--- "Marcus J. Ranum" <mjrat_private> wrote:

> ...but nobody expects that it'll somehow act like William Gibson-esque "ICE" and automatically "heal" a broken network or backtrack and destroy the bad guys.

Hhhm. The other day a customer of ours installed BlackICE Defender on their home machine. Even before the installation process had completed, it detected that the machine was being controlled by a remote access Trojan, blocked further access by the perpetrator, and discovered that the perp's login name was the same as a former coworker's.

Of course, the above example really is flash: though it can work this way sometimes, it is rarely this effective. Most of the time BlackICE Defender sits quietly in the background logging the occasional scan.

On the other hand, I'm a little disturbed by the lack of "out-of-box" thinking. This whole conversation started with everyone using their own policy manual as a guide to the feasibility of whether IDSs should reconfigure firewalls. However, everyone has a different policy guide: what might be appropriate for some is not appropriate for another.

For example, let's say that you have an external website which only serves static pages and has no access to sensitive information. Also, let's say that it is mission critical. Now let's say that you've got conclusive evidence that the machine has been hacked. What do you do? Probably leave it running and try to solve the problems while the server is in production.

Conversely, let's say that you suspect (but without much evidence) that one of your users' machines behind the firewall has been hacked. What do you do? Pull the plug and ask questions later.

I mean, with a firewall you've already pre-DoSed your users: you deny them full access to the Internet. How many users can get IRC, ICQ, or even RealAudio through the firewall? How many of your users are complaining they can't traceroute through your firewall? You've already denied them that service.

It is interesting to note that the people crying "No auto-configure" are probably already using auto-configuration in order to get applications like FTP and RealAudio to work through the static filters.

Right now, BlackICE Defender does both types of auto-configuration: it allows applications like FTP and RealAudio to work despite the static firewall rules. It also shuts out traffic that is conclusively bad (BackOrifice responses transmitted from your machine are virtually impossible to spoof or to trigger as false positives).

At the same time, BlackICE Sentry (your traditional network IDS that runs like NFR or RealSecure) does NOT have the ability to reconfigure firewalls. Even though we think such policies are good for end-nodes, we agree that few customers should be doing that with their main firewall.

Robert Graham
CTO/Network ICE
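The two kinds of auto-configuration the post contrasts, as an added illustration that is not code from the original message or from any Network ICE product: a deny-by-default end-node filter that opens a short-lived pinhole from FTP protocol state (the "make FTP work through static filters" case) and that reconfigures itself to block a peer only when an alert is marked conclusive. The PASV reply, the hosts, the port list and the `EndNodeFilter` class are all constructed for the example.

```python
import re
import time

# Constructed sample of an FTP server's PASV reply (not real traffic).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (host, port) announced by a 227 reply, or None if malformed."""
    m = PASV_RE.search(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(not 0 <= o <= 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

class EndNodeFilter:
    """Deny-by-default filter for one host: static allowed remote ports,
    short-lived pinholes derived from protocol state, and timed peer blocks."""
    def __init__(self, static_ports, now=time.time):
        self.static_ports = set(static_ports)
        self.now = now
        self.pinholes = {}  # (peer, port) -> expiry timestamp
        self.blocked = {}   # peer -> expiry timestamp
    def open_pinhole(self, peer, port, ttl=30):
        self.pinholes[(peer, port)] = self.now() + ttl
    def block_peer(self, peer, ttl=3600):
        self.blocked[peer] = self.now() + ttl
    def allows(self, peer, port):
        t = self.now()
        if self.blocked.get(peer, 0) > t:
            return False  # a block overrides every allow rule
        return port in self.static_ports or self.pinholes.get((peer, port), 0) > t

def on_ftp_reply(filt, line, server):
    """Open a data-channel pinhole only if the PASV reply points back at the
    server we are talking to; anything else would turn the hole into a relay."""
    parsed = parse_pasv(line)
    if parsed and parsed[0] == server:
        filt.open_pinhole(*parsed)
        return parsed
    return None

def on_alert(filt, peer, conclusive):
    """Reconfigure only on conclusive evidence; an uncertain alert is just logged."""
    if conclusive:
        filt.block_peer(peer)
        return "blocked"
    return "logged"
```

The pinhole expires on its own, so a stale data-channel rule never outlives the transfer that justified it, and an alert without conclusive evidence changes nothing but the log.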
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:50 PDT