Subject: Re: False Sense of Security?
From: Brian Caswell (bmcMITRE.ORG)
Date: Thu Nov 16 2000 - 13:32:44 CST


Frank Knobbe wrote:

> That depends. You can have _your systems_ react to it. For example,
> I'm running snort as an IDS inside the network and as an ADS in front
> of the firewall. Any source that tries something that they shouldn't
> (i.e. simply portscan) will trigger an event that automatically
> reconfigures the firewall so that the source is completely blocked
> for a specified time.

I would not go with that policy unless you are willing to deal with being
cut off from the rest of the world. Spoofing scans is quite old hat. What
is to prevent someone from spoofing ftp.yourvendor.com, your.clients.com,
and windowsupdate.microsoft.com and cutting your network off from those
places?

Not much.

Someone with enough time could slowly cut you off from everything.
Well.... Everything except China, since China will be blocked on its
own. :P

While a big red button blinking "FIREWALL THE EVIL HACKERS" is a
nice thing to have sometimes, doing it automatically is not always the
best idea. I would suggest alerting a human, and letting the human decide
if firewalling the source of the attack is a good idea.

--
Brian Caswell
The MITRE Corporation
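The failure mode discussed in this thread (an IDS-triggered firewall block that a spoofed source address turns into a self-inflicted outage) and the two mitigations raised in the reply (a protected list of hosts the site must keep reaching, and handing the decision to a human) can be simulated in a few lines. The following is an added example, not code from either poster, from Neohapsis or from the snort project; it does not talk to snort or to any firewall, and the addresses, hostnames and IDS events in it are constructed placeholders.

```python
"""Simulate an IDS-driven firewall auto-block policy and show the
collateral damage that spoofed scan sources cause (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data (placeholder documentation addresses, not real
# hosts): the external systems the network must keep reaching.
CRITICAL_HOSTS: Dict[str, str] = {
    "203.0.113.10": "ftp.yourvendor.com",
    "203.0.113.20": "your.clients.com",
    "203.0.113.30": "windowsupdate.microsoft.com",
}

# Constructed IDS events as (source address, signature name). The first is
# a genuine scanner; the other two carry spoofed sources picked to match
# hosts the site depends on, as described in the reply above.
EVENTS: List[Tuple[str, str]] = [
    ("198.51.100.7", "portscan"),
    ("203.0.113.10", "portscan"),
    ("203.0.113.30", "portscan"),
]


@dataclass
class Responder:
    """Decides what happens to each alert source (hypothetical policy engine).

    auto_block      -- reconfigure the firewall without asking anyone
    protected       -- addresses that are never auto-blocked
    max_auto_blocks -- cap on unattended blocks; past it a human decides,
                       which bounds how far a slow spoofing campaign can go
    """
    auto_block: bool = True
    protected: Set[str] = field(default_factory=set)
    max_auto_blocks: int = 1_000
    blocked: List[str] = field(default_factory=list)
    pending_review: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, src: str, sig: str) -> str:
        # Anything that might be a spoofed critical address, or that would
        # push the block list past the cap, is queued for a person instead.
        if (not self.auto_block
                or src in self.protected
                or len(self.blocked) >= self.max_auto_blocks):
            self.pending_review.append((src, sig))
            return "review"
        self.blocked.append(src)
        return "blocked"


def run_policy(events: List[Tuple[str, str]], **kwargs) -> Responder:
    """Feed every event through a Responder built with the given settings."""
    resp = Responder(**kwargs)
    for src, sig in events:
        resp.handle(src, sig)
    return resp


def collateral(resp: Responder) -> List[str]:
    """Hostnames the site can no longer reach because of its own firewall."""
    return [CRITICAL_HOSTS[ip] for ip in resp.blocked if ip in CRITICAL_HOSTS]


if __name__ == "__main__":
    naive = run_policy(EVENTS, auto_block=True)
    print("naive:   blocked", naive.blocked, "-> cut off from", collateral(naive))

    guarded = run_policy(EVENTS, auto_block=True, protected=set(CRITICAL_HOSTS))
    print("guarded: blocked", guarded.blocked, "-> queued", guarded.pending_review)

    human = run_policy(EVENTS, auto_block=False)
    print("human:   blocked", human.blocked, "-> queued", len(human.pending_review))
```

The naive policy blocks all three sources and so cuts the site off from its vendor's FTP server and from the update server; the protected list keeps those two reachable but still lets any address not on the list be blocked on the strength of a spoofable packet, which is why the cap and the human-review queue are there as well. The `max_auto_blocks` cap is an assumption of this example, not something the thread proposes.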