In my opinion, whether or not something is legal doesn't necessarily mean I want to ALLOW it on my network. I could give several examples here, but I think we understand this.

Now, I personally like the idea of protecting against port scans. Whether or not it's illegal, I don't care to let anyone know WHAT ports I have open. Even if I'm as safe as possible, if someone runs a port scan "across the board", finds that I have port 3245 open as a web port and has a new web vuln for Apache 2.whateverihave, then this could sufficiently protect me. (Assuming that the portscan block has engaged prior to the scanner trying port 3245.)

Secondly, the "Anti DoS" idea to me is not anywhere near as important, as a true DoS can't really be blocked. Maybe this could help, however. (I think about potential kernel panics etc. from certain (unknown to us as of now) vulns.) Since these kinds of things can't be provided internally to the network, and I believe fall under the definition of firewall as found via Google's web def:

<firewall_def> A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. Basically, a firewall, working closely with a router program, filters all network packets to determine whether to forward them toward their destination. A firewall is often installed away from the rest of the network so that no incoming request can get directly at private network resources. There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and IP addresses. For mobile users, firewalls allow remote access in to the private network by the use of secure logon procedures and authentication certificates. </firewall_def>

I'm actually for them. However, it still must match the current setup: simple, small and efficient would be a good start, and then it must match Manuel's purpose too.

Brandon

> -----Original Message-----
> From: Timothy Jans [mailto:timothy dot jans at pandora dot be]
> Sent: Saturday, February 21, 2004 5:03 PM
> To: Hilton at QuarkAV dot com; m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Feature Request : Portscan block and Anti-DoS (but NO IDS)
>
> Thanks for the answer.
>
> But would it not be more wise to block a flood attack at the firewall?
> (limiting the number of connections per IP, etc...)
> Or am I thinking wrong here?
>
> Regards,
>
> ----- Original Message -----
> From: "Hilton Travis" <Hilton at QuarkAV dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Saturday, February 21, 2004 11:13 PM
> Subject: Re: [m0n0wall] Feature Request : Portscan block and Anti-DoS (but NO IDS)
>
>
> > Hi Tim,
> >
> > On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> > > What I would like to see in M0n0wall is a Portscan blocker and Anti-DoS
> > > which are adjustable in the Web interface
> > > (because some services have none or bad anti-DoS protection).
> >
> > If you choose to run an insecure service behind your firewall, then you
> > are asking for trouble. It is the job of any service to be secure - the
> > firewall cannot "know" what is running behind it and implement specific
> > security measures based on the application running on a particular
> > server/port. The firewall's job is to stop all traffic that you don't
> > specifically allow through, so if you allow traffic to an internal DMZ
> > or LAN server, then it is your job, and the job of the server itself, to
> > ensure that it is secure.
> >
> > As for a portscan blocker, this is unnecessary. Portscanning a network
> > is not illegal. Portscanning a network can cause no damage if you have
> > a secure network only allowing required traffic in, and if you are
> > running secured servers internally that are listening for this traffic.
> >
> > > I do not mean an IDS like Snort because they do not actually belong in
> > > a firewall.
> > > (are too heavy (embedded systems), are too complicated (bugs) and I do
> > > not actually believe in them...)
> >
> > I don't see how you cannot believe in a legitimate security tool such as
> > an IDS yet want illegitimate "tools" such as anti-DOS and
> > portscan-blocker features in a firewall.
> >
> > As you hinted at, running any unnecessary services on a firewall is
> > asking for trouble. This is half the reason there's no snort (or other
> > IDS) on m0n0wall - the other reason is that this is an inappropriate
> > place for such a tool - inside the firewall is where these belong.
> > Adding these esoteric functions you asked about to m0n0wall will do
> > close to nothing for your security, will add to the code-base on the
> > firewall (therefore add to its susceptibility to vulnerability), and add
> > to the load the firewall places on its hardware. None of these are
> > advantages.
> >
> > --
> >
> > Regards,
> >
> > Hilton Travis                     Phone: +61-(0)7-3343-3889
> > Manager, Quark AudioVisual        Phone: +61-(0)419-792-394
> > Quark Computers                   http://www.QuarkAV.com/
> > (Brisbane, Australia)             http://www.QuarkAV.net/
> >
> > Open Source Projects: http://www.ares-desktop.org/
> >                       http://www.mamboband.org/
> >
> > Non Linear Video Editing Solutions & Digital Audio Workstations
> > Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
> > Conference and Seminar AudioVisual Production and Recording
> >
> > War doesn't determine who is right. War determines who is left.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
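Brandon's caveat (a portscan block only helps if it engages before the scanner reaches the interesting port) and Timothy's per-IP connection limit, as an added example that is not m0n0wall code nor anything posted in the thread: two detection heuristics run over constructed log lines. The log format, thresholds, addresses and port 3245 usage are assumptions made for the example.

```python
# Added example, not m0n0wall code: port-scan and flood heuristics over log lines.
import re
from collections import defaultdict
# Constructed sample log, "ts src:sport -> dst:dport". 198.51.100.7 reaches 3245
# last; 192.0.2.99 happens to probe 3245 first; 192.0.2.44 floods port 80.
SAMPLE_LOG = """\
1000.0 198.51.100.7:40001 -> 203.0.113.10:21
1002.0 198.51.100.7:40002 -> 203.0.113.10:22
1004.0 198.51.100.7:40003 -> 203.0.113.10:23
1006.0 198.51.100.7:40004 -> 203.0.113.10:80
1008.0 198.51.100.7:40005 -> 203.0.113.10:3245
1020.0 192.0.2.99:50001 -> 203.0.113.10:3245
1022.0 192.0.2.99:50002 -> 203.0.113.10:21
1024.0 192.0.2.99:50003 -> 203.0.113.10:22
1026.0 192.0.2.99:50004 -> 203.0.113.10:23
1040.0 192.0.2.44:51000 -> 203.0.113.10:80
1040.1 192.0.2.44:51001 -> 203.0.113.10:80
1040.2 192.0.2.44:51002 -> 203.0.113.10:80
1040.3 192.0.2.44:51003 -> 203.0.113.10:80
"""
LINE_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+)$")

def parse(log):
    """Return [(ts, src, dst, dport)] for each well-formed line."""
    rows = [LINE_RE.match(ln) for ln in log.splitlines()]
    return [(float(m[1]), m[2], m[3], int(m[4])) for m in rows if m]

def scan_block_time(events, distinct_ports=4, window=10.0):
    """{src: ts} at which a block engages: the distinct_ports-th unique
    destination port seen from src within `window` seconds."""
    hist, blocked = defaultdict(list), {}
    for ts, src, _dst, dport in events:
        if src in blocked:
            continue  # packets after the block are dropped, not counted
        hist[src] = [(t, p) for t, p in hist[src] if ts - t <= window] + [(ts, dport)]
        if len({p for _, p in hist[src]}) >= distinct_ports:
            blocked[src] = ts
    return blocked

def probed_before_block(events, blocked, port):
    """Blocked sources that still reached `port` before their block engaged."""
    return sorted({s for ts, s, _d, p in events
                   if p == port and s in blocked and ts < blocked[s]})

def rate_exceeded(events, max_conns=3, window=1.0):
    """Sources opening more than max_conns connections within any window."""
    recent, offenders = defaultdict(list), set()
    for ts, src, _dst, _dport in events:
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) > max_conns:
            offenders.add(src)
    return sorted(offenders)
```

Run against the sample, the first scanner is blocked before it reaches 3245 while the second had already probed it, which is exactly the ordering assumption Brandon's argument depends on; the flooder never trips the scan heuristic and is caught only by the rate check.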