Security Incidents mailing list archives

Re: Request For Comments from Firewall Community


From: Martin Hoz <mhoz () gama fime uanl mx>
Date: Tue, 17 Jul 2001 21:16:44 -0600

William:

Probably another forum for discussing this is the INCIDENTS
forum.

http://www.securityfocus.org/forums/incidents/intro.html

Their goals are precisely about how to track attacks and how
to deal with them...

Since this matter involves more than just "reporting" and
"blocking" IPs/subnets, it could be worth trying with an
audience more used to dealing with attacks that have already
happened as well as protecting against them (i.e. the Incidents
forum and the firewalls forum).

I like the idea... :-)

Regards.

- Martín.

-- 
Martin H. Hoz-Salvador
EX-A-IEC, EX-A-FIME
http://gama.fime.uanl.mx/~mhoz

"Gimme a firewall sandwich with packet filter bread and
fast ethernet mustard. No pickles, please." - A. A.
"'Firewall sandwich with load balancers' sounds good; I'll
 order two with extra mayonnaise and a Coca Cola" - C. R. Wilson


William Bartholomew wrote:

I am making this suggestion based on Ron DuFresne's [dufresne () winternet com]
email "You're on your own now" last week. I am open to everyone's thoughts
on whether it is a good idea or not or any suggestions that you may have.
This has been written very quickly and is intended as an overview of the
idea only.

Background

As firewall administrators we have all seen a variety of attempts against
the networks that we have been hired to protect; these attacks range from
stab-in-the-dark probes to pinpoint purposeful attacks. However, a large
number of attacks come from a small number of IP addresses, and furthermore
most of the attacks are aimed at wide ranges of IP addresses and as such
affect more than one company and more than just one firewall
administrator. The majority of these attacks are harmless (attacks against
ports such as 23, 111, 135, 137, and 139) as they are usually stopped by our
border firewalls.

Suggestion

What is needed is a facility to allow us to coordinate our efforts to
protect ourselves from that small number of IP addresses that probe our
networks CONSTANTLY. The most effective way for us to do this I believe is a
service similar to ORBS, but instead of tracking open mail relays it tracks
IP addresses that are known threats. Ideally the system would allow IP
addresses to be split into categories and then firewall administrators could
download pre-written rule sets for various firewalls to block the IP
addresses in the categories that they select. A system such as this would
quickly reduce the effectiveness of attacks from these IP addresses as
numerous firewalls would effectively block these ranges even before the
attack is attempted against them.

Potential Problems

* System could be abused by people blocking good IP addresses
  - Possible Soln: Firewall administrators have to register to block IP
    addresses
  - Possible Soln: Multiple requests to block the same IP address have to be
    received before the rule is activated
  - Possible Soln: Log files have to be provided

* Too many rules may be generated
  - Possible Soln: Rules may be split into categories and firewall
    administrators can choose which categories they wish to use
  - Possible Soln: Rules in certain categories may expire after a certain
    time period

* Spoofing of IP addresses
  - Possible Soln: Protected somewhat by the measures shown under "System
    could be abused by people blocking good IP addresses"
  - Possible Soln: Rules may be removed by successful application from the
    owner of the IP address/range

Any thoughts on this would be greatly appreciated.

Kind Regards
William Bartholomew
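A sketch, added here and not part of the thread, of the aggregation logic the proposal and its "Possible Soln" items describe: only registered reporters may submit, a log excerpt is mandatory, an entry activates once a quorum of distinct reporters agree, entries expire per category, the address owner can have an entry removed, and the active set is exported as a rule set. The class and method names and the RFC 5737 test addresses are assumptions.

```python
# Added example: collaborative blocklist with registration, quorum,
# per-category expiry, owner removal and rule export. Names are assumed.
import ipaddress
from collections import defaultdict


class BlocklistService:
    def __init__(self, quorum=3, ttl_by_category=None):
        self.quorum = quorum                    # distinct reporters needed
        self.ttl = ttl_by_category or {}        # category -> seconds (None = no expiry)
        self.reporters = set()                  # registered administrators
        self.reports = defaultdict(dict)        # (ip, category) -> {reporter: (ts, log)}
        self.removed = set()                    # (ip, category) removed on owner request

    def register(self, reporter):
        self.reporters.add(reporter)

    def report(self, reporter, ip, category, ts, log_excerpt):
        # Only registered reporters, and only with evidence attached.
        if reporter not in self.reporters:
            raise PermissionError("unregistered reporter")
        if not log_excerpt:
            raise ValueError("a log excerpt is required")
        ip = str(ipaddress.ip_address(ip))      # rejects malformed addresses
        self.reports[(ip, category)][reporter] = (ts, log_excerpt)

    def owner_remove(self, ip, category):
        # Called after the address owner's removal request was verified.
        self.removed.add((str(ipaddress.ip_address(ip)), category))

    def active(self, category, now):
        # An entry is active only if a quorum of reporters is still unexpired.
        ttl = self.ttl.get(category)
        out = []
        for (ip, cat), by_reporter in self.reports.items():
            if cat != category or (ip, cat) in self.removed:
                continue
            fresh = [r for r, (ts, _) in by_reporter.items()
                     if ttl is None or now - ts <= ttl]
            if len(fresh) >= self.quorum:
                out.append(ip)
        return sorted(out)

    def render_iptables(self, categories, now):
        # Pre-written rule set for the categories an administrator selects.
        return [f"iptables -A INPUT -s {ip} -j DROP  # {cat}"
                for cat in categories for ip in self.active(cat, now)]
```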


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

