Hi Pat Blocking using an IDS definitely has its flaws, a hacker could exploit this as Michael Rash stated, spoofing the address of your customers/partners in the hope that they will be cut off by your IDS. I have had another look at SessionWall 3 and whilst its not the best IDS on the market it does have some interesting features that may be of use to you. Firstly it can block traffic on the fly, ie traffic fitting an attack signature will have their packets reset (I suggest only for those packets where there is no risk of false positives). I cant describe this further as I've signed an NDA. Secondly it can reconfigure the Cisco router or Firewall-1 to shun the hostile site. Whilst this is not ordinarily recommended for the reasons above, SessionWall can have a rule that will only take this action between say 1800 - 0800 notifying you by pager that it has done so. This should allow you to get some of that quality time with your family and wait till the following morning before investigating. You can define friendly sites that will be excluded from this rule, overcoming some of the problems with spoofing. Oh its also a net nanny and an E-mail content scanner (though it has no parser for x.400). Any other solutions out there ??
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:23 PDT