FEATURE

Shunning: Good or Bad?
December 4, 2000
When we ask people whether they would like their intrusion-detection systems to set rules in their firewall automatically, we hear a resounding "No!" every time. The reason is clear: both as rule-setters and as network users, many administrators want complete control over the firewall. The fear of an IDS blocking access to critical resources is very real, though possibly overblown. The risk that shunning causes more harm than good stems from false positives and false negatives. Like a virus scanner, an IDS can be prone to false alarms, because some of the signatures it relies on may also match legitimate traffic.

While these are sound fears, that doesn't mean you need to throw out the baby with the bathwater. Of course, shunning isn't a cure for overworked administrators who overlook events, either: if an event is important enough for an automated action, it is important enough for further investigation. Knowledge is the best weapon. Knowing what attacks look like will help you judge the chance of a false positive. Certain attacks, such as remote buffer overflow attacks, are distinct enough that false alarms are almost nil, so it is likely you can safely shun the originating IP addresses with little trouble. Intelligent, limited use of shunning can give you the breathing room you need while an attack is under way.

Port and ping scans, DoS (denial-of-service) and distributed DoS attacks are not good candidates for shunning, because their source IP addresses can be spoofed; in other words, you don't know where the attack is really originating. Attacks that run over TCP are generally not prone to IP spoofing, so at least you know where the source is. In addition, shunning can often be a timed event: by setting an expiration time on the firewall rule, you can slow down an attacker without having to go through your firewall removing stale rule entries.
Granted, most shunning we have seen is rudimentary. A single attack occurring in a vacuum can trigger an alert. What is sorely needed is intelligent event processing that can look at complex events and take action. For example, port scans aren't very interesting events. But port scans coupled with attack attempts are. Unfortunately, this level of processing isn't prevalent today.
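The policy sketched in the two preceding passages (shun only on TCP-borne alerts, shun distinct signatures on their own, treat port scans as interesting only when an attack attempt from the same host follows, never shun on spoofable scans or DoS traffic, and expire every block after a fixed time) can be written down as a small decision engine. The following Python is an added example and not code from the article or from any product it mentions; the signature classes, the 600-second TTL, the 300-second correlation window and the sample alerts are all constructed assumptions. The firewall is modelled as an in-memory rule table so the example runs offline.

```python
"""Shun-decision engine: decides which IDS alerts justify a timed firewall block.

Added illustration of the policy described in the article; the policy tables,
time limits and sample alerts below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy tables (assumed, not from the article's product).
SHUN_ALONE = {"remote_buffer_overflow"}      # distinct signatures, near-zero false positives
CORRELATE_ONLY = {"port_scan"}               # only interesting when an attack attempt follows
NEVER_SHUN = {"ping_scan", "dos", "ddos"}    # source may be spoofed; a block would be pointless
SPOOFABLE_PROTOS = {"udp", "icmp"}           # only TCP-borne alerts name a trustworthy source


@dataclass
class Alert:
    ts: int        # event time in seconds (constructed epoch offset)
    src: str       # source IP reported by the IDS
    proto: str     # "tcp", "udp" or "icmp"
    sig: str       # signature class reported by the IDS


@dataclass
class ShunTable:
    ttl: int = 600                  # how long a block lives before it expires
    correlation_window: int = 300   # scan must precede attack attempt within this window
    rules: Dict[str, int] = field(default_factory=dict)         # src -> expiry timestamp
    recent_scans: Dict[str, int] = field(default_factory=dict)  # src -> last scan timestamp
    log: List[str] = field(default_factory=list)                # human-readable audit trail

    def decide(self, a: Alert) -> Optional[str]:
        """Apply the policy to one alert; return the reason a shun was applied, or None."""
        self.expire(a.ts)
        # Anything whose source could be spoofed is logged for a human, never acted on.
        if a.proto in SPOOFABLE_PROTOS or a.sig in NEVER_SHUN:
            self.log.append(f"{a.ts} investigate-only {a.sig} from {a.src} ({a.proto})")
            return None
        # A TCP port scan on its own just gets remembered for later correlation.
        if a.sig in CORRELATE_ONLY:
            self.recent_scans[a.src] = a.ts
            self.log.append(f"{a.ts} recorded scan from {a.src}")
            return None
        # Distinct signatures are safe to shun immediately.
        if a.sig in SHUN_ALONE:
            return self._shun(a, "distinct signature")
        # Any other TCP attack attempt is shunned only if the same host scanned us recently.
        last = self.recent_scans.get(a.src)
        if last is not None and a.ts - last <= self.correlation_window:
            return self._shun(a, "scan followed by attack attempt")
        self.log.append(f"{a.ts} investigate-only {a.sig} from {a.src} (no prior scan)")
        return None

    def _shun(self, a: Alert, reason: str) -> str:
        """Install (or refresh) a timed block for the alert's source."""
        self.rules[a.src] = a.ts + self.ttl
        self.log.append(f"{a.ts} SHUN {a.src} until {self.rules[a.src]}: {reason}")
        return reason

    def expire(self, now: int) -> List[str]:
        """Remove stale rules; returns the sources that were unblocked."""
        stale = [src for src, exp in self.rules.items() if exp <= now]
        for src in stale:
            del self.rules[src]
            self.log.append(f"{now} expired block for {src}")
        return stale

    def is_blocked(self, src: str, now: int) -> bool:
        """True if src is still blocked at time `now` (expiry is applied first)."""
        self.expire(now)
        return src in self.rules


# Constructed sample alert stream (addresses are documentation ranges, not real hosts).
SAMPLE_ALERTS = [
    Alert(0,   "10.0.0.5",     "udp",  "port_scan"),               # spoofable: log only
    Alert(10,  "198.51.100.7", "tcp",  "port_scan"),               # remembered
    Alert(100, "198.51.100.7", "tcp",  "web_attack_attempt"),      # scan + attack: shun
    Alert(120, "203.0.113.9",  "tcp",  "web_attack_attempt"),      # no prior scan: log only
    Alert(130, "203.0.113.9",  "tcp",  "remote_buffer_overflow"),  # distinct: shun
    Alert(200, "192.0.2.1",    "icmp", "ddos"),                    # spoofable: log only
]


def run_sample() -> List[Optional[str]]:
    """Feed the sample stream through a fresh table and return the per-alert decisions."""
    table = ShunTable()
    return [table.decide(a) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    t = ShunTable()
    for alert in SAMPLE_ALERTS:
        t.decide(alert)
    print("\n".join(t.log))
    print("blocked at t=500:", sorted(t.rules))
    t.expire(800)
    print("blocked at t=800:", sorted(t.rules))
```

The audit log is the point of the design: every alert that is not acted on is still recorded with a reason, which keeps the "automated action implies further investigation" rule from the article intact, and the expiry timestamp stored next to each rule is what lets the blocks age out without anyone hand-editing the firewall.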