Re: a cutting-edge open-source network security project

[travis+ml-firewalls () subspacefield org]

On Wed, May 05, 2010 at 11:39:40PM -0500, Frank Knobbe wrote:
> On Sun, 2010-05-02 at 15:48 -0700, travis+ml-firewalls () subspacefield org
> wrote:
> > [...] Another idea is to "federate" against attacks, so that when your IDS
> > (say, snort) detects an attack from an external entity, you block that
> > entity at multiple locations (each of which run DFD, but which may run
> > entirely different OSes and firewalls).  This hasn't been implemented
> > but could prove itself rapidly useful (if engineered carefully).
>
> When you say "this hasn't been implemented", are you referring to DFD?

Well, yes, I mean I haven't implemented a distributed blocking fabric
with DFD.

> I'm just asking because this approach has been around for a while.
> Snortsam is now nearly a decade old and uses the approach of you call
> "federated" defense, which I call "distributed blocking fabric".
> (Snortsam receives block requests from one or more Snort instances and
> blocks on one of more firewalls, or forwards the request to other
> Snortsam instances). And I can attest that this approach works extremely
> well (detect once, protect many).

I see.  I had heard the name snortsam and looking at it, it seems to have
similar goals.

One might characterize these in two ways:
snortsam can block IPs on multiple firewalls
DFD can implement any rule changes on any firewall

> Snortsam as it stands just works :)  and 2) we're enumerating so many
> hostile IP's (even if only blocked for periods of time) that traditional
> firewalls can no longer handle the load.

Yeah, I discuss some other options in the DFD paper:

http://www.subspacefield.org/security/dfd/#tth_sEc7

You'll note I've also linked to snortsam as related work.

>  Which led me to the development
> of a new firewall module that, coupled with a database driven management
> framework, can now handle transient shunning of millions of IP
> addresses. I almost completed my migration from Snortsam to the new
> framework.

Interesting.  What firewall is it for?  iptables?

Pf has something called tables that are supposed to be relatively
dense IP sets.  Not sure if it would scale to your site's size though;
just a possibility.

> Anyway, it looks like your DFD has a couple interesting features (for
> example, the dynamic NAT stuff).

One thing I'd like to do is design a secure protocol for telling the
NAT device to do port forwarding, so that when an app fires up it
can securely send a structured file that does port forwarding.  I ran
into this when trying to play Civ IV online behind a strict firewall;
I had to google for port numbers and so on, and never finished testing
to make sure I had it right.  Very user-unfriendly.
-- 
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john () subspacefield org to get blacklisted.

Attachment: _bin
Description:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards