Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: "Berny Stapleton (Sydney Technology)" <berny () technology net au>
Date: Fri, 12 Apr 2002 00:44:05 +1000

I agree with this point.

I think some attack signatures should be trusted, blatantly obvious ones
like TCP/UDP scans from the same host. I think a half hour ban on this
type of traffic, by adding a drop rule, and then deleting it half an
hour later.

I think this would prevent some of the script kiddie attacks that I
think we all see much too often.

Berny

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Gary Flynn
Sent: Thursday, 4 April 2002 1:33 AM
To: Crispin Cowan
Cc: dont; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Prevention Firewall


Crispin Cowan wrote:

But beware: as soon as you hook your IDS to an access control 
mechanism, so that when the IDS detects something it closes off 
access, what you have just done is build a flakey access control 
policy. If you thought the costs of managing IDSs was high, wait until
you try this :)

If someone were foolish enough to blindly tie one of today's full-blown 
IDS systems to an access control device I'd agree with you. But surely
there are some IDS signatures that can be trusted to accurately identify
malicious traffic, and only malicious traffic, and therefore be safe to
use to control access. While there may be a much smaller number of these
"reliable" signatures, they may serve to automatically pick off 
the low hanging fruit and therefore allow more attention to be paid 
elsewhere.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
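
Added example, not part of either message above: a sketch of the half-hour ban described in the reply, where one source probing many ports gets a drop rule that is deleted 30 minutes later. The event format, window, port threshold, never-ban list and the "add-drop"/"del-drop" action names are assumptions made for illustration; the addresses and events are constructed.

```python
from collections import defaultdict, deque

BAN_SECONDS = 30 * 60       # the half-hour ban proposed in the thread
WINDOW_SECONDS = 60         # assumed: look-back window for counting ports
PORT_THRESHOLD = 5          # assumed: distinct ports that count as a scan
NEVER_BAN = {"192.0.2.53"}  # assumed: hosts a false positive must not cut off

def process(events):
    """events: (epoch_seconds, src_ip, dst_port) in time order.
    Returns firewall actions as ("add-drop" | "del-drop", src_ip, epoch)."""
    recent = defaultdict(deque)  # src -> (time, port) pairs inside the window
    banned_until = {}            # src -> expiry time of its drop rule
    actions = []
    for now, src, port in events:
        # Delete drop rules whose half hour has passed before handling the event.
        for ip in sorted(ip for ip, t in banned_until.items() if t <= now):
            actions.append(("del-drop", ip, banned_until.pop(ip)))
        if src in banned_until or src in NEVER_BAN:
            continue
        hits = recent[src]
        hits.append((now, port))
        while hits and hits[0][0] <= now - WINDOW_SECONDS:
            hits.popleft()
        if len({p for _, p in hits}) >= PORT_THRESHOLD:
            banned_until[src] = now + BAN_SECONDS
            actions.append(("add-drop", src, now))
            del recent[src]
    # Rules still active when the input ends expire on schedule.
    for ip, t in sorted(banned_until.items(), key=lambda kv: kv[1]):
        actions.append(("del-drop", ip, t))
    return actions

# Constructed sample: one host probing many ports, one host with ordinary
# traffic, and one never-ban host that would otherwise match the signature.
SAMPLE = sorted(
    [(1000 + i, "198.51.100.7", 20 + i) for i in range(6)]
    + [(1000 + i, "203.0.113.9", 80) for i in range(6)]
    + [(1010 + i, "192.0.2.53", 1024 + i) for i in range(6)]
    + [(1000 + 1800 + 10, "198.51.100.7", 25)]
)

if __name__ == "__main__":
    for action in process(SAMPLE):
        print(action)
```

The never-ban list is one way to limit the "flakey access control policy" cost raised in the quoted message: a signature that misfires on a host listed there never produces a drop rule.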