Davie
In the early days of Network IPS when IDS vendors simply ported over
signature databases and packaged Inline IDS as IPS the idea of active
response was common. Active Response entails sending TCP RST packets to both
ends of a connection to drop malicious traffic and through the use of
shunning or automatic adding of Firewall rules. This seems to be something
similar to what you are trying to achieve on the host side. By strict
definition an IPS should be able to provide access control without relying
on other security devices on the network. So next generation Intrusion
Prevention has already evolved beyond the rather iffy technology of active
response. It's exactly your point about false positives that made auto
updating of FW rules to be something that most companies weren't willing to
implement.
To play with Active Response on Snort you must run your UNIX configure
script with the flexresp switch as follows:
./configure -enable-flexresp
Check out the following SANS FAQ.
http://www.sans.org/resources/idfaq/active.php
Has what you're attempting been done before? Yeah kinda.
David.
"coder" <elite.coder@ntlworld.com>
No Phone Info Available
01/19/2006 05:59 PM
To
<firewalls@securityfocus.com>
cc
Subject
Firewall Dissertation
Hello everyone,
Some of you may remember my earlier email, I said that I was going to do
my dissertation on a client-side firewall system that can be configured
from
a centrally located web interface. Unfortunately most of you responded with
the fact that many companies have already written such a system.
So I have had to think of another project and unfortunately again, my
dissertation supervisor wont let me change top, so I have to think of
other
issues with firewalls.
Anyways, I did a search on limitations of current firewall technologies,
and
one site said a common misconception is that you run a firewall and that's
it, it takes care of itself. We admins know this, firewall rules have to
be
added and modified all the time to deal with new threats and policies. But
it did get me thinking that maybe someone could write a firewall that is
semi-self managed.
So, my idea is, to write a client-side firewall system that can be
configured through a centrally located web interface (which has already
been
done) but! interface the firewalls with an IPS/IDS system such as snort...
Snort stores alerts into a database, so, I could just write the firewalls
to
look at the database and block off IPs and Ports which are shown in the
alerts. Does such a product already exist? I realise Snort and other IDS
systems give off false positives, that isn't too much of a biggie I could
deal with that in the following way:
The rules generated from the snort database will have some kind of marker,
so that admins know they were generated by snort.
If an admin takes off a firewall rule because it was a false-positive,
then
the firewall will know next time it sees that alert that it was a
false-positive.
I'm also thinking that it will help admins find false-positives too... if
a
user complains that he cant do something (something that is within company
policies) then you know that one of the alerts generated was a
false-positive and the IDS can be tuned.
Anyways, if you guys called tell me what you think and if there are any
firewall products out there that use IDS/IPS systems to generate rules.
Thank You
~Davie Elliott
_________________________________________________________________
FREE English Booklet! Improve your English.
http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN03-08ETFJ-0211E
