Hello,

I guess it's time for me to ask my first question. We're looking to purchase a new firewall to replace our POS SonicWALL DMZ. I am looking for something more powerful, that can handle more connections, do stateful protocol inspection on both the packet and application level, packet filtering, VPN-to-VPN tunneling, DNS/DHCP hosting and a few other things.

Most importantly, I am looking for the ability to create custom response rules based on certain triggers. For example, set a trigger that if HTTP traffic contains a GET CMD.EXE/ROOT.EXE/DEFAULT.IDA request, then a pre-defined rule gets executed, dynamically disabling access for the attacker.

In other words, I need something a little more intelligent than an alert saying that the following IP address is port scanning our network or DDOSing the living hell out of our perimeter routers. For example, just last month I was facing the only option of rebooting our firewall every 2 hours because it cannot handle more than 3200 connections and we were being flooded by HTTP GET requests originating from NIMDA/CodeRed infected machines all over the world. And this is not acceptable.

I know that all of this can be achieved by using multiple techniques and products (Snort, Ethereal etc.) allied together, but I was really hoping to find a unified solution that will handle most of these tasks. Kind of like a Firewall+IDS combo in one box.

Is this even possible or am I dreaming?

Thanks in advance for your help!

Dimitri

P.S. Right now my only candidate is Nokia's Firewall (based on Checkpoint Firewall-1) bundled with Nokia's IDS module (based on ISS' RealSecure).
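The trigger the post describes (flag HTTP GET requests for CMD.EXE/ROOT.EXE/DEFAULT.IDA and collect the offending source addresses for a block rule), as an added example that is not part of the original post or of any product it names: a small Python detector run over constructed web-server log lines. The common-log-format layout, the signature list and the hit threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# The request fragments the post names as triggers; matched case-insensitively
# because the worm probes used mixed case.
WORM_SIGNATURES = ("cmd.exe", "root.exe", "default.ida")

def classify_request(uri):
    """Return the first worm signature found in the request URI, or None."""
    lowered = uri.lower()
    for sig in WORM_SIGNATURES:
        if sig in lowered:
            return sig
    return None

def detect_worm_probes(log_lines):
    """Map each source IP to the signatures it triggered, in the order seen.
    Lines that do not parse, or that are not HTTP GETs, are ignored."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method").upper() != "GET":
            continue
        sig = classify_request(m.group("uri"))
        if sig:
            hits[m.group("ip")].append(sig)
    return dict(hits)

def block_candidates(hits, min_hits=1):
    """Source IPs that triggered at least min_hits signatures, sorted.
    A threshold above 1 keeps a single false positive from causing a dynamic block."""
    return sorted(ip for ip, sigs in hits.items() if len(sigs) >= min_hits)

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:12:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '192.0.2.10 - - [18/Sep/2001:10:12:02 -0400] "GET /winnt/system32/CMD.EXE HTTP/1.0" 404 210',
    '198.51.100.7 - - [18/Sep/2001:10:12:05 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 210',
    '203.0.113.5 - - [18/Sep/2001:10:12:07 -0400] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = detect_worm_probes(SAMPLE_LOG)
    for ip in block_candidates(found, min_hits=2):
        print(f"block {ip}: {found[ip]}")
```

The same loop can be fed from a tailed log or an IDS alert feed; the output list is what a firewall's dynamic deny rule would consume.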
