FireBlock thwarts inside threats before they hit

Imagine having an employee whose only job is to monitor the secure servers and directories behind your firewall and immediately thwart any attempt to access them. Well, swap “device” for “employee” and shake hands with a new kind of security appliance that can significantly reduce your exposure to the risk of internal users accessing unauthorized resources–one of the hardest security problems to guard against.

Palisade Systems’ FireBlock is the only product I’ve seen that can actually stop unauthorized connections as they’re attempted. The device sits wherever you want it on a network segment; next to a firewall or in front of a server farm are good choices. Each device includes two network adapters. With one adapter, the device passively examines each packet’s source and destination addresses and TCP ports. When it sees a connection to a destination address and port that you have not previously authorized, it sends a TCP reset packet out via the other adapter to the client or device that originated the connection, forcing the connection to drop. Palisade owns a patent for this technique of passive network traffic blocking.

Lots of network monitoring applications can passively monitor and log packets. The problem with these other monitoring products is that gleaning valuable information from the logs they produce is like trying to find a politician with scruples. Even worse, once you’ve learned what you need to, you then have to know what action to take to prevent future intrusions–if the damage has not already been done. FireBlock disconnects intrusion attempts in real time.

Palisade also offers an appliance called SmokeDetector that acts as a decoy to attract attacks. It can emulate the IP responses of eight different operating systems, and you can set a single appliance to mimic as many as 19 hardware configurations. Because there’s no legitimate reason to access a SmokeDetector, any attempt to access it indicates at worst an attack, at best an overly curious user. The device logs all attempted accesses and sends alerts to administrators.

Both FireBlock and SmokeDetector are managed by Palisade’s FireMarshal software. FireMarshal queries a domain controller to get the local TCP/IP addresses. Using a graphical interface, you use the addresses to set rules for FireBlock. You can group addresses into what Palisade calls enclaves, so you can manage by address or by group. FireMarshal can control multiple FireBlocks and SmokeDetectors.

While Palisade’s products are a quantum leap in capability for protecting internal resources, they’re still at an early stage of development, and the company knows where it needs to improve. For instance, FireMarshal’s rules assume you’re using static IP addresses. If you use DHCP to assign internal IP addresses, you need to create rules based on ranges of IP addresses and make sure your DHCP server assigns addresses from those same ranges. Future versions will take DHCP into account. They’ll also be able to interface with LDAP servers so that directory information can be used when creating rules.
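To make the rule model concrete, here is an added example (not Palisade’s code) of how the passive check described above can be expressed: enclaves are groups of addresses, CIDR ranges stand in for the DHCP pools the text mentions, and any connection attempt not matched by an allow rule gets a reset decision. The enclave names, address ranges and sample connections are all constructed for the illustration.

```python
# Constructed model of the passive rule check described above: the monitor
# sees each connection attempt (source IP, destination IP, TCP port), checks it
# against enclave-based allow rules and decides "allow" or "reset". The reset
# is only recorded here; the appliance itself would emit the TCP RST.
from ipaddress import ip_address, ip_network

class Enclave:
    """A named group of addresses; CIDR ranges cover DHCP pools (see text)."""
    def __init__(self, name, *cidrs):
        self.name = name
        self.networks = [ip_network(c) for c in cidrs]

    def __contains__(self, addr):
        a = ip_address(addr)
        return any(a in n for n in self.networks)

def evaluate(rules, src, dst, port):
    """Match one attempt against (src enclave, dst enclave, ports) rules."""
    for i, (src_encl, dst_encl, ports) in enumerate(rules):
        if port in ports and src in src_encl and dst in dst_encl:
            return ("allow", i)       # first matching rule wins
    return ("reset", None)            # not explicitly allowed: drop it

def monitor(rules, attempts):
    """Decide every observed attempt; returns (action, src, dst, port) tuples."""
    return [(evaluate(rules, s, d, p)[0], s, d, p) for s, d, p in attempts]

# Constructed enclaves: a DHCP pool for workstations, a finance subnet, servers.
WORKSTATIONS = Enclave("workstations", "10.1.0.0/16")
FINANCE = Enclave("finance", "10.2.5.0/24")
SERVERS = Enclave("servers", "10.9.0.0/24")

RULES = [
    (WORKSTATIONS, SERVERS, {80, 443}),   # web only
    (FINANCE, SERVERS, {80, 443, 1433}),  # web plus the database port
]

# Constructed observations: (source IP, destination IP, destination TCP port).
SAMPLE = [
    ("10.1.20.7", "10.9.0.10", 443),   # workstation to web: allow
    ("10.1.20.7", "10.9.0.10", 1433),  # workstation to database: reset
    ("10.2.5.3", "10.9.0.10", 1433),   # finance to database: allow
    ("10.2.5.3", "10.1.20.7", 445),    # finance to a workstation: reset
]

if __name__ == "__main__":
    for action, s, d, p in monitor(RULES, SAMPLE):
        print(f"{action:5} {s} -> {d}:{p}")
```

Because the check keys on the source range rather than a single address, a workstation that receives a different DHCP lease inside the pool still matches the same rule, which is the workaround the text describes for the static-address assumption.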

A firewall can’t do what FireBlock does. It can limit access to segments of your network, but it doesn’t have the fine-grained control to limit access to specific resources to just certain IP addresses using specified ports. While a firewall does passive monitoring and blocking, FireBlock does passive monitoring and active blocking. Even intrusion detection software can only notify you of trouble.

Securing resources from improper internal access is a common headache for IT departments. FireBlock may be the cure.
