firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: a cutting-edge open-source network security project
(travis+ml-firewalls@subspacefield.org)
----------------------------------------------------------------------
Message: 1
Date: Fri, 7 May 2010 15:31:12 -0700
From: travis+ml-firewalls@subspacefield.org
Subject: Re: [fw-wiz] a cutting-edge open-source network security project
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100507223112.GB32447@subspacefield.org>
Content-Type: text/plain; charset="us-ascii"
On Wed, May 05, 2010 at 11:39:40PM -0500, Frank Knobbe wrote:
> On Sun, 2010-05-02 at 15:48 -0700, travis+ml-firewalls@subspacefield.org
> wrote:
> > [...] Another idea is to "federate" against attacks, so that when your IDS
> > (say, snort) detects an attack from an external entity, you block that
> > entity at multiple locations (each of which run DFD, but which may run
> > entirely different OSes and firewalls). This hasn't been implemented
> > but could prove itself rapidly useful (if engineered carefully).
>
> When you say "this hasn't been implemented", are you referring to DFD?
Well, yes, I mean I haven't implemented a distributed blocking fabric
with DFD.
> I'm just asking because this approach has been around for a while.
> Snortsam is now nearly a decade old and uses the approach you call
> "federated" defense, which I call "distributed blocking fabric".
> (Snortsam receives block requests from one or more Snort instances and
> blocks on one or more firewalls, or forwards the request to other
> Snortsam instances). And I can attest that this approach works extremely
> well (detect once, protect many).
I see. I had heard the name snortsam and, looking at it, it seems to have
similar goals.
One might characterize these in two ways:
snortsam can block IPs on multiple firewalls
DFD can implement any rule changes on any firewall
> Snortsam as it stands just works :) and 2) we're enumerating so many
> hostile IP's (even if only blocked for periods of time) that traditional
> firewalls can no longer handle the load.
Yeah, I discuss some other options in the DFD paper:
http://www.subspacefield.org/security/dfd/#tth_sEc7
You'll note I've also linked to snortsam as related work.
> Which led me to the development
> of a new firewall module that, coupled with a database driven management
> framework, can now handle transient shunning of millions of IP
> addresses. I have almost completed my migration from Snortsam to the new
> framework.
Interesting. What firewall is it for? iptables?
Pf has something called tables that are supposed to be relatively
dense IP sets. Not sure if it would scale to your site's size though;
just a possibility.
> Anyway, it looks like your DFD has a couple interesting features (for
> example, the dynamic NAT stuff).
One thing I'd like to do is design a secure protocol for telling the
NAT device to do port forwarding, so that when an app fires up it
can securely send a structured file that does port forwarding. I ran
into this when trying to play Civ IV online behind a strict firewall;
I had to google for port numbers and so on, and never finished testing
to make sure I had it right. Very user-unfriendly.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100507/c171d259/attachment-0001.pgp>
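The "detect once, protect many" fabric discussed above (an IDS issues a block request, several firewalls of different types apply it, and peers forward it on), with the transient shunning and large-address-set points from the same exchange, as an added example. This is not Snortsam's or DFD's code; it is a constructed sketch that assumes one pre-shared HMAC key for the whole fabric, JSON block requests, and backends that only render `pfctl` table and `ipset` commands as strings instead of executing them, so it runs offline. The IP addresses and node names are made up.

```python
"""Constructed example of a distributed blocking fabric (not Snortsam/DFD code).

Assumptions (not from the original message): a single pre-shared HMAC key for
all nodes, JSON requests, and firewall backends that render commands as text.
"""
import hashlib
import hmac
import ipaddress
import json

SHARED_KEY = b"fabric-key-change-me"   # assumption: pre-shared, distributed out of band
MAX_SKEW = 30                           # seconds of clock drift tolerated on 'ts'


def _sign(fields, key):
    # Canonical JSON so sender and verifier MAC identical bytes.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(ip, ttl, origin, now, hops=2, key=SHARED_KEY):
    """Build a signed, transient block request (what the IDS side would emit)."""
    req = {"id": f"{origin}:{int(now * 1000)}", "ip": ip, "ttl": ttl,
           "ts": now, "origin": origin, "hops": hops}
    req["mac"] = _sign(req, key)
    return req


class PfTable:
    """Renders pf table commands; pf tables hold large address sets densely."""
    def __init__(self, table="shun"):
        self.table = table
    def add(self, ip, ttl):
        return f"pfctl -t {self.table} -T add {ip}"
    def delete(self, ip):
        return f"pfctl -t {self.table} -T delete {ip}"


class IpSet:
    """Renders ipset commands; the set itself expires entries via 'timeout'."""
    def __init__(self, name="shun"):
        self.name = name
    def add(self, ip, ttl):
        return f"ipset add {self.name} {ip} timeout {ttl} -exist"
    def delete(self, ip):
        return f"ipset del {self.name} {ip} -exist"


class Node:
    def __init__(self, name, backends, peers=(), never_block=(), key=SHARED_KEY):
        self.name = name
        self.backends = list(backends)
        self.peers = list(peers)
        self.key = key
        # Addresses an IDS must never be allowed to shun (own DNS, upstream
        # router, management net): an auto-blocker without this is a DoS lever.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.seen = {}      # request id -> time after which it may be forgotten
        self.shun = {}      # ip -> expiry time
        self.commands = []  # firewall commands this node emitted, in order

    def receive(self, req, now):
        """Verify, apply locally, then fan out to peers. True if applied."""
        fields = {k: v for k, v in req.items() if k != "mac"}
        if not hmac.compare_digest(req.get("mac", ""), _sign(fields, self.key)):
            return False                      # forged or tampered request
        if abs(now - req["ts"]) > MAX_SKEW:
            return False                      # stale: replay outside the window
        if req["id"] in self.seen:
            return False                      # duplicate or forwarding loop
        self.seen[req["id"]] = now + 2 * MAX_SKEW
        ip = ipaddress.ip_address(req["ip"])
        if any(ip in net for net in self.never_block):
            return False
        expiry = now + req["ttl"]
        if expiry > self.shun.get(str(ip), 0):    # extend an existing shun, never shorten it
            self.shun[str(ip)] = expiry
            for b in self.backends:
                self.commands.append(b.add(str(ip), req["ttl"]))
        if req["hops"] > 0:                       # hop-limited fan-out to peers
            fwd = dict(fields, hops=req["hops"] - 1)
            fwd["mac"] = _sign(fwd, self.key)     # re-sign: hops is a signed field
            for peer in self.peers:
                peer.receive(fwd, now)
        return True

    def sweep(self, now):
        """Drop expired shuns (transient blocking) and stale replay state."""
        for ip, exp in list(self.shun.items()):
            if exp <= now:
                del self.shun[ip]
                for b in self.backends:
                    self.commands.append(b.delete(ip))
        self.seen = {i: t for i, t in self.seen.items() if t > now}
        return sorted(self.shun)
```

The `never_block` list and the replay window are the two checks a practitioner would not want to omit: without the first, anything that can trigger the IDS (a spoofed packet carrying your resolver's source address) can get your own infrastructure shunned everywhere at once; without the second, a captured request can be re-injected indefinitely. Peers re-sign after decrementing `hops` because a shared key makes every node a valid signer; with per-peer keys each hop would sign for its own neighbours instead.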
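The last paragraph of the message wishes for a secure way for an application host to ask its NAT device for port forwards. As an added example, not DFD's protocol and not anything the author designed, here is one constructed shape such a request could take: a signed JSON document the LAN host sends, which the NAT device verifies and turns into pf `rdr` rules (the older `rdr` syntax used by FreeBSD pf). The per-host keys, port numbers, interface name, addresses and policy limits are all assumptions, and the rules are rendered as text rather than loaded.

```python
"""Constructed example: authenticated port-forward request to a NAT device.

Not DFD's protocol. Assumptions: per-host pre-shared keys provisioned out of
band, JSON requests, a fixed policy, and pf 'rdr' rules rendered as strings.
"""
import hashlib
import hmac
import json

HOST_KEYS = {"192.168.1.20": b"key-for-host-20"}   # assumption: provisioned per LAN host
EXT_IF = "em0"                                    # assumption: external interface
MAX_SKEW = 60                                     # seconds of clock drift tolerated
MAX_PORTS = 8                                     # per request
MAX_TTL = 4 * 3600                                # forwards are transient
DENY_PORTS = {22, 25, 80, 443, 445}               # never forwarded on request


def _sign(fields, key):
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_request(host, ports, now, ttl=3600, key=None):
    """What the application host sends: which (proto, port) pairs to forward to it."""
    key = key or HOST_KEYS[host]
    req = {"host": host, "ports": sorted(ports), "ts": now, "ttl": ttl}
    req["mac"] = _sign(req, key)
    return req


def verify_and_render(req, now, src_ip):
    """NAT side. Returns (True, [pf rules]) or (False, reason).

    src_ip is the address the request actually arrived from: a host may
    only ask for forwards to itself, so a compromised box cannot expose
    its neighbours."""
    host = req.get("host")
    key = HOST_KEYS.get(host)
    if key is None:
        return False, "unknown host"
    fields = {k: v for k, v in req.items() if k != "mac"}
    if not hmac.compare_digest(req.get("mac", ""), _sign(fields, key)):
        return False, "bad mac"
    if abs(now - req["ts"]) > MAX_SKEW:
        return False, "stale"
    if src_ip != host:
        return False, "host may only request forwards to itself"
    if not 0 < req["ttl"] <= MAX_TTL:
        return False, "ttl out of range"
    ports = req["ports"]
    if not ports or len(ports) > MAX_PORTS:
        return False, "port count"
    rules = []
    for proto, port in ports:
        if proto not in ("tcp", "udp") or not 1024 <= port <= 65535 or port in DENY_PORTS:
            return False, f"refused {proto}/{port}"
        rules.append(f"rdr pass on {EXT_IF} inet proto {proto} from any "
                     f"to ({EXT_IF}) port {port} -> {host} port {port}")
    return True, rules
```

The policy checks do the security work here, not the MAC alone: authenticating the sender only tells the NAT device who is asking, and it still has to refuse forwards to other hosts, to privileged or sensitive ports, and for longer than a bounded lifetime. A replay inside the skew window re-issues the same idempotent, expiring rules, which is why no nonce store is kept in this sketch.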
------------------------------
End of firewall-wizards Digest, Vol 49, Issue 5