[Snort-users] Using Snort code base to make an intelligent firewall

Martin F Roesch roesch at ...421...
Tue Nov 21 21:16:23 EST 2000


What you guys are talking about is being called a "Gateway IDS" (GIDS)
these days.  The concept is that the IDS becomes the access control
device, much like a standard firewall and decides what packets to pass
on to the defended network and which ones to drop.  This allows the IDS
to determine when it allows traffic through based on its ability to
recognize what's going on.  

This is a nice way of handling things because the GIDS becomes much more
difficult to spoof/evade/insert bacause it doesn't pass on traffic it
can't analyze.  Additionally, it can be set up to automatically block
attack attempts it sees and do a variety of other access control jobs. 

I've heard several people in the IDS industry talk about such things,
but I haven't heard of one being implemented.  If we wanted to implement
one, we'd have to develop the low level firewalling code and then put a
decision/detection engine on top of it to do packet/protocol level
analysis.  A prototype implementation could probably be put together by
combining something like Snort and ipfilter or ipchains.  Anyone want to
take a stab at it? ;)

     -Marty

Steve Hutchins wrote:
> 
> Apologies for being a bit off topic.
> 
> I'm sure I'm not the only person to have thought of this?!
> 
> If you have ever worked with stealth firewalls such as
> SUNs Sunscreen or Lucent 'the brick' you might have thought
> 'shit, these things are expensive! maybe they need to have
> some open source competition'
> (These tend to run with 2 or more interfaces in un-addressable
> promisc mode, and an addressable admin interface, as a pseudo
> gateway)
> 
> The other thing about these expensive firewalls, is although
> they know how to do VPN's etc etc, they are not very intelligent
> and block every thing that isn't in their rules list (quite a
> good thing for a firewall).
> 
> But, why not have an intelligent firewall that doesn't explicitly
> block everything (unless you tell it to), but will block anything
> that looks like it is suspicious (ALA IDS rolled into a firewall).
> This would allow Joe normal user through without any explicit rule.
> 
> Obviously, this type of firewall would best run as a 'quiet'
> external firewall with a normal firewall inside.
> 
> Anyone thought about this or working on something similar?
> Do people think this is a crap idea?
> 
> The reason I am mentioning this idea, is that I had it some
> time ago, and haven't had the time to do anything with it.
> 
> Steve 'I'll creep back into my hole now' Hutchins
> =========================================================
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org



More information about the Snort-users mailing list