manatworkyes moderator wrote:

> This is a very good question. I'd like to extend that question to other security solutions. IDS for example: How many IDS systems can deal with the slapper worm? How many AVs block Bugbear (before it was publicly available)?
> Do you (or anyone else) know if there is any *network based generic* security device that deals with the latest Solaris bug?

The engines that use anomaly detection can theoretically pick up some of this. For instance, by dropping traffic whose high level protocol fields are oversized, use illegal values, or are otherwise malformed. That, of course, assumes that there are standards for the fields in question and application writers adhere to them so we don't get a million false positives. :)

AV software's corresponding method would be heuristics but I get the impression it hasn't been very effective. I suspect this is due to the nature of a general purpose computer in a consumer's hands...too many applications look like viruses and trojans :)

> IMO, the SmartDefense stuff is more than signature blocking. It looks for the roots of the problem. So, if SSLv2 is vulnerable, use only SSLv3.

I'd thought SmartDefense was smarter than that. The approach you described, to me, would be analogous to "if IIS 4 is vulnerable, allow access only to IIS 5 servers". Might not be a bad security policy but I was expecting a little more sophistication.

Along that vein however, I think I've seen products combining vulnerability detection, firewall, and IDS functionality that could theoretically make possible a policy saying "don't pass traffic to unpatched IIS servers".

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
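As an added example (not part of the post above, and not code from SmartDefense or any other product mentioned), the following toy filter shows the protocol-anomaly approach Gary describes: it drops HTTP request heads whose fields are oversized, carry illegal values, or are malformed, and it also shows his false-positive caveat, since a legitimate WebDAV request trips the strict profile. The size limits, the allowed-method set and the sample requests are all assumptions constructed for illustration.

```python
"""Toy protocol-anomaly filter for HTTP request heads (added example).
Flags fields that are oversized, carry illegal values, or are malformed.
All limits, allowed-value sets and samples are assumptions, not values
taken from any product or standard."""
from dataclasses import dataclass, field

# Assumed "standard" profile for well-behaved clients (illustrative values).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_REQUEST_LINE = 512   # bytes allowed in the request line
MAX_HEADER_VALUE = 1024  # bytes allowed in one header value
MAX_HEADERS = 50         # header lines allowed per request


@dataclass
class Verdict:
    drop: bool
    reasons: list = field(default_factory=list)


def inspect_http_request(raw: bytes, strict: bool = True) -> Verdict:
    """Check one HTTP request head against the profile.

    strict=True additionally rejects methods outside KNOWN_METHODS (the
    'illegal value' rule); this is where legitimate extensions such as
    WebDAV become false positives."""
    reasons = []
    # Malformed: the head must be ASCII and end with an empty line.
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return Verdict(True, ["non-ASCII bytes in request head"])
    if "\r\n\r\n" not in text:
        reasons.append("request head not terminated by CRLF CRLF")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    request_line, header_lines = lines[0], lines[1:]

    # Oversized or illegal request line.
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append(f"request line {len(request_line)}B > {MAX_REQUEST_LINE}B")
    parts = request_line.split(" ")
    if len(parts) != 3:
        reasons.append("request line is not 'METHOD TARGET VERSION'")
    else:
        method, _target, version = parts
        if version not in KNOWN_VERSIONS:
            reasons.append(f"illegal version token {version!r}")
        if strict and method not in KNOWN_METHODS:
            reasons.append(f"unknown method {method!r}")

    # Oversized or malformed headers.
    if len(header_lines) > MAX_HEADERS:
        reasons.append(f"{len(header_lines)} header lines > {MAX_HEADERS}")
    for line in header_lines:
        if ":" not in line:
            reasons.append(f"malformed header line {line[:24]!r}")
            continue
        name, value = line.split(":", 1)
        if not name or any(c.isspace() for c in name):
            reasons.append(f"illegal header name {name!r}")
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"header {name!r} value {len(value)}B > {MAX_HEADER_VALUE}B")
    return Verdict(bool(reasons), reasons)


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "normal":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "oversized": b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "illegal":   b"GET /index.html HTTP/9.9\r\nHost: www.example.com\r\n\r\n",
    "malformed": b"GET /index.html HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "binary":    b"GET /\xff\xfe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Legitimate WebDAV request: valid on the wire, but not in KNOWN_METHODS.
    "webdav":    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\n\r\n",
}


def filter_samples(strict: bool = True) -> dict:
    """Map each sample name to whether the filter would drop it."""
    return {name: inspect_http_request(raw, strict).drop for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient", filter_samples(mode))
```

Running it in strict mode drops everything except the normal request, including the WebDAV sample; switching to lenient mode lets WebDAV through while still catching the oversized, illegal, malformed and non-ASCII cases. That gap between the two modes is exactly the "standards the application writers adhere to" assumption Gary points out.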
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 07:29:21 PDT