IDS Archives: RE: IDS: Combining IDS and firewalls

RE: IDS: Combining IDS and firewalls


Jeff Oliver (jeff@netsentry.net)
Mon, 13 Sep 1999 09:15:16 -0700


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

---
Hi,

We've been testing Abacus PortSentry. http://www.psionic.com

This app sits on a firewall and works in conjunction with TCP Wrappers and IPChains.

You can set the ports it listens and broadcasts on. Ports appear to be open to an initial port scan, thus piquing the cracker's interest. A second scan on the designated ports monitored by Sentry will result in the source IP being assigned a deny rule in IPChains, thus (temporarily, at least) blocking access to the IP of the firewall. It can do UDP as well.

It has side effects - knob employees who like to run port scans and the like on the DMZ find they are able to block the internal subnets from going through the firewall entirely, although the usual TCP Wrappers use of hosts.deny and hosts.allow can fix this. I didn't allow our internal subnet, to prevent spoofed IPs.

It's Open Source (as I recall) and is updated frequently. Can cause slight problems if you aren't running a web proxy.

-----Original Message-----
From: owner-ids@uow.edu.au [mailto:owner-ids@uow.edu.au] On Behalf Of CyberPsychotic
Sent: Sunday, September 12, 1999 10:04 AM
To: Bill Royds
Cc: List IDS
Subject: Re: IDS: Combining IDS and firewalls


---
~
~   Has anyone any experience in combining firewalls with IDS? Several
~ commercial Intrusion Detection systems can generate new firewall rules
~ on the fly to block the possible intrusion. Has anyone used this and
~ has had good or bad experience with it?
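The behaviour Jeff describes above (decoy ports that look open to a first scan, a repeat hit from the same source producing an ipchains DENY rule plus a hosts.deny entry, and an allow/ignore list that keeps trusted subnets from locking themselves out) is modelled below as an added example. It is not PortSentry's code and not part of the original thread; the port list, the ignore network and the packet sequences are constructed sample data, the class and function names are my own, and the rule strings are only built, never executed.

```python
"""
Toy model of decoy-port auto-blocking as described in the post above.

Added illustration for this archive page, not PortSentry's source.
Decoy ports, ignore networks and packet lists are constructed samples;
the ipchains / hosts.deny templates follow the syntax of the period but
are only rendered as strings here.
"""
import ipaddress
from collections import defaultdict

# Decoy TCP ports nothing legitimate should connect to (constructed sample).
DECOY_TCP_PORTS = {1, 11, 15, 79, 111, 540, 1524, 12345, 31337}

# Reaction templates; $TARGET$ is replaced with the offending source address.
IPCHAINS_DENY = "/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
HOSTS_DENY = "ALL: $TARGET$"


class DecoyPortWatcher:
    """Counts per-source hits on decoy ports and decides when to block."""

    def __init__(self, decoy_ports, ignore_nets=(), scan_trigger=1):
        self.decoy_ports = set(decoy_ports)
        # Sources inside these networks are never counted or blocked,
        # the equivalent of a hosts.allow / ignore file (assumption).
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        # Decoy hits a source may make before the next one blocks it:
        # 1 reproduces "first scan looks open, second scan gets denied".
        self.scan_trigger = scan_trigger
        self.hits = defaultdict(int)
        self.blocked = {}  # src -> (ipchains command, hosts.deny line)

    def is_ignored(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore_nets)

    def observe(self, src, dport):
        """Handle one inbound TCP connection attempt; return the action taken."""
        if src in self.blocked:
            return "dropped"          # the DENY rule now eats all traffic from src
        if dport not in self.decoy_ports:
            return "pass"             # not a decoy port, nothing to do
        if self.is_ignored(src):
            return "ignore"           # trusted subnet: never counted
        self.hits[src] += 1
        if self.hits[src] > self.scan_trigger:
            self.blocked[src] = (
                IPCHAINS_DENY.replace("$TARGET$", src),
                HOSTS_DENY.replace("$TARGET$", src),
            )
            return "block"
        return "count"

    def rules_for(self, src):
        """The (ipchains, hosts.deny) pair generated for src, or None."""
        return self.blocked.get(src)


def replay(packets, ignore_nets=(), scan_trigger=1):
    """Feed (src, dport) pairs through a fresh watcher; return actions and watcher."""
    watcher = DecoyPortWatcher(DECOY_TCP_PORTS, ignore_nets, scan_trigger)
    actions = [watcher.observe(src, dport) for src, dport in packets]
    return actions, watcher


# Constructed samples: an outside scanner walking a few ports, and an
# internal host running the same kind of scan against the firewall.
OUTSIDE_SCAN = [("203.0.113.7", 22), ("203.0.113.7", 79),
                ("203.0.113.7", 111), ("203.0.113.7", 80)]
INSIDE_SCAN = [("10.1.2.3", 79), ("10.1.2.3", 111)]

if __name__ == "__main__":
    actions, w = replay(OUTSIDE_SCAN)
    print(actions)                       # ['pass', 'count', 'block', 'dropped']
    print(w.rules_for("203.0.113.7"))
    print(replay(INSIDE_SCAN)[0])        # ['count', 'block']: internal host locked out
    print(replay(INSIDE_SCAN, ignore_nets=["10.0.0.0/8"])[0])  # ['ignore', 'ignore']
```

Running the three replays shows both halves of the post: an outside scanner gets one free look and is denied on the second hit, an internal scanner without an ignore entry blocks its own subnet at the firewall, and adding 10.0.0.0/8 to the ignore list stops that. The same replay also shows why Jeff left the internal subnet out of the allow list: a packet whose source is spoofed into an ignored range is never counted, and more generally any blocker keyed on source address can be turned against a third party by spoofing that party's address, so the generated DENY rules should be temporary, as the post notes they are.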



This archive was generated by hypermail 2.0b3 on Tue Sep 14 1999 - 00:20:03 CDT