Can an IPS system do this?

on 26.04.2007 17:38:35 by Moose

Hi everybody,

As we all know, if you have a normal firewall that allows certain
traffic through to a public server then the firewall doesn't provide
any protection for the server on those ports. For example, it doesn't
realise that the same external IP address has been hammering away at
the server for the past 3 hours trying to guess a valid username and
password combination.

Does anyone know of a product that can add extra functionality to a
firewall, or even replace the firewall, so that attacks like this can
be automatically caught and the traffic blocked? A Cisco engineer I
know said that an IPS system is unlikely to be able to pick up this
behaviour as suspicious, is he right?

We have a basic budget of 5000 Euros to replace or augment our
firewall, specifically to mitigate brute force attacks like this.
Current firewall is a Cisco PIX 515E. I was thinking of maybe a Cisco
ASA5510 with some add-on module or other, but if it won't help,...

Any help is most appreciated.

Re: Can an IPS system do this?

on 26.04.2007 19:33:07 by Sebastian Gottschalk

Moose wrote:

> For example, it doesn't
> realise that the same external IP address has been hammering away at
> the server for the past 3 hours trying to guess a valid username and
> password combination.

Who cares?

> Does anyone know of a product that can add extra functionality to a
> firewall, or even replace the firewall, so that attacks like this can
> be automatically caught and the traffic blocked?

But you realize that this is a very very very stupid idea?

Re: Can an IPS system do this?

on 26.04.2007 19:38:53 by Jim Ford

Moose wrote:

> Does anyone know of a product that can add extra functionality to a
> firewall, or even replace the firewall, so that attacks like this can
> be automatically caught and the traffic blocked? A Cisco engineer I
> know said that an IPS system is unlikely to be able to pick up this
> behaviour as suspicious, is he right?

This sort of thing?

ftp://shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt

Jim Ford

Re: Can an IPS system do this?

on 26.04.2007 20:34:28 by unknown

Post removed (X-No-Archive: yes)

Re: Can an IPS system do this?

on 26.04.2007 21:05:51 by Ansgar -59cobalt- Wiechers

Jim Ford wrote:
> Moose wrote:
>> Does anyone know of a product that can add extra functionality to a
>> firewall, or even replace the firewall, so that attacks like this can
>> be automatically caught and the traffic blocked? A Cisco engineer I
>> know said that an IPS system is unlikely to be able to pick up this
>> behaviour as suspicious, is he right?
>
> This sort of thing?
>
> ftp://shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt

*sigh*

When will people learn that automatic network shunning is a REALLY BAD
IDEA? Rate-limiting is a much better way to deal with this kind of
problem, if you can't avoid using passwords in the first place.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Can an IPS system do this?

on 26.04.2007 21:08:36 by Ansgar -59cobalt- Wiechers

Juergen Nieveler wrote:
> Trust me, you DON'T want any firewall to automatically create new
> blocking rules.
>
> What do you do if somebody sends spoofed packets at your firewall
> causing it to automatically block traffic to/from some important
> server?

Instantly lose connectivity?

cu
59-That was easy!-cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Can an IPS system do this?

on 27.04.2007 13:34:10 by Moose

On Apr 26, 9:08 pm, Ansgar -59cobalt- Wiechers wrote:
> Juergen Nieveler wrote:
> > Trust me, you DON'T want any firewall to automatically create new
> > blocking rules.
>
> > What do you do if somebody sends spoofed packets at your firewall
> > causing it to automatically block traffic to/from some important
> > server?
>
> Instantly lose connectivity?
>
> cu
> 59-That was easy!-cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Yep, got the message loud and clear... I'll spend the effort instead
ensuring the servers and apps are fully patched and tied down as much
as possible.

Thanks to all.

Re: Can an IPS system do this?

on 27.04.2007 16:31:57 by Sebastian Gottschalk

Moose wrote:

> On Apr 26, 9:08 pm, Ansgar -59cobalt- Wiechers wrote:
>> Juergen Nieveler wrote:
>>> Trust me, you DON'T want any firewall to automatically create new
>>> blocking rules.
>>> What do you do if somebody sends spoofed packets at your firewall
>>> causing it to automatically block traffic to/from some important
>>> server?
>> Instantly lose connectivity?
>>
>> cu
>> 59-That was easy!-cobalt
>> --
>> "If a software developer ever believes a rootkit is a necessary part of
>> their architecture they should go back and re-architect their solution."
>> --Mark Russinovich
>
> Yep, got the message loud and clear... I'll spend the effort instead
> ensuring the servers and apps are fully patched and tied down as much
> as possible.

Hm... what about an IDS? After all, just because some companies think it's
funny to add a shoot-yourself-in-the-foot extension doesn't mean that the
idea of detecting suspicious behaviour would be a bad idea.
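
Putting the thread's two points side by side, as an added example that is not from any poster: detection of the "same address hammering for hours" pattern over constructed sshd-style log lines, combined with a sliding-window throttle that lapses on its own instead of a permanent block rule, and an allow-list so that traffic spoofed from an address you depend on (192.0.2.10 here, an assumed value) can never lock that server out. All addresses, hostnames and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from the thread). 203.0.113.7 plays the
# password guesser; 192.0.2.10 plays the "important server" an attacker could spoof.
SAMPLE_LOG = """\
Apr 26 14:00:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Apr 26 14:00:03 web1 sshd[2302]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Apr 26 14:00:04 web1 sshd[2303]: Failed password for root from 203.0.113.7 port 40013 ssh2
Apr 26 14:00:12 web1 sshd[2304]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
Apr 26 14:00:20 web1 sshd[2305]: Failed password for root from 192.0.2.10 port 52000 ssh2
Apr 26 14:00:21 web1 sshd[2306]: Failed password for root from 192.0.2.10 port 52001 ssh2
Apr 26 14:00:22 web1 sshd[2307]: Failed password for root from 192.0.2.10 port 52002 ssh2
"""

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

# Addresses never throttled whatever the log says (assumed value): the guard
# against spoofed packets locking out a server you depend on.
NEVER_THROTTLE = {"192.0.2.10"}

def parse_failures(text, year=2007):
    """Yield (timestamp, source) per failed-login line; syslog lines carry no year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

class SlidingWindowLimiter:
    """Per-source failure count in a sliding window; a 'throttle' verdict expires by itself."""
    def __init__(self, max_failures=3, window=timedelta(seconds=60)):
        self.max_failures, self.window, self.events = max_failures, window, defaultdict(deque)

    def record(self, ts, src):
        q = self.events[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget events that left the window
            q.popleft()

    def decision(self, ts, src):
        if src in NEVER_THROTTLE:               # spoofing cannot turn this into a lockout
            return "allow"
        recent = sum(1 for t in self.events[src] if ts - t <= self.window)
        return "throttle" if recent > self.max_failures else "allow"

def replay(text, limiter):
    """Feed the log through the limiter; return the sources that were ever throttled."""
    flagged = set()
    for ts, src in parse_failures(text):
        limiter.record(ts, src)
        if limiter.decision(ts, src) == "throttle":
            flagged.add(src)
    return sorted(flagged)
```

Replaying the sample with `max_failures=2` flags only 203.0.113.7, and asking the limiter again a few minutes later returns "allow" without anyone having to remove a rule.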

Re: Can an IPS system do this?

on 27.04.2007 22:44:50 by unknown

Post removed (X-No-Archive: yes)

Re: Can an IPS system do this?

on 02.05.2007 15:14:00 by RedForeman

On Apr 26, 11:38 am, Moose wrote:
> Hi everybody,
>
> As we all know, if you have a normal firewall that allows certain
> traffic through to a public server then the firewall doesn't provide
> any protection for the server on those ports. For example, it doesn't
> realise that the same external IP address has been hammering away at
> the server for the past 3 hours trying to guess a valid username and
> password combination.
>
> Does anyone know of a product that can add extra functionality to a
> firewall, or even replace the firewall, so that attacks like this can
> be automatically caught and the traffic blocked? A Cisco engineer I
> know said that an IPS system is unlikely to be able to pick up this
> behaviour as suspicious, is he right?
>
> We have a basic budget of 5000 Euros to replace or augment our
> firewall, specifically to mitigate brute force attacks like this.
> Current firewall is a Cisco PIX 515E. I was thinking of maybe a Cisco
> ASA5510 with some add-on module or other, but if it won't help,...
>
> Any help is most appreciated.

You could keep your PIX, build an IPS/IDS from some FOSS and be almost
as secure as some banks... the only difference is that banks have managed
IPS/IDS; yours wouldn't be as much....

RedForeman