any thoughts on this would be greatly appreciated.

Kind Regards

William Bartholomew
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
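The proposal above (registered reporters, a corroboration threshold before a block activates, evidence attached to each report, per-category expiry, owner-initiated removal, and downloadable rule sets) can be sketched as a small service. The following is an added example for this archive page, not code from either poster or from any real ORBS-style service; the class and method names, the category lifetimes, the "no wider than /24" cap, and the TEST-NET sample reports are all assumptions chosen to illustrate the design.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network


class Report:
    """One registered administrator's report of a hostile address range."""

    def __init__(self, reporter, network, category, log_excerpt, when):
        self.reporter = reporter
        self.network = network
        self.category = category
        self.log_excerpt = log_excerpt   # evidence the post asks for ("log files have to be provided")
        self.when = when


class Blocklist:
    """Coordinated blocklist with the safeguards the post lists.  Policy values are assumed."""

    def __init__(self, min_reports=3):
        self.min_reports = min_reports              # distinct reporters needed before a rule goes live
        # assumed per-category lifetimes: noisy probes age out faster than real attacks
        self.ttl = {"probe": timedelta(days=7), "attack": timedelta(days=30)}
        self.reporters = set()
        self.reports = {}                           # (network, category) -> {reporter: Report}

    def register(self, admin):
        """Only registered administrators may submit reports."""
        self.reporters.add(admin)

    def report(self, admin, cidr, category, log_excerpt, now):
        if admin not in self.reporters:
            raise PermissionError(f"{admin} is not a registered reporter")
        if category not in self.ttl:
            raise ValueError(f"unknown category {category!r}")
        if not log_excerpt.strip():
            raise ValueError("a log excerpt is required as evidence")
        net = ip_network(cidr, strict=False)
        if net.version != 4 or net.prefixlen < 24:   # assumed cap: no blanket blocks of huge ranges
            raise ValueError("only IPv4 ranges no wider than /24 are accepted")
        # one vote per reporter per (range, category): re-reporting refreshes, never double-counts
        self.reports.setdefault((net, category), {})[admin] = Report(admin, net, category, log_excerpt, now)

    def active(self, category, now):
        """Ranges backed by enough distinct, unexpired reports in the given category."""
        out = []
        for (net, cat), votes in self.reports.items():
            if cat != category:
                continue
            fresh = [r for r in votes.values() if now - r.when <= self.ttl[cat]]
            if len(fresh) >= self.min_reports:
                out.append(net)
        return sorted(out)

    def withdraw(self, cidr, category):
        """Owner's successful application: drop the entry so it must be re-corroborated from scratch."""
        self.reports.pop((ip_network(cidr, strict=False), category), None)

    def iptables_rules(self, categories, now, chain="INPUT"):
        """Pre-written rule set for the categories an administrator subscribes to."""
        return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP"
                for cat in categories for net in self.active(cat, now)]


def demo():
    """Constructed scenario using TEST-NET addresses; returns the rule sets at several points in time."""
    t0 = datetime(2001, 7, 17, 21, 0)
    bl = Blocklist(min_reports=2)
    for admin in ("alice", "bob", "carol"):
        bl.register(admin)
    # two independent reports of the same /24 probing RPC and NetBIOS ports
    bl.report("alice", "192.0.2.0/24", "probe", "Jul 17 tcp 192.0.2.7 -> port 111", t0)
    bl.report("bob", "192.0.2.0/24", "probe", "Jul 17 tcp 192.0.2.9 -> port 139", t0 + timedelta(hours=1))
    # a single uncorroborated report must not activate anything
    bl.report("carol", "198.51.100.5", "attack", "Jul 17 telnet exploit attempt from 198.51.100.5", t0)
    try:
        bl.report("mallory", "203.0.113.0/24", "attack", "bogus", t0)
        unregistered_rejected = False
    except PermissionError:
        unregistered_rejected = True
    day1 = bl.iptables_rules(["probe", "attack"], t0 + timedelta(days=1))
    day8 = bl.iptables_rules(["probe"], t0 + timedelta(days=8))    # probe entries have expired
    bl.withdraw("192.0.2.0/24", "probe")
    after_withdraw = bl.iptables_rules(["probe"], t0 + timedelta(days=1))
    return {"day1": day1, "day8": day8, "after_withdraw": after_withdraw,
            "unregistered_rejected": unregistered_rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Expiry is evaluated at export time rather than by a background sweep, so a subscriber always receives rules that are current as of its download; the threshold and lifetimes are the knobs that trade false blocks against reaction time, and the withdraw path deliberately clears the vote count rather than just hiding the entry.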