Can an IPS system do this? - Firewalls


Thread: Can an IPS system do this?

  1. Can an IPS system do this?

    Hi everybody,

    As we all know, if you have a normal firewall that allows certain
    traffic through to a public server then the firewall doesn't provide
    any protection for the server on those ports. For example, it doesn't
    realise that the same external IP address has been hammering away at
    the server for the past 3 hours trying to guess a valid username and
    password combination.

    Does anyone know of a product that can add extra functionality to a
    firewall, or even replace the firewall, so that attacks like this can
    be automatically caught and the traffic blocked? A cisco engineer I
    know said that an IPS system is unlikely to be able to pick up this
    behaviour as suspicious, is he right?

    We have a basic budget of 5000 Euros to replace or augment our
    firewall, specifically to mitigate brute force attacks like this.
    Current firewall is a Cisco PIX 515E. I was thinking of maybe a Cisco
    ASA5510 with some add-on module or other, but if it won't help,...

    Any help is most appreciated.


  2. Re: Can an IPS system do this?

    Moose wrote:

    > For example, it doesn't
    > realise that the same external IP address has been hammering away at
    > the server for the past 3 hours trying to guess a valid username and
    > password combination.



    Who cares?

    > Does anyone know of a product that can add extra functionality to a
    > firewall, or even replace the firewall, so that attacks like this can
    > be automatically caught and the traffic blocked?



    But you realize that this is a very very very stupid idea?

  3. Re: Can an IPS system do this?

    Moose wrote:

    > Does anyone know of a product that can add extra functionality to a
    > firewall, or even replace the firewall, so that attacks like this can
    > be automatically caught and the traffic blocked? A cisco engineer I
    > know said that an IPS system is unlikely to be able to pick up this
    > behaviour as suspicious, is he right?


    This sort of thing?

    ftp://shorewall.net/pub/shorewall/co...entryHOWTO.txt

    Jim Ford

  4. Re: Can an IPS system do this?

    Moose wrote:

    > Does anyone know of a product that can add extra functionality to a
    > firewall, or even replace the firewall, so that attacks like this can
    > be automatically caught and the traffic blocked?


    Trust me, you DON'T want any firewall to automatically create new
    blocking rules.

    What do you do if somebody sends spoofed packets at your firewall
    causing it to automatically block traffic to/from some important server?


    Juergen Nieveler
    --
    A good pun is it's own reword.

  5. Re: Can an IPS system do this?

    Jim Ford wrote:
    > Moose wrote:
    >> Does anyone know of a product that can add extra functionality to a
    >> firewall, or even replace the firewall, so that attacks like this can
    >> be automatically caught and the traffic blocked? A cisco engineer I
    >> know said that an IPS system is unlikely to be able to pick up this
    >> behaviour as suspicious, is he right?

    >
    > This sort of thing?
    >
    > ftp://shorewall.net/pub/shorewall/co...entryHOWTO.txt


    *sigh*

    When will people learn that automatic network shunning is a REALLY BAD
    IDEA? Rate-limiting is a much better way to deal with this kind of
    problem. If you can't avoid using passwords in the first place.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
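
The trade-off raised in posts 4 and 5, as an added example that is not part of the original thread: an auto-shunning policy next to a per-source rate limit, both fed the same constructed burst of failed logins attributed to an important partner address. The class names, limits, address and traffic pattern are all assumptions made for the illustration.

```python
from collections import defaultdict

class Shunner:
    """Auto-block policy: a source is dropped for good after `limit` failures."""
    def __init__(self, limit=5):
        self.limit = limit
        self.failures = defaultdict(int)
        self.blocked = set()

    def allow(self, src, now):
        return src not in self.blocked

    def record_failure(self, src):
        self.failures[src] += 1
        if self.failures[src] >= self.limit:
            self.blocked.add(src)

class RateLimiter:
    """Token bucket per source: `burst` attempts at once, then one more
    attempt every `refill_every` seconds (integer seconds throughout)."""
    def __init__(self, burst=5, refill_every=10):
        self.burst, self.refill_every = burst, refill_every
        self.state = {}  # src -> (tokens, time the last token was earned)

    def allow(self, src, now):
        tokens, stamp = self.state.get(src, (self.burst, now))
        earned = (now - stamp) // self.refill_every
        tokens = min(self.burst, tokens + earned)
        stamp += earned * self.refill_every
        if tokens == self.burst:
            stamp = now  # a full bucket does not bank extra time
        ok = tokens > 0
        self.state[src] = (tokens - 1 if ok else tokens, stamp)
        return ok

    def record_failure(self, src):
        pass  # nothing to remember; the bucket already charged the attempt

def simulate(policy, partner="198.51.100.7"):
    """Constructed traffic: one failed login per second for 1000 s that appears
    to come from `partner`, then one genuine partner login an hour later.
    Returns (attempts that reached the server, whether the partner gets in)."""
    passed = 0
    for now in range(1000):
        if policy.allow(partner, now):
            passed += 1
            policy.record_failure(partner)
    return passed, policy.allow(partner, 1000 + 3600)
```

With these settings the shunner lets 5 guesses through and then locks the partner out indefinitely, while the rate limiter caps the burst at 104 guesses over 1000 seconds and the partner's later login still succeeds.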

  6. Re: Can an IPS system do this?

    Juergen Nieveler wrote:
    > Trust me, you DON'T want any firewall to automatically create new
    > blocking rules.
    >
    > What do you do if somebody sends spoofed packets at your firewall
    > causing it to automatically block traffic to/from some important
    > server?


    Instantly lose connectivity?

    cu
    59-That was easy!-cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  7. Re: Can an IPS system do this?

    On Apr 26, 9:08 pm, Ansgar -59cobalt- Wiechers
    wrote:
    > Juergen Nieveler wrote:
    > > Trust me, you DON'T want any firewall to automatically create new
    > > blocking rules.

    >
    > > What do you do if somebody sends spoofed packets at your firewall
    > > causing it to automatically block traffic to/from some important
    > > server?

    >
    > Instantly lose connectivity?
    >
    > cu
    > 59-That was easy!-cobalt
    > --
    > "If a software developer ever believes a rootkit is a necessary part of
    > their architecture they should go back and re-architect their solution."
    > --Mark Russinovich


    Yep, got the message loud and clear... I'll spend the effort instead
    ensuring the servers and apps are fully patched and tied down as much
    as possible.

    Thanks to all.



  8. Re: Can an IPS system do this?

    Moose wrote:

    > On Apr 26, 9:08 pm, Ansgar -59cobalt- Wiechers
    > wrote:
    >> Juergen Nieveler wrote:
    >>> Trust me, you DON'T want any firewall to automatically create new
    >>> blocking rules.
    >>> What do you do if somebody sends spoofed packets at your firewall
    >>> causing it to automatically block traffic to/from some important
    >>> server?

    >> Instantly lose connectivity?
    >>
    >> cu
    >> 59-That was easy!-cobalt
    >> --
    >> "If a software developer ever believes a rootkit is a necessary part of
    >> their architecture they should go back and re-architect their solution."
    >> --Mark Russinovich

    >
    > Yep, got the message loud and clear... I'll spend the effort instead
    > ensuring the servers and apps are fully patched and tied down as much
    > as possible.



    Hm... what about an IDS? After all, just because some companies think it's
    funny to add a shoot-yourself-in-the-foot extension doesn't mean that the
    idea of detecting suspicious behaviour would be a bad idea.

  9. Re: Can an IPS system do this?

    "Sebastian G." wrote:

    > Hm... what about an IDS? After all, just because some companies think
    > it's funny to add a shoot-yourself-in-the-foot extension doesn't mean
    > that the idea of detecting suspicious behaviour would be a bad idea.


    Yep. An IDS sensor on a mirrored port (or hub port - most companies
    don't have THAT fast Internet connections anyway) will at least tell
    you HOW somebody attacked your machine, which is a great help.

    Juergen Nieveler
    --
    Hi, my name is Annie Key. Please don't hit me

  10. Re: Can an IPS system do this?

    On Apr 26, 11:38 am, Moose
    wrote:
    > Hi everybody,
    >
    > As we all know, if you have a normal firewall that allows certain
    > traffic through to a public server then the firewall doesn't provide
    > any protection for the server on those ports. For example, it doesn't
    > realise that the same external IP address has been hammering away at
    > the server for the past 3 hours trying to guess a valid username and
    > password combination.
    >
    > Does anyone know of a product that can add extra functionaility to a
    > firewall, or even replace the firewall, so that attacks like this can
    > be automatically caught and the traffic blocked? A cisco engineer I
    > know said that an IPS system is unlikely to be able to pick up this
    > behaviour as suspicious, is he right?
    >
    > We have a basic budget of 5000 Euros to replace or augment our
    > firewall, specifically to mitigate brute force attacks like this.
    > Current firewall is a Cisco PIX 515E. I was thinking of maybe a Cisco
    > ASA5510 with some add-on module or other, but if it won't help,...
    >
    > Any help is most appreciated.


    You could keep your PIX, build an IPS/IDS from some FOSS and be almost
    as secure as some banks... only difference, banks have managed IPS/
    IDS, yours wouldn't be as much....

    RedForeman

