Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Adam Shostack <adam () homeport org>
Date: Wed, 18 Feb 1998 17:01:53 -0500 (EST)
Kurt Ziegler wrote:
| >>>One other big win that Darren Reed identified at Usenix was that a proxy
| >>>IDS can't drop packets. You can't overload it and sneak packets past that
| >>>way. If the IDS can't read the packet, it doesn't get proxied.
| >>>
|
| *** you can not sneak packets by a sniffer-based tool either (anything that
| gets by is a bug and needs to be fixed). The Sniffer based IDS sees ALL the
| traffic that runs over the network and can identify the same abnormalities
| as the proxy and sees traffic that proxy may not see.

If the sniffer's packet queue is overloaded, it misses things. If a proxy's
queue is overloaded, it drops packets.

To expand: Assume a system running a 1 mip with a small memory that can hold
100 packets for processing. If processing each packet takes 10,000
instructions, then the IDS can process a packet in 1/100 of a second. If it
gets 200 packets in a second (spread evenly in arrival time), then after 1/2 a
second, it has processed 50 packets, and has 50 more in the queue. If this
continues for another half second, it will have processed 100 packets, and
have 100 packets in the queue. If traffic flow continues, it will, in the next
half second, process 50 of the messages in the queue, and need to maintain a
queue of 150 packets, which exceeds its memory size.

The above machine is small because I like engineering on small machines.
(Moore's law protects us from all sorts of hard work..) The example clearly
scales to 500 mip machines with gigs of ram and fast ethernet.

If this is a proxy, it can choose to 1: drop packets or 2: send them on
unmolested (ignore them). If this is an IDS, the drop packet option is
different.

Adam

Disclaimer: Netect is building a sniffer based IDS. I work for Netect.

--
"It is seldom that liberty of any kind is lost all at once." -Hume
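Adam's arithmetic above, as an added worked example that is not part of the original thread: a discrete-time simulation of the 1 MIP, 100-packet-queue machine, plus the closed-form time-to-overflow a defender can use to check whether a sensor or proxy keeps up with a given packet rate. The tick length, the arrivals-then-service order within a tick, and the `QueueSim` / `seconds_until_full` names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class QueueSim:
    """Fixed-memory packet queue fed faster than it can be drained."""
    capacity: int = 100        # packets the memory holds (from the message)
    service_rate: int = 100    # packets/s: 1 MIP / 10,000 instr per packet
    arrival_rate: int = 200    # packets/s, spread evenly (from the message)
    queue: int = 0
    processed: int = 0
    overflowed: int = 0        # arrivals that found the queue full
    first_overflow_s: Optional[float] = None

    def run(self, seconds: float) -> "QueueSim":
        # Assumption: one tick = one service interval (1/service_rate s), so
        # each tick drains at most one packet; arrivals land before service.
        ticks = round(seconds * self.service_rate)
        per_tick = self.arrival_rate / self.service_rate
        pending = 0.0
        for t in range(1, ticks + 1):
            pending += per_tick
            arrivals = int(pending)
            pending -= arrivals
            accepted = min(arrivals, self.capacity - self.queue)
            self.queue += accepted
            if arrivals > accepted:
                self.overflowed += arrivals - accepted
                if self.first_overflow_s is None:
                    self.first_overflow_s = t / self.service_rate
            if self.queue:
                self.queue -= 1
                self.processed += 1
        return self


def seconds_until_full(capacity: int, service_rate: int,
                       arrival_rate: int) -> Optional[float]:
    """Closed form: the backlog grows by (arrival - service) packets per
    second, so memory is full after capacity / (arrival - service) seconds.
    Returns None when the system keeps up (no overflow ever)."""
    excess = arrival_rate - service_rate
    return capacity / excess if excess > 0 else None


if __name__ == "__main__":
    sim = QueueSim().run(1.5)
    print(f"processed={sim.processed} queued={sim.queue} "
          f"overflowed={sim.overflowed} first_overflow={sim.first_overflow_s}s")
    print("closed form:", seconds_until_full(100, 100, 200), "s")
```

For the sniffer-based IDS, `overflowed` is traffic that was never inspected; for the proxy it is the count that must be either refused or forwarded unmolested, which is the distinction the message draws.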