Re: Dynamic Firewall/IDS System

From: Karsten W. Rohrbach
Date: 09/16/01

Date: Sun, 16 Sep 2001 19:52:04 +0200
From: "Karsten W. Rohrbach"
To: Krzysztof Zaraska

Krzysztof Zaraska (16:17:46 +0000):
> On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> > > tell me if you are interested in developing such a thing from scratch,
> > > together...
> >
> > I don't think this is necessary. It seems, to me anyway, redundant to
> > existing technologies. Does any OS need three firewalls in its base?
> Well, I don't think this project should aim towards building another
> packet filter, however a system gathering alerts from various sources
> (firewall, IDS, etc.) and reacting appropriately could be a good thing.
> Also, if it was modular in design and implementation then it could possibly
> run with many packet filters or IDS systems just by selecting appropriate
> "plugins". Is this what "different input/output handlers" means?

verbose concept:

- input handlers
    read event data from firewall logs, ids, whatever and transform it
    to a unified format (idmef?)
- event handler engine
    uses a to-be-discussed policy system to decide what to do in reaction
    to the incoming events
- output handlers
    take the generated countermeasure events, transform it to the
    appropriate format and remotely add rules to firewall systems and
    the like
- logging system
    generates categorized logs from all of the above, sends out
    realtime alerts via pager/mail/sms/...

prerequisites (and proposed subsystems for first implementation):
- lightweight ids system for input events
    -> snort
- firewall system for log based input events
    -> ipfilter/bsd
- firewall system for dynamic rule addition
    -> ipfilter/bsd
    -> cisco ios ip acls
    -> feed blackhole routes to juniper boxes
- reliable, authenticated, secure network transport
    -> kame ipsec/bsd, preshared secrets
    (tell me if you got a better idea)
- categorized log output subsystem
    -> plain file, easy thing
    -> mysql/postgresql, perhaps integration with acid or the like

it looks like we have to implement an event handling engine,
input, logging and output filters on a modular basis and -- that's the hard
work here -- a good and flexible policy/rule system. remote rule
distribution for snort systems is already implemented as a working
prototype at my site.

> > Besides, aren't you [basically] describing snort?
> I don't think this is a description of snort. Snort documentation
> explicitly states that it's a tool for intrusion detection only and snort
> itself does not have any options allowing to react to an alert, except the
> possibility of sending RST to tear down hostile TCP connections.

exactly! i am not satisfied with the flexresp features in snort. they
fit for a single host solution but not for clusters or larger scale
networks. let me describe one installation that would be easier to
manage with such a system:

imagine you got a colo with web servers, let's say 200 different boxes
behind several routers and firewalls. we do not have control over the os
of the boxes, since they are customer machines.

one guy on his home adsl line wrote a program that infiltrates windows
based machines. we don't have access to the boxes but we can see -- as
the network guys from the colo -- that they get or got attacked.

we deploy sensor rules for the ids boxes.
we deploy packet filter log rules that indicate the attack.
the event engine gets a feed from the inputs.
we deploy a policy for this certain attack type, including the
definition of what needs to be done to block the attack.
the output filters add the appropriate rules to a myriad of network
devices in our infrastructure to
- block a single ip address from where the attack came
- block certain things (in case of a worm) which appear to be outgoing
  from affected/infected servers
- alert the colo people via a monitoring console
- alert the owner of the server
- generate an abuse report
- ...

you see that i am thinking about a -- albeit complex -- network
intrusion _management_ system which is able to
- detect intrusion/breakage of boxes
- react in real time, thus minimizing the impact on infrastructure
- generate comprehensive reports on what happened

implementing such a system is a perfect candidate for an open source
project, because it probably will not originate from one larger company
who could afford project funding; nor could a smaller company
implement such a thing due to manpower constraints and cash.

> I think the tool described by Karsten is rather something that could use
> snort as one of possible alert sensors, right?
> Besides, I like the idea of updating rulesets between firewalls real-time.
> It's been discussed on this list before in slightly different context, but
> did not lead to implementing anything. Sounds cool even as a purely
> research project.

until a working proof of concept prototype is up and running it will be
a research project. the point is that no university people are at
this as far as i can see from the current ongoing projects of the major
unis. also network consulting companies and network security folks do
not have this comprehensive, interdisciplinary approach -- they rather
implement limited-by-design solutions to keep their customers half-way
happy and that's pretty much it.

> > > ...and include a short description of your skills, programming
> > > languages and os platform you're on, if you like.
> >
> > P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD, QNX,
> > Linux, and a little Solaris. X11R5/6.
> Administration part-time, FreeBSD, Linux, C/C++, bash, a little Perl and
> Java.

ah yes,
- full time system admin and network architect for the last 6 years for
  nacamar (as3257), world online and tiscali germany.
- 10+ years bsd knowledge, preferred flavour is freebsd, other flavours
  include aix, net and openbsd. i hate suns. i dislike win32, but worked
  for customer projects with it.
- perl, shell (sedawkm4), php spoken fluently
- c/c++, python, java are somewhat known, i am more and more into python
  (speak: learning the arcane magic of it ;-)
- application specific knowledge in apache et al.

> > --
> >
> > It took the computing power of three C-64s to fly to the Moon.
> > It takes an 800Mhz P3 to run Windows XP. Something is wrong here.

...only if you insist on dancing paperclips killing your time ;-)
business mail is very easily handled by latex and the like *grin*


> question = ( to ) ? be : ! be; // Wm. Shakespeare
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

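The pipeline sketched in the message above (input handlers normalising sensor data to a unified event, an event engine applying a threshold policy, output handlers emitting rules for several device families) as an added, self-contained example. This is not Karsten's prototype or any project's code: the log lines are constructed in snort fast-alert and ipmon style, the policies, thresholds, IP addresses and handler names are invented for the demonstration, and the rendered ipfilter, IOS ACL and Junos blackhole lines are illustrative renderings, not a deployment mechanism.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """Unified event: every input handler normalises its own log format to this."""
    source: str      # sensor family that produced the event
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str   # the sensor's own label for what it saw


# ---- input handlers: one per log format (regexes target the constructed lines below)
SNORT_RE = re.compile(
    r"\[\*\*\] (?:\[[\d:]+\] )?(?P<sig>.+?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")
IPF_RE = re.compile(
    r"@(?P<rule>\d+:\d+) [bp] (?P<src>\d+\.\d+\.\d+\.\d+),\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<port>\d+) PR \w+")


def parse_snort(line: str) -> Optional[Event]:
    m = SNORT_RE.search(line)
    return Event("snort", m["src"], m["dst"], int(m["port"]), m["sig"].strip()) if m else None


def parse_ipf(line: str) -> Optional[Event]:
    m = IPF_RE.search(line)
    # for a log-based source the firewall rule that fired serves as the "signature"
    return Event("ipfilter", m["src"], m["dst"], int(m["port"]), f"ipf rule {m['rule']}") if m else None


# ---- event engine: a policy says how many hits from one source IP warrant a reaction
@dataclass
class Policy:
    name: str
    matches: Callable[[Event], bool]
    threshold: int        # hits from one source IP before the policy fires
    actions: List[str]    # output handler names to invoke, in order


@dataclass(frozen=True)
class Countermeasure:
    policy: str
    action: str
    target_ip: str


class EventEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.counts: Counter = Counter()   # (policy name, src ip) -> hits
        self.fired = set()                 # never issue the same block twice

    def handle(self, ev: Event) -> List[Countermeasure]:
        out: List[Countermeasure] = []
        for p in self.policies:
            if not p.matches(ev):
                continue
            key = (p.name, ev.src_ip)
            self.counts[key] += 1
            if self.counts[key] >= p.threshold and key not in self.fired:
                self.fired.add(key)
                out.extend(Countermeasure(p.name, a, ev.src_ip) for a in p.actions)
        return out


# ---- output handlers: render one countermeasure in one device family's syntax
OUTPUT_HANDLERS: Dict[str, Callable[[Countermeasure], str]] = {
    "ipf": lambda c: f"block in quick from {c.target_ip} to any",
    "ios_acl": lambda c: f"access-list 120 deny ip host {c.target_ip} any",
    "junos_blackhole": lambda c: f"set routing-options static route {c.target_ip}/32 discard",
    "alert": lambda c: f"ALERT [{c.policy}] source {c.target_ip} exceeded threshold",
}

# hypothetical policies for the demonstration: names, thresholds and actions are invented
POLICIES = [
    Policy("iis-worm", lambda e: e.source == "snort" and "cmd.exe" in e.signature,
           2, ["ipf", "ios_acl", "alert"]),
    Policy("rpc-scan", lambda e: e.source == "ipfilter" and e.dst_port == 135,
           3, ["junos_blackhole", "alert"]),
]


def run_pipeline(lines: List[str], policies: List[Policy] = POLICIES) -> List[str]:
    """Raw log lines in, rendered countermeasures out; each call starts with fresh state."""
    engine = EventEngine(policies)
    rendered: List[str] = []
    for line in lines:
        ev = parse_snort(line) or parse_ipf(line)
        if ev is None:
            continue                       # no input handler understands this line
        rendered.extend(OUTPUT_HANDLERS[c.action](c) for c in engine.handle(ev))
    return rendered


# constructed sample lines (snort fast-alert style, ipmon style, plus noise); not real logs
SAMPLE_LOG = [
    "09/16-19:52:04.000001 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3456 -> 192.0.2.10:80",
    "09/16-19:52:05.000002 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3457 -> 192.0.2.11:80",
    "16/09/2001 19:52:06.000003 fxp0 @0:3 b 198.51.100.9,1025 -> 192.0.2.20,135 PR tcp len 20 60 -S IN",
    "16/09/2001 19:52:06.000004 fxp0 @0:3 b 198.51.100.9,1026 -> 192.0.2.21,135 PR tcp len 20 60 -S IN",
    "16/09/2001 19:52:07.000005 fxp0 @0:3 b 198.51.100.9,1027 -> 192.0.2.22,135 PR tcp len 20 60 -S IN",
    "some unrelated syslog noise",
]

if __name__ == "__main__":
    for rule in run_pipeline(SAMPLE_LOG):
        print(rule)
```

The `fired` set is the part worth noting: without it a chatty attacker would make the engine push the same block rule to every device on every further hit, which is exactly the kind of load a system spanning many routers and firewalls cannot afford. A real engine would also need expiry of blocks and a time window on the counters; both are left out here to keep the flow readable.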