Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Firewall Disseration

from [Jason Barrett] Network Security [Permanent Link]
Subject: Re: Firewall Disseration
Date: Fri, 20 Jan 2006 16:00:34 -0600
You are essentially talking about host based intrusion detection, or host based firewalls with deep packet inspection.  Entrasys is a commercial product that fulfills this need: http://www.enterasys.com/products/ids/

I'm sure someone will correct me if I am wrong, but I am not aware of any host based intrusion detection/prevention systems for Windows that is centrally managed and based on Snort, so that might be an opportunity for your thesis.

Creating firewall rules based on the port information in the snort database would be limiting.  For instance, several critical vulnerabilities exist that are exploited on outbound port 80.  A firewall rule generated off of this snort rule would block Internet access.  Probably something most companies don't want to do.
Jason A. Barrett
knotam@knotam.com


coder wrote:
Hello everyone,
 
Some of you may remember my earlier email, I said that I was going to do my dissertation on a client-side firewall system that can be configured from a centrally located web interface. Unfortunately most of you responded with the fact that many companies have already written such a system.
So I have had to think of another project and unfortunately again, my dissertation supervisor wont let me change top, so I have to think of other issues with firewalls.
 
Anyways, I did a search on limitations of current firewall technologies, and one site said a common misconception is that you run a firewall and that's it, it takes care of itself. We admins know this, firewall rules have to be added and modified all the time to deal with new threats and policies. But it did get me thinking that maybe someone could write a firewall that is semi-self managed.
 
So, my idea is, to write a client-side firewall system that can be configured through a centrally located web interface (which has already been done) but! interface the firewalls with an IPS/IDS system such as snort... Snort stores alerts into a database, so, I could just write the firewalls to look at the database and block off IPs and Ports which are shown in the alerts. Does such a product already exist? I realise Snort and other IDS systems give off false positives, that isn't too much of a biggie I could deal with that in the following way:
 
The rules generated from the snort database will have some kind of marker, so that admins know they were generated by snort.
If an admin takes off a firewall rule because it was a false-positive, then the firewall will know next time it sees that alert that it was a false-positive.
 
I'm also thinking that it will help admins find false-positives too... if a user complains that he cant do something (something that is within company policies) then you know that one of the alerts generated was a false-positive and the IDS can be tuned.
 
Anyways, if you guys called tell me what you think and if there are any firewall products out there that use IDS/IPS systems to generate rules.
 
Thank You
 
~Davie Elliott
 
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: CheckPoint Splat problem, adrian.coelho
Next by Date:  RE: Firewall Dissertation, coder
Previous by Thread:  Firewall Disseration, coder
Next by Thread:  New Tool: Windows Permission Identifier v1.0, [at]
Indexes:  [Date] [Thread] [Top] [All Lists]