RE: reacting after detecting

From: Joe Keegan (joe@jjk3.com)
Date: 05/17/02


From: "Joe Keegan" <joe@jjk3.com>
To: "'Victor Lima'" <s3tuid@violating.us>, <focus-ids@securityfocus.com>
Date: Fri, 17 May 2002 11:29:05 -0700

I think when most people talk about reaction, they are referring to a
human incident response, hopefully by a trained team or at least
someone following a previously written incident response procedure.
Response/Reaction happens after a security incident has occurred.

So, for your example of having an IDS add a deny rule to a firewall after
detecting possible malicious packets:

The firewall is obviously PREVENTION, it stops things you don't want
from getting in, but for networks to work, it needs holes. It's possible
that bad stuff can come through these holes.

That leads to the DETECTION of that bad stuff. The IDS detects the bad
stuff and then does a couple of things: it creates a log entry and then
adds the rule to the firewall. I don't see the addition of the rule to
the firewall as REACTION as much as I see it as part of PREVENTION.

Now that you have this log entry and the extra rule in your firewall,
this is where REACTION happens. You have had a security incident and
should do something. Maybe you contact the ISP of the system which
conducted the attack; do you leave the rule in the FW, and if so, for how
long; you should also try and verify it actually was what the IDS said
it was.

Joe

*******************************************************************
Joe Keegan joe@jjk3.com
Security Engineer
www.jjk3.com
SANS GCFW, CCSE, SCSA
Phone: 408-242-4588
*******************************************************************
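A small model of the flow described above, added here as an example and not code from the thread: the IDS alert adds a time-bounded deny rule and opens an incident record, and the analyst's verification decides whether the rule stays or is dropped. All addresses, the clock values and the signature label are constructed, and an in-memory dict stands in for the firewall.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses automation must never block (e.g. gateway, resolver):
# otherwise spoofed packets could make the IDS cut the site off from itself.
NEVER_BLOCK = {"10.0.0.1", "10.0.0.53"}

@dataclass
class Incident:
    src: str
    signature: str
    opened: int                       # seconds since epoch (constructed clock)
    verified: Optional[bool] = None   # None = not yet reviewed by a human
    notes: list = field(default_factory=list)

class AutoBlocker:
    """IDS-driven blocking with a TTL; the human reaction decides what stays."""
    def __init__(self, ttl=3600, confirmed_ttl=30 * 86400):
        self.rules = {}      # src -> expiry time; stands in for the firewall
        self.incidents = {}  # src -> Incident; the log entry that drives reaction
        self.ttl = ttl
        self.confirmed_ttl = confirmed_ttl

    def on_alert(self, src, signature, now):
        """Detection: log the incident and add a short-lived deny rule."""
        if src in NEVER_BLOCK:
            return False
        self.rules[src] = now + self.ttl
        self.incidents.setdefault(src, Incident(src, signature, now))
        return True

    def verify(self, src, confirmed, now, note=""):
        """Reaction: an analyst confirms or rejects the IDS verdict."""
        inc = self.incidents[src]
        inc.verified = confirmed
        inc.notes.append(note)
        if confirmed:
            self.rules[src] = now + self.confirmed_ttl  # keep it, for a known period
        else:
            self.rules.pop(src, None)  # false positive: unblock immediately

    def expire(self, now):
        """Unreviewed rules lapse instead of accumulating in the firewall."""
        lapsed = sorted(s for s, t in self.rules.items() if t <= now)
        for s in lapsed:
            del self.rules[s]
        return lapsed

    def is_blocked(self, src):
        return src in self.rules
```

The TTL answers the "how long" question with a default that a human can extend only after verifying the alert.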

-----Original Message-----
From: root@19650.rjo.virtua.com.br [mailto:root@19650.rjo.virtua.com.br]
On Behalf Of Victor Lima
Sent: Thursday, May 16, 2002 7:04 PM
To: focus-ids@securityfocus.com
Subject: reacting after detecting

Hello,

 This is my first post and my English isn't native, so forgive any
mistakes ;)))

 As Lance Spitzner said in one of his articles, breaking down security
in three is effective (prevention, detection, and reaction). I've seen
much effort being done to prevent an attack (firewall rules, patches,
up-to-date packages), and even more effort being done to create a more
effective detection system; however, I've only seen a couple of tools
that react after detecting an attack, and I'm not very fond of the idea
of adding a packet denying rule to my firewall in order to keep the
ill-intended traffic away, so my question is: What are the available
reacting systems, concepts, ideas, tools today?

"Computers are useless... They can only give you answers."
-- Pablo Picasso
