Choices for security

Kristian Rask krask at isupport.dk
Fri Jun 6 01:42:04 PDT 2003


Hi

In the ongoing saga a new question arises...

Presently the system is configured as follows

100 MBit WAN <--> FreeBSD Gateway <--> /28 DMZ-Net incl. 2 MS-IIS

ipfw is used to make basic protection for the Windows 2000 / IIS servers

ipfw is used to kill setups from certain IPs to DMZ/28 80,443

snort is listening for 80,443 setups on DMZ and logging to a MySQL server

A script at regular intervals asks MySQL for identical src-IPs that return more than LIMIT records.
The script then produces ipfw rules and inserts them. After this the script removes
all previously registered records from the database (so that the DB doesn't keep growing).
The script does an "ipfw show" and looks at the relevant records for the number of attempts and the traffic amount. Based on this the script removes records from the rulesets when traffic drops to a certain level.
ipfw zeroes the relevant blocking rules so that a new period of traffic measuring and blocking can start.


All of the above is being done at the moment and most of it is automatic by now.
However, it seems to me to be overkill...
Does anyone have an idea as to how one measures the IP traffic types in real time?

Another thing that has me wondering is something that would look kinda like route aggregation...
like... if I have more than X registrations of certified bad boys per Y bits of network, I would like
to detect this and recreate a network rule instead of a handful of host rules, e.g.:
If I detect, say, 16+ rules belonging to the same /24 then I would like to detect this and replace the 16+ rules with 1 rule for the entire /26. The basic idea is to reduce the number of rules in the firewall for performance reasons.
Reviewing the last 3 days' log files of ipfw rules shows a lot of cases where 10 - 20 machines came from a very narrow range of IPs.
I'm not asking anyone to invent the above... but if somebody has pointers to algorithms that will work well in the above scenario, I would be grateful to know about them.


Any and all input on the problem is much appreciated.

Regards & TIA

Kristian
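An added example, not Kristian's script (which the post does not show), of the aggregation step the post asks about: the host addresses currently blocked are grouped by a configurable prefix length, any group that reaches the threshold is collapsed into one network rule, and ipfw deny commands for the DMZ web ports are rendered. The prefix length, threshold, rule numbers, the "to any" destination and the sample addresses are assumptions.

```python
"""Collapse per-host ipfw block rules into one network rule when enough
offending hosts share a prefix (added example, not the post's own script)."""
import ipaddress
from collections import defaultdict


def aggregate_blocked(hosts, prefix_len=24, threshold=16):
    """Group offending source addresses by /prefix_len.

    A prefix holding at least `threshold` distinct hosts is returned as a
    single network to block; hosts in smaller groups stay individual rules.
    Returns (networks, remaining_hosts), both sorted numerically.
    """
    buckets = defaultdict(set)
    for h in hosts:
        addr = ipaddress.ip_address(h)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        buckets[net].add(addr)
    networks = sorted(n for n, members in buckets.items()
                      if len(members) >= threshold)
    remaining = sorted(a for n, members in buckets.items()
                       if len(members) < threshold for a in members)
    return networks, remaining


def ipfw_rules(networks, hosts, base=10000):
    """Render deny rules for the DMZ web ports. Rule numbers and the
    'to any' destination are assumed (the post does not give the DMZ prefix);
    one network rule replaces all per-host rules it covers."""
    rules = []
    for num, src in enumerate(list(networks) + list(hosts), start=base):
        rules.append(f"ipfw add {num} deny tcp from {src} to any 80,443 setup")
    return rules


# Constructed sample: 16 hosts from one /24 plus 3 stragglers elsewhere.
BLOCKED = [f"203.0.113.{i}" for i in range(10, 26)] + [
    "198.51.100.7", "198.51.100.200", "198.51.100.33"]

if __name__ == "__main__":
    nets, hosts = aggregate_blocked(BLOCKED, prefix_len=24, threshold=16)
    for rule in ipfw_rules(nets, hosts):
        print(rule)  # 1 network rule + 3 host rules instead of 19 host rules
```

Running the same pass first with a longer prefix and a lower threshold (for example /28 with 4 hosts) and then with /24 catches the narrow clusters the post describes before the coarser rule is considered.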



More information about the freebsd-net mailing list