
| Subject: | RE: Firewall Dissertation |
|---|---|
| Date: | Fri, 20 Jan 2006 22:29:04 -0000 |
Just out of interest, if your client-side firewall is monitoring packets to block certain connections... wouldn't this be a bit ineffective?

From what I understand, when IDS systems such as Snort monitor a packet, other packets slip by... and as will be happening on a client where most of the processing power will be focused on the apps the user is running, even more packets will slip by.

Which is one reason why I'm suggesting a dedicated Snort machine be set up that the firewall can interface with. I realise that Snort is only one implementation of an IDS, but I only have 2 months to write a thesis and I can say that if someone wants to take on the project they can adapt it to use other IDS systems. And lastly, for "moronic" rules that Snort might get the firewall to apply (e.g. if there is an attack on port 80, the firewall will block port 80), the admins can put these rules into the ignore table I will create.

Cheers,
Davie

coder wrote:

> Hello everyone,
>
> Some of you may remember my earlier email, I said that I was going to do my dissertation on a client-side firewall system that can be configured from a centrally located web interface. Unfortunately most of you responded with the fact that many companies have already written such a system. So I have had to think of another project and unfortunately again, my dissertation supervisor won't let me change topic, so I have to think of other issues with firewalls.
>
> Anyways, I did a search on limitations of current firewall technologies, and one site said a common misconception is that you run a firewall and that's it, it takes care of itself. We admins know this, firewall rules have to be added and modified all the time to deal with new threats and policies. But it did get me thinking that maybe someone could write a firewall that is semi-self managed.
>
> So, my idea is, to write a client-side firewall system that can be configured through a centrally located web interface (which has already been done) but! interface the firewalls with an IPS/IDS system such as Snort... Snort stores alerts into a database, so, I could just write the firewalls to look at the database and block off IPs and ports which are shown in the alerts. Does such a product already exist?
>
> I realise Snort and other IDS systems give off false positives, that isn't too much of a biggie, I could deal with that in the following way: The rules generated from the Snort database will have some kind of marker, so that admins know they were generated by Snort. If an admin takes off a firewall rule because it was a false positive, then the firewall will know next time it sees that alert that it was a false positive. I'm also thinking that it will help admins find false positives too... if a user complains that he can't do something (something that is within company policies) then you know that one of the alerts generated was a false positive and the IDS can be tuned.
>
> Anyways, if you guys could tell me what you think and if there are any firewall products out there that use IDS/IPS systems to generate rules.
>
> Thank You
> ~Davie Elliott
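The alert-to-rule pipeline sketched in the thread (read Snort's alert table, generate marked firewall rules, remember rules an admin removed so the same alert is ignored next time, and keep "block port 80" style rules out) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from either poster; the `Alert` and `BlockRule` types, the `SAMPLE_ALERTS` rows and the `10.0.0.0/8` internal range are constructed stand-ins for a real Snort database and site policy.

```python
"""Hypothetical Snort-alert-to-firewall-rule pipeline (added example, not the posters' code)."""
import ipaddress
from dataclasses import dataclass

MARKER = "snort-auto"  # tag carried on every generated rule so admins can tell it apart


@dataclass(frozen=True)
class Alert:
    sid: int        # Snort signature id that fired
    src_ip: str     # source address recorded in the alert
    dst_port: int   # destination port the traffic was aimed at
    msg: str


@dataclass(frozen=True)
class BlockRule:
    src_ip: str
    sid: int

    def key(self):
        # (signature, source) is the unit the ignore table remembers
        return (self.sid, self.src_ip)

    def iptables(self):
        # The marker rides in the rule comment (iptables 'comment' match module),
        # so 'iptables -L' shows which rules this pipeline created.
        return (f"iptables -A INPUT -s {self.src_ip} -j DROP "
                f"-m comment --comment '{MARKER}:sid={self.sid}'")


# Constructed sample rows standing in for a query of Snort's alert table.
SAMPLE_ALERTS = [
    Alert(1000001, "203.0.113.5", 80, "WEB-ATTACK probe"),
    Alert(1000001, "203.0.113.5", 80, "WEB-ATTACK probe"),    # repeated alert
    Alert(1000002, "198.51.100.7", 22, "SSH brute force"),
    Alert(1000003, "10.0.0.20", 445, "SMB scan from inside"),  # internal host
    Alert(1000004, "192.0.2.9", 80, "known-noisy signature"),  # admin already ignored
]


def generate_rules(alerts, ignore_table, internal_nets):
    """Turn alerts into per-source block rules.

    - Blocks the *source host*, never the destination port, so an attack on
      port 80 does not become "block port 80 for everyone".
    - Skips (sid, src_ip) pairs an admin has marked as false positives.
    - Skips sources inside our own networks; those need a person, not a rule.
    - Collapses repeated alerts for the same pair into one rule.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    rules = {}
    for a in alerts:
        key = (a.sid, a.src_ip)
        if key in ignore_table:
            continue
        if any(ipaddress.ip_address(a.src_ip) in n for n in nets):
            continue
        rules.setdefault(key, BlockRule(a.src_ip, a.sid))
    return list(rules.values())


def admin_removes_rule(rule, ignore_table):
    """An admin deleting a generated rule teaches the pipeline it was a false positive."""
    ignore_table.add(rule.key())
    return ignore_table


if __name__ == "__main__":
    ignore = {(1000004, "192.0.2.9")}
    for r in generate_rules(SAMPLE_ALERTS, ignore, ["10.0.0.0/8"]):
        print(r.iptables())
```

Two design points worth noting: the ignore table is keyed on the signature and the source, not the whole rule, so the same false-positive signature from a different host still produces a rule; and because blocking is driven by the source address an alert reports, spoofed or shared-NAT sources can cause legitimate addresses to be blocked, which is why the internal-network exclusion and the admin review loop are part of the pipeline rather than an afterthought.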