Firewall Wizards mailing list archives
Re: SANS Top Ten and Commercial Firewalls
From: "H. Morrow Long" <morrow.long () yale edu>
Date: Wed, 02 Oct 2002 16:23:05 -0400
Sounds like you want wun o' them thar new firewalls with inline IDS system built in. Most traditional firewalls to date (even those doing content inspection) wouldn't recognize the signature for these attacks and block the traffic, and you would only be safe if you blocked the service ports (e.g. TCP 80 for #1 and #2, 1433 for #3, 135 to 139 for W4 to W9, etc.). I'd suspect that some proxy based firewalls could be effective at blocking some of these attacks just by laundering/cleansing the traffic bidirectionally and washing out the malicious attacks somehow. However, there are supposed to be new generation firewalls out with built in inline IDS systems (signature AND anomalous behaviour based attack recognition). I'd be interested in hearing about their layer 5 through 7 firewall/IDS capabilities.

H. Morrow Long

Gary Flynn wrote:
Being efficient (as opposed to being lazy :) I thought I'd pose a question here to a body of folks familiar with the firewall marketplace rather than scour individual commercial web sites where details are often rare.

Of the SANS "Twenty Most Critical Internet Security Vulnerabilities" ( http://www.sans.org/top20 ) how many are addressed by the majority of commercial firewalls without resorting to blocking the associated port and service entirely? In other words, how many of them can detect and block things like:

W1. IIS malicious requests for cmd.exe and sample files and buffer overflows.
W2. Requests for MDAC access
W3. Malicious SQL Server requests based on patched defects or sa access without a password.
W5. Null netbios access (as opposed to all netbios access)
W6. Netbios sessions based on LM Hash.
W7. Netbios sessions to accounts with no passwords.
W8. Malicious HTTP responses exploiting IE defects.
W9. Remote Registry Access
U1. Malicious RPC calls
U2. Malicious HTTP calls to Apache web servers exploiting the OpenSSL or Apache chunk handling defects.
U3. Malicious SSH requests exploiting SSH defects.
U4. Malicious SNMP requests or requests with the community name blank or equal to "public".
U5. Malicious requests to FTP servers exploiting wu-ftp defects.
U7. Malicious requests to the line printer daemon.
U8. Malicious requests to sendmail.
U9. Malicious requests to bind.

I know there will be variances and subsets but I was hoping to get some kind of general feeling for the overall coverage. If you know of a better place to pose the question, please let me know.

thanks,
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
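As an added illustration of the distinction the reply draws between blocking a service port outright and inspecting the content of a session (the "layer 5 through 7" capability being asked about), the following Python is not from the thread or from any firewall product. It runs two small content checks over constructed sample flows: an HTTP request-line check for the cmd.exe and sample-file requests of item W1, and an SNMP community-string check for the blank or "public" community of item U4. The SNMP packets are built inline from a minimal hand-rolled BER encoder, so nothing here is captured traffic; the rule names, the `/iissamples/` path and the `monitor-ro` community are assumptions chosen for the example.

```python
import re


def _ber(tag, body):
    """Encode one BER TLV with a short-form length (enough for these small samples)."""
    assert len(body) < 128, "short-form length only in this example"
    return bytes([tag, len(body)]) + body


def snmp_get(community):
    """Build a constructed SNMPv1 GetRequest for sysDescr.0 carrying the given community."""
    oid = _ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))      # 1.3.6.1.2.1.1.1.0
    varbind = _ber(0x30, oid + _ber(0x05, b""))                # OID + NULL value
    varbinds = _ber(0x30, varbind)
    pdu = _ber(0xA0, _ber(0x02, b"\x01")                       # request-id 1
                     + _ber(0x02, b"\x00")                     # error-status 0
                     + _ber(0x02, b"\x00")                     # error-index 0
                     + varbinds)
    return _ber(0x30, _ber(0x02, b"\x00")                      # version 0 = SNMPv1
                      + _ber(0x04, community) + pdu)


def snmp_community(payload):
    """Return the community OCTET STRING of an SNMPv1/v2c message, or None if it does not parse.

    Only short-form BER lengths are handled, matching what snmp_get() produces.
    """
    try:
        if payload[0] != 0x30:
            return None
        pos = 2                                  # skip outer SEQUENCE tag + length
        if payload[pos] != 0x02:                 # version INTEGER
            return None
        pos += 2 + payload[pos + 1]
        if payload[pos] != 0x04:                 # community OCTET STRING
            return None
        clen = payload[pos + 1]
        return payload[pos + 2:pos + 2 + clen]
    except IndexError:
        return None


# Constructed sample flows: (destination port, first payload bytes) as an
# inline inspector would see them. Not captured traffic.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /iissamples/default/welcome.htm HTTP/1.0\r\n\r\n"),
    (161, snmp_get(b"monitor-ro")),   # assumed site-specific community
    (161, snmp_get(b"public")),
    (161, snmp_get(b"")),
]

# Hypothetical content rules for the W1 request patterns named in the question.
HTTP_RULES = [
    ("iis-cmd-exe", re.compile(rb"(?i)/cmd\.exe")),
    ("iis-sample-files", re.compile(rb"(?i)/iissamples/")),
]


def inspect(port, payload):
    """Content-inspection decision for one flow: 'pass' or 'block:<rule>'."""
    if port == 80:
        request_line = payload.split(b"\r\n", 1)[0]
        for name, pattern in HTTP_RULES:
            if pattern.search(request_line):
                return f"block:{name}"
        return "pass"
    if port == 161:
        community = snmp_community(payload)
        if community is None:
            return "block:snmp-malformed"
        if community.lower() in (b"", b"public"):   # U4: blank or "public"
            return "block:snmp-default-community"
        return "pass"
    return "pass"                                    # other services not inspected here


def port_only(port, payload, closed_ports=frozenset({80, 161})):
    """The traditional alternative: close the whole service, good traffic included."""
    return "block:port" if port in closed_ports else "pass"


def compare(flows=SAMPLE_FLOWS):
    """Side-by-side decisions (port, port-only policy, content-inspection policy)."""
    return [(port, port_only(port, p), inspect(port, p)) for port, p in flows]


if __name__ == "__main__":
    for port, by_port, by_content in compare():
        print(f"port {port:>3}  port-only={by_port:<12} content={by_content}")
```

The port-only policy blocks all six flows, including the ordinary page fetch and the request using a site-specific community; the content policy passes those two and blocks only the four that match the question's W1 and U4 descriptions, which is the difference between "blocking the service port" and "layer 5 through 7" inspection that the reply is pointing at.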
Current thread:
- SANS Top Ten and Commercial Firewalls Gary Flynn (Oct 02)
- Re: SANS Top Ten and Commercial Firewalls H. Morrow Long (Oct 02)
- Re: SANS Top Ten and Commercial Firewalls Devdas Bhagat (Oct 02)
- stealth ports and IDS James X (Oct 03)
- Re: stealth ports and IDS Anton A. Chuvakin (Oct 03)
- Re: stealth ports and IDS Kevin Steves (Oct 03)
- Re: stealth ports and IDS Paul D. Robertson (Oct 03)
- Re: stealth ports and IDS Robert McMahon (Oct 03)
- Re: stealth ports and IDS Nilesh Chaudhari (Oct 05)
- stealth ports and IDS James X (Oct 03)
- Re: stealth ports and IDS Zen (Oct 03)
- Re: stealth ports and IDS Paul D. Robertson (Oct 03)
- Re: stealth ports and IDS Todd Underwood (Oct 03)