Re: [fw-wiz] a cutting-edge open-source network security project



On Wed, May 05, 2010 at 11:39:40PM -0500, Frank Knobbe wrote:
On Sun, 2010-05-02 at 15:48 -0700, travis+ml-firewalls@xxxxxxxxxxxxxxxxx
wrote:
[...] Another idea is to "federate" against attacks, so that when your IDS
(say, snort) detects an attack from an external entity, you block that
entity at multiple locations (each of which run DFD, but which may run
entirely different OSes and firewalls). This hasn't been implemented
but could prove itself rapidly useful (if engineered carefully).

When you say "this hasn't been implemented", are you referring to DFD?

Well, yes, I mean I haven't implemented a distributed blocking fabric
with DFD.

I'm just asking because this approach has been around for a while.
Snortsam is now nearly a decade old and uses the approach of you call
"federated" defense, which I call "distributed blocking fabric".
(Snortsam receives block requests from one or more Snort instances and
blocks on one of more firewalls, or forwards the request to other
Snortsam instances). And I can attest that this approach works extremely
well (detect once, protect many).

I see. I had heard the name snortsam and looking at it, it seems to have
similar goals.

One might characterize these in two ways:
snortsam can block IPs on multiple firewalls
DFD can implement any rule changes on any firewall

Snortsam as it stands just works :) and 2) we're enumerating so many
hostile IP's (even if only blocked for periods of time) that traditional
firewalls can no longer handle the load.

Yeah, I discuss some other options in the DFD paper:

http://www.subspacefield.org/security/dfd/#tth_sEc7

You'll note I've also linked to snortsam as related work.

Which led me to the development
of a new firewall module that, coupled with a database driven management
framework, can now handle transient shunning of millions of IP
addresses. I almost completed my migration from Snortsam to the new
framework.

Interesting. What firewall is it for? iptables?

Pf has something called tables that are supposed to be relatively
dense IP sets. Not sure if it would scale to your site's size though;
just a possibility.

Anyway, it looks like your DFD has a couple interesting features (for
example, the dynamic NAT stuff).

One thing I'd like to do is design a secure protocol for telling the
NAT device to do port forwarding, so that when an app fires up it
can securely send a structured file that does port forwarding. I ran
into this when trying to play Civ IV online behind a strict firewall;
I had to google for port numbers and so on, and never finished testing
to make sure I had it right. Very user-unfriendly.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@xxxxxxxxxxxxxxxxx to get blacklisted.

Attachment: pgpOrs6KpVOMx.pgp
Description: PGP signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards