Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

A Rookie's Guide to Defensive Blocks: Page 6 of 7

Some IDSs can force rules into the firewall to ban an IP address or entire network, cutting the attacker off. You can do this manually by inserting a deny x.x.x.x rule whenever you discover an anomaly. Having an IDS do that for you makes the shunning take effect as soon as an attack is discovered. Shunning capabilities are vendor-dependent. For example, Check Point Software Technologies firewalls can integrate with IDSs that adhere to the OPSEC (Open Platform for Secure Enterprise Connectivity) standard. Check Point created OPSEC to expand its firewalls' capabilities and allow other products to permit or deny traffic. For a guide to IDSs, see "Dragon Claws its Way to the Top."

Devices such as ForeScout Technologies' ActiveScout and TippingPoint Technologies' UnityOne will block traffic to and from internal hosts based on attack signatures. These are not firewalls but active shunning devices that work with your firewall and IDS.

Shunning can have a downside, however; it can lead to a DoS (denial of service) attack. For example, say your IDS shuns when it receives a certain UDP packet. An attacker could conceivably create several thousand spoofed UDP packets sent from every IP address AOL owns. If you're not watching, one person can block your organization from all AOL users--a significant number of Internet users. You need to define carefully what events trigger a shun and for how long. Port and page scans are often innocuous; actively trying to run an exploit like an IIS overflow is not. Dial-up ISPs rotate IP addresses often, and an IP previously used by an attacker may no longer be suspect. Also, attackers coming from behind NAT (Network Address Translation) or NAPT (Network Address Port Translation) boxes can cause entire organizations to be shut out.

• "Appshield Inspects and Protects Your Web Apps From HTTP to Z" (Network Computing, April 15, 2002)

• "Seeing to the Health of the Body Corporate" (Network Computing, April 1, 2002)