Choices for security

Barney Wolff barney at databus.com
Fri Jun 6 08:49:51 PDT 2003


On Fri, Jun 06, 2003 at 10:34:19AM +0200, Kristian Rask wrote:
> 
> snort is listening for 80,443 setups on DMZ and logging to a MySQL server

Since the database is deliberately ephemeral, I would keep it in an
in-core hash table.

> Another thing that has me wondering is something that would look kinda like route aggregation...
> like... if I have more than X registrations of certified bad boys per Y bits of network.. I would like
> to detect this and recreate a network rule instead of a handful of host rules.. e.g.:
> If I detect say 16+ rules belonging to the same /24 then I would like to detect this and replace the 16+ rules with 1 rule for the entire /26. The basic idea is to reduce the number of rules in the firewall for performance reasons.
> Reviewing the last 3 days' log files of ipfw rules shows a lot of cases where 10 - 20 machines came from a very narrow range of IPs.
> I'm not asking anyone to invent the above... but if somebody has pointers to algorithms that will work well in the above scenario, I would be grateful to know about them.

If performance is good without this added complexity, there is no reason
to add it.  If not, I would look at doing a binary search with skipto
rules, rather than trying to discern aggregates.  Or just block a /26 or
/27 automatically when you detect abuse from any host in it.  How often
do you get abuse and legitimate requests from adjacent hosts?

Finally, if the problem is strictly http(s) requests, you can put an
allow tcp established rule before the blocking rules, and take the
hit only on setup packets.  That doesn't stop an attacker using hping
or equivalent, but does stop request bots.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
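
As an added example (mine, not code from either poster), a bucket-and-threshold sketch of the aggregation the quoted message asks about, rendered as ipfw rules with the "allow tcp established" rule placed first as suggested in the reply; the prefix length, threshold, port list and rule numbers are assumptions, and the sample hosts are constructed.

```python
"""Collapse abusive hosts into network blocks and render ipfw deny rules."""
from collections import defaultdict
import ipaddress

# Constructed sample: 18 abusers inside 203.0.113.0/26 plus 3 stragglers elsewhere.
SAMPLE_HOSTS = [f"203.0.113.{i}" for i in range(1, 19)] + [
    "198.51.100.7", "198.51.100.9", "192.0.2.44",
]


def aggregate(hosts, prefix_len=26, threshold=16):
    """Bucket IPv4 hosts by /prefix_len (assumed /26) and return
    (networks, leftover): a bucket holding at least `threshold` distinct
    hosts becomes one network rule, the rest stay individual host rules."""
    buckets = defaultdict(set)
    for h in hosts:
        net = ipaddress.ip_network(f"{h}/{prefix_len}", strict=False)
        buckets[net].add(ipaddress.ip_address(h))
    networks, leftover = [], []
    for net, members in buckets.items():
        if len(members) >= threshold:
            networks.append(net)
        else:
            leftover.extend(members)
    return sorted(networks), sorted(leftover)


def ipfw_rules(networks, hosts, ports="80,443", base=1000):
    """Render ipfw commands: one 'allow tcp established' rule first so only
    setup packets traverse the deny list, then network blocks, then hosts.
    Rule numbers (base, step 10) are assumptions."""
    rules = [f"add {base} allow tcp from any to any established"]
    num = base + 10
    for src in list(networks) + list(hosts):
        rules.append(f"add {num} deny tcp from {src} to any {ports} setup")
        num += 10
    return rules


def build_ruleset(hosts=SAMPLE_HOSTS, prefix_len=26, threshold=16):
    """Full pipeline on the constructed sample; returns the ipfw rule lines."""
    networks, leftover = aggregate(hosts, prefix_len, threshold)
    return ipfw_rules(networks, leftover)


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

A /26 deny catches every neighbour in the block, so before lowering the threshold it is worth checking, as the reply asks, how often legitimate clients share a block with the abusers.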
