Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: Dave Piscitello <dave () corecom com>
Date: Sun, 07 Apr 2002 08:37:06 -0500

Not just "insider" attacks...

Scenario:

Organization uses secure remote access via IPsec.
Teleworker uses split tunnel from cable modem.
Teleworker's PC is hacked; the attacker installs an executable
that can relay traffic from the Internet into the trusted network.

Attacker's traffic passes opaquely through FW/VPN SG
into inside network.

BTW, I always see this "60% of attacks originate from
inside" number. Has anyone ever examined the incidents
to separate events truly instigated by an insider from events
instigated by an attacker who's installed rootkits, etc. on
an internally compromised system? With VPNs and split
tunneling, this is apt to become a much more difficult number
to track. Jerry Dempsey of ISS presented an interesting
VPN-facilitated attack anatomy here at Rubi-Con 2002 on
Friday night that really underscores how easy such attacks
are to accomplish when mobile hosts are not using more than
the VPN client for protection.

While you can argue that most IPsec arrangements use
a virtual IP (assigned from the inside address space, or
a secondary address space), the attacker is an outsider.

The kinds of attacks I would want IDS to report and
act upon would be "all the things my external IDS tracks,
and then some..."

At 12:46 PM 4/5/2002 -0500, Pieper Rodney wrote:
The internal IDS also has responsibility for incidents which originate
inside the network - (60%). These would be problematic if the response was
moved to the firewall.


David M. Piscitello
Core Competence, Inc. &
The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards