[Snort-users] Using Snort code base to make an intelligent firewall

Gregor Binder gbinder at ...462...
Thu Nov 23 21:22:10 EST 2000

Mark Cooper on Thu, Nov 23, 2000 at 12:31:29PM -0000:


> True, classic firewalling runs on a policy of "deny everything except that
> which is explicitly allowed". NIDS typically runs on a policy of "ignore
> everything except that which is explicitly listed". By combining f/w and
> IDS, we can use *both* policies to the greater good. I see it working thus:

I think that IDS and firewall neither should nor have to be integrated
that tightly with each other, and you can still have improved
security by having both of those technologies interacting with each
People familiar with Firewall-1 might have heard of SAMP, and I think
this is about the right way to go. Needless to say, something that
could be developed without proprietary libraries and SDKs would be a
lot better.
For those who don't know SAMP: this is the "Suspicious Activity Monitoring
Protocol", which was invented by Checkpoint to provide a way for IDSs
to instruct Firewall-1 to block further connections from offenders.

For all but the smallest installations, I would always want the IDS to
be on a different machine than the gateway, and if they are
communicating using something like SAMP, I can do this as well as have
them on the same machine. This would also scale better.

If people here are interested in investigating the possibility of
integrating several components of security, looking at the OPSEC
inventions from Checkpoint is a good idea (http://www.opsec.com/).


Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482
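The arrangement Gregor describes (a sensor on one box telling the gateway on another to block further connections from an offender) is sketched below as an added example. It is not part of the original post and not Checkpoint's SAMP wire format; the message layout, the shared-key HMAC, the `never_block` list, the TTL cap and all addresses are assumptions made for the illustration. It shows the two sides of the exchange and the checks a gateway should make before acting on a block request it did not originate: message authenticity, replay, a cap on block duration, and refusal to block infrastructure addresses, since an attacker who can make the IDS fire on a spoofed source can otherwise use the coupling to lock you out of your own DNS or management hosts.

```python
import hashlib
import hmac
import ipaddress
import json

# Assumed shared secret between sensor and gateway (constructed for the demo;
# a real deployment would provision this out of band).
SHARED_KEY = b"constructed-demo-key"


class Sensor:
    """IDS side: emits authenticated 'block this source' requests."""

    def __init__(self, key, sensor_id):
        self.key = key
        self.sensor_id = sensor_id
        self.seq = 0  # monotonic per-sensor counter, lets the gateway spot replays

    def block_request(self, src_ip, seconds, reason, now):
        self.seq += 1
        body = {"sensor": self.sensor_id, "seq": self.seq, "ts": now,
                "action": "block", "src": src_ip, "ttl": seconds, "reason": reason}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + mac  # hex MAC never contains '.', so rsplit is safe


class Gateway:
    """Firewall side: validates requests and keeps a dynamic block table."""

    MAX_TTL = 3600   # never honour a block longer than this (assumed policy)
    MAX_SKEW = 30    # seconds of clock skew tolerated before a request is stale

    def __init__(self, key, never_block):
        self.key = key
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.blocked = {}   # source address -> expiry timestamp
        self.last_seq = {}  # sensor id -> highest sequence number accepted

    def handle(self, msg, now):
        try:
            payload, mac = msg.rsplit(b".", 1)
        except ValueError:
            return "reject: malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return "reject: bad mac"
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.MAX_SKEW:
            return "reject: stale"
        if body["seq"] <= self.last_seq.get(body["sensor"], 0):
            return "reject: replay"
        self.last_seq[body["sensor"]] = body["seq"]
        if body["action"] != "block":
            return "reject: unknown action"
        try:
            ip = ipaddress.ip_address(body["src"])
        except ValueError:
            return "reject: bad address"
        if any(ip in net for net in self.never_block):
            return "reject: protected address"
        ttl = min(int(body["ttl"]), self.MAX_TTL)
        self.blocked[str(ip)] = now + ttl
        return "blocked %s for %ds" % (ip, ttl)

    def permits(self, src_ip, now):
        """Packet-filter decision: True unless the source is currently blocked."""
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return True
        if now >= expiry:
            del self.blocked[src_ip]  # block has aged out
            return True
        return False


def demo():
    """Run the exchange on constructed input and return the gateway's decisions."""
    now = 1_000_000
    sensor = Sensor(SHARED_KEY, "ids-1")
    gw = Gateway(SHARED_KEY, never_block=["10.0.0.0/8", "192.0.2.53/32"])
    out = {}
    msg = sensor.block_request("203.0.113.7", 600, "portscan", now)
    out["first"] = gw.handle(msg, now)
    out["replay"] = gw.handle(msg, now)
    out["tampered"] = gw.handle(bytes([msg[0] ^ 1]) + msg[1:], now)
    out["protected"] = gw.handle(
        sensor.block_request("192.0.2.53", 600, "spoofed dns traffic", now), now)
    out["capped"] = gw.handle(
        sensor.block_request("198.51.100.9", 86400, "brute force", now), now)
    out["permit_before"] = gw.permits("203.0.113.7", now + 599)
    out["permit_after"] = gw.permits("203.0.113.7", now + 600)
    out["unblocked_host"] = gw.permits("192.0.2.53", now)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running it shows the first request accepted, the identical message rejected as a replay, a single flipped byte rejected on the MAC, the request against the DNS server refused outright, the day-long request trimmed to one hour, and the block lifting on its own once the TTL has passed. The same checks apply whichever transport carries the messages, which is what lets the sensor live on a different machine than the gateway.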
