firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: a cutting-edge open-source network security project
(Frank Knobbe)
----------------------------------------------------------------------
Message: 1
Date: Wed, 05 May 2010 23:39:40 -0500
From: Frank Knobbe <frank@knobbe.us>
Subject: Re: [fw-wiz] a cutting-edge open-source network security project
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <1273120780.52940.97.camel@localhost>
Content-Type: text/plain; charset="iso-8859-1"
On Sun, 2010-05-02 at 15:48 -0700, travis+ml-firewalls@subspacefield.org wrote:
> [...] Another idea is to "federate" against attacks, so that when your IDS
> (say, snort) detects an attack from an external entity, you block that
> entity at multiple locations (each of which run DFD, but which may run
> entirely different OSes and firewalls). This hasn't been implemented
> but could prove itself rapidly useful (if engineered carefully).
When you say "this hasn't been implemented", are you referring to DFD?
I'm just asking because this approach has been around for a while.
Snortsam is now nearly a decade old and uses the approach you call
"federated" defense, which I call "distributed blocking fabric".
(Snortsam receives block requests from one or more Snort instances and
blocks on one or more firewalls, or forwards the request to other
Snortsam instances). And I can attest that this approach works extremely
well (detect once, protect many).
So much so, that I stopped development on Snortsam for two reasons. 1)
Snortsam as it stands just works :) and 2) we're enumerating so many
hostile IPs (even if only blocked for periods of time) that traditional
firewalls can no longer handle the load. Which led me to the development
of a new firewall module that, coupled with a database driven management
framework, can now handle transient shunning of millions of IP
addresses. I have almost completed my migration from Snortsam to the new
framework.
Anyway, it looks like your DFD has a couple of interesting features (for
example, the dynamic NAT stuff).
BTW: I'm starting a block-peering project for the exchange of hostile IP
block information. If you are interested in exchanging hostile IP
information, contact me off-list.
Cheers,
Frank
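The distributed blocking model described in the message above (a block request from one Snort instance applied on several firewalls and forwarded to peer Snortsam instances, with blocks that lapse after a set time), as an added Python toy model; this is not Snortsam's own code, and the class names, request ids and sample IP address are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BlockRequest:
    request_id: str   # sensor-assigned id; de-duplicates forwarded copies
    ip: str
    duration_s: int   # transient shun: the block lapses after this many seconds

class Firewall:
    """Stand-in for a real firewall; holds ip -> block-expiry time."""
    def __init__(self, name):
        self.name, self.blocks = name, {}
    def block(self, ip, until):
        # A repeat hit may extend an existing block but never shortens it.
        self.blocks[ip] = max(self.blocks.get(ip, 0), until)
    def is_blocked(self, ip, now):
        return self.blocks.get(ip, 0) > now
    def expire(self, now):
        # Drop lapsed entries so the table does not grow without bound.
        self.blocks = {ip: t for ip, t in self.blocks.items() if t > now}

class Node:
    """Snortsam-like agent: blocks on its own firewalls, forwards to peers."""
    def __init__(self, name, firewalls):
        self.name, self.firewalls, self.peers, self.seen = name, firewalls, [], set()
    def handle(self, req, now):
        if req.request_id in self.seen:   # already applied here: stop the loop
            return False
        self.seen.add(req.request_id)
        until = now + req.duration_s
        for fw in self.firewalls:
            fw.block(req.ip, until)
        for peer in self.peers:           # detect once, protect many
            peer.handle(req, now)
        return True

def build_fabric():
    """Two sites, two firewalls each, peered with each other (a loop)."""
    a = Node("site-a", [Firewall("a-edge"), Firewall("a-dmz")])
    b = Node("site-b", [Firewall("b-edge"), Firewall("b-dmz")])
    a.peers.append(b); b.peers.append(a)
    return a, b

def blocked_everywhere(nodes, ip, now):
    return all(fw.is_blocked(ip, now) for n in nodes for fw in n.firewalls)

def demo():
    a, b = build_fabric()
    # constructed sample: a Snort sensor at site A reports 203.0.113.7, shun 600s
    a.handle(BlockRequest("a-0001", "203.0.113.7", 600), now=1000)
    return (blocked_everywhere((a, b), "203.0.113.7", 1000),
            blocked_everywhere((a, b), "203.0.113.7", 1700))
```

demo() returns (True, False): all four firewalls block the address immediately, and none do once the 600 s shun has lapsed.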
End of firewall-wizards Digest, Vol 49, Issue 3