Great Circle Associates Firewalls
(December 1997)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: dinamics filtering rules
From: Ted Doty <ted @ iss . net>
Date: Mon, 08 Dec 1997 17:21:23 -0500
To: firewalls @ greatcircle . com

"Craig I. Hagan" <hagan @
 cih .
 com> wrote:

>I've always wondered about things like this. are they smart and have
>multiple classes of rules: those that can't be changed, those that can be
>only added, and those that can be both added and removed? If so, do that
>handle rules that are in conflict in the sane (most secure)  way, or in a
>first/last/best seen? 

The easiest (conceptually) to understand use for dynamic filtering is to
block (sometimes called "shun") someone detected doing a known nasty
through a permitted firewall service (for example, someone trying to use
the identd buffer overflow in conjunction with email).  Not sure how
"smart" this dynamic method has to be ... more like a "Bad dog! No
biscuit!" situation.

I'd imagine that most implementations time out after a set period.  I'd
sure want operator intervention for "add but never delete".

>more imporantly, has that f*cker been QA'ed so that mr. external
>nastigator can't play games with your rules (e.g. if strobed, you start
>disabling services, leading to a rather easy DOS/irritation attack). 

A better idea might be to base the update on the source of the attack,
rather than turning the service off.  Granted, the source could be spoofed,
but you're probably only blocking a small subset of the net.  If the
spoofed address is one of your major partners, then why doesn't your
firewall run a VPN to that site?

There are layered approaches to this problem that will keep it from getting
out of hand.  Can't stop DoS attacks, tho.  As to irritation, these guys
are irritating. ;-)  

OTOH, which attacks are you more worried about?

>Also: if they alter there rules based upon log events, what happens when
>the log partition is filled up by dirty mcnasty? Does it fail to

This is an argument for external Intrusion Detection (not to mention
quicker response time, or offloading the firewall).

- Ted

Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web:
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE

Indexed By Date Previous: Re: NT as a central intranet firewall
From: Stepken <stepken @ www . firmen-info . de>
Next: Re: Wingate?
From: wiseleo @ juno . com (Leonid S Knyshov)
Indexed By Thread Previous: Re: dinamics filtering rules
From: "Craig I. Hagan" <hagan @ cih . com>
Next: R: R: strong encryption for Europeans
From: "Franco RUGGIERI" <fruggieri @ selfin . net>

Search Internet Search