Re: [fw-wiz] A fun smackdown...
From: Chuck Swiger (chuck_at_codefab.com)
To: "Paul D. Robertson" <email@example.com> Date: Thu, 19 May 2005 18:58:57 -0400
On May 19, 2005, at 6:40 PM, Paul D. Robertson wrote:
>> A firewall with allow-all is simply a router.
> You'd be surprised at the number of "Yes we have a firewall!"'s I've
> with an allow all...
Look on the bright side, they have a lot of unused capability where
they could improve their security, if only someone showed them how to
Sounds like a happy consulting opportunity. :-)
>> I suspect that using greylisting, honeytraps, teergrubes, and similiar
>> techniques can do a lot to help slow down the spread rates of malware
>> and spam. That's one way of making an "allow all" rule less risky
>> the "deny all" rule might be. Of course, you have to make sure your
>> honeytrap software is up to the task, which is not as easy as it might
> I still don't see that as less risky.
Is it easier to defend against a known attack then against an unknown
>> Has anyone else tried setting up several honeytraps across their
>> address space? Have you noticed a difference in connection rates
>> between IP addresses at the far ends of your IP range, compared with
>> honeytrap IP's in the middle?
> I haven't, but I know a lot of worms generate addresses to try to
> with non-random algorithms. Most people I know who do that sort of
> tend to grab the first bit of traffic, talking enough of whatever
> it is to characterize it and tally it up. I'd bet the breakdown by
> protocol and malcode instance would be interesting, but it's a heck of
> lot of work to keep it updated.
Computers are good at logging and keeping track of the statistics. The
problem is understanding what all of the noise means and presenting it
to the user in a fashion which helps them make decisions.
-- -Chuck _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards