Wednesday, January 17, 2007

hostile source network decisioning at the application layer

It always seemed reasonable to drop packets from hostile networks in baseline firewall configs. Even as early as 5 years ago a large portion of the attacks (both network and application layer) were coming from a small number of networks. That really has not changed. All my firewall configs have a growing number of netblocks that just get dropped on the floor.

What has changed is the relative percentage of successful application layer attacks versus network layer attacks. So if you can drop the packet that's good, but sometimes it's not good business.

While I still feel that it's an important dimension to drop the packets from hostile networks, it's even more important these days to invoke defensive business logic at the application layer when application requests are originating from those same hostile networks.

For example, if I'm linked off an eBay storefront and I'm getting some lusers from middle America that have quietly owned servers in North Korea trying to DDoS me... that's a no brainer. On the other hand, if those same users have owned systems in... say... Brazil... maybe I don't drop the packets, but build more robust business process into the requests for service coming from that part of the world.
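As an added illustration (not code from the original post), here is one way to express that tiered decisioning in the application: a small policy table keyed by netblock, a longest-prefix lookup, and a decision function that refuses service for "drop" sources but only steps up verification for higher-value requests from "elevated-risk" sources. The netblocks, tiers and threshold are constructed placeholders (RFC 5737 documentation ranges), not real hostile networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical policy table for illustration only (documentation
# ranges, not real hostile netblocks). The firewall still drops what it can;
# this is what the application consults for every request it actually sees.
HOSTILE_NETBLOCKS = {
    "198.51.100.0/24": "drop",      # refuse outright, mirrors the firewall rule
    "203.0.113.0/24": "step_up",    # serve, but add business checks
    "203.0.113.128/25": "drop",     # more specific entry overrides the /24
}

@dataclass
class Decision:
    action: str              # "allow", "step_up" or "drop"
    matched: Optional[str]   # netblock that decided it, None if unlisted
    reason: str

def _lookup(ip):
    """Longest-prefix match of ip against the policy table; None when unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, tier in HOSTILE_NETBLOCKS.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, tier)
    return best

def decide(source_ip, request_value, step_up_threshold=100.0):
    """Application-layer decision for one request from source_ip.

    'drop' netblocks are refused even if the packet got past the firewall;
    'step_up' netblocks are served, but a request worth more than the
    threshold must pass extra verification before it is fulfilled.
    """
    match = _lookup(source_ip)
    if match is None:
        return Decision("allow", None, "source not in hostile list")
    net, tier = match
    if tier == "drop":
        return Decision("drop", str(net), "hostile netblock, refuse service")
    if request_value > step_up_threshold:
        return Decision("step_up", str(net), "elevated-risk source, verify first")
    return Decision("allow", str(net), "elevated-risk source, low-value request")
```

Feeding the table from a reputation source rather than hard-coding it is the obvious next step; the decision logic stays the same.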

--

How do you know the relative hostility of a given network / geographic location? Just ask the excellent people at the honeynet project. More details to come.
