> -----Original Message-----
> From: Hilton Travis [mailto:Hilton at QuarkAV dot com]
> Sent: Saturday, February 21, 2004 5:34 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Feature Request : Portscan block and Anti-DoS (but NO IDS)
>
> On Sun, 2004-02-22 at 09:02, Timothy Jans wrote:
> > From: "Hilton Travis" <Hilton at QuarkAV dot com>
> > > Hi Tim,
> > >
> > > On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> > > > What I would like to see in M0n0wall is a Portscan blocker and
> > > > Anti-DoS which are adjustable in the Web interface
> > > > (because some services have none or bad anti-DoS protection).
> > >
> > > If you choose to run an insecure service behind your firewall, then
> > > you are asking for trouble. It is the job of any service to be
> > > secure - the firewall cannot "know" what is running behind it and
> > > implement specific security measures based on the application
> > > running on a particular server/port. The firewall's job is to stop
> > > all traffic that you don't specifically allow through, so if you
> > > allow traffic to an internal DMZ or LAN server, then it is your job,
> > > and the job of the server itself, to ensure that it is secure.
> > >
> > > As for a portscan blocker, this is unnecessary. Portscanning a
> > > network is not illegal. Portscanning a network can cause no damage
> > > if you have a secure network only allowing required traffic in, and
> > > if you are running secured servers internally that are listening
> > > for this traffic.
> > >
> > > > I do not mean an IDS like Snort because they do not actually belong
> > > > in a firewall.
> > > > (are too heavy (embedded systems), are too complicated (bugs) and
> > > > I do not actually believe in them...)
> > >
> > > I don't see how you cannot believe in a legitimate security tool
> > > such as an IDS yet want illegitimate "tools" such as anti-DOS and
> > > portscan-blocker features in a firewall.
> > >
> > > As you hinted at, running any unnecessary services on a firewall is
> > > asking for trouble. This is half the reason there's no snort (or
> > > other IDS) on m0n0wall - the other reason is that this is an
> > > inappropriate place for such a tool - inside the firewall is where
> > > these belong. Adding these esoteric functions you asked about to
> > > m0n0wall will do close to nothing for your security, will add to
> > > the code-base on the firewall (therefore add to its susceptibility
> > > to vulnerability), and add to the load the firewall places on its
> > > hardware. None of these are advantages.
> >
> > Thanks for the answer.
> > But would it not be more wise to block a flood attack at the firewall?
> > (limiting the number of connections per IP, etc...)
> > Or am I thinking wrong here?
>
> There is no possible way to limit the number of connection attempts per
> IP at the firewall. For the firewall to be able to detect a connection
> attempt, the connection attempt has to actually make it to the
> firewall. The traffic has already reached your network, and the
> bandwidth is already used. Therefore, blocking DDoS attacks (or flood
> attacks) at a firewall on your network is entirely ineffective. To be
> effective, they need to be blocked at (or preferably before) your ISP.
>
> As I mentioned before, it is not the firewall's job to know what
> services you are running internally, it is the firewall's job to block
> all traffic that you have not specifically allowed through to your
> DMZ/LAN. It is the job of the server to determine what sort of traffic
> is appropriate to accept, not the firewall. I can run any service I
> like on any port I choose. Some require many connection attempts, some
> require few. Yet others require none. For a firewall to keep track of
> all this additional information and also the types of connection
> requests would place a load on the firewall beyond what most m0n0wall
> hardware could handle. You'd need a P4 for your firewall, not a
> Pentium. Also, the process would not truly be effective, as any changes
> to the server - updates, bug fixes, etc - may mean that you now need to
> reconfigure the firewall for that particular port/service, increasing
> the complexity of your network, therefore increasing the likelihood that
> something gets configured incorrectly and breaks.
>
> --
>
> Regards,
>
> Hilton Travis                      Phone: +61-(0)7-3343-3889
> Manager, Quark AudioVisual         Phone: +61-(0)419-792-394
> Quark Computers                    http://www.QuarkAV.com/
> (Brisbane, Australia)              http://www.QuarkAV.net/
>
> Open Source Projects: http://www.ares-desktop.org/
>                       http://www.mamboband.org/
>
> Non Linear Video Editing Solutions & Digital Audio Workstations
> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
> Conference and Seminar AudioVisual Production and Recording
>
> War doesn't determine who is right. War determines who is left.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>

While the malicious incoming packets have already used your connection
bandwidth, one could limit/prevent outgoing packets (say ACKs or other
packets pointing to the source IPs for instance) that'd further congest
the network. (Hence anti-DoS and not DoS prevention or protection.)

Brandon
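The per-source connection limiting the thread argues over (Tim's request, Hilton's objection that the packets have already arrived, Brandon's point about not answering them) as an added illustration that is not from the list or from m0n0wall: a small Python model of a per-source new-connection rate limit with an overload table, run over constructed SYN records. The thresholds, the block duration and the two source addresses are assumptions chosen for the demo; the model shows that the flood's SYNs are all still received (the inbound bandwidth is spent) but, once the source is in the overload table, they are dropped before the protected host would send SYN-ACKs back.

```python
from collections import defaultdict, deque

# Constructed sample of inbound SYNs as (time_s, source_ip, dst_port); not real
# traffic. 203.0.113.5 floods port 80, 198.51.100.7 is an ordinary client.
SAMPLE_SYNS = (
    [(0.05 * i, "203.0.113.5", 80) for i in range(20)]
    + [(0.5, "198.51.100.7", 80), (3.0, "198.51.100.7", 443), (9.0, "198.51.100.7", 80)]
    + [(35.0, "203.0.113.5", 80)]  # after the block has expired: allowed again
)


class SourceRateLimiter:
    """Allow at most max_conn new connections per source within window seconds.
    A source that exceeds it goes into an overload table for block_secs and its
    further SYNs are dropped, so the protected host never answers them with
    SYN-ACKs. The SYNs themselves still arrive and still consume inbound bandwidth."""

    def __init__(self, max_conn=5, window=2.0, block_secs=30.0):
        self.max_conn, self.window, self.block_secs = max_conn, window, block_secs
        self.recent = defaultdict(deque)  # ip -> timestamps of SYNs that passed
        self.overload = {}                # ip -> time at which the block expires

    def decide(self, now, ip):
        """Return 'pass' or 'drop' for one SYN from ip seen at time now."""
        expires = self.overload.get(ip)
        if expires is not None:
            if now < expires:
                return "drop"
            del self.overload[ip]         # block expired: start counting afresh
            self.recent[ip].clear()
        q = self.recent[ip]
        while q and now - q[0] > self.window:  # forget SYNs older than the window
            q.popleft()
        if len(q) >= self.max_conn:
            self.overload[ip] = now + self.block_secs
            return "drop"
        q.append(now)
        return "pass"


def run(syns, limiter):
    """Feed SYN records in time order; return per-source pass/drop counts."""
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for t, ip, _port in sorted(syns):
        counts[ip][limiter.decide(t, ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in run(SAMPLE_SYNS, SourceRateLimiter()).items():
        print(f"{ip:14} pass={c['pass']:2} drop={c['drop']:2}")
```

Note that every record is still processed by the limiter, which is Hilton's point: the rule changes only what leaves the network, not what enters it.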