Thanks for the answer. But would it not be more wise to block a flood attack at the firewall? (limiting the number of connections per IP, etc...) Or am I thinking wrong here?

Regards,

----- Original Message -----
From: "Hilton Travis" <Hilton at QuarkAV dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Saturday, February 21, 2004 11:13 PM
Subject: Re: [m0n0wall] Feature Request : Portscan block and Anti-DoS (but NO IDS)

> Hi Tim,
>
> On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> > What I would like to see in M0n0wall is a Portscan blocker and Anti-DoS
> > which are adjustable in the Web interface
> > (because some services have none or bad anti-DoS protection).
>
> If you choose to run an insecure service behind your firewall, then you
> are asking for trouble. It is the job of any service to be secure - the
> firewall cannot "know" what is running behind it and implement specific
> security measures based on the application running on a particular
> server/port. The firewall's job is to stop all traffic that you don't
> specifically allow through, so if you allow traffic to an internal DMZ
> or LAN server, then it is your job, and the job of the server itself, to
> ensure that it is secure.
>
> As for a portscan blocker, this is unnecessary. Portscanning a network
> is not illegal. Portscanning a network can cause no damage if you have
> a secure network only allowing required traffic in, and if you are
> running secured servers internally that are listening for this traffic.
>
> > I do not mean an IDS like Snort because they do not actually belong in a
> > firewall.
> > (are too heavy (embedded systems), are too complicated (bugs) and I do not
> > actually believe in them...)
>
> I don't see how you cannot believe in a legitimate security tool such as
> an IDS yet want illegitimate "tools" such as anti-DOS and
> portscan-blocker features in a firewall.
>
> As you hinted at, running any unnecessary services on a firewall is
> asking for trouble. This is half the reason there's no snort (or other
> IDS) on m0n0wall - the other reason is that this is an inappropriate
> place for such a tool - inside the firewall is where these belong.
> Adding these esoteric functions you asked about to m0n0wall will do
> close to nothing for your security, will add to the code-base on the
> firewall (therefore add to its susceptibility to vulnerability), and add
> to the load the firewall places on its hardware. None of these are
> advantages.
>
> --
>
> Regards,
>
> Hilton Travis                       Phone: +61-(0)7-3343-3889
> Manager, Quark AudioVisual          Phone: +61-(0)419-792-394
> Quark Computers                     http://www.QuarkAV.com/
> (Brisbane, Australia)               http://www.QuarkAV.net/
>
> Open Source Projects: http://www.ares-desktop.org/
>                       http://www.mamboband.org/
>
> Non Linear Video Editing Solutions & Digital Audio Workstations
> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
> Conference and Seminar AudioVisual Production and Recording
>
> War doesn't determine who is right. War determines who is left.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
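The "limiting the number of connections per IP" control the reply asks about is a per-source connection-rate limit. The following is an added, constructed model of that mechanism, not m0n0wall code and not code from either poster: each source address may open at most N new connections per sliding window, and a source that exceeds the limit is placed in a temporary block list, roughly the behaviour of a pf-style `max-src-conn-rate` rule with an overload table (treat that correspondence as an approximation, since real firewalls differ in detail). It replays constructed SYN events from a flooding host and a normal client and reports the verdicts per source.

```python
"""Per-source connection-rate limiting (constructed example, not m0n0wall's code).

Models the "N new connections per source per S seconds, then block for B seconds"
control the thread discusses. Semantics are an assumption modelled loosely on
pf's max-src-conn-rate with an overload table; no specific firewall is reproduced.
"""
from collections import defaultdict, deque


class SourceRateLimiter:
    """Sliding-window limit on new connections per source address."""

    def __init__(self, max_new_conns, window_seconds, block_seconds):
        self.max_new = max_new_conns          # N: allowed new connections per window
        self.window = window_seconds          # S: window length
        self.block_for = block_seconds        # B: how long an offender stays blocked
        self.recent = defaultdict(deque)      # src -> timestamps of recent new connections
        self.blocked_until = {}               # src -> time at which its block expires

    def new_connection(self, src, now):
        """Return 'pass' or 'block' for a new connection attempt from src at time now."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "block"                # still in the overload list
            del self.blocked_until[src]       # block expired, start fresh

        q = self.recent[src]
        q.append(now)
        # Drop attempts that fell out of the sliding window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.max_new:
            # Exceeded N per S: block this source for B seconds.
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return "block"
        return "pass"


def replay(events, max_new=5, window=1.0, block_for=10.0):
    """Run time-ordered (timestamp, src) events through the limiter.

    Returns {src: {"pass": count, "block": count}}.
    """
    lim = SourceRateLimiter(max_new, window, block_for)
    verdicts = defaultdict(lambda: {"pass": 0, "block": 0})
    for ts, src in sorted(events):
        verdicts[src][lim.new_connection(src, ts)] += 1
    return {src: dict(v) for src, v in verdicts.items()}


# Constructed sample traffic: (timestamp, source IP) of SYNs to one public service.
# 203.0.113.7 floods 40 SYNs in 2 s; 198.51.100.20 is a normal client, 6 SYNs over 3 s.
SAMPLE_EVENTS = (
    [(0.05 * i, "203.0.113.7") for i in range(40)]
    + [(0.5 * i, "198.51.100.20") for i in range(6)]
)

if __name__ == "__main__":
    for src, counts in replay(SAMPLE_EVENTS).items():
        print(src, counts)
```

With N=5 per 1 s, the flooding source gets five connections through and is then blocked for the remainder of the replay, while the normal client never trips the limit. The same model also shows the cost that the reply above hints at: everything behind a single NAT address shares one counter, so a busy legitimate site can be blocked just like a flooder, and the limit does nothing for a service that falls over on fewer than N connections, which is why the rate limit complements, rather than replaces, hardening the service itself.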