Firewall Wizards mailing list archives
R: Reactive Firewalls
From: "Franco RUGGIERI" <fruggieri () selfin net>
Date: Sun, 15 Feb 1998 11:47:37 +0100
I joined this mailing list to learn, so I apologize in advance if my message is too trivial.
From what I read on this thread I wonder if a possible step ahead (not *THE SOLUTION*) could be a firewall (I don't know if there are any) which, upon recognition of an ongoing attack or when its logfile is full, does basically four things:

1) yell like an eagle to warn the administrator (as usual);
2) shut off its connection to the net;
3) pass the firewalling task on to another firewall; this will reduce the service interruption to a minimum, though, probably, cryptographic sessions and authentication processes still in flight, and the like, will have to be restarted;
4) automatically start a procedure that saves the logfile (e.g. on a PC connected via serial line, as Chapman-Zwicky suggest, where there must be a number of log saving files to be used in round robin), clears it and resets the firewall, so it will be ready to take over the task once again.

Maybe a log analyzer could be started automatically too, to make the administrator's task easier.

Could someone spend a few seconds in highlighting the shortcomings of this crazy idea? TIA.

-----------------------------------------
Franco RUGGIERI
fruggieri () selfin net
It took a kid to say: "The king is naked".

-----Original message-----
From: Rick Smith <rsmith () securecomputing com>
To: cbrenton () sover net <cbrenton () sover net>
Cc: Darren Reed <darrenr () cyber com au>; firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Saturday, 14 February 1998 9:12
Subject: Re: Reactive Firewalls
The correct choice between denial of service and degraded security of various forms will always come down to one of local policy.

Personally, I'm more familiar with the notion of shutting down when there are problems, but that's because for much of my career the Internet (and Arpanet) were perceived as an efficient shortcut for getting work done. The 'Net was not an essential communications link like a telephone. I expect that as time goes on the Internet will get to be more like the telephone, not less.

I have no doubt that our telecom manager would get fired if he had the phone system go down several times (disconnecting calls) simply because there was a possibility someone was making an invalid call or because the system had trouble keeping records of all calls. The practical default is to let calls go through, but make the best possible effort to keep things as safe as possible.

The name of the game is risk reduction. We use the tools we've got, but we're not going to stop every threat no matter how cautious we are. Although I've done incident analysis and I appreciate the value of a good audit log, I still recognize that the enterprise didn't install its Internet connection simply to keep logs on its use -- they did it to improve their ability to do their job.

The only time it makes sense to interrupt Internet service is if there's a detected danger to the internal systems. It's not easy to make this judgement, and you really have to base it on how the service interruption will impact ongoing business and the perceived value of the Internet connection to the enterprise.

Rick.
smith () securecomputing com
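Franco's four-step reaction and Rick's "interrupt only for a detected danger to internal systems" rule, combined in one small model; this is illustration code added to this archive page, not anything posted in the thread, and every name in it (LogStore, ReactiveFirewall, the tiny log_limit of 3) is an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LogStore:
    """Fixed number of log-saving slots used in round robin (the serial-line log host)."""
    slots: int
    saved: List[str] = field(default_factory=list)
    next_slot: int = 0

    def save(self, log: str) -> int:
        """Archive a full log in the next slot, overwriting the oldest one when all are used."""
        slot = self.next_slot
        if len(self.saved) < self.slots:
            self.saved.append(log)
        else:
            self.saved[slot] = log
        self.next_slot = (slot + 1) % self.slots
        return slot


@dataclass
class ReactiveFirewall:
    name: str
    standby: Optional["ReactiveFirewall"]      # step 3 hands traffic to this box
    store: LogStore
    fail_closed: bool = True                   # local policy: drop the link on any trouble?
    log_limit: int = 3                         # lines before the log counts as full (assumed)
    log: List[str] = field(default_factory=list)
    online: bool = True
    alerts: List[str] = field(default_factory=list)

    def handle(self, line: str, attack: bool = False) -> str:
        """Record one log line and react if the log is full or an attack was recognized.
        Returns the name of the firewall serving traffic after the reaction."""
        self.log.append(line)
        log_full = len(self.log) >= self.log_limit
        if not (attack or log_full):
            return self.name
        reason = "attack detected" if attack else "log full"
        self.alerts.append(f"{self.name}: {reason}")          # 1) warn the administrator
        # Rick's rule: a full log endangers nothing internal, so a fail-open policy
        # keeps passing traffic; an attack (or a fail-closed policy) interrupts service.
        active = self.name
        if attack or self.fail_closed:
            self.online = False                                # 2) shut off the net link
            if self.standby is not None:
                active = self.standby.name                     # 3) hand over to the standby
        self.store.save("\n".join(self.log))                   # 4) save the log round robin,
        self.log = []                                          #    clear it,
        self.online = True                                     #    and reset, ready again
        return active
```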