[Snort-users] Using Snort code base to make an intelligent firewall

jeff at ...430...
Tue Nov 21 18:00:26 EST 2000


Hi Steve,

Excellent message and a hot point in security these days.  I'd like to precede
my reply with "this is a cool idea, but very tricky to do correctly".

The real problem with technology like this is the fact that IPv4 makes source
spoofing so easy.  With so many scanning/DoS tools utilizing decoy source
addresses, or just flat-out spoofed source addresses in the case of DoS tools,
a network exposes itself to being the actual _cause_ of a DoS.  If, for
example, someone uses nmap to scan your host/network and source-spoofs the
address of, say, your upstream gateway, a.root-servers.net, your local loopback
or any similar host, you begin to see the danger here when your firewall or
other reactive technology starts blocking hosts automatically.  Worse yet,
what if they source-spoof the address of any one of your anti-spam sendmail
databases, large blocks of customer IP addresses or something similarly
dangerous?

It gets to be somewhat hairy...

Just my two cents.

-Jeff

> Apologies for being a bit off topic.
> 
> I'm sure I'm not the only person to have thought of this?!
> 
> If you have ever worked with stealth firewalls such as
> Sun's SunScreen or Lucent's 'the brick' you might have thought
> 'shit, these things are expensive! maybe they need to have
> some open source competition'
> (These tend to run with 2 or more interfaces in un-addressable
> promisc mode, and an addressable admin interface, as a pseudo
> gateway)
> 
> The other thing about these expensive firewalls is, although
> they know how to do VPNs etc. etc., they are not very intelligent
> and block everything that isn't in their rules list (quite a
> good thing for a firewall).
> 
> But, why not have an intelligent firewall that doesn't explicitly
> block everything (unless you tell it to), but will block anything
> that looks like it is suspicious (a la IDS rolled into a firewall)?
> This would allow Joe Normal User through without any explicit rule.
> 
> Obviously, this type of firewall would best run as a 'quiet'
> external firewall with a normal firewall inside.
> 
> Anyone thought about this or working on something similar?
> Do people think this is a crap idea?
> 
> The reason I am mentioning this idea is that I had it some
> time ago, and haven't had the time to do anything with it.
> 
> Steve 'I'll creep back into my hole now' Hutchins


-- 
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein 
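The self-inflicted DoS that Jeff describes above, as an added example that is not from either poster: a reactive block decision that exempts addresses the network cannot afford to lose (loopback, own prefixes, upstream gateway, a resolver it depends on), ignores alerts whose source address could have been spoofed, and expires blocks after a TTL. All address ranges are constructed placeholders from the documentation ranges, and the `established` flag stands in for whatever evidence a sensor has that a TCP handshake actually completed.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses a reactive firewall must never block automatically, however many
# alerts name them as source: a spoofed scan "from" any of these would turn
# the blocker into the cause of an outage. Constructed placeholder ranges.
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),       # local loopback
    ipaddress.ip_network("192.0.2.0/24"),      # our own customer block
    ipaddress.ip_network("198.51.100.1/32"),   # upstream gateway
    ipaddress.ip_network("203.0.113.53/32"),   # DNS resolver we rely on
]


@dataclass
class Alert:
    src: str
    sig: str
    established: bool  # True only if the sensor saw a completed TCP handshake


@dataclass
class ReactiveBlocker:
    threshold: int = 3          # alerts from one verified source before blocking
    ttl_seconds: int = 600      # blocks expire; a mistake should not be permanent
    counts: dict = field(default_factory=dict)
    blocked: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def decide(self, alert: Alert, now: float) -> str:
        ip = ipaddress.ip_address(alert.src)
        if any(ip in net for net in NEVER_BLOCK):
            return "exempt"
        if not alert.established:
            # The source of a bare SYN, ICMP or UDP packet can be anyone's;
            # log it for a human, but never let it drive a block decision.
            return "unverified"
        self.counts[ip] = self.counts.get(ip, 0) + 1
        if self.counts[ip] >= self.threshold:
            self.blocked[ip] = now + self.ttl_seconds
            return "blocked"
        return "counted"

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocked.get(ipaddress.ip_address(src))
        return expiry is not None and now < expiry
```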