[Snort-users] Using Snort code base to make an intelligent firewall

Mark Cooper Mark.Cooper at ...837...
Thu Nov 23 07:31:29 EST 2000


Sticking my neck *way* out, I think that some people may be missing one of
the benefits of combining IDS and firewalling in one package.

True, classic firewalling runs on a policy of "deny everything except that
which is explicitly allowed". NIDS typically runs on a policy of "ignore
everything except that which is explicitly listed". By combining f/w and
IDS, we can use *both* policies to the greater good. I see it working thus:

The firewalling "layer" (let's not get too hung up on terminology) provides
the normal packet filtering. So, for a trivial example, it would allow web
traffic in to our servers. However, all traffic that is allowed by the
firewall layer would be passed via the IDS layer. It examines that traffic,
say for dodgy CGI script probes, and drops that connection *only*, by
sending a RST to *our* server. I think that this combination should prevent
both an externally triggered DoS against our systems, and, as already
suggested in this thread, will prevent us performing a RST-based DoS against
other hosts.

Just my random tuppence.

Mark Cooper (GCIA)

Mark.Cooper at ...839...

Any views or opinions presented are solely those of the author and do not
necessarily represent those of Rubus.
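A toy model of the two-layer design described in the post above, added here as an example and not code from the post or from Snort: a default-deny packet filter in front of an ignore-by-default signature IDS, where a signature hit tears down only the local half of the connection by forging a RST addressed to our own server. Addresses, ports and the two signatures are constructed for illustration.

```python
from dataclasses import dataclass

OUR_SERVER = "192.0.2.10"  # constructed, documentation-range address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    seq: int = 0
    payload: bytes = b""
    flags: str = ""


# Firewall layer: "deny everything except that which is explicitly allowed".
ALLOW = {("tcp", OUR_SERVER, 80)}  # constructed policy: web traffic to our server


def firewall_allows(pkt: Packet) -> bool:
    return (pkt.proto, pkt.dst, pkt.dport) in ALLOW


# IDS layer: "ignore everything except that which is explicitly listed".
SIGNATURES = {  # constructed signatures for a crude CGI-probe check
    "cgi-probe": b"/cgi-bin/",
    "traversal": b"../",
}


def ids_match(pkt: Packet) -> list:
    return [name for name, needle in SIGNATURES.items() if needle in pkt.payload]


def rst_for_our_server(pkt: Packet) -> Packet:
    """Forge a RST as if sent by the client, addressed only to our server.
    seq is the client's next sequence number so our server accepts it; the
    remote host is never sent anything, so no reflected RST flood is possible."""
    return Packet(src=pkt.src, dst=pkt.dst, proto="tcp", sport=pkt.sport,
                  dport=pkt.dport, seq=pkt.seq + len(pkt.payload), flags="R")


def process(pkt: Packet) -> tuple:
    """Run one packet through both layers: (verdict, alerts, rst_or_None)."""
    if not firewall_allows(pkt):
        return "denied", [], None          # never reaches the IDS
    alerts = ids_match(pkt)
    if alerts:
        return "reset", alerts, rst_for_our_server(pkt)
    return "allowed", [], None
```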
