Hi,
I was wondering how some of you think about some issues with block
policies in firewalls. Basically you can choose to have a firewall send resets
back as an answer to probes etc. to not-allowed ports, or you can choose to
have a firewall drop the packets.
In general I think just dropping is the better one.
Consider the latest worms like Blaster and Sasser. How many hits would
some firewalls encounter on blocked ports from such worms on busy
networks? If a firewall has to send resets upon each hit, the firewall is
very busy sending out resets. On very busy firewalls it may even lead to
a serious degree of resource starvation? Simply dropping these probes
wouldn't cause these problems because no answer is generated.
Of course, another possibility is to limit the amount of resets you're
sending back. Like: if I have to send more than n resets back I won't,
meaning resets are not sent back on all packets. But I don't think
firewalls support such a feature yet?
Moreover, worms like Blaster and Sasser spread way too fast for manual
intervention. An IDS would have to intervene, I guess.
How difficult would it be for an IDS to notice that, in such a short time,
so much traffic from and to certain ports (e.g. 445) is being generated, and
block the stuff because such an amount has to be an anomaly?
I guess it's the only way to remedy such problems. Of course traffic
shaping helps as well.
Bye,
Mipam.
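The two ideas floated in the post above, a cap on how many resets the firewall answers with and an IDS that flags a burst of hits on one blocked port, as a small simulation. This is example code added here, not code from the original post or from any particular firewall or IDS product; the probe records, the token-bucket parameters (5 resets/s, burst of 10) and the detection window (more than 20 hits on one port within 2 seconds) are all constructed for illustration.

```python
"""Simulation of two ideas from the post: rate-limiting the TCP resets a
firewall sends for blocked ports, and flagging a burst of hits to one
port (445) as an anomaly.  Example code added here, not from the
original post; the probe records below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts_ms: int   # arrival time in milliseconds
    src: str     # source address (constructed)
    dport: int   # destination port that the block policy covers


class ResetLimiter:
    """Token bucket shared by all reset answers: at most `rate` resets
    per second, with a burst allowance of `burst`.  Tokens are kept in
    thousandths so the arithmetic stays exact."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate                 # resets per second
        self.cap = burst * 1000          # bucket size in millitokens
        self.tokens = self.cap
        self.last_ms = None

    def decide(self, ts_ms: int) -> str:
        if self.last_ms is not None:
            # (delta_ms / 1000) * rate tokens == delta_ms * rate millitokens
            self.tokens = min(self.cap, self.tokens + (ts_ms - self.last_ms) * self.rate)
        self.last_ms = ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return "reset"               # answer the probe with a TCP RST
        return "drop"                    # budget exhausted: silently discard


class BurstDetector:
    """Sliding window per destination port: alert when more than
    `threshold` blocked hits land on one port within `window_ms`."""

    def __init__(self, window_ms: int, threshold: int):
        self.window_ms = window_ms
        self.threshold = threshold
        self.hits = defaultdict(deque)   # dport -> timestamps inside the window

    def observe(self, p: Probe):
        q = self.hits[p.dport]
        q.append(p.ts_ms)
        while q and p.ts_ms - q[0] > self.window_ms:
            q.popleft()                  # expire hits older than the window
        if len(q) > self.threshold:
            return (p.ts_ms, p.dport, len(q))
        return None


def make_probes():
    """Constructed traffic: 60 hosts hitting port 445 every 50 ms
    (worm-style scan), plus a slow trickle of hits on port 80."""
    probes = [Probe(10000 + 50 * i, f"10.0.{i // 256}.{i % 256}", 445) for i in range(60)]
    probes += [Probe(3000 * i, "192.0.2.7", 80) for i in range(5)]
    return sorted(probes, key=lambda p: p.ts_ms)


def run(probes, rate=5, burst=10, window_ms=2000, threshold=20):
    """Feed every probe through the limiter and the detector; return the
    reset/drop tally and the list of (ts_ms, port, hits) alerts."""
    limiter = ResetLimiter(rate, burst)
    detector = BurstDetector(window_ms, threshold)
    actions = {"reset": 0, "drop": 0}
    alerts = []
    for p in probes:
        actions[limiter.decide(p.ts_ms)] += 1
        alert = detector.observe(p)
        if alert is not None:
            alerts.append(alert)
    return actions, alerts


if __name__ == "__main__":
    acts, als = run(make_probes())
    print("resets sent:", acts["reset"], "probes dropped:", acts["drop"])
    print("first alert (ts_ms, port, hits in window):", als[0])
    print("alerts raised:", len(als))
```

With these parameters only 28 of the 65 probes get a reset and the rest are dropped once the bucket runs dry, and the detector first fires one second into the scan, when 21 hits to port 445 sit inside the two-second window. One bucket shared by all sources is what the post's "more than n resets" rule amounts to, and it has the obvious side effect that a legitimate probe arriving during the storm (the port 80 hit at 12 s here) is also dropped; a per-source bucket would avoid that but would not limit anything against a worm that spreads from many hosts at once.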