Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 15 Feb 1998 23:56:34 +0000
At 10:14 AM 2/16/98 +1100, Darren Reed wrote:
In some mail I received from Aleph One, sie wroteOn Sun, 15 Feb 1998, Steven M. Bellovin wrote:You're right about firewalls, but possibly wrong about non-proxy IDS's. A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't be vulnerable to bugs in one. Suppose, for example, that a TCP segment with all flag bits on would make a given TCP fall over. An IDS might or might not realize that such a packet was malicious. But if it didn't use TCP to process it, it wouldn't be harmed. Clearly, the more closely an IDS mimics the behavior of an end system, the more vulnerable it is. I made this point about firewalls with lots of proxies a few days ago -- the more functionality you have, the more vulnerable you are.I see what you mean. I guess my point was the any network program that accepts input from a possibly aggressive source may contains
vulnerabilities
in the code that processes such input. You are correct in that the obviously complex task of implementing a TCP/IP stacks is one such process with a greater chance of demonstrating such vulnerabilities but inasmuch that a network intrusion detection system processes this type of input they are at risk too.This raises the argument for using "secure" operating systems, which can potentially detect abnormal events in `sub-processes' which handle TCP, etc, and confine their ability to do damage.
Yes, but -- or, more properly, *BUT*. A "secure" operating system -- and I suspect that you used quotes for the same reason I did -- would indeed help. *BUT* we need a new definition of security. I've never seen a formal definition of "security" for a UNIX system. Informally, though, I'd say it's secure if a process operating as a non-privileged user (and by that I mean not root, bin, lpr, uucp, daemon, etc.) can obtain access to files that would not be permitted by a static examination of the state of the file system at the start of the operation. (There are lots of nits one can pick here, such as "what about the su command?" Please don't bother -- this is, as noted, an informal definition.) "Orange Book" systems follow a formal model of security: Bell-Lapadula. It's arguable if that model is really useful in today's world; it's much clearer that mandatory access controls don't add much to firewalls, and probably not to intrusion detection systems. Can one come up with a suitable definition? I don't know. I'm fairly sure, though, that it's not a trivial problem to come up with a definition that's both suitable and useful. (By "useless", I mean something like "ignores all packets with the EVIL bit set"...)
Current thread:
- Re: Important Comments re: INtrusion Detection, (continued)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 15)
- Re: Important Comments re: INtrusion Detection marc (Feb 15)
- Re: Important Comments re: INtrusion Detection Steve Bellovin (Feb 14)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 15)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 16)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)
- Re: Important Comments re: INtrusion Detection Adam Shostack (Feb 18)