>>Matt writes:
>>>Since this router has some filtering capabilities, I won't even
>>>be able to see any attacks that don't make it through the router. Do I
>>>care? Not really, I just want to know what does make it through.

If the router has some filtering capabilities, perhaps it also has
the ability to log packets that are rejected? If so, you could
have some warning of an attack without letting any of the nasties
inside.

Padgett's favorite architecture may be a "minefield" of PCs, each
one looking for a single bad address, but a more effective solution
is to simply have the router alarm every invalid destination address
in your net (as well as things like source addresses that belong to
you coming from the outside, etc).

If your current router doesn't have a filter language that supports
alarms, packet logs, and per-interface address checking, maybe your
next one will :-).
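
The per-interface checks described in the message above, written out as an added example that is not part of the original post or any router's filter language. The network, assigned host addresses, interface names, record format and alarm labels are all constructed assumptions; the inside-interface check extends the same idea to the other direction.

```python
import ipaddress

# Constructed values for this example (documentation address ranges).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.10", "192.0.2.25")}

def check_packet(iface, src, dst):
    """Return alarm reasons for one packet header; an empty list means no alarm."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if iface == "outside":
        # One of our own addresses should never arrive from the outside.
        if src in INSIDE_NET:
            reasons.append("inside-source-from-outside")
        # Destination is in our net but no host is assigned that address.
        if dst in INSIDE_NET and dst not in ASSIGNED:
            reasons.append("invalid-destination")
    elif iface == "inside":
        # Same check in the other direction: inside hosts must use our addresses.
        if src not in INSIDE_NET:
            reasons.append("foreign-source-from-inside")
    else:
        reasons.append("unknown-interface")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every record that raises an alarm."""
    alarms = []
    for n, line in enumerate(lines, 1):
        try:
            iface, src, dst = line.split()
            reasons = check_packet(iface, src, dst)
        except ValueError:
            # Wrong field count or a malformed address: alarm rather than skip.
            reasons = ["unparseable-record"]
        if reasons:
            alarms.append((n, reasons))
    return alarms

# Constructed sample records: "<interface> <source> <destination>"
SAMPLE = [
    "outside 198.51.100.7 192.0.2.10",   # normal inbound traffic
    "outside 198.51.100.7 192.0.2.77",   # unassigned address in our net
    "outside 192.0.2.25 192.0.2.10",     # our address arriving from outside
    "outside 203.0.113.9 192.0.2.300",   # malformed address
    "inside 192.0.2.10 198.51.100.7",    # normal outbound traffic
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE):
        print(n, ", ".join(reasons))
```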