Firewall Wizards mailing list archives

Re: RE: IDS


From: Chuck Swiger <chuck () codefab com>
Date: Tue, 24 Jan 2006 08:22:52 -0500

Ben Nagy wrote:
[ ... ]
[Paul]
If you mean "unexpected internal host" then again, I'll say that there's likely been a larger policy or implementation failure. It doesn't take on-the-wire sniffing to see something new trying to relay through the relay host on my network.

What's your preferred method for noticing this stuff? (I'm certainly not
being sarcastic here)
If an internal host is trying to reach port 25 on an external host (or even
a non-mailserver on the inside) then how do you suggest that should be
detected? The firewall deny logs will catch the outbound traffic, but now
we're talking log analysis tools or SIM products to pull the data. What
about the internal traffic from trusted host -> trusted host?

If you're not running a firewall that doesn't let you decide which rules should generate logging, then yes, you're going to need to do more work to analyze those logs.

However, some time ago, before viruses came with their own SMTP engines, an IPFW ruleset like this worked pretty well:

# permit SMTP exchange between pi and pong
add pass tcp from PI HIPORTS to PONG 25 setup
add pass tcp from PONG 25 to PI HIPORTS established

add pass tcp from PONG HIPORTS to PI 25 setup
add pass tcp from PI 25 to PONG HIPORTS established

# track SMTP from inside to outside and block SMTP from outside
add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
add pass tcp from INET HIPORTS to any 25 established
add unreach filter-prohib log tcp from any to INET 25

[ Where PI and PONG are macros which expand to the IP addresses of my external MX relay and the internal reader box, HIPORTS means 1024-65535, and INET refers to the internal network. ]
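The point of the `log` keyword on rule 35 is that the firewall itself separates the expected relay traffic (handled by the earlier PI/PONG rules) from any other internal host opening port 25, so the log analysis that remains is small. As an added example, not part of the original post or of ipfw, here is a short Python script that consumes such log lines and reports internal hosts other than the designated relay that were allowed to open TCP/25, plus a count of inbound SMTP attempts the unreach rule rejected. The syslog line layout ("ipfw: rule action proto src:sport dst:dport in|out via iface", with "Unreach <code>" as the action of an unreach rule) is approximated from FreeBSD output and is an assumption; the sample lines, the 192.0.2.0/24 network standing in for INET and the 192.0.2.10 relay address are constructed.

```python
import re
import ipaddress

# Assumed ipfw syslog line layout (approximation, not taken from the post):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# An "unreach" rule logs its action as "Unreach <icmp-code>", so the action
# field may be two tokens.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reset|Count|Unreach \d+) "
    r"(?P<proto>[A-Z]+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict describing one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["rule"] = int(ev["rule"])
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_unexpected_smtp(lines, internal_net, relay_hosts):
    """Map each internal host that is not a designated relay and was allowed
    to open a TCP/25 connection to the sorted list of destinations it hit."""
    net = ipaddress.ip_network(internal_net)
    relays = {ipaddress.ip_address(h) for h in relay_hosts}
    offenders = {}
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] != 25:
            continue
        if ev["action"] != "Accept":
            continue
        src = ipaddress.ip_address(ev["src"])
        if src in net and src not in relays:
            offenders.setdefault(str(src), set()).add(ev["dst"])
    return {host: sorted(dsts) for host, dsts in offenders.items()}


def count_blocked_inbound_smtp(lines, internal_net):
    """Count TCP/25 attempts towards the internal network that the ruleset
    did not accept, i.e. hits on the logged unreach rule."""
    net = ipaddress.ip_network(internal_net)
    blocked = 0
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] != 25:
            continue
        if ev["action"] != "Accept" and ipaddress.ip_address(ev["dst"]) in net:
            blocked += 1
    return blocked


# Constructed sample log lines using RFC 5737 documentation addresses.
# 192.0.2.0/24 stands in for INET, 192.0.2.10 for the permitted relay.
SAMPLE_LOG = [
    "Jan 24 08:22:52 gw kernel: ipfw: 35 Accept TCP 192.0.2.10:49152 203.0.113.25:25 out via em0",
    "Jan 24 08:23:01 gw kernel: ipfw: 35 Accept TCP 192.0.2.77:51000 198.51.100.9:25 out via em0",
    "Jan 24 08:23:05 gw kernel: ipfw: 35 Accept TCP 192.0.2.77:51001 198.51.100.10:25 out via em0",
    "Jan 24 08:23:09 gw kernel: ipfw: 37 Unreach 13 TCP 198.51.100.50:4444 192.0.2.77:25 in via em0",
    "Jan 24 08:23:12 gw kernel: ipfw: 40 Accept TCP 192.0.2.77:51002 203.0.113.80:443 out via em0",
]

if __name__ == "__main__":
    report = find_unexpected_smtp(SAMPLE_LOG, "192.0.2.0/24", ["192.0.2.10"])
    for host, targets in report.items():
        print(f"{host} opened SMTP to: {', '.join(targets)}")
    print("blocked inbound SMTP attempts:",
          count_blocked_inbound_smtp(SAMPLE_LOG, "192.0.2.0/24"))
```

Run against a real `/var/log/security` the script would be fed the file's lines instead of `SAMPLE_LOG`; the relay allowlist is what turns "any internal host talked to port 25" into "a host that is not supposed to be talking SMTP did", which is the signal the post is after.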

--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards