Firewall Wizards mailing list archives

Re: A fun smackdown...

From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 19 May 2005 18:40:38 -0400 (EDT)

On Thu, 19 May 2005, Chuck Swiger wrote:

Now I've got one for you;  Why do some people run firewalls with a
single
"allow all" rule, and what can you do to make that less risky than the
"deny all" example?


A firewall with allow-all is simply a router.


You'd be surprised at the number of "Yes we have a firewall!"'s I've seen
with an allow all...

I've disabled the firewall on my Linksys BEFS81 broadband router I use
at home because the FreeBSD box set up as my DMZ host is set up as a
honeytrap.  A BSD network stack seems to time out TCP connections after
about 10 minutes, if no traffic goes by, but you can get a Windows worm
stuck for days if you reply using a 0 window size.

I suspect that using greylisting, honeytraps, teergrubes, and similiar
techniques can do a lot to help slow down the spread rates of malware
and spam.  That's one way of making an "allow all" rule less risky than
the "deny all" rule might be.  Of course, you have to make sure your
honeytrap software is up to the task, which is not as easy as it might
seem.


I still don't see that as less risky.


Has anyone else tried setting up several honeytraps across their
address space?  Have you noticed a difference in connection rates
between IP addresses at the far ends of your IP range, compared with
honeytrap IP's in the middle?


I haven't, but I know a lot of worms generate addresses to try to infect
with non-random algorithms.  Most people I know who do that sort of thing
tend to grab the first bit of traffic, talking enough of whatever protocol
it is to characterize it and tally it up.  I'd bet the breakdown by
protocol and malcode instance would be interesting, but it's a heck of a
lot of work to keep it updated.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: A fun smackdown..., (continued)
- - - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Adam Shostack (May 21)
    - Re: A fun smackdown... Ryan McBride (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Steven M. Bellovin (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Don Kendrick (May 24)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Chuck Swiger (May 19)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Chuck Swiger (May 19)
    - Re: A fun smackdown... Paul D. Robertson (May 19)
    - Re: A fun smackdown... Marcus J. Ranum (May 20)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - Re: A fun smackdown... Chuck Swiger (May 21)
    - Re: A fun smackdown... Marcus J. Ranum (May 21)
    - RE: A fun smackdown... Bill Royds (May 24)
    - Re: A fun smackdown... Joseph S D Yao (May 20)
    - Re: A fun smackdown... Chuck Swiger (May 20)

(Thread continues...)