RE: [Snort-users] Country blocking? (Snort forums, System Security and Security Related category)
Matt,
I can kind of see your point too. However, a properly configured proxy server would help out along with a good firewall and, of course, Snort. As for myself, I would actually benefit from this kind of rule set. I mean, there are the homepages I look at every day religiously:

securitynewsportal.com (Follow the Hamster!)
moby.com (The pig likes music)
cnn.com (Waiting for the next attack)
sportsillustrated.cnn.com/basketball/ncaa/ (Need basketball!)
snort.org (Need updates)
snort.gr.jp (In Japanese)
internetsecurityguru.com/ (Patrick rules!)
sourceforge.com
redhat.com (Must have fun)
www.cert.org
microsoft.com (Must know about those patches)
slastdot.org (Must relax)
uiuc.edu (Illini are #1 in B-ball now!)
yahoo.com/r/m1
google.com (must look up English words)

In my case, it would be better to just deny all and then only permit those sites. Shoot, I don't even look at my own company homepage! I should just use ISA 2004 Server along with Snort and then life would be easy. The only problem I would have would be with Google. In this way, I could build an entire stone bubble around me and just poke out a few holes to see what I want to see. Then configure Snort to generate an alert if any traffic comes in from any other site. Should be easy. I will try it when I go home, since I have the software there.

Theo

--- Matt Kettler <mkettler@evi-inc.com> wrote:

> At 09:30 AM 1/18/2005, Donofrio, Lewis wrote:
> > Anything from RIPE.NET could be blocked as far as I can tell....
>
> Just curious.. do you work for Verizon?
>
> http://www.theregister.co.uk/2005/01...n_email_block/
>
> Let's face it, from a security perspective geographic regions are a particularly lousy category for blocking. Most US companies have overseas branches, and many "US" companies actually host their websites, mail systems, etc. in their foreign branches, or outsource them to foreign hosting firms.
>
> Currently I'm seeing most of my spam and network attacks originating from DSL, cable and dialup nodes in the US. AT&T, ALGX, Comcast, Road Runner and Verizon are all FREQUENT sources of attack, and collectively represent about 50% of my attack volume. From that perspective, the safest approach is to block all end-users from being able to access my systems.
>
> Sure, if you're a US company, mostly doing business with other US-based interests, most of your useful traffic is going to come from the US, and conversely, very little from outside of it.
>
> It might be tempting to just drop whole regions of the world, but let's face it, you're not buying yourself anything. It's like putting a west-facing wall outside a building, with no other sides to it. The enemy just has to walk around the wall and come from the south. Were this a battlefield you might have bought yourself some extra time to bombard them with artillery. However, in network attacks they'll just go away and come back an hour later from another IP, and you'll have very little idea it's the same attacker. They can certainly come back fast enough that you won't have had time to do anything to the actual person that is the source of the attacks.
>
> You're closing yourself off to attacks launched from machines in one country, but who cares when your average Joe can buy a zombie net of thousands of US-based home user machines. You're still as vulnerable to attack as you were before, you've only limited the angle they have to come from.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
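For readers who want to see what Theo's "deny all, permit a few sites, alert on everything else" idea looks like as Snort configuration, the following Snort 2.x rule fragment is an added example; it is not part of the original post or of Theo's or Matt's setup. The network ranges, the addresses in ALLOWED_SITES, and the SIDs are placeholders (RFC 5737 documentation addresses and local-rule SIDs), not the real addresses of the sites listed above.

```snort
# Added example (not from the original thread). Snort 2.x syntax.
# Snort only alerts; the actual "deny" has to be done on the firewall or proxy
# (Theo mentions ISA 2004 Server), which is why the pass/alert split below is
# a detection policy, not enforcement.

var HOME_NET 192.168.1.0/24

# Placeholder allowlist of destination addresses the sites above resolve to.
# Assumption: these are fixed addresses. In practice sites behind CDNs or
# multiple hosting providers change addresses, so this list needs maintenance.
var ALLOWED_SITES [192.0.2.10,192.0.2.20,198.51.100.5]

# Evaluate pass rules before alert rules, otherwise allowed traffic still
# matches the catch-all alert below. (Equivalent to running snort with -o.)
config order: pass alert log

# 1. Permitted web traffic to the allowlisted hosts produces nothing.
pass tcp $HOME_NET any -> $ALLOWED_SITES [80,443]

# 2. Any outbound web connection to a host NOT on the list is flagged.
alert tcp $HOME_NET any -> !$ALLOWED_SITES [80,443] (msg:"POLICY outbound web traffic to non-allowlisted host"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# 3. Theo's second requirement: alert on inbound traffic from any other site.
#    This matches on IP, so it also fires on DNS replies, NTP, ICMP, etc.
#    Expect it to be noisy until the allowlist covers every legitimate peer.
alert ip !$ALLOWED_SITES any -> $HOME_NET any (msg:"POLICY inbound traffic from non-allowlisted host"; classtype:policy-violation; sid:1000002; rev:1;)
```

Two caveats a practitioner would want before deploying this. First, the allowlist is a destination-address policy, so it inherits the weakness Matt describes for geo-blocking in the other direction: the moment google.com or cnn.com answers from an address not in ALLOWED_SITES, the pass rule stops matching and rule 1000001 fires on legitimate traffic, so the list has to be kept in sync with DNS. Second, rule 1000002 alerts on every unsolicited inbound packet, so the alert volume is a measure of background scanning rather than of targeted attacks; Matt's point about attackers simply returning from another address applies equally here.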