[54] in Intrusion Detection Systems
RE: Www
daemon@ATHENA.MIT.EDU (Heiser Jay)
Mon Apr 3 14:02:39 1995
Date: 3 Apr 1995 09:01:49 -0500
From: "Heiser Jay" <heiser_jay@po.gis.prc.com>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Yes, the firewalls list would be a better place to get more detailed info on
this.
Quick answer: Without getting into a big debate on the merits of packet
filtering vs proxy servers, the Firewall-1 product from CheckPoint Software is
clever enough to make allowances for this situation. It keeps track of
outgoing requests & allows the incoming request to get through, which is not
something that a filtering router can do.
________________________________________________________
From: ids@uow.edu.au on Mon, Apr 3, 1995 8:34 AM
Subject: Www
To: ids@uow.edu.au
I noticed that when an internal user uses a Mosaic or Netscape client to access
a web server outside of the firewall, the www client uses anonymous ftp to
fetch some items back. Most of the time there is no problem, but sometimes the
firewall sees the connections as ftp being attempted from outside, which it is
supposed to block, then generates alerts.
The problem is that in terms of trying to detect intruders, I can't tell the
difference between the ftp connections coming back as a result of web
connections and those that are really someone trying to find a port they can
connect to.
Any suggestions on how to deal with this?
Does this question belong in firewalls@greatcircle.com?
Brian Smith
DOS Dummy
------------------ RFC822 Header Follows ------------------
Received: by po.gis.prc.com with SMTP;3 Apr 1995 08:27:39 -0500
Received: (from daemon@localhost) by wyrm.cc.uow.edu.au (8.6.10/8.6.9) id
PAA12753 for ids-outgoing; Mon, 3 Apr 1995 15:53:26 +1000
From: brian.smith@morebbs.com
Message-ID: <9504010907.0CT6P00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/PIMP v3.34/PRIMP 1.56p
Date: Sat, 01 Apr 95 09:07:08
Subject: Www
To: ids@uow.edu.au
Sender: owner-ids@uow.edu.au
Precedence: bulk
Reply-To: ids@uow.edu.au
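
The reply above describes keeping track of outgoing requests so that the matching incoming connection can be let through. The sketch below is an added example, not part of the original messages and not Firewall-1's code. It assumes the alerts come from active-mode FTP data connections (server port 20 connecting back to a port the client announced with `PORT`); the class name, the 30-second window, and the addresses are all constructed for illustration.

```python
import re

# PORT argument is h1,h2,h3,h4,p1,p2 (RFC 959); data port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EXPECT_TTL = 30  # seconds an announced data port stays valid (assumed value)


class FtpTracker:
    """Remembers data ports announced on outbound FTP control sessions."""

    def __init__(self):
        self.expected = {}  # (server_ip, client_ip, client_port) -> expiry time

    def outbound_control(self, ts, client_ip, server_ip, line):
        """Feed one client->server control-channel line (destination port 21)."""
        m = PORT_RE.match(line)
        if not m:
            return
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return
        announced_ip = ".".join(map(str, octets[:4]))
        port = octets[4] * 256 + octets[5]
        # Ignore PORT commands that name another host or a privileged port
        if announced_ip != client_ip or port < 1024:
            return
        self.expected[(server_ip, client_ip, port)] = ts + EXPECT_TTL

    def inbound_syn(self, ts, src_ip, src_port, dst_ip, dst_port):
        """Classify an inbound connection attempt as 'allow' or 'alert'."""
        if src_port != 20:
            return "alert"
        expiry = self.expected.pop((src_ip, dst_ip, dst_port), None)
        # One-shot: a matched expectation is consumed and cannot be reused
        return "allow" if expiry is not None and ts <= expiry else "alert"


def demo():
    # Constructed events: internal client 10.1.1.5, external server 192.0.2.10
    t = FtpTracker()
    t.outbound_control(100, "10.1.1.5", "192.0.2.10", "PORT 10,1,1,5,4,210")
    return [
        t.inbound_syn(101, "192.0.2.10", 20, "10.1.1.5", 1234),    # announced
        t.inbound_syn(102, "192.0.2.10", 20, "10.1.1.5", 1234),    # reused
        t.inbound_syn(103, "198.51.100.7", 20, "10.1.1.5", 1234),  # other host
        t.inbound_syn(104, "192.0.2.10", 20, "10.1.1.5", 6000),    # unannounced
    ]
```

Only the first inbound attempt is treated as the return half of a web-initiated FTP fetch; the other three remain alerts worth investigating.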