Re: How to login user automatically? (for IP Filter firewall)

From: WinGuy (no_spam_at_nomail.bot)
Date: 09/10/04

Date: Fri, 10 Sep 2004 15:48:48 GMT

"Martin" <nospam@example.org> wrote in message
news:10k2her8arb620e@news.supernews.com...
> WinGuy wrote:
>
> > I suppose I'll have to hack on IPFilter to get the real-time analysis of
> > the 128-bytes of data available per packet that I want, as I really don't
> > see a practical way of doing it with logs even if I could somehow use a
> > ramdrive with FBSD and tell IPFilter to use it. That would be a kludge.
> > Maybe someone out there has already done such a hack... (well, I can
> > hope!)
>
> So you want to respond to an attack by closing off ports when an attacker
> port-scans you or something? I've never seen the point of that. Firstly
> it makes it possible for people to DoS you with spoofed source IP
> addresses; and it makes it hard for you to test the configuration of your
> own firewall using pentest tools (nmap etc). Most attacks in reality come
> from worms which don't portscan you, they just target the relevant ports for
> the latest MS-IIS, MS SQL Server or MS RPC vulnerability, so firewalls that
> go closed after portscans won't stop them. Really you're better off just
> running minimal services; picking service implementations that have a good
> security history; and running those services in a locked-down environment
> (chroot jail as non-root user).

Yep, I agree. But this particular box only lives to be a firewall for my
entire LAN, nothing else. I don't want to slam ports shut in response to an
attack, I want to temporarily but near immediately block IP addresses in
response to packet data patterns that are associated with an attack on ports
that must remain open. Outside of this box, my entire LAN is composed of
Microsoft machines, including IIS. I absolutely need its ASP functionality
that has not existed in Apache. My Windows 2K server not only runs IIS but
also runs a Mercury email server. That box is constantly attacked (mostly by
worms, but occasionally by hackers), and has withstood this near daily
assault without a true security breach incident for nearly 2 years now. But
sometimes it gets darn busy defending itself (DoS).

My server box sits behind a router, then behind a resident ZoneAlarm Pro
firewall, and then behind another resident firewall (BlackIce). Each
firewall offers features, functions, or some advantage that the other lacks;
so it's a layered security approach. It's kept fully updated with all
Microsoft-provided updates and so on, and I've spent uncountable time
tweaking file permissions (a good thing, because occasionally someone makes
it past all the firewalls only to run up against NTFS permission denials).

The server is very, very secure. BUT, a large part of the security is its
own built-in resident firewalls. I won't get rid of them, but I do want to
install similar protection (FBSD+IPFilter, modified) not only to decrease
the actual attack handling load that the server must devote CPU cycles for,
but also to apply better security to the entire LAN (and to do that right at
the broadband modem) and to do so at a central administrative point. This is
why I'm building a FBSD firewall and learning its unix-style environment
(which is currently very alien to me, but that's on a fast track change
program). I want to be able to ward off a DoS right at the broadband modem,
too, instead of having IIS try to manage that sort of thing. Thus my
interest in FBSD+IPFilter (modified) operating in stealth mode.

I need help getting the IPFilter box working, because I really am a newbie
at using the operating system at its most basic level. And I need help
(maybe) modifying IPFilter so that packet data can be analyzed and acted
upon instead of having only the first 128 bytes of a packet be logged to a
file. This seems the next logical step for IPFilter that would greatly
improve its utility. But most of all, I honestly need that overall utility
and that's what's driving me. :)
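The mechanism WinGuy describes above (temporarily block a source address once logged packet data matches a pattern on a port that must stay open), sketched as an added example that is not code from either poster or from the IPFilter project. It works from log lines rather than inside the kernel, so it is the "log-driven" approach he calls a kludge, but it shows the state a real-time hook would need: a hit counter per source with a sliding window (so one spoofed or accidental match does not block anyone, addressing Martin's spoofed-DoS point), an exemption list for your own LAN (so you can still run your own tests against the firewall), and a block TTL so entries expire. The log lines are constructed in a simplified ipmon-like shape with a hex-encoded body field, the signatures are illustrative placeholders, and the `block in quick from ... to any` rule text is assumed to be the IPFilter syntax you would feed to `ipf`; nothing here executes any command.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Constructed, illustrative signatures applied to the logged packet body.
# Placeholders only; not real worm signatures.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "long-uri": re.compile(rb"^GET /[A-Za-z0-9]{200,}"),
}

# Constructed log format (simplified, ipmon-like):
#   <epoch> <src>,<sport> -> <dst>,<dport> PR <proto> body=<hex of first bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) body=(?P<body>[0-9a-f]*)$"
)

# Constructed sample: 203.0.113.5 sends three matching requests within 60s,
# 10.0.0.7 is on the exempt LAN, 198.51.100.9 matches only once.
SAMPLE_LOG = """\
1094831000 203.0.113.5,4455 -> 192.0.2.10,80 PR tcp body=474554202f2e2e2f2e2e2f78
1094831005 198.51.100.9,5120 -> 192.0.2.10,80 PR tcp body=474554202f696e6465782e617370
1094831010 203.0.113.5,4456 -> 192.0.2.10,80 PR tcp body=474554202f2e2e2f2e2e2f78
1094831012 10.0.0.7,33000 -> 192.0.2.10,80 PR tcp body=474554202f2e2e2f2e2e2f78
1094831020 203.0.113.5,4457 -> 192.0.2.10,80 PR tcp body=474554202f2e2e2f2e2e2f78
1094831030 198.51.100.9,5121 -> 192.0.2.10,80 PR tcp body=474554202f2e2e2f2e2e2f78
"""


class TemporaryBlocker:
    """Per-source hit counting with a sliding window and expiring blocks."""

    def __init__(self, threshold=3, window=60, ttl=600, never_block=()):
        self.threshold = threshold          # matches needed before blocking
        self.window = window                # seconds the matches must fall within
        self.ttl = ttl                      # seconds a block stays in force
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.hits = defaultdict(deque)      # src -> timestamps of matching packets
        self.blocked = {}                   # src -> expiry epoch

    def _exempt(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.never_block)

    def observe(self, src, body, now):
        """Record one packet; return the signature name matched (or None)."""
        self.expire(now)
        matched = next((name for name, rx in SIGNATURES.items() if rx.search(body)), None)
        if matched is None or self._exempt(src) or src in self.blocked:
            return matched
        q = self.hits[src]
        q.append(now)
        while q and q[0] < now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[src] = now + self.ttl
            q.clear()
        return matched

    def expire(self, now):
        """Remove blocks whose TTL has elapsed."""
        for src in [s for s, until in self.blocked.items() if until <= now]:
            del self.blocked[src]

    def rules(self):
        """Assumed IPFilter rule text for the current block list."""
        return [f"block in quick from {src} to any" for src in sorted(self.blocked)]


def build_blocker():
    # 10.0.0.0/8 stands in for the local LAN that must never be auto-blocked.
    return TemporaryBlocker(threshold=3, window=60, ttl=600, never_block=["10.0.0.0/8"])


def process_log(text, blocker):
    """Feed each parsable line to the blocker; return (src, match) per line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # ignore lines in another shape
        body = bytes.fromhex(m.group("body"))
        matched = blocker.observe(m.group("src"), body, int(m.group("ts")))
        events.append((m.group("src"), matched))
    return events


if __name__ == "__main__":
    b = build_blocker()
    for src, hit in process_log(SAMPLE_LOG, b):
        print(f"{src:15} {hit or '-'}")
    print(b.rules())
```

Only the single outside source that crossed the threshold ends up in the rule list; the LAN host is exempt and the one-off match is ignored. A kernel-side version would keep the same three pieces of state and simply be fed packets instead of log lines.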