Great Circle Associates Firewalls
(April 1995)
 


Subject: KarlBridge/Router vs Satan and an overview of the new version 3.0
From: dkarl @ net . ohio-state . edu (Doug Karl)
Date: Thu, 6 Apr 1995 11:13:29 -0500
To: firewalls @ greatcircle . com
Cc: sales @ karlnet . com

To all from Doug Karl.....

Well everyone seems to be talking about the latest network security
scanners and firewalls to protect against them. The current version of
KarlBridge and KarlBrouter V2.09 will already help protect against both the
Satan scans and also the deliberate attacks that may follow. (Consult the
"Security (Firewall) Setup" chapter in the documentation for a discussion
of the configuration.) For those who need additional immediate security, the
KarlBridge/Router static firewall filters can be set to block ALL incoming
Internet traffic unless a particular incoming IP address has been
"Authenticated".

This authentication can be accomplished by using the special
KarlBridge/Router Dynamic Filters in conjunction with your favorite
authentication server running Kerberos, S/Key, etc. We have a special
authentication daemon that runs on the Unix box which will then inform the
KarlBridge/Router to open a connection from a particular remote IP address
to/from another particular internal IP address. (Version 3.0 will expand
this to include both UDP or TCP ports.) Break-in attempt logs can be sent
from the KarlBridge/Router to any Unix box set up to accept SYSLOG packets.
Scanning can be detected by setting up the KarlBridge/Router to send SYSLOG
packets for each TCP establish packet.


In addition to the above features the new Version 3.0 of the
KarlBridge/Router due out for beta test at the end of the month also
includes:

1) Tighter and more extensive firewall filters.

2) Lure hosts and lure subnet support. This is the ability of the
KarlBridge/Router firewall to make an intruder think there are real hosts
in the internal network that are not actually there. These lure hosts can
be set up to trip countermeasures when accessed (described in 6 below).

2) New ICMP filters.  Some examples are the ability to "ping" out of the
internal network but not in.  One can argue that if you stop incoming
"pings" at the border then some scanners can be slowed down.  Also
incoming ICMP Redirects can be blocked from entering the network.  This
will protect against ICMP bombs.

3) Greatly enhanced logging capability using both SYSLOG and SNMP Traps. We
log source and destination IP/UDP/TCP Port, and source and destination IP
addresses, source and destination Ethernet addresses, protocol used, and
which filter rule was violated.

4) Integrated Network Statistics monitor.  The KarlBridge/Router will keep
packet and byte counts on every socket from 0 through 1023 plus 20 user defined
sockets above 1024. Packet and byte counts will be kept on each Ethernet
address and other things such as IP ARP requests and replies.  Duplicate IP
addresses will be detected along with all hosts that have incorrectly
configured IP address masks and default gateway address (i.e. they are
attempting a Proxy ARP request). All of these statistics will be reported
via SNMP and can be displayed with the standard KarlBridge SNMP monitoring
program.

5) Application Level Packet Filters.  The advantages of an Application Level
Gateway are its logging ability and ability to better protect against UDP
port spoofing. They can accomplish this because they work on all 7 layers
of the OSI model. The new KarlBridge/Router will include this type of
application level filtering. We are calling it an Application Level Packet
Filter since it works on all 7 layers of the OSI model.

6) Network scanner and intruder countermeasures. This is the ability of
the KarlBridge/Router to detect scanners and intruders, optionally log
their activity, and immediately and automatically deny them further access
to the internal network.  This access denial applies to any particular
intruding IP address.  Once an intruding IP address has been dynamically
denied the internal network will be viewed by that intruder as either a
black hole (i.e. all further attempts to communicate with the network will
be ignored) or as a whole set of Lure Hosts (i.e. every address the
intruder tries to contact will return either the appropriate ICMP message
or TCP/RST).

        New versions of the PD Demo KarlBridge and complete manual can be
        obtained from ftp.net.ohio-state.edu /pub/kbridge.

        Please direct inquiries for brochures on the commercial version to
        sales @ karlnet . com.
 

        Existing customers of the commercial version will receive V3.0 at no
        extra charge. Please send e-mail to sales @ karlnet . com to request V3.0
        when it is ready.


Wish us luck in our final stages of implementation and testing.

Thanks,

Doug Karl
Associate Director of Data Communications and Networking, Ohio State University
and President, KarlNet, Inc.
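
The scan detection described in the message (one SYSLOG record per TCP establish packet, then denying the offending source address) could be consumed on the log host roughly as follows. This is an added example, not part of the original message and not KarlBridge code; the log line format, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample records in a hypothetical format: "<unix-time> tcp-establish ...".
# This is NOT the KarlBridge/Router's real SYSLOG output.
SAMPLE_LOG = """\
1000 tcp-establish src=192.0.2.10 dst=198.51.100.5 dport=25
1001 tcp-establish src=192.0.2.66 dst=198.51.100.1 dport=23
1001 tcp-establish src=192.0.2.66 dst=198.51.100.2 dport=23
1002 tcp-establish src=192.0.2.66 dst=198.51.100.3 dport=23
1002 tcp-establish src=192.0.2.10 dst=198.51.100.5 dport=25
1003 tcp-establish src=192.0.2.66 dst=198.51.100.4 dport=23
1004 tcp-establish src=192.0.2.66 dst=198.51.100.5 dport=23
1005 tcp-establish src=192.0.2.66 dst=198.51.100.6 dport=23
1030 tcp-establish src=203.0.113.7 dst=198.51.100.1 dport=80
1060 tcp-establish src=203.0.113.7 dst=198.51.100.2 dport=80
1090 tcp-establish src=203.0.113.7 dst=198.51.100.3 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) tcp-establish src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def detect_scanners(lines, window=10, max_targets=4):
    """Return {source_ip: timestamp_flagged} for sources that open connections
    to more than max_targets distinct (host, port) pairs within window seconds."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, (dst, dport))
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that are not connection-establish events
        ts, src = int(m["ts"]), m["src"]
        if src in flagged:
            continue  # already on the deny list; nothing more to decide
        q = recent[src]
        q.append((ts, (m["dst"], int(m["dport"]))))
        while q and q[0][0] < ts - window:
            q.popleft()  # drop events that fell out of the sliding window
        if len({target for _, target in q}) > max_targets:
            flagged[src] = ts  # candidate for a dynamic deny filter
    return flagged

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG.splitlines()))
```

Repeated connections to one host and port (the mail client at 192.0.2.10) and slow, widely spaced probes (203.0.113.7) stay under the threshold; the second case shows why the window and threshold need tuning against patient scanners.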








