Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

Security
W O R K S H O P  
A Rookie's Guide to Defensive Blocks

  June 24, 2002
  By Mike DeMaria


>> continued from previous page

Shunning the Firewall Leapers

TOC Issue TOC
Printer Print full article
Printer Print this page
Printer Download as PDF
E-Mail E-Mail this URL
flameauthor Flame the author
 
  In this article
arrow
 Introduction
arrow
 Criminal Intent
arrow
 Shunning the Firewall Leapers
arrow
 Web Links

Firewalls are a start, but what happens if your antivirus, content-filtering or intrusion-detection systems discover an anomaly or attack attempt? You'll want to ban the attacker from accessing any part of your network. This is where you can take advantage of products that let you shun attackers.

Some IDSs can force rules into the firewall to ban an IP address or entire network, cutting the attacker off. You can do this manually by inserting a deny x.x.x.x rule whenever you discover an anomaly. Having an IDS do that for you makes the shunning take effect as soon as an attack is discovered. Shunning capabilities are vendor-dependent. For example, Check Point Software Technologies firewalls can integrate with IDSs that adhere to the OPSEC (Open Platform for Secure Enterprise Connectivity) standard. Check Point created OPSEC to expand its firewalls' capabilities and allow other products to permit or deny traffic. For a guide to IDSs, see "Dragon Claws its Way to the Top."

Devices such as ForeScout Technologies' ActiveScout and TippingPoint Technologies' UnityOne will block traffic to and from internal hosts based on attack signatures. These are not firewalls but active shunning devices that work with your firewall and IDS.

Shunning can have a downside, however; it can lead to a DoS (denial of service) attack. For example, say your IDS shuns when it receives a certain UDP packet. An attacker could conceivably create several thousand spoofed UDP packets sent from every IP address AOL owns. If you're not watching, one person can block your organization from all AOL users--a significant number of Internet users. You need to define carefully what events trigger a shun and for how long. Port and page scans are often innocuous; actively trying to run an exploit like an IIS overflow is not. Dial-up ISPs rotate IP addresses often, and an IP previously used by an attacker may no longer be suspect. Also, attackers coming from behind NAT (Network Address Translation) or NAPT (Network Address Port Translation) boxes can cause entire organizations to be shut out.


start top  Criminal Intent Web Links 

Research and Reports

Hypervisor Derby
August 2011
Network Computing: August 2011

Video


WATCH: Box.net CEO Aaron Levie Takes On Microsoft

WATCH: HP Chairman Ray Lane: Focus On Innovation

WATCH: How OpenFlow Changes Networking


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Featured Whitepapers

Featured Reports

BlogRoll

TechWeb Careers