From: Ryan Permeh (ryanEEYE.COM)
Date: Tue Apr 10 2001 - 20:18:08 CDT


Snort does not do anything like he was asking. Snort is a very good basic
IDS. He is looking at stopping packets, not just logging strange packets (or
attacks). (Same goes with the mention of Ethereal before.)

Windows 2000 offers some semblance of what you are looking for. Look into
the IP security policy for your machine. The rulesets allowed can be pretty
much as complex as you need in a simple packet filtering situation.

NT4 offers a very, very, very limited version of this.

Packet filtering has the distinct advantage of being able to stop a packet
from ever actually getting to the natural IP stack. A good packet filter
will just drop packets. A closed port will elicit an RST (or other
appropriate behavior). The difference is this: a packet filter drops
packets and doesn't respond; a closed port accepts packets and then
responds. A decent packet filter also allows the ability to log hits to
specific filtered ports, and if the filter doesn't suck, even stop strange
packets (with options|flags|certain bits set), even on an open port,
hopefully protecting not just closed ports, but open ports too.

With proper firewall rules (and a sane network layout), a secured DMZ
shouldn't really need packet filters, but layers are always a good idea,
since you may leave a rule open on one or the other for testing and forget
to set it again.

Good luck with your specific situation, I hope the built-in filters work for
you.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "H C" <keydet89YAHOO.COM>
To: <FOCUS-MSSECURITYFOCUS.COM>
Sent: Tuesday, April 10, 2001 1:11 PM
Subject: Re: 2K/NT packet filter recommendations?

> You might want to look at Snort for this. Snort runs
> very well on NT, thanks to Mike Davis.
>
> However, what I don't see is why you would want packet
> filtering. Why not simply disable whichever service
> is listening on those ports you want to close? Or are
> you looking for a method of auditing and logging?
>
> I seem to remember (don't quote me, I'm not at my home
> computer) that you can designate which interface Snort
> is supposed to bind to... which gives you your
> multiple-NIC functionality.
>
> --- John Girvin <john.girvinOSARIUS.COM> wrote:
> > Hi,
> >
> > I'd like to add packet filters to my NT/2K server
> > boxes as a second line of defence behind the main
> > firewall.
> >
> > Some of the boxes have more than one NIC and I'd
> > like/need to be able to configure different filter
> > rules for each separately. Packet logging would be
> > a bonus too.
> >
> > This needs to be done on a zero/tight budget so I've
> > been looking around the "personal firewall" class of
> > product, but nothing I've come across so far can do
> > the multiple-NIC trick.
> >
> > So I'm looking for suggestions... can anyone
> > recommend a free/cheap packet filter that supports
> > multiple NICs?
> >
> > Thanks,
> > /John
>
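The distinction Ryan draws above (a filter silently drops a packet before the IP stack sees it, whereas a closed port reaches the stack and answers with an RST or ICMP unreachable; a good filter also logs hits and discards malformed flag combinations even on open ports, with separate rules per NIC) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from the thread, from Snort, or from the Windows 2000 IP security policy; the interface names `nic0`/`nic1`, the listening-port table, the rule set and the list of bad TCP flag combinations are all constructed sample data.

```python
"""Toy host packet filter: per-NIC first-match rules, default drop, hit logging,
and a pre-check that discards malformed TCP flag sets before any rule runs.
stack_response() models what the sender observes after the filter decides.
All data below (interface names, listeners, rules) is constructed for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                             # NIC the packet arrived on
    proto: str                             # "tcp" or "udp"
    dst_port: int
    flags: FrozenSet[str] = frozenset()    # TCP flags; empty for UDP


@dataclass(frozen=True)
class Rule:
    iface: str                  # NIC name or "*" for any interface
    proto: str                  # "tcp", "udp" or "*"
    dst_port: Optional[int]     # None matches any port
    action: str                 # "accept" or "drop"
    log: bool = False           # record a hit whenever this rule matches

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("*", pkt.iface)
                and self.proto in ("*", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


# Constructed sample: ports with a service actually listening, per NIC.
LISTENING = {"nic0": {80, 443}, "nic1": {3389}}

# TCP flag combinations that no well-formed segment carries (constructed list).
BAD_FLAG_SETS = (
    frozenset(),                        # no flags at all
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),
)


def is_strange(pkt: Packet) -> bool:
    """True for TCP segments whose flag set is one no legitimate sender produces."""
    return pkt.proto == "tcp" and pkt.flags in BAD_FLAG_SETS


class HostFilter:
    """First-match rule evaluation per interface; anything unmatched is dropped."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def verdict(self, pkt: Packet) -> str:
        # Malformed flag sets are discarded before rules are consulted, so an
        # accept rule for an open port does not let them through either.
        if is_strange(pkt):
            self.log.append(f"DROP strange flags={sorted(pkt.flags)} "
                            f"{pkt.iface} {pkt.proto}/{pkt.dst_port}")
            return "DROP"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{rule.action.upper()} rule hit "
                                    f"{pkt.iface} {pkt.proto}/{pkt.dst_port}")
                return rule.action.upper()
        self.log.append(f"DROP default {pkt.iface} {pkt.proto}/{pkt.dst_port}")
        return "DROP"


def stack_response(pkt: Packet, verdict: str) -> str:
    """What the remote sender sees once the filter has decided."""
    if verdict == "DROP":
        return "no response"            # discarded before the IP stack saw it
    if pkt.dst_port in LISTENING.get(pkt.iface, set()):
        return "delivered to service"
    # The packet reached the stack but nothing listens: the stack answers.
    return "RST" if pkt.proto == "tcp" else "ICMP port unreachable"


def observe(flt: HostFilter, pkt: Packet) -> str:
    return stack_response(pkt, flt.verdict(pkt))


def build_filter() -> HostFilter:
    """Constructed rule set: web on nic0, RDP only on nic1, UDP open on nic1."""
    return HostFilter([
        Rule("nic0", "tcp", 80, "accept"),
        Rule("nic0", "tcp", 443, "accept"),
        Rule("nic0", "tcp", 3389, "drop", log=True),   # explicit, logged drop
        Rule("nic1", "tcp", 3389, "accept"),
        Rule("nic1", "tcp", 80, "accept"),             # accepted, but no listener
        Rule("nic1", "udp", None, "accept"),
    ])


if __name__ == "__main__":
    flt = build_filter()
    syn = frozenset({"SYN"})
    for pkt in (Packet("nic0", "tcp", 80, syn), Packet("nic0", "tcp", 3389, syn),
                Packet("nic1", "tcp", 80, syn), Packet("nic0", "tcp", 80, frozenset({"SYN", "FIN"})),
                Packet("nic1", "udp", 53)):
        print(f"{pkt.iface} {pkt.proto}/{pkt.dst_port} {sorted(pkt.flags)} -> {observe(flt, pkt)}")
    print("\n".join(flt.log))
```

The `nic1` rule that accepts TCP/80 with no listener behind it is deliberate: it is the "closed port accepts and then responds" case, and the RST it produces is exactly the information leak a filter-level drop avoids. The log is what lets a defender see which NIC and port an unexpected packet was aimed at without the stack ever answering.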