FW MIB - was: How do you fight an attack in progress?
GEIS (Adam.Safier@geis.ge.com)
Tue, 23 Sep 1997 20:04:18 -0400
The firewall MIB thing didn't go far due to my lack of time, minor show
of interest and few contributions. Besides, an IETF group tackled the
job of defining a general purpose management MIB and even scripting
standards to go with it. Alas, every one of their drafts that I managed
to look at so far simply says "this document does not address security".
As a nod to security the agreed upon transport was (?) SNMPv2. I really
should take a day to catch up on their activity, and then take a minute
to post to their mailing list and bitch.
Question: would adding an MD5 hash/signature to each packet create huge
amounts of processor overhead? My understanding is that MD5 or signatures
are generally low cost.
Currently at least some firewalls send SNMP traps as part of an alarm
situation. Those could trigger action scripts in the management
systems. The problem is defining all the actions you want the system to
start taking and gluing all the finger/trace modules on different
systems together. Some AI log analysis would be nice. Some network
management systems now have programmable agents on remote hosts. You
might be able to set those up to launch higher-processing-cost
custom-written intrusion-monitors when they get SNMP commands from the
central system.
Adam
---------------
Adam Safier, Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737 Internal: 8*273-5737 Fax: 301-340-4005
Adam.Safier@geis.ge.com http://www.geis.com
I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------
> -----Original Message-----
> From: John Lines [SMTP:John.Lines@aeat.co.uk]
> Sent: Tuesday, September 23, 1997 9:24 AM
> To: firewall-wizards@nfr.net
> Subject: Re: How do you fight an attack in progress?
>
....
> While on the topic of alerts - there was discussion of a Firewalls MIB on
> the firewalls list quite a long time ago - did anything come of it?
> Many organisations have an existing alerting structure to handle on-call
> support people, duty incident managers etc, often based around an SNMP
> system.
> (In the context of this thread I am not sure how useful a Firewalls MIB can
> be for conveying the full alarm state of the firewall, as to write a MIB you
> must decide in advance what the full set of alarm conditions might be.
> When this was last being discussed there was no need for an alarm for
> "Content Vectoring Protocol scanner has discovered an Internet Explorer exploit
> in some web page")
>
>
> John Lines
>
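Adam's question above, whether authenticating each management packet with MD5 is cheap, as an added example that is not code from the original post: HMAC-MD5-96 authentication of a constructed trap payload in Python, with a tamper check and a rough per-message cost measurement. The payload format, host name and key are constructed for the example; the point a receiver needs is the keyed HMAC (as SNMPv3's User-based Security Model uses it), since a bare MD5 hash can be recomputed by anyone who alters the message.

```python
import hmac
import hashlib
import os
import time

# Constructed sample trap payload, loosely modelled on a firewall alarm trap
# (plain bytes, not real SNMP/BER encoding).
SAMPLE_TRAP = b"trap:fw1.example.net:alarm=denied-connections:count=512"

# HMAC-MD5-96: the first 12 bytes of HMAC-MD5, the truncation SNMPv3 USM uses.
TAG_LEN = 12


def authenticate(key: bytes, payload: bytes) -> bytes:
    """Return payload || 96-bit HMAC-MD5 tag computed under the shared key."""
    tag = hmac.new(key, payload, hashlib.md5).digest()[:TAG_LEN]
    return payload + tag


def verify(key: bytes, message: bytes):
    """Return the payload if the tag checks out, else None.
    Uses a constant-time comparison so the check itself leaks nothing."""
    if len(message) <= TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.md5).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def cost_per_message(key: bytes, payload: bytes, n: int = 100_000) -> float:
    """Microseconds per authenticate+verify round trip, measured on this machine."""
    start = time.perf_counter()
    for _ in range(n):
        verify(key, authenticate(key, payload))
    return (time.perf_counter() - start) / n * 1e6


if __name__ == "__main__":
    key = os.urandom(16)  # shared secret between agent and manager (constructed here)
    msg = authenticate(key, SAMPLE_TRAP)
    print("verified:", verify(key, msg) == SAMPLE_TRAP)
    # Same-length edit of the alarm count: the tag no longer matches.
    tampered = msg.replace(b"count=512", b"count=001")
    print("tampered accepted:", verify(key, tampered) is not None)
    print(f"~{cost_per_message(key, SAMPLE_TRAP):.2f} us per message")
```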
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT