Can an IPS system do this?

Hi everybody,

As we all know, if you have a normal firewall that allows certain traffic through to a public server then the firewall doesn't provide any protection for the server on those ports. For example, it doesn't realise that the same external IP address has been hammering away at the server for the past 3 hours trying to guess a valid username and password combination.

Does anyone know of a product that can add extra functionality to a firewall, or even replace the firewall, so that attacks like this can be automatically caught and the traffic blocked? A Cisco engineer I know said that an IPS system is unlikely to be able to pick up this behaviour as suspicious. Is he right?

We have a basic budget of 5000 Euros to replace or augment our firewall, specifically to mitigate brute force attacks like this. Current firewall is a Cisco PIX 515E. I was thinking of maybe a Cisco ASA5510 with some add-on module or other, but if it won't help,...

Any help is most appreciated.

Moose

Who cares?

But you realize that this is a very very very stupid idea?

Sebastian G.

This sort of thing?

ftp://shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt

Jim Ford

Trust me, you DON'T want any firewall to automatically create new blocking rules.

What do you do if somebody sends spoofed packets at your firewall causing it to automatically block traffic to/from some important server?

Juergen Nieveler

*sigh*

When will people learn that automatic network shunning is a REALLY BAD IDEA? Rate-limiting is a much better way to deal with this kind of problem, if you can't avoid using passwords in the first place.

cu

59cobalt
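Worked illustration of the two points made above (Juergen's spoofing objection and Ansgar's rate-limiting alternative). This is an added example, not code posted in the thread: it tails constructed syslog-style sshd lines, counts failures per source address in a sliding window, and instead of writing a permanent firewall rule it hands back a self-expiring "throttle" decision, and only an "alert" for addresses on an operator-maintained never-block list. The log format, the window and threshold values, the assumed year for the timestamps and the sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style sshd failure line (format assumed for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log (not from the thread). 203.0.113.9 hammers the box;
# the burst "from" 192.0.2.10 carries the address of a mission-critical peer,
# which is what spoofed or misattributed packets look like to a naive
# auto-blocker.
SAMPLE_LOG = """\
Mar 3 10:00:01 gw sshd[811]: Failed password for root from 203.0.113.9 port 4121 ssh2
Mar 3 10:00:03 gw sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 4122 ssh2
Mar 3 10:00:05 gw sshd[813]: Accepted publickey for ops from 198.51.100.7 port 50110 ssh2
Mar 3 10:00:06 gw sshd[814]: Failed password for root from 203.0.113.9 port 4123 ssh2
Mar 3 10:00:08 gw sshd[815]: Failed password for root from 192.0.2.10 port 6001 ssh2
Mar 3 10:00:09 gw sshd[816]: Failed password for root from 192.0.2.10 port 6002 ssh2
Mar 3 10:00:10 gw sshd[817]: Failed password for root from 192.0.2.10 port 6003 ssh2
Mar 3 10:00:11 gw sshd[818]: Failed password for invalid user oracle from 203.0.113.9 port 4125 ssh2
Mar 3 10:20:00 gw sshd[820]: Failed password for root from 203.0.113.9 port 4300 ssh2
"""


class BruteForceDetector:
    """Counts failed logins per source IP inside a sliding time window.

    feed() returns a decision for the firewall glue to act on:
      "ok"       - below threshold, nothing to do
      "throttle" - impose a temporary delay on that IP; the state expires
                   by itself after one window, so there is no permanent rule
      "alert"    - IP is on the never-block list: notify, never touch it
    """

    def __init__(self, window=timedelta(minutes=10), threshold=3,
                 never_block=(), year=2007):
        self.window = window
        self.threshold = threshold
        self.never_block = set(never_block)
        self.year = year                     # syslog carries no year; assumed
        self.failures = defaultdict(deque)   # ip -> deque of failure times
        self.throttled_until = {}            # ip -> datetime the backoff ends

    def _parse_ts(self, ts):
        return datetime.strptime(f"{self.year} {' '.join(ts.split())}",
                                 "%Y %b %d %H:%M:%S")

    def feed(self, line):
        """Return (ip, decision), or None if the line is not a failed login."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m["ip"], self._parse_ts(m["ts"])
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget events outside window
            q.popleft()
        if now < self.throttled_until.get(ip, datetime.min):
            return ip, "throttle"               # still inside the backoff
        if len(q) < self.threshold:
            return ip, "ok"
        if ip in self.never_block:
            return ip, "alert"                  # spoof-safe: no blocking rule
        self.throttled_until[ip] = now + self.window
        return ip, "throttle"


def run(log=SAMPLE_LOG, never_block=("192.0.2.10",)):
    """Feed every line through one detector; return it and its decisions."""
    det = BruteForceDetector(never_block=never_block)
    decisions = [d for d in map(det.feed, log.splitlines()) if d]
    return det, decisions


if __name__ == "__main__":
    for ip, decision in run()[1]:
        print(ip, decision)
```

The attacker's third failure inside the window triggers a throttle that lapses on its own by 10:20, so a later failure is just "ok" again, while the burst from the never-block address only raises an alert. Wiring the "throttle" decision to a rate-limit (tarpit, per-source connection limit) rather than a drop rule is what keeps a spoofed burst from cutting off a server you care about.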

Instantly lose connectivity?

cu

59-That was easy!-cobalt

Yep, got the message loud and clear... I'll spend the effort instead ensuring the servers and apps are fully patched and tied down as much as possible.

Thanks to all.

Moose

Hm... what about an IDS? After all, just because some companies think it's funny to add a shoot-yourself-in-the-foot extension doesn't mean that the idea of detecting suspicious behaviour would be a bad idea.

Sebastian G.

Yep. An IDS sensor on a mirrored port (or hub port - most companies don't have THAT fast Internet connections anyway) will at least tell you HOW somebody attacked your machine, which is a great help.

Juergen Nieveler

You could keep your PIX, build an IPS/IDS from some FOSS and be almost as secure as some banks... only difference, banks have managed IPS/IDS, yours wouldn't be as much....

RedForeman