Network Security Firewalls

RE: Firewall Dissertation

Subject: RE: Firewall Dissertation
Date: Fri, 20 Jan 2006 08:04:52 -0500
 

-----Original Message-----
From: coder [mailto:elite.coder@ntlworld.com] 
Sent: Thursday, January 19, 2006 4:59 AM
To: firewalls@securityfocus.com
Subject: Firewall Dissertation

Hello everyone,
 
[snip]

So, my idea is, to write a client-side firewall system that can be
configured through a centrally located web interface (which has already
been done) but! interface the firewalls with an IPS/IDS system such as
snort... Snort stores alerts into a database, so, I could just write the
firewalls to look at the database and block off IPs and Ports which are
shown in the alerts. Does such a product already exist? I realise Snort

Yes. It's called Snort-Inline, and it integrates with iptables. An IPS
is conceptually what you are talking about - it combines an IDS with a
firewall. That's probably too simplistic for some but that's the way I
see it.

and other IDS systems give off false positives; that isn't too much of a
biggie, I could deal with that in the following way:

The rules generated from the snort database will have some kind of
marker, so that admins know they were generated by snort. If an admin
takes off a firewall rule because it was a false-positive, then the
firewall will know next time it sees that alert that it was a
false-positive.

I'm also thinking that it will help admins find false-positives too... if
a user complains that he can't do something (something that is within
company policies) then you know that one of the alerts generated was a
false-positive and the IDS can be tuned.

It's a much better idea to run in IDS mode (no blocking) until the admin
understands the type of traffic that should be allowed on the network.
Believe me that most business managers care a lot more about dropped
legitimate traffic than allowed bad traffic (until they get owned of
course...).

I came to work one morning to find the Snort alert "ATTACK-RESPONSES
Microsoft cmd.exe banner" with the classification "successful admin".
Surely, I've been hacked, right? Then I looked at the hosts:
outgoing.securityfocus.com -> our mail server. It was some exploit code
from Bugtraq.

Technology is never the answer, only the tool.

Anyways, if you guys could tell me what you think and if there are any
firewall products out there that use IDS/IPS systems to generate rules.

Thank You

~Davie Elliott


I would recommend Snort-Inline since it is open source and there is a
lot of information to be had about it. As far as tuning goes, it depends
on what you want to know. Some people want to know everything that is
trying to hit their network, so they place the IDS outside the firewall.
In my opinion, that provides you with too much information to be useful.
Some people tune their IDS so it only picks up on alerts they are
actually vulnerable to. This is useless too because by the time the
email hits your inbox it's too late.

I prefer an approach somewhere in the middle, with the IDS inside the
firewall and tuning which ignores some traffic but not all that I'm not
vulnerable to. Which traffic depends on what you want to know. Recon is
fairly important to leave in but know that you will get hundreds or
thousands of ping-related alerts a day.

Hope that helps some.

Derick Anderson
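The rule-marker and false-positive idea from the quoted proposal, worked through as an added example (not code from this thread, from Snort or from Snort-Inline); the sample alerts, the MARKER string, the function names and the iptables comment format are assumptions:

```python
"""Marker / false-positive handling for IDS-generated firewall rules.
Constructed sample alerts stand in for rows read from a Snort database."""
from dataclasses import dataclass

MARKER = "snort-auto"  # assumed marker string, not from the thread


@dataclass(frozen=True)
class Alert:
    sid: int          # Snort signature id
    src_ip: str
    dst_port: int
    proto: str
    msg: str

# Constructed sample alerts (documentation addresses, not real traffic).
SAMPLE_ALERTS = [
    Alert(1000001, "198.51.100.7", 22, "tcp", "SSH brute force"),
    Alert(1000002, "203.0.113.9", 25, "tcp", "ATTACK-RESPONSES cmd.exe banner"),
    Alert(1000001, "198.51.100.7", 22, "tcp", "SSH brute force"),  # repeat
    Alert(1000003, "192.0.2.44", 80, "tcp", "WEB-MISC noisy scanner"),
]


def build_rules(alerts, false_positive_sids, marker=MARKER):
    """Return (rules, skipped): iptables commands for alerts whose sid is
    not a known false positive, plus the alerts that were suppressed."""
    rules, skipped, seen = [], [], set()
    for a in alerts:
        if a.sid in false_positive_sids:
            skipped.append(a)
            continue
        key = (a.src_ip, a.dst_port, a.proto)
        if key in seen:  # one rule per (source, port, protocol)
            continue
        seen.add(key)
        rules.append(
            f"iptables -I INPUT -s {a.src_ip} -p {a.proto} --dport {a.dst_port}"
            f' -m comment --comment "{marker} sid:{a.sid}" -j DROP'
        )
    return rules, skipped


def learn_false_positive(rule, false_positive_sids, marker=MARKER):
    """Called when an admin deletes a rule: if it carries our marker, record
    its sid so the same alert is not turned into a rule again."""
    tag = f"{marker} sid:"
    if tag not in rule:
        return False  # hand-written rule, nothing to learn
    sid = int(rule.split(tag, 1)[1].split('"', 1)[0])
    false_positive_sids.add(sid)
    return True
```

Running the alerts through build_rules a second time after learn_false_positive has recorded a removed rule's sid shows the suppression the proposal describes: the dismissed signature no longer produces a rule.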
