Firewall Wizards mailing list archives
Re: Reactive Firewalls
From: tqbf () joshua enteract com
Date: Wed, 11 Feb 1998 16:16:55 -0600 (CST)
At Wed, 11 Feb 1998 10:09:31 -0600, Rick Smith wrote:

> Sidewinder is reactive only to the point of trying to collect additional information and send alerts to the site admin.

Point taken, so understand that I don't refer to Sidewinder when I say:

> These decisions are based on information collected from processes inside Sidewinder, and try to deduce when an outsider is doing something bad.
Careful there. Just because information was obtained from "within" Sidewinder doesn't make it trusted. This is a common misconception people have had prior to reading our paper with regards to WheelGroup's NetRanger; people assume that, since it's wrapped up with a router (I don't know the specific architecture of NetRanger WRT the BorderGuard it ties into), it's not a "passive monitor".

From our perspective, traffic monitors are:

- Active, if they are an active participant in the protocol they're monitoring; i.e., a TCP proxy can be an active monitor, as it becomes a connection endpoint and thus "normalizes" (excuse my hijacking of math terminology) packet flow to the actual destination, or

- Passive, in almost any other case I can think of, including the case where packets are being analyzed inside of a router before being forwarded on.

The big difference here is that there are traffic analysis conclusions you can come to when you're an active participant (for instance, the reassembly of a series of IP fragments) that you cannot come to as a passive monitor (without significant secondary sources of information).

Sidewinder is (from what I understand of it, and I'm sure you'll correct me) an application gateway firewall built around proxies. If you obtain traffic information from Sidewinder at the right level, you may have a reliable basis to draw conclusions about the presence of attacks. However, if you watch packets using a packet capture device, or as they pass through Sidewinder-OS's equivalent of ipintr(), your monitoring components are passive with respect to the actual traffic.

How does this fit in with the posts we've seen regarding reactive firewalls? When Aleph speaks about "reactive" firewalls, I assume he refers to systems that are driven by some sort of attack detection system, which dynamically reconfigure access control devices.
WheelGroup NetRanger is a perfect example of this, especially because people really do configure NetRanger as a "dynamic reactive firewall". If your reactive firewall works like NetRanger does, it's driving access control devices off of traffic analysis results obtained from an unreliable source (passive analysis). It's not just that you get false positives by doing this --- an attacker can, with a bit of finesse, slip past systems configured like this, and, without any skill whatsoever, can force the system into blacklisting innocent addresses (hence Aleph's "non-authenticated possible bogus data" comment). This takes us to:
> There could be a false alarm problem with this, but that's true of any security measure.
The false alarm problem is much more serious with "adaptive" security systems, because mistaken false alarms can be leveraged by an attacker to perform network-level denial of service attacks. The fact that the false-positive problem is so obviously hard to defend against speaks to the fact that "adaptive network security" is dangerous and immature.

You seem to agree with me on this anyways. I just wanted to clarify.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                          "mmm... sacrilicious"
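A small model of the post's point, added here and not part of the original thread: a reactive blacklist fed by a passive sensor attributes a forged packet to whatever source address it carries, while an active endpoint (a proxy that owns the connection) never sees data from a peer that did not complete the handshake. All addresses, the proxy ISN, the packet tuples and the "bad request" signature are constructed sample values, not from any real product.

```python
"""Reactive blacklist driven by a passive sensor vs. an active endpoint.

Packets are constructed tuples (src, kind, ack, payload). PROXY_ISN is a
made-up initial sequence number for the proxy side of the connection.
"""
PROXY_ISN = 42000                     # proxy's ISN (constructed)
SIGNATURE = "/../"                    # hypothetical "bad request" pattern
NEVER_BLOCK = {"192.0.2.53"}          # e.g. the site's own resolver

STREAM = [
    ("198.51.100.9", "SYN",  0,             ""),
    ("198.51.100.9", "ACK",  PROXY_ISN + 1, ""),             # handshake done
    ("198.51.100.9", "DATA", PROXY_ISN + 1, "GET /../../etc/passwd"),
    # Forged packet carrying the resolver's address; no handshake ever happened.
    ("192.0.2.53",   "DATA", 0,             "GET /../../etc/passwd"),
]

def passive_offenders(stream):
    """Sniffer view: the source address on any matching packet is believed."""
    return {src for src, kind, _, payload in stream
            if kind == "DATA" and SIGNATURE in payload}

def active_offenders(stream, isn=PROXY_ISN):
    """Proxy view: data is attributed to a peer only on a connection whose
    peer acknowledged our SYN-ACK (ack == isn + 1); off-path forgeries
    never reach the signature check at all."""
    established = {src for src, kind, ack, _ in stream
                   if kind == "ACK" and ack == isn + 1}
    return {src for src, kind, ack, payload in stream
            if kind == "DATA" and src in established
            and ack == isn + 1 and SIGNATURE in payload}

def reactive_blacklist(offenders, never_block=NEVER_BLOCK):
    """Reactive rule: block the offenders, except peers the site cannot lose."""
    return offenders - never_block
```

The allowlist only protects peers someone thought to list; with the passive feed any other innocent address can still be forced onto the blacklist, which is the denial-of-service the post describes.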