Re: [nsp] IDS shunning

From: Travis Pugh (tdp@discombobulated.net)
Date: Wed Mar 20 2002 - 08:25:25 EST

Next message: Neil J. McRae: "RE: [nsp] IDS shunning"
Previous message: pankaj: "[nsp] is this cisco2912XL 's bug or else."
In reply to: Hank Nussbacher: "[nsp] IDS shunning"
Next in thread: Robert E. Seastrom: "Re: [nsp] IDS shunning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

According to "Hank Nussbacher" <hank@att.net.il>:

> If I understand correctly, shunning is basically setting up an
ACL on the
> adjacent router to block the bad traffic. The IDS box doesn't
telnet into
> the cisco router every time it needs to do a change. The IDS
box sets up a
> permanent telnet session that doesn't timeout and sits logged
in to the
> router 24x7! Then it automatically sets up the ACL.
>
> Does anyone actually do this?!

It will also establish connectivity with a PIX via telnet or ssh
and do the same thing ... as to actually implementing it, I would
hope not. The potential for DoSing yourself with false
positives, whether naturally occuring or done maliciously with
spoofed headers, just seems too high to let your NIDS start
writing ACLs on the fly.

cheers.

-travis

Next message: Neil J. McRae: "RE: [nsp] IDS shunning"
Previous message: pankaj: "[nsp] is this cisco2912XL 's bug or else."
In reply to: Hank Nussbacher: "[nsp] IDS shunning"
Next in thread: Robert E. Seastrom: "Re: [nsp] IDS shunning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:38 EDT