Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: tqbf () secnet com
Date: Sun, 15 Feb 1998 14:49:29 -0600 (CST)
> You're right about firewalls, but possibly wrong about non-proxy IDS's. A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't be vulnerable to bugs in one. Suppose, for example, that a TCP segment
I see where you're coming from but do not agree. In order for a passive network IDS to actually work, it needs to do some level of protocol analysis over captured packets. The packets it captures are in part controlled by the attacker, and the attacker can modulate the contents of those packets in order to exercise bugs in the protocol analysis code. I'm following you here...
> Clearly, the more closely an IDS mimics the behavior of an end system, the more vulnerable it is.
... but also adding that most "non-proxy" ID systems "mimic" the end-systems they watch closely enough to have software complex enough to contain bugs (but not close enough to accurately reconstruct sessions --- what a situation!). I guess I'd just like to be careful about saying that passive ID systems are resistant to attack; our paper didn't go into the "bugs" we found in the systems we tested (not within the scope of the paper and didn't have lasting importance); the ones we found just crashed the system, but that doesn't mean there aren't more serious problems. Of course, one solution here is to cut the transmit leads; that poses some manageability problems though. =)

-----------------------------------------------------------------------------
Thomas H. Ptacek                                         Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                          "mmm... sacrilicious"
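The point above is that a passive IDS still has to parse attacker-controlled bytes, and the parsing code is where it breaks. The following is an added illustration, not code from the post or from any product discussed in the thread: a small TCP header and option parser written the way a defensive sensor should write it, with every length field checked before it is used, plus a capture loop that records a malformed segment instead of dying on it. The sample segments, the `build_segment` helper and the `analyze` summary format are all constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class MalformedSegment(ValueError):
    """Raised when a captured segment violates the TCP header layout."""


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int                      # header length in bytes (20..60)
    flags: int
    window: int
    options: List[Tuple[int, bytes]] = field(default_factory=list)
    payload: bytes = b""


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP options area; every length comes from the wire, so check it."""
    out: List[Tuple[int, bytes]] = []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == 0:                     # End-of-option-list: rest is padding
            break
        if kind == 1:                     # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= n:
            raise MalformedSegment("option kind without a length byte")
        length = opts[i + 1]
        if length < 2:
            # A naive loop doing `i += length` with length 0 never terminates.
            raise MalformedSegment(f"option {kind} has impossible length {length}")
        if i + length > n:
            # Reading opts[i+2:i+length] unchecked would run past the header.
            raise MalformedSegment(f"option {kind} length {length} overruns header")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def parse_tcp(buf: bytes) -> TcpSegment:
    """Parse one captured TCP segment (no IP header) or raise MalformedSegment."""
    if len(buf) < 20:
        raise MalformedSegment("segment shorter than minimum TCP header")
    src, dst, seq, ack, off_flags, window = struct.unpack("!HHIIHH", buf[:16])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_offset < 20:
        raise MalformedSegment(f"data offset {data_offset} below minimum header size")
    if data_offset > len(buf):
        raise MalformedSegment(f"data offset {data_offset} past end of captured bytes")
    options = parse_options(buf[20:data_offset])
    return TcpSegment(src, dst, seq, ack, data_offset, flags, window,
                      options, buf[data_offset:])


def build_segment(options: bytes = b"", payload: bytes = b"",
                  data_offset: Optional[int] = None) -> bytes:
    """Constructed sample builder (hypothetical, for this example only)."""
    padded = options + b"\x00" * (-len(options) % 4)
    off = 20 + len(padded) if data_offset is None else data_offset
    off_flags = ((off // 4) << 12) | 0x002          # SYN flag set
    header = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, off_flags, 65535, 0, 0)
    return header + padded + payload


# Constructed captures: one well-formed SYN with an MSS option, four malformed ones.
GOOD = build_segment(b"\x02\x04\x05\xb4", b"GET / HTTP/1.0\r\n")   # MSS = 1460
ZERO_LEN = build_segment(b"\x02\x00\x05\xb4")                      # option length 0
OVERRUN = build_segment(b"\x02\x10")                               # length 16 in 4 bytes
TRUNCATED = GOOD[:12]                                              # cut mid-header
BAD_OFFSET = build_segment(b"", b"", data_offset=60)               # offset past end
SAMPLES = [GOOD, ZERO_LEN, OVERRUN, TRUNCATED, BAD_OFFSET]


def analyze(captured: List[bytes]) -> Dict[str, object]:
    """Sensor loop: malformed input is counted as an event, never a crash."""
    summary: Dict[str, object] = {"parsed": 0, "malformed": 0, "mss": []}
    for pkt in captured:
        try:
            seg = parse_tcp(pkt)
        except MalformedSegment:
            summary["malformed"] += 1        # type: ignore[operator]
            continue
        summary["parsed"] += 1               # type: ignore[operator]
        for kind, val in seg.options:
            if kind == 2 and len(val) == 2:
                summary["mss"].append(struct.unpack("!H", val)[0])  # type: ignore[union-attr]
    return summary


if __name__ == "__main__":
    print(analyze(SAMPLES))
```

The checks that matter are the three in `parse_options` and the two on `data_offset`: each one guards a value that arrives from the network, and each corresponds to a way an unchecked parser either loops forever, reads past its buffer, or slices garbage into the session reassembly that the post says these systems already struggle with. Keeping the parse inside a `try` in `analyze` is what turns a crash into an alertable event.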