Since most firewalls (99% in MT) block WAN-to-LAN and WAN-to-router traffic, what is the point of all the lists??
Probes are not blocked, and probes are the main threat as they try to get a response from any one of 65K ports. Blacklists prevent probes from known sources. Prevent the probes and that solves 99% of the issues; the other 1% is internal discipline.
MOAB is a threat-centered approach whose effectiveness depends on how well and how often the blacklist and its associated responses are refreshed and updated -- in MOAB's case that takes place 3 times each day, 7x24/365 – which in turn all depends on the volume of threats a system has to deal with. It's estimated that 2 million new pieces of malware are emerging each month; keeping a blacklist updated now calls upon the gathering of threat intelligence from millions of devices and endpoints, using cloud-based services like FireHol ... MOAB's principal source.
The principal advantage of blacklisting lies in the simplicity of its principle: you identify everything bad that you don’t want getting into or operating on your system, exclude it from access, then allow the free flow of everything else. It has been and continues to be the basis on which signature-based anti-virus and anti-malware software operates. From a firewall perspective MOAB blocks probes from over 639 million sources .... if a USER tries to connect to any one of those 639 million sources MOAB will prevent that from happening.
For users, it’s traditionally been a low-maintenance option, as responsibility for compiling and updating a blacklist of applications or entities falls to MOAB itself and its related databases, or to some form of third-party threat intelligence/service provider like FireHol.
So for your b. LAN users downloading a bot or some malware (despite the lists above attempting to block users from visiting bad sites) NOW WHAT ?
If that bot comes from an UNKNOWN source THEN you are screwed ....BUT if one follows good security practices that will not happen .... most bots come from enticements originating in emails and/or hacked websites ...
Many non-malicious bots are run by governments and legit entities who want to CONTROL your habits ... and again, if proper security practices are followed those events will not happen.
So for your c. How do we set up the router to detect/warn etc. that a PC has been compromised ??
The logging system should provide info ...
Known sources will be blocked .... unknown sources will not .... but everything depends on solid security practices via education .... 99% of users will avoid effective security practices because those practices are too restrictive to their freedom of access.
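As an added example (not part of the post above, and not MOAB's or MikroTik's own code), here is one way to turn the "logging system should provide info" idea into a concrete check: a script that loads a FireHOL-style netset of known-bad ranges, reads firewall log lines produced by a drop rule with a log prefix, and flags any LAN host that keeps trying to reach listed destinations. The netset contents, the log lines and their field layout (a RouterOS-like `src:port->dst:port` flow, with the rule's log prefix `blocked_out`) are all constructed assumptions for this example; the addresses are RFC 5737 documentation ranges, not real indicators.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed blacklist in the style of a FireHOL netset (one CIDR or host per line,
# '#' comments). RFC 5737 documentation ranges only; these are NOT real threat data.
BLACKLIST_NETSET = """
# constructed example netset
203.0.113.0/24
198.51.100.0/24
192.0.2.77
"""

# Constructed firewall log lines. The layout (timestamp, topics, rule log prefix,
# chain, interfaces, proto, src:port->dst:port, len) is an assumption for this
# example, not a guarantee of any particular router's log format.
SAMPLE_LOG = """
jan/02 10:15:01 firewall,info blocked_out forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:51234->203.0.113.5:443, len 60
jan/02 10:15:03 firewall,info blocked_out forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:51235->203.0.113.9:8080, len 60
jan/02 10:15:07 firewall,info blocked_out forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:51236->198.51.100.20:6667, len 60
jan/02 10:15:09 firewall,info blocked_out forward: in:bridge out:ether1, proto UDP, 192.168.88.10:51237->192.0.2.77:53, len 48
jan/02 10:16:00 firewall,info blocked_out forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.25:40001->203.0.113.5:443, len 60
jan/02 10:16:30 firewall,info blocked_in input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.40:4444->192.0.2.1:22, len 60
"""

# Matches the "src:port->dst:port" flow field and captures both IPv4 addresses.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+->(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def load_netset(text):
    """Parse a netset: skip blanks and comments, return a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates entries like 203.0.113.5/24 with host bits set.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(ip, nets):
    """True if the address falls inside any blacklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_flows(log_text, prefix="blocked_out"):
    """Return (src, dst) pairs from log lines carrying the given rule log prefix."""
    flows = []
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        match = FLOW_RE.search(line)
        if match:
            flows.append((match.group(1), match.group(2)))
    return flows


def flag_hosts(log_text, netset_text, lan_net="192.168.88.0/24", threshold=3):
    """Flag LAN hosts that tried to reach at least `threshold` distinct listed destinations.

    A single blocked attempt is often a stray link or a stale CDN entry; several distinct
    listed destinations from one internal host is a stronger sign of something running
    on that host that should not be.
    """
    nets = load_netset(netset_text)
    lan = ipaddress.ip_network(lan_net)
    hits = defaultdict(set)
    for src, dst in parse_flows(log_text):
        # Only internal sources count; blocked inbound probes are a different signal.
        if ipaddress.ip_address(src) in lan and is_listed(dst, nets):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, dests in flag_hosts(SAMPLE_LOG, BLACKLIST_NETSET).items():
        print(f"possible compromise: {host} tried {len(dests)} listed destinations: {dests}")
```

Run against the constructed log, the script reports only 192.168.88.10 (four distinct listed destinations); 192.168.88.25 made one blocked attempt and stays below the threshold, and the inbound probe from 203.0.113.40 is ignored because its source is not on the LAN. In practice the netset would come from the list feed the router already uses and the log text from the router's exported log, with the threshold tuned to how noisy the list is.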