Just thought I would add to this that a lot of the time these countermeasures
are nice, but think very carefully about how you use them, as they could be
used against you.

Two examples -

1. Reconfiguring the FW - ISS (and others) use the SAM protocol to send an
encrypted message to OPSEC firewalls to block an attack. This could, however,
be used against you. Say our hacker knows he has got past your firewall; he
launches an attack and suddenly he loses his connection. It doesn't take
a genius to work out an IDS is in play, so he goes to their web site and
finds one of their strategic partners (let's say it's a bank and he uses their
credit reference agency). He then launches an attack and spoofs the IP to
be the credit agency's; the IDS picks it up, reconfigures the firewall, and
BANG, you've lost your connection to a major business partner.

2. Using RST packets - be careful with things like SYN floods, as sending a
TCP RST packet back can actually create its own DoS/flood back to the
initiating host. With SYN floods you really want the packets DROPPED, not
reset.

The last thing to say is the whole false positive issue. In my
experience most customers don't use the kills, as they are too afraid that
legitimate traffic will get stopped.

Si

________________________________________________
Simon Edwards
Technical Evangelist
Top Layer Networks
US Office  : + 1 508 870 1300 (x230)
US Mobile : + 1 617 953 8764
UK Office  : + 44 1252 748509
UK Mobile : + 44 7971 959170
www: http://www.TopLayer.com
email: [EMAIL PROTECTED]
 
"Perfecting the Art of Network Security" 
------------------------------------------------------------------------------------
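The two failure modes Simon describes (an attacker spoofing a partner's address so that the IDS shuns the partner, and a RST-per-SYN reaction that reflects a flood) come down to what an auto-response policy is allowed to act on. The following is an added illustration, not any vendor's SAM/OPSEC client or Top Layer code: a naive shun-the-source policy beside a hardened one that refuses to act on single-packet alerts (a blind spoofer cannot complete a TCP three-way handshake against an unpredictable ISN), never shuns a listed partner range, and answers flood signatures with DROP rather than RST. The Alert record, the partner network, the signature names and the sample alerts are all constructed for the example.

```python
"""Auto-response policy for a NIDS, simulated offline.

Added example, not any vendor's SAM/OPSEC client. The Alert record, the
partner list and both policy functions are assumptions made for the
illustration; the sample alerts at the bottom are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    sig: str              # name of the signature the sensor matched
    src_ip: str           # source address exactly as seen on the wire
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    handshake_seen: bool  # sensor tracked a full SYN/SYN-ACK/ACK for this flow


# Hypothetical: address block of the credit reference agency we must never cut off.
PARTNERS = [ip_network("198.51.100.0/24")]


def naive_response(alert: Alert) -> dict:
    """Shun whatever source the alert carried and reset the offending flow.
    This is the behaviour the post warns about."""
    return {"shun": alert.src_ip, "flow": "reset"}


def hardened_response(alert: Alert) -> dict:
    """Same intent, with the checks the post's two examples call for."""
    src = ip_address(alert.src_ip)
    if alert.proto != "tcp" or not alert.handshake_seen:
        # One spoofed packet is enough to raise this kind of alert, and a
        # blind spoofer cannot complete a three-way handshake, so the source
        # address is not trustworthy enough to push to the firewall.
        shun = None
    elif any(src in net for net in PARTNERS):
        # Never let an alert reconfigure the firewall against a partner,
        # even when the flow looks real; leave that decision to a human.
        shun = None
    else:
        shun = alert.src_ip
    # Reacting to a flood with a RST per bogus SYN reflects the flood back at
    # whoever was spoofed; those packets should be dropped silently instead.
    flow = "drop" if alert.sig.endswith("flood") else "reset"
    return {"shun": shun, "flow": flow}


# Constructed alerts: a port scan spoofed from the partner's range, a real
# probe inside an established session, and a SYN flood.
SAMPLE_ALERTS = [
    Alert("portscan", "198.51.100.7", "203.0.113.10", "tcp", handshake_seen=False),
    Alert("web-cgi-probe", "192.0.2.66", "203.0.113.10", "tcp", handshake_seen=True),
    Alert("tcp-syn-flood", "192.0.2.99", "203.0.113.10", "tcp", handshake_seen=False),
]


def compare(alerts=SAMPLE_ALERTS) -> dict:
    """Return {signature: (naive decision, hardened decision)} per alert."""
    return {a.sig: (naive_response(a), hardened_response(a)) for a in alerts}


if __name__ == "__main__":
    for sig, (naive, hard) in compare().items():
        print(f"{sig:14s} naive={naive} hardened={hard}")
```

Running it shows the naive policy shunning 198.51.100.7 (the partner) on the strength of a spoofed scan, while the hardened policy shuns only the source of the established web probe and answers the SYN flood with a drop. The handshake check is the important one: it converts "which address was in the packet" into "which address actually completed a connection", which is what makes the shun decision hard to weaponise.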


-----Original Message-----
From: Toni Heinonen [mailto:[EMAIL PROTECTED]]
Sent: 06 March 2002 16:04
To: Carr, Aaron [CNTUS]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


> retaliate, I think an equal or greater reaction to the probe or attack in
> question.  You may simply be saying take effective counter-measures, such as
> performing a shun on a host or network, which is already available in
> multiple products.  One such product is the Cisco secure IDS in conjunction
> with other Cisco network products. For more information on that, see
> http://www.cisco.com/warp/public/44/solutions/network/security.shtml.
> 
> Hope that helps.

Indeed. I think almost all NIDSs by now know how to react to attacks at
least at some level. For instance, Snort (http://www.snort.org/) knows how
to spoof RST-flagged packets to both parties, effectively terminating the
connection there.

Of course, you could also make an IDS software that watches the
NIDS-software's logs and upon intrusion does whatever you want. A shell
script, say.

Also, Check Point's OPSEC-standard is meant for all sorts of communications
from hosts to firewalls. Now the Network Flight Recorder (NFR, nfr.net)
software knows how to speak OPSEC to a Firewall-1 and effectively shut the
intruder from your network. As does ISS's product, if I recall correctly.

TONI HEINONEN
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki
   [EMAIL PROTECTED]  *  www.teleware.fi
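Toni mentions Snort spoofing RST packets to both parties. The part that makes such a reset actually take effect is getting the sequence numbers right: the endpoint only honours a RST whose sequence number falls in its receive window (RFC 793), and modern stacks following RFC 5961 want it to equal RCV.NXT exactly. The following is an added example, not Snort's code, that computes the two RSTs from one observed segment; the segment dictionaries and addresses are constructed for illustration.

```python
"""Build the two spoofed RSTs a sensor would inject to tear down a TCP flow.

Added example, not Snort's implementation. Segments are plain dicts
constructed for the illustration; nothing here touches the network.
"""

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def seg_len(seg: dict) -> int:
    """Sequence space a segment consumes: payload bytes plus one each for SYN/FIN."""
    return seg["payload_len"] + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])


def rst_pair(seg: dict) -> tuple:
    """seg is one observed segment from A to B. Returns (rst_to_b, rst_to_a).

    B will accept a RST that looks like it came from A and carries A's next
    sequence number, i.e. the observed seq plus whatever the segment consumed.
    A will accept a RST that looks like it came from B and carries the number
    A expects next from B, which is exactly the ack A just sent.
    """
    a_next = (seg["seq"] + seg_len(seg)) % MOD
    rst_to_b = {
        "src": seg["src"], "sport": seg["sport"],
        "dst": seg["dst"], "dport": seg["dport"],
        "flags": {"RST"}, "seq": a_next, "ack": 0, "payload_len": 0,
    }
    rst_to_a = {
        "src": seg["dst"], "sport": seg["dport"],
        "dst": seg["src"], "dport": seg["sport"],
        "flags": {"RST"}, "seq": seg["ack"] % MOD, "ack": 0, "payload_len": 0,
    }
    return rst_to_b, rst_to_a


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


# Constructed: a 100-byte data segment from client A (10.0.0.1) to server B.
OBSERVED = {
    "src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80,
    "seq": 1000, "ack": 5000, "payload_len": 100, "flags": {"ACK", "PSH"},
}


if __name__ == "__main__":
    to_b, to_a = rst_pair(OBSERVED)
    print("RST to B:", to_b["src"], "->", to_b["dst"], "seq", to_b["seq"])
    print("RST to A:", to_a["src"], "->", to_a["dst"], "seq", to_a["seq"])
    # If B had already advanced past this segment, the RST falls out of window
    # and is silently discarded; a sensor that sees traffic late loses the race.
    print("B accepts:", in_window(to_b["seq"], rcv_nxt=to_b["seq"], rcv_wnd=65535))
```

The race in the last comment is the practical caveat: a passive sensor injects after the fact, so if more data has already been acknowledged by the time its RST arrives, the reset is out of window and ignored. That is why this technique is far more reliable from an inline device than from a span port, and why tools that do it passively sometimes emit several RSTs with staggered sequence numbers.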
