Network Security Firewalls

RE: Firewall Dissertation

Subject: RE: Firewall Dissertation
Date: Fri, 20 Jan 2006 05:39:09 -0800 (PST)
Sir,

With today's semi-intelligent firewalls, many of them already have the capability 
of defending themselves. Many of the Threat Management Platforms on the market 
have a basic built-in IPS/IDS, and if a trigger event is noted the system will 
then either black hole the traffic or shunt it.

This capability is not just limited to firewalls; load balancers such as the 
Radware series have the capability of dumping or redirecting traffic in the 
case of a traffic signature or DDS perceived threat. I have an external load 
balancer that redirects any traffic that matches a defense signature to a 
"honeypot".

As an example, both our load balancers and firewalls will look at packets for 
ones generated by NMAP and dump the packets. If a Nessus scan is used, the 
firewall automatically black holes the IP address and sends an alert to our 
administrators' cell phones, because these "tappings on the door" are sometimes a 
prelude to something else.

There are even services such as those offered by Symantec in which they monitor 
an onsite ManHunt server; if it alerts on traffic it will send the alert to the 
Symantec SOC, then modify the organization's firewalls, usually within seconds 
of an attack. The SOC will then review to make sure the ManHunt made the 
appropriate decision. If it is found to have done so, the "security chain of 
personnel" at the company is then notified by Symantec of the attack.

It is my opinion, only, that any good security administrator will not let the 
unit run and make decisions on its own, because there could be the possibility 
that the traffic is in fact legitimate and therefore causes issues to the 
company. I run Nessus and NMAP within our network, and our internal firewalls can 
and do drop my legitimate scans if I forget to notify them of the scan.

TCP




"coder" <elite.coder@ntlworld.com> 01/19 3:59 AM >>>
Hello everyone,

Some of you may remember my earlier email; I said that I was going to do my
dissertation on a client-side firewall system that can be configured from a
centrally located web interface. Unfortunately most of you responded with
the fact that many companies have already written such a system.
So I have had to think of another project and, unfortunately again, my
dissertation supervisor won't let me change topic, so I have to think of other
issues with firewalls.

Anyways, I did a search on limitations of current firewall technologies, and
one site said a common misconception is that you run a firewall and that's
it, it takes care of itself. We admins know this, firewall rules have to be
added and modified all the time to deal with new threats and policies. But
it did get me thinking that maybe someone could write a firewall that is
semi-self managed.

So, my idea is to write a client-side firewall system that can be
configured through a centrally located web interface (which has already been
done) but! interface the firewalls with an IPS/IDS system such as Snort...
Snort stores alerts into a database, so I could just write the firewalls to
look at the database and block off IPs and ports which are shown in the
alerts. Does such a product already exist? I realise Snort and other IDS
systems give off false positives; that isn't too much of a biggie, I could
deal with that in the following way:

The rules generated from the snort database will have some kind of marker,
so that admins know they were generated by snort.
If an admin takes off a firewall rule because it was a false-positive, then
the firewall will know next time it sees that alert that it was a
false-positive.

I'm also thinking that it will help admins find false positives too... if a
user complains that he can't do something (something that is within company
policies) then you know that one of the alerts generated was a
false positive and the IDS can be tuned.

Anyways, if you guys could tell me what you think and if there are any
firewall products out there that use IDS/IPS systems to generate rules.

Thank You

~Davie Elliott
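The scheme Davie sketches above (read IDS alerts from a database, emit marked firewall rules, and remember rules an admin removed as false positives) as an added worked example; this is not code from the thread, from Snort or from any product mentioned in it. The alert table layout, the `AUTO-IDS` marker, the iptables-style rule text and the sample alert rows are all constructed assumptions for illustration, not Snort's real database schema:

```python
"""Added example, not code from the thread or from Snort: read Snort-style
alert rows from a database, emit firewall block rules carrying a marker so
admins can tell them apart from hand-written rules, and remember which
generated rules an admin removed so the same alert is not blocked again.
The table layout, rule format and sample alerts are constructed assumptions."""
import sqlite3

MARKER = "AUTO-IDS"  # assumed tag placed in each generated rule's comment

# Constructed, simplified alert table (Snort's real schema is different).
SAMPLE_ROWS = [
    (1000001, "192.0.2.10", "tcp", 22, "SSH brute force attempt"),
    (1000002, "198.51.100.7", "tcp", 445, "SMB probe"),
    (1000001, "192.0.2.10", "tcp", 22, "SSH brute force attempt"),  # repeat
    (1000003, "203.0.113.5", "tcp", 80, "Noisy web-scanner signature"),
]


def open_sample_db():
    """Build an in-memory database holding the constructed alert rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (sid INTEGER, src_ip TEXT, proto TEXT, "
               "dst_port INTEGER, msg TEXT)")
    db.executemany("INSERT INTO alert VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def alert_key(sid, src_ip, proto, dst_port):
    """Identity used for false-positive tracking: same signature, source and service."""
    return (sid, src_ip, proto, dst_port)


def rule_text(sid, src_ip, proto, dst_port):
    """iptables-style DROP rule whose comment carries the marker and signature id."""
    return (f"iptables -A INPUT -s {src_ip} -p {proto} --dport {dst_port} "
            f'-m comment --comment "{MARKER} sid={sid}" -j DROP')


def generate_rules(db, suppressed):
    """Map rule text -> alert key for every distinct alert not cleared as a false positive."""
    rules = {}
    for sid, src_ip, proto, dst_port in db.execute(
            "SELECT DISTINCT sid, src_ip, proto, dst_port FROM alert"):
        key = alert_key(sid, src_ip, proto, dst_port)
        if key in suppressed:
            continue  # an admin already marked this alert as a false positive
        rules[rule_text(*key)] = key
    return rules


def learn_from_removals(generated, installed, suppressed):
    """A marked rule that is missing from the installed ruleset was removed
    by an admin; treat its alert as a confirmed false positive from now on."""
    removed = {key for rule, key in generated.items()
               if MARKER in rule and rule not in installed}
    return suppressed | removed


def demo():
    """One full cycle: generate, simulate an admin removal, learn, regenerate."""
    db = open_sample_db()
    suppressed = set()
    first = generate_rules(db, suppressed)  # three distinct rules; the repeat collapses
    # Simulate an admin deleting the web-scanner rule because it blocked legitimate traffic.
    scanner_rule = rule_text(1000003, "203.0.113.5", "tcp", 80)
    installed = set(first) - {scanner_rule}
    suppressed = learn_from_removals(first, installed, suppressed)
    second = generate_rules(db, suppressed)  # the cleared alert is no longer blocked
    return first, suppressed, second


if __name__ == "__main__":
    _, _, second = demo()
    print("\n".join(second))
```

The marker in the rule comment is what makes the feedback loop work: only rules the generator itself wrote are eligible to be "learned" from when they disappear, so hand-written rules an admin removes are never mistaken for cleared false positives. The suppressed set is the piece a real deployment would persist between runs, and reviewing it periodically is how the IDS tuning Davie mentions would be fed back.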



                