These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Introduction To Adaptive Firewall


We learned that IP Chains is what is known as a stateless firewall, meaning that each packet to be filtered is treated independently of the other packets. We have also learned that IP Tables is what is known as a stateful firewall, in that it can contain rules dictating how to deal with groups of packets. This does add much-needed functionality to our firewall, but it still does not assist us in preventing the most common types of brute-force attacks.

Port scanning

You probably know at least a little bit about port scanning (and we will learn more about it), but the basic idea is that you run through a list of known ports, checking each one for an active service. Most often, a port scanner will be some sort of automated process that runs through the ports unchecked and very quickly. Sometimes this scanner will be hard to track down, as it will not scan the ports in any sequential manner whatsoever.

An Adaptive Firewall is one which detects strange behaviour such as this, and attempts to block an IP (or range of IPs) during an attack, effectively cutting off the attacker from the rest of our ports. An Adaptive Firewall can be placed on a system that must be exposed to the world (for example a Web server) because it will not block all IP traffic to and from the server, just highly suspect traffic.
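As an added illustration (it is not code from the book or from these notes), here is the core of a detector of the kind described above: it reads netfilter LOG lines, counts the distinct destination ports each source has touched inside a sliding time window, and produces the rule that would cut off only the offending address for the duration of the attack. The sample log lines, the window and threshold values, and the `iptables -I INPUT ... -j DROP` rule form are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamp, source address and destination port of a netfilter LOG line.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; strptime defaults to 1900

def parse_line(line):
    """Return (seconds, src_ip, dst_port), or None for lines that are not LOG hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    seconds = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return seconds, m.group(2), int(m.group(3))

def detect_scanners(lines, window=10, threshold=5):
    """Map each source that hit >= threshold distinct ports within `window` seconds to
    the sorted ports it probed; distinct ports (not packets) catch out-of-order scans."""
    recent = defaultdict(deque)  # src_ip -> deque of (seconds, port), oldest first
    flagged = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        seconds, src, port = hit
        q = recent[src]
        q.append((seconds, port))
        while q and seconds - q[0][0] > window:  # forget hits older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in flagged:
            flagged[src] = sorted(ports)
    return flagged

def block_rule(src):
    """Rule to install for the attacker's address only; other sources keep reaching the server."""
    return f"iptables -I INPUT -s {src} -j DROP"

# Constructed sample: 192.0.2.10 probes five ports out of order within four seconds,
# while 198.51.100.7 is an ordinary client repeatedly fetching port 80.
SAMPLE_LOG = """\
Jun 21 03:16:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=443 SYN
Jun 21 03:16:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 21 03:16:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 21 03:16:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=8080 SYN
Jun 21 03:16:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=80 SYN
Jun 21 03:16:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=21 SYN
Jun 21 03:16:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=3306 SYN
"""
```

Running `detect_scanners(SAMPLE_LOG.splitlines())` flags only 192.0.2.10, and `block_rule` on that address gives the rule to insert while the scan lasts; the ordinary client on port 80 is never touched.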

The idea of an Adaptive Firewall first became popular in 1999. At present, there are literally hundreds of different techniques which result in some form of adaptive firewall, and there are many commercial products which provide this type of functionality (the Sun Cobalt Cube 3 comes to mind). What we will be doing today is very simple, yet very powerful, and is taken directly from the book (Chapter 14). However, there are a number of alternatives you might wish to be aware of:


Last edited June 21, 2003 3:16 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.