HP3000-L Archives

July 2004, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Jeff Kell <[log in to unmask]>
Reply-To: Jeff Kell <[log in to unmask]>
Date: Wed, 28 Jul 2004 17:02:58 -0400
Content-Type: text/plain (38 lines)
Arthur Frank wrote:

> I see that Art ("The Original") is big into BlackICE.  What does this
> product do that ZoneAlarm does not?  What about other PC-based
> firewalls?

I've used McAfee's Personal Firewall Plus for a couple years, but now
have a NAT-capable router back-ending the cable modem.  I've now got one
machine to read the logs out of it and make hourly reports to DShield.

I've also used Back-Officer Friendly, a little mini-honeypot that will
log and report various services (telnet, ftp, ssh, http, https) along
with the original purpose, Back Orifice infected systems.

At UTC we use a Cisco PIX, and some fairly complex ACLs on our routers
to keep out obvious intrusions, but this results in the occasional
collateral damage.  Plus some rate-limiting of UDP/ICMP and identifiable
P2P traffic (we block on campus, but allow some bandwidth for the dorms).

We also run several tarpits in "strategic addresses" to hold off many
port scanners and virus attempts.  We have had close to a million hits
in 24 hours there.

We also do statistical analysis of ARP requests; if we have an unusually
high number of requests from an address, the port is shut down.  Very
effective against local scanning operations or nailing ettercap/dsniff
machines (unless they are really passive or filtered).

But hooking a windows box to a cable modem is an accident waiting to
happen.  SANS/ISC warns that an unpatched XP box cannot be registered
and updated before it is infected, and I believe it.  We have a
relatively large address space, and I see the stats.  It's nasty :-(

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
