Netscreen now has an HTTP URL signature feature and is integrating with Snort-based IDS devices.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Yuan
Sent: Tuesday, October 30, 2001 12:26 PM
To: Dimitri Limanovski; '[EMAIL PROTECTED]'
Subject: Re: Looking for Firewall Advice

Yes, you are on the right track with the ISS and Check Point combination.  I don't know anyone else that can offer such flexibility in detecting and shutting down worm attacks.  You can either use the built-in Security Server (a proxy-like FW inside FW-1) to trim out *.ida and *.exe in your HTTP connections, or you can use ISS to detect the attack and shut down the connection automatically.

Here is something you can argue with me:
-Even if in theory you can, I would NEVER put a FW and an IDS together.  Network-based IDS simply takes way too much CPU resource; you don't want it to slow down your FW engines.
-If you were to use Check Point, you should bump up your max connection parameter (configurable) to prevent a flood of future attacks.

Jason

  Dimitri Limanovski <[EMAIL PROTECTED]> wrote:

Hello,
I guess it's time for me to ask my first question - we're looking to purchase a new firewall to replace our POS SonicWALL DMZ. I am looking for something more powerful, that can handle more connections, do stateful protocol inspection at both the packet and application level, packet filtering, VPN-to-VPN tunneling, DNS/DHCP hosting and a few other things.
Most importantly, I am looking for an ability to create custom response rules based on certain triggers - for example, set a trigger that if HTTP traffic contains GET CMD.EXE/ROOT.EXE/DEFAULT.IDA request, then a pre-defined rule gets executed, dynamically disabling access for the attacker.

In other words, I need something a little more intelligent than an alert saying that the following IP address is port scanning our network or DDoSing the living hell out of our perimeter routers. For example, just last month I was facing the only option of rebooting our firewall every 2 hours because it cannot handle more than 3200 connections and we were being flooded by HTTP GET requests originating from NIMDA/CodeRed infected machines all over the world. And this is not acceptable.

I know that all of this can be achieved by using multiple techniques and products (Snort, Ethereal etc.) allied together, but I was really hoping to find a unified solution that will handle most of these tasks. Kind of like a Firewall+IDS combo in one box..

Is this even possible or am I dreaming?
Thanks in advance for your help!

Dimitri
P.S. Right now my only candidate is Nokia's Firewall (based on Check Point FireWall-1) bundled with Nokia's IDS module (based on ISS' RealSecure).



Jason Yuan
Security Consultant
Niles Associates
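The trigger-and-response rule Dimitri describes (if an HTTP request carries CMD.EXE, ROOT.EXE or DEFAULT.IDA, block the source) can be prototyped outside any firewall product with a few lines of log inspection. The following is an added example and not code from anyone in this thread or from any of the products mentioned: it runs a set of request-line signatures over constructed Apache-style access log lines and renders a drop rule per offending address. The log lines, the IP addresses, the signature names and the netfilter rule syntax are all assumptions chosen for illustration.

```python
"""Added example (not from the thread): trigger on Code Red / Nimda request
markers in constructed web-server log lines and emit block rules for the
originating addresses. Everything below is illustrative."""

import re
from collections import defaultdict

# Constructed sample lines in Apache "common" log format (assumed data).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Oct/2001:12:00:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 0
192.0.2.11 - - [30/Oct/2001:12:00:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.11 - - [30/Oct/2001:12:00:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.5 - - [30/Oct/2001:12:00:04 -0500] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [30/Oct/2001:12:00:05 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0
"""

# The request markers named in the thread. Matched case-insensitively
# because IIS paths are case-insensitive and worm variants vary the case.
# Signature names are an assumption for this example.
SIGNATURES = {
    "codered_ida": re.compile(r"/default\.ida\b", re.IGNORECASE),
    "nimda_root_exe": re.compile(r"/root\.exe\b", re.IGNORECASE),
    "nimda_cmd_exe": re.compile(r"/cmd\.exe\b", re.IGNORECASE),
}

# Source IP, method and request URI out of a common-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*"'
)


def match_request(uri):
    """Return the names of all signatures the request URI triggers."""
    return [name for name, rx in SIGNATURES.items() if rx.search(uri)]


def scan_log(text):
    """Map each source IP to the sorted signature names its GET requests hit.

    Only GET requests are examined, matching the trigger as Dimitri phrased
    it; lines that do not parse are skipped rather than aborting the scan.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method").upper() != "GET":
            continue
        for name in match_request(m.group("uri")):
            hits[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


def block_rules(hits):
    """Render one drop rule per offending IP.

    netfilter syntax is an illustrative choice; any firewall with a
    scriptable block list would be driven the same way.
    """
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(hits)]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, names in sorted(found.items()):
        print(ip, ", ".join(names))
    print("\n".join(block_rules(found)))
```

The clean request from 198.51.100.5 produces no rule, the two Nimda probes from 192.0.2.11 collapse into a single block entry, and the match is on the request line only, so the check is cheap enough to run inline on a log tail rather than needing a full IDS in the firewall's data path.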



