Hi Tim,

On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> What I would like to see in M0n0wall is a Portscan blocker and Anti-DoS
> which are adjustable in the Web interface
> (because some services have none or bad anti-DoS protection).

If you choose to run an insecure service behind your firewall, then you are asking for trouble. It is the job of any service to be secure - the firewall cannot "know" what is running behind it and implement specific security measures based on the application running on a particular server/port. The firewall's job is to stop all traffic that you don't specifically allow through, so if you allow traffic to an internal DMZ or LAN server, then it is your job, and the job of the server itself, to ensure that it is secure.

As for a portscan blocker, this is unnecessary. Portscanning a network is not illegal. Portscanning a network can cause no damage if you have a secure network only allowing required traffic in, and if you are running secured servers internally that are listening for this traffic.

> I do not mean an IDS like Snort because they do not actually belong in a
> firewall.
> (are too heavy (embedded systems), are too complicated (bugs) and I do not
> actually believe in them...)

I don't see how you cannot believe in a legitimate security tool such as an IDS yet want illegitimate "tools" such as anti-DoS and portscan-blocker features in a firewall. As you hinted at, running any unnecessary services on a firewall is asking for trouble. This is half the reason there's no Snort (or other IDS) on m0n0wall - the other reason is that this is an inappropriate place for such a tool - inside the firewall is where these belong.

Adding these esoteric functions you asked about to m0n0wall will do close to nothing for your security, will add to the code-base on the firewall (therefore add to its susceptibility to vulnerability), and add to the load the firewall places on its hardware. None of these are advantages.
-- 
Regards,

Hilton Travis                    Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual       Phone: +61-(0)419-792-394
Quark Computers                  http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/
Open Source Projects: http://www.ares-desktop.org/ http://www.mamboband.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.