Intrusion Detection recommendations

Jimmy Hess mysidia at gmail.com
Sun Feb 15 00:19:20 UTC 2015


On Sat, Feb 14, 2015 at 12:04 PM, BPNoC Group <bpnoc.lists at gmail.com> wrote:

The thing to note about ipfw is that it only provides you with essentially
5-tuple based access lists based on source and destination, as this
functions strictly by looking at packet headers.  There's no ipfw rule
you can make that will tell ipfw: allow outgoing port 80 connections,
but only if the protocol is HTTP; don't allow outgoing SMTP or SSH
connections over port 80.

Often, for a network with endpoints, almost everything outbound you
want to allow will be going out on port 80 or 443, and almost
everything outbound you need to reject will also be going out on port
80 or 443.

If the syntax is a challenge for you at all, there are tools such as
fwbuilder, or a pfSense appliance with a web GUI, that can be used to
construct the configuration.

The sticking point with pf, or iptables, or whatever you use should
not be the syntax or the command language, but the question of *what*
to allow, and how to appropriately structure that choice/requirement
of what to allow in order to ensure the applications work correctly
and minimize the exposure.

This is not strictly a matter of coming up with rules or language
syntax, but if done right includes analysis and reconfiguration of
applications in order to ensure that legitimate traffic is as
predictable and well-understood as possible.


For example, since 80 and 443 are such trouble, you might structure
the "allow" by setting up a suitable proxy server on the LAN, requiring
all clients to use it, and making the ipfw device strictly a "deny all".



> Are we really talking "ipfw add deny udp from any to any 123 not in via
> $lan" where?
>
> Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j
> DROP"?
--
-JH
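As an added illustration of the point made in the message above (this is not
code from the post or from ipfw/pf itself), the following Python model
evaluates a first-match, header-only ruleset against three constructed flows
that all go to TCP port 80 but carry HTTP, SSH and SMTP respectively, then
evaluates the "LAN proxy plus deny-all" design against the same flows. The
LAN range 10.0.0.0/24, the proxy at 10.0.0.5:3128, the sample payload bytes
and the first-bytes protocol heuristic are all assumptions made for this
example.

```python
"""Model of why a 5-tuple ACL (ipfw/pf/iptables style) cannot tell HTTP from
SSH or SMTP on port 80, and how a proxy-plus-deny-all design sidesteps that.

Illustrative code, not from the mailing-list post. The rule format, the
sample flows, the 10.0.0.0/24 LAN and the 10.0.0.5 proxy are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    client_bytes: bytes = b""  # first bytes sent by the client (constructed)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any destination port


def _in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def header_decision(flow: Flow, rules, default: str = "deny") -> str:
    """First-match evaluation on packet headers only, like ipfw rule order."""
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if not _in(flow.src, r.src) or not _in(flow.dst, r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return default


def payload_protocol(client_bytes: bytes) -> str:
    """Guess the application protocol from the client's first bytes.
    Heuristic only: HTTP request line, SSH version banner, or SMTP, where
    the server speaks first so the client's first line is EHLO/HELO."""
    head = client_bytes[:16].upper()
    if head.startswith(b"SSH-"):
        return "ssh"
    if head.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    methods = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")
    if head.split(b" ", 1)[0] in methods:
        return "http"
    return "unknown"


LAN = "10.0.0.0/24"      # assumed client network
PROXY = "10.0.0.5"       # assumed LAN proxy address

# Ruleset A: the naive "allow outbound 80/443" the post warns about.
PORT_BASED = [
    Rule("allow", "tcp", LAN, "any", 80),
    Rule("allow", "tcp", LAN, "any", 443),
    Rule("deny", "any", "any", "any", None),
]

# Ruleset B: clients must use the LAN proxy; the firewall is otherwise deny-all.
PROXY_ONLY = [
    Rule("allow", "tcp", LAN, PROXY + "/32", 3128),
    Rule("deny", "any", "any", "any", None),
]

# Constructed sample flows, all TCP to port 80 on an outside host.
SAMPLES = {
    "http": Flow("tcp", "10.0.0.20", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.net\r\n"),
    "ssh": Flow("tcp", "10.0.0.21", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "smtp": Flow("tcp", "10.0.0.22", "203.0.113.10", 80, b"EHLO laptop.lan\r\n"),
}
VIA_PROXY = Flow("tcp", "10.0.0.20", PROXY, 3128, b"CONNECT example.net:443 HTTP/1.1\r\n")


def compare(flow: Flow):
    """Return (port-based decision, proxy-only decision, payload protocol)."""
    return (header_decision(flow, PORT_BASED),
            header_decision(flow, PROXY_ONLY),
            payload_protocol(flow.client_bytes))


if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(name, compare(f))
    print("via proxy", compare(VIA_PROXY))
```

Running it shows the header-only ruleset returning "allow" for all three
port-80 flows even though only one of them is HTTP, while the proxy-only
ruleset denies all three direct flows and allows only the client-to-proxy
connection; the application-layer distinction is visible only once the
payload is inspected, which is the job the proxy takes over from the
packet filter.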



More information about the NANOG mailing list