Hello,

I guess it's time for me to ask my first question - we're looking to purchase a new firewall to replace our POS SonicWALL DMZ. I am looking for something more powerful, that can handle more connections, do stateful protocol inspection on both the packet and application level, packet filtering, VPN-to-VPN tunneling, DNS/DHCP hosting and a few other things.

Most importantly, I am looking for the ability to create custom response rules based on certain triggers - for example, set a trigger so that if HTTP traffic contains a GET CMD.EXE/ROOT.EXE/DEFAULT.IDA request, then a pre-defined rule gets executed, dynamically disabling access for the attacker.

In other words, I need something a little more intelligent than an alert saying that the following IP address is port scanning our network or DDoSing the living hell out of our perimeter routers. For example, just last month I was facing the only option of rebooting our firewall every 2 hours because it cannot handle more than 3200 connections and we were being flooded by HTTP GET requests originating from NIMDA/CodeRed infected machines all over the world. And this is not acceptable.

I know that all of this can be achieved by using multiple techniques and products (Snort, Ethereal etc.) allied together, but I was really hoping to find a unified solution that will handle most of these tasks. Kind of like a Firewall+IDS combo in one box..

Is this even possible or am I dreaming?

Thanks in advance for your help!

Dimitri

P.S. Right now my only candidate is Nokia's Firewall (based on Checkpoint Firewall-1) bundled with Nokia's IDS module (based on ISS' RealSecure).
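The trigger-and-response rule the post asks for (block a source that sends cmd.exe / root.exe / default.ida GET requests), written out as an added example that is not part of the original post and is not code from any of the products named in it. It assumes web server logs in Common Log Format and iptables as the enforcement point; both are assumptions, and the sample log lines are constructed. It also shows the two checks any auto-blocking rule needs before it is safe to run unattended: a hit threshold with an expiring block, and a never-block list for your own address space so a misattributed or spoofed probe cannot lock you out of your own perimeter.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Request-line signatures for the worm traffic described in the post:
# Nimda probes for cmd.exe / root.exe, Code Red hits default.ida.
WORM_SIGNATURES = ("cmd.exe", "root.exe", "default.ida")

# Apache/IIS-style Common Log Format (assumed log source):
#   host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("request")}

def matches_worm_signature(request_line):
    """True if the HTTP request line carries one of the worm probe paths."""
    r = request_line.lower()
    return any(sig in r for sig in WORM_SIGNATURES)

class TriggerResponder:
    """Count signature hits per source; emit a block once a source crosses
    `threshold` hits inside `window`. Blocks expire after `block_for`.
    Sources inside `never_block` are alerted on but never blocked."""

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 block_for=timedelta(hours=1), never_block=()):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.blocked = {}                # ip -> expiry time

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def observe(self, entry):
        """Feed one parsed log entry; return an action string or None."""
        ip, now = entry["ip"], entry["ts"]
        # Expire old blocks so a cleaned-up host gets its access back.
        for b, exp in list(self.blocked.items()):
            if exp <= now:
                del self.blocked[b]
        if not matches_worm_signature(entry["request"]) or ip in self.blocked:
            return None
        if self._protected(ip):
            return f"ALERT only (protected source): {ip} {entry['request']}"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = now + self.block_for
            q.clear()
            # iptables is the assumed enforcement point; swap in your firewall's API.
            return f"BLOCK: iptables -I INPUT -s {ip} -j DROP  # until {self.blocked[ip].isoformat()}"
        return f"ALERT: {ip} hit {len(q)}/{self.threshold} {entry['request']}"

def run(lines, responder):
    """Run the responder over raw log lines; return the list of actions."""
    actions = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        a = responder.observe(entry)
        if a:
            actions.append(a)
    return actions

# Constructed sample log, not real traffic: one Nimda-style scanner, one
# legitimate visitor, and one Code Red probe from an internal address.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '203.0.113.7 - - [15/Oct/2001:10:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.20 - - [15/Oct/2001:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 4123',
    '203.0.113.7 - - [15/Oct/2001:10:00:04 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '203.0.113.7 - - [15/Oct/2001:10:00:05 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '10.1.2.3 - - [15/Oct/2001:10:00:06 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 287',
]

if __name__ == "__main__":
    responder = TriggerResponder(never_block=("10.0.0.0/8",))
    for action in run(SAMPLE_LOG, responder):
        print(action)
```

The threshold and the expiry are the parts that matter in practice: a worm-infected host keeps probing, so three hits in ten minutes is a cheap and reliable trigger, while a block that never expires turns an auto-responder into a slow self-inflicted denial of service as infected hosts get cleaned and your rule table only grows.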