Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (IDS)
From: David Lang <dlang () diginsite com>
Date: Sat, 4 Jul 1998 14:40:58 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE----- make your firewall do the packet reassembly, leave your IDS in passive monitoring so that it does not become the object of an attack. David Lang On Wed, 1 Jul 1998, Kjell Wooding wrote:
Date: Wed, 01 Jul 1998 12:28:00 -0600 From: Kjell Wooding <kwooding () codetalker com> To: Ryan Russell <ryanr () sybase com>, tqbf () pobox com Cc: firewall-wizards () nfr net Subject: Re: Proxy 2.0 secure? (IDS) [I think I'll butt into the middle of this, albeit on a bit of a sidebar]This attack was a recent discovery, and I have seen no literature (our IDS paper excluded) that explored the ramifications of this type of attack.I imagine the IDS vendors will have to start assembling fragments, and checking for valid frag pointers. Are you implying that they can't, won't, or it's too hard?As pointed out in the IDS paper, this would require the IDS to reassemble the *same* fragment stream in many different ways to simulate the behaviors of the various TCP/IP stacks out there. This is extremely time consuming (in a real-time monitoring scenario) and requires intimate knowledge of all the Stack flavors protected by the firewall. Seems to me you could greatly reduce the impact of this sort of attack by combining packet reassembly capability into your IDS, and making it an active choke between the outside world and the firewall. This would provide a clean packet stream (free of fragments) that have been reassembled in a consistent manner, making life easier for both the firewall (especially an SPF) and your IDS (which only has to reassemble the fragments in one way). Incidently, changing the role of the IDS from a passive monitor to an active choke also addresses the "fail open" behavior of traditional IDS's -kj -- Kjell Wooding <kwooding () codetalker com> Codetalker Communications, Inc. For the latest Infosec News, see http://www.codetalker.com/
-----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNZ6hbT7msCGEppcbAQFnKgf/R1lz7pAURDT0H3EWcy76fZnVQ+dL3sdj Lei5MCIV164jZXG2EPTDcB2BP5IzLjhdt9md1joPPOoSfzrh7djVcLpIUM8nEkPI BV7x0hyMQ1i5HVbOK1AFeBHVtwt7RRxnl7RU5fGKOKmK27Iw8RRi+16Fry6y3lIW EcSbrddfgyWJxmVRTqTPBqpDOQR4ALIPt0MZxZ6pz0cBjp0zoiVYcl3zZtQWkElQ tEM5VYZ1oT4QoqC/BJ15qmpb36YrYhaLT7OCiCKM2mruCH5ERBakohpALRAddqjM IPn0wvaApf4YOWjgM7pYbRqDeCDs/TJDJAIcQ5fhrMeDr889jAbhFw== =UNDX -----END PGP SIGNATURE-----
Current thread:
- Re: Proxy 2.0 secure? (IDS) Kjell Wooding (Jul 02)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- <Possible follow-ups>
- Re: Proxy 2.0 secure? (IDS) Ryan Russell (Jul 02)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- RE: Proxy 2.0 secure? (IDS) ICMan (Jul 03)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)