On Sun, 2004-02-22 at 09:02, Timothy Jans wrote:
> From: "Hilton Travis" <Hilton at QuarkAV dot com>
> > Hi Tim,
> >
> > On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> > > What I would like to see in M0n0wall is a Portscan blocker and
> > > Anti-DoS which are adjustable in the Web interface
> > > (because some services have none or bad anti-DoS protection).
> >
> > If you choose to run an insecure service behind your firewall, then
> > you are asking for trouble. It is the job of any service to be
> > secure - the firewall cannot "know" what is running behind it and
> > implement specific security measures based on the application
> > running on a particular server/port. The firewall's job is to stop
> > all traffic that you don't specifically allow through, so if you
> > allow traffic to an internal DMZ or LAN server, then it is your job,
> > and the job of the server itself, to ensure that it is secure.
> >
> > As for a portscan blocker, this is unnecessary. Portscanning a
> > network is not illegal. Portscanning a network can cause no damage
> > if you have a secure network only allowing required traffic in, and
> > if you are running secured servers internally that are listening
> > for this traffic.
> >
> > > I do not mean an IDS like Snort because they do not actually belong
> > > in a firewall.
> > > (are too heavy (embedded systems), are too complicated (bugs) and
> > > I do not actually believe in them...)
> >
> > I don't see how you cannot believe in a legitimate security tool
> > such as an IDS yet want illegitimate "tools" such as anti-DOS and
> > portscan-blocker features in a firewall.
> >
> > As you hinted at, running any unnecessary services on a firewall is
> > asking for trouble. This is half the reason there's no snort (or
> > other IDS) on m0n0wall - the other reason is that this is an
> > inappropriate place for such a tool - inside the firewall is where
> > these belong. Adding these esoteric functions you asked about to
> > m0n0wall will do close to nothing for your security, will add to
> > the code-base on the firewall (therefore add to its susceptibility
> > to vulnerability), and add to the load the firewall places on its
> > hardware. None of these are advantages.
>
> Thanks for the answer.
> But would it not be more wise to block a flood attack at the firewall?
> (limiting the number of connections per IP, etc...)
> Or am I thinking wrong here?

There is no possible way to limit the number of connection attempts per IP at the firewall. For the firewall to be able to detect a connection attempt, the connection attempt has to actually make it to the firewall. The traffic has already reached your network, and the bandwidth is already used. Therefore, blocking DDoS attacks (or flood attacks) at a firewall on your network is entirely ineffective. To be effective, they need to be blocked at (or preferably before) your ISP.

As I mentioned before, it is not the firewall's job to know what services you are running internally, it is the firewall's job to block all traffic that you have not specifically allowed through to your DMZ/LAN. It is the job of the server to determine what sort of traffic is appropriate to accept, not the firewall. I can run any service I like on any port I choose. Some require many connection attempts, some require few. Yet others require none. For a firewall to keep track of all this additional information and also the types of connection requests would place a load on the firewall beyond what most m0n0wall hardware could handle. You'd need a P4 for your firewall, not a Pentium.

Also, the process would not truly be effective, as any changes to the server - updates, bug fixes, etc - may mean that you now need to reconfigure the firewall for that particular port/service, increasing the complexity of your network, therefore increasing the likelihood that something gets configured incorrectly and breaks.
-- 
Regards,

Hilton Travis                      Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual         Phone: +61-(0)419-792-394
Quark Computers                    http://www.QuarkAV.com/
(Brisbane, Australia)              http://www.QuarkAV.net/
Open Source Projects:              http://www.ares-desktop.org/
                                   http://www.mamboband.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right.  War determines who is left.