Firewall Wizards mailing list archives
Re: a cutting-edge open-source network security project
From: travis+ml-firewalls () subspacefield org
Date: Fri, 7 May 2010 15:31:12 -0700
On Wed, May 05, 2010 at 11:39:40PM -0500, Frank Knobbe wrote:
On Sun, 2010-05-02 at 15:48 -0700, travis+ml-firewalls () subspacefield org wrote:[...] Another idea is to "federate" against attacks, so that when your IDS (say, snort) detects an attack from an external entity, you block that entity at multiple locations (each of which run DFD, but which may run entirely different OSes and firewalls). This hasn't been implemented but could prove itself rapidly useful (if engineered carefully).When you say "this hasn't been implemented", are you referring to DFD?
Well, yes, I mean I haven't implemented a distributed blocking fabric with DFD.
I'm just asking because this approach has been around for a while. Snortsam is now nearly a decade old and uses the approach of you call "federated" defense, which I call "distributed blocking fabric". (Snortsam receives block requests from one or more Snort instances and blocks on one of more firewalls, or forwards the request to other Snortsam instances). And I can attest that this approach works extremely well (detect once, protect many).
I see. I had heard the name snortsam and looking at it, it seems to have similar goals. One might characterize these in two ways: snortsam can block IPs on multiple firewalls DFD can implement any rule changes on any firewall
Snortsam as it stands just works :) and 2) we're enumerating so many hostile IP's (even if only blocked for periods of time) that traditional firewalls can no longer handle the load.
Yeah, I discuss some other options in the DFD paper: http://www.subspacefield.org/security/dfd/#tth_sEc7 You'll note I've also linked to snortsam as related work.
Which led me to the development of a new firewall module that, coupled with a database driven management framework, can now handle transient shunning of millions of IP addresses. I almost completed my migration from Snortsam to the new framework.
Interesting. What firewall is it for? iptables? Pf has something called tables that are supposed to be relatively dense IP sets. Not sure if it would scale to your site's size though; just a possibility.
Anyway, it looks like your DFD has a couple interesting features (for example, the dynamic NAT stuff).
One thing I'd like to do is design a secure protocol for telling the NAT device to do port forwarding, so that when an app fires up it can securely send a structured file that does port forwarding. I ran into this when trying to play Civ IV online behind a strict firewall; I had to google for port numbers and so on, and never finished testing to make sure I had it right. Very user-unfriendly. -- A Weapon of Mass Construction My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ If you are a spammer, please email john () subspacefield org to get blacklisted.
Attachment:
_bin
Description:
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- a cutting-edge open-source network security project travis+ml-firewalls (May 03)
- Re: a cutting-edge open-source network security project Frank Knobbe (May 06)
- Re: a cutting-edge open-source network security project ArkanoiD (May 07)
- Re: a cutting-edge open-source network security project travis+ml-firewalls (May 17)
- Re: a cutting-edge open-source network security project travis+ml-firewalls (May 07)
- Re: a cutting-edge open-source network security project ArkanoiD (May 07)
- Re: a cutting-edge open-source network security project Darren Reed (May 19)
- Re: a cutting-edge open-source network security project Thomas Ptacek (May 20)
- Re: a cutting-edge open-source network security project Darren Reed (May 20)
- Re: a cutting-edge open-source network security project Thomas Ptacek (May 20)
- Re: a cutting-edge open-source network security project Frank Knobbe (May 06)