Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: "Berny Stapleton (Sydney Technology)" <berny () technology net au>
Date: Fri, 12 Apr 2002 00:44:05 +1000
I agree with this point. I think some attack signatures should be trusted, blatantly obvious ones like TCP/UDP scans from the same host. I think a half hour ban on this type of traffic, by adding a drop rule, and then deleting it half an hour later. I think this would prevent some of the script kiddie attacks that I think we all see much too often.

Berny

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Gary Flynn
Sent: Thursday, 4 April 2002 1:33 AM
To: Crispin Cowan
Cc: dont; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Prevention Firewall

Crispin Cowan wrote:
But beware: as soon as you hook your IDS to an access control mechanism, so that when the IDS detects something it closes off access, what you have just done is build a flakey access control policy. If you thought the costs of managing IDSs was high, wait until you try this :)
If someone were foolish enough to blindly tie one of today's full-blown IDS systems to an access control device I'd agree with you. But surely there are some IDS signatures that can be trusted to accurately identify malicious traffic, and only malicious traffic, and therefore be safe to use to control access. While there may be a much smaller number of these "reliable" signatures, they may serve to automatically pick off the low hanging fruit and therefore allow more attention to be paid elsewhere.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
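The timed ban discussed in this message, sketched as an added example that is not part of the original posts: a source that touches many distinct ports inside a short window gets a drop entry that is deleted half an hour later. The thresholds, the allowlist and the sample traffic are assumptions made for illustration; the allowlist is one guard against the automatic rule cutting off a host you depend on.

```python
from collections import defaultdict

BAN_SECONDS = 30 * 60        # the half-hour ban proposed in the post
SCAN_PORTS = 20              # assumed threshold: distinct ports from one source
SCAN_WINDOW = 60             # assumed look-back window, in seconds
NEVER_BAN = {"192.0.2.53"}   # assumed allowlist (e.g. your own resolver)


class TimedBanList:
    """Tracks per-source port fan-out and holds drop rules that expire."""

    def __init__(self):
        self.seen = defaultdict(dict)   # src -> {dst_port: last_seen_ts}
        self.bans = {}                  # src -> expiry timestamp

    def expire(self, now):
        """Delete drop rules whose half hour is up; return removed sources."""
        gone = [s for s, t in self.bans.items() if t <= now]
        for s in gone:
            del self.bans[s]
        return gone

    def observe(self, ts, src, dst_port):
        """Feed one connection attempt; return 'drop', 'ban' or 'pass'."""
        self.expire(ts)
        if src in self.bans:
            return "drop"
        ports = self.seen[src]
        ports[dst_port] = ts
        # Forget ports last touched outside the look-back window.
        for p in [p for p, t in ports.items() if ts - t > SCAN_WINDOW]:
            del ports[p]
        if len(ports) >= SCAN_PORTS and src not in NEVER_BAN:
            self.bans[src] = ts + BAN_SECONDS
            del self.seen[src]
            return "ban"
        return "pass"


def replay(events):
    """Run (ts, src, dst_port) events; return the verdicts and the ban list."""
    bl = TimedBanList()
    return [bl.observe(*e) for e in events], bl


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [(i, "198.51.100.7", 1000 + i) for i in range(25)]        # port sweep
SAMPLE += [(30 + i, "192.0.2.53", 2000 + i) for i in range(25)]    # allowlisted
SAMPLE += [(100, "198.51.100.7", 80), (1900, "198.51.100.7", 80)]  # during/after ban
```

In a deployment the "ban" and expiry results would drive the firewall's own add-rule and delete-rule commands; here they are only returned so the behaviour can be checked.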