Date: Fri, 6 Jun 2003 10:34:19 +0200
From: "Kristian Rask" <krask@isupport.dk>
To: <FreeBSD-net@FreeBSD.org>
Subject: Choices for security
Message-ID: <007601c32c06$9e242260$0a01a8c0@example.lan>
Hi

In the ongoing saga a new question arises...

Presently the system is configured as follows:

100 MBit WAN <--> FreeBSD Gateway <--> /28 DMZ-Net incl. 2 MS-IIS

ipfw is used to make basic protection for the Windows 2000 / IIS servers.
ipfw is used to kill setups from certain IP's to DMZ/28 80,443.
snort is listening for 80,443 setups on DMZ and logging to a MySQL server.
A script at regular intervals asks MySQL for identical src-ip's that return more than LIMIT records.
The script then produces ipfw rules and inserts them. After this the script removes all previously registered records from the database (so that the DB doesn't keep growing).
The script does a "ipfw show" and looks at the relevant records for nr of attempts and traffic amount. Based on this the script removes records from the rulesets when traffic drops to a certain level.
ipfw zeroes the relevant blocking rules so that a new period of traffic measuring and blocking can start.

All of the above is being done at the moment and most of it is automatic by now. However it seems to me to be overkill....

Does anyone have an idea as to how one measures the IP traffic types in realtime?

Another thing that has me wondering is something that would look kinda like route aggregation... like... if I have more than X registrations of certified bad boys per Y bits of network, I would like to detect this and recreate a network rule instead of a handful of host rules.

E.g.: If I detect say 16+ rules belonging to the same /24 then I would like to detect this and replace the 16+ rules with 1 rule for the entire /26. The basic idea is to reduce the number of rules in the firewall for performance reasons. Reviewing the last 3 days' log files of ipfw rules shows a lot of cases where 10-20 machines came from a very narrow range of IP's.

I'm not asking anyone to invent the above... but if somebody has pointers to algorithms that will work well in the above scenario, I would be grateful to know about them. Any and all input on the problem much appreciated..

Regards & TIA
Kristian
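The two steps the mail describes, picking out source addresses that exceed LIMIT and collapsing many host rules in one prefix into a single network rule, as an added example that is not Kristian's script and not part of the original thread. It groups offenders by a /24 prefix and emits one ipfw network rule once a prefix holds 16 or more blocked hosts, otherwise per-host rules. The LIMIT value, the rule numbers, the "80,443 setup" port list and the TEST-NET addresses in the sample are assumptions; the rule strings are only generated, not applied.

```python
"""Aggregate per-host ipfw block rules into per-network rules.

Added example, not the poster's script.  Offenders are grouped by a
prefix (default /24); when a prefix holds at least AGGREGATE_AT blocked
hosts, one network rule replaces the host rules.  LIMIT, AGGREGATE_AT,
rule numbers, the port list and the sample addresses are assumptions.
"""
from collections import Counter
import ipaddress

# Constructed sample of src-ip values, standing in for what the script
# reads back from the snort/MySQL table; addresses are TEST-NET ranges.
SAMPLE_EVENTS = (
    ["198.51.100.7"] * 12
    + ["198.51.100.9"] * 5
    + [f"192.0.2.{i}" for i in range(1, 19) for _ in range(6)]
    + ["203.0.113.44"] * 7
)

LIMIT = 4           # assumed: events per src-ip before it is blocked
AGGREGATE_AT = 16   # hosts in one prefix before a network rule replaces them


def offenders_over_limit(events, limit=LIMIT):
    """Return the set of source addresses seen more than `limit` times."""
    counts = Counter(events)
    return {ipaddress.ip_address(ip) for ip, n in counts.items() if n > limit}


def aggregate(hosts, prefixlen=24, threshold=AGGREGATE_AT):
    """Bucket hosts by /prefixlen.

    Returns (networks, remaining_hosts): prefixes with at least `threshold`
    members become network rules, everything else stays a host rule.
    """
    buckets = {}
    for host in hosts:
        net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        buckets.setdefault(net, set()).add(host)
    networks = sorted(n for n, members in buckets.items()
                      if len(members) >= threshold)
    remaining = sorted(h for n, members in buckets.items()
                       if len(members) < threshold for h in members)
    return networks, remaining


def ipfw_rules(networks, hosts, base=1000, ports="80,443"):
    """Render deny rules: network rules first, then leftover host rules.

    Rule numbers start at `base` (assumed) so the blocks sit in one range
    that a later pass can zero or delete as a unit.
    """
    rules = []
    num = base
    for src in list(networks) + list(hosts):
        rules.append(f"ipfw add {num} deny tcp from {src} to any {ports} setup")
        num += 1
    return rules


if __name__ == "__main__":
    offenders = offenders_over_limit(SAMPLE_EVENTS)
    nets, single_hosts = aggregate(offenders)
    print(f"{len(offenders)} offenders -> {len(nets)} network rule(s), "
          f"{len(single_hosts)} host rule(s)")
    for rule in ipfw_rules(nets, single_hosts):
        print(rule)
```

With the constructed sample, 18 hosts in 192.0.2.0/24 collapse into one network rule while the three scattered offenders keep individual rules, so 21 blocked addresses cost 4 rules instead of 21. The prefix length and threshold are the two knobs the mail asks about (X registrations per Y bits); the cost of a coarser prefix is that unrelated hosts inside it are blocked too, which is why the network rule is only emitted when the prefix is already dense with offenders.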