IDS mailing list archives
Re: RE: IPv6 support in IDS/IPS products
From: David Williams <dwilliamsd () gmail com>
Date: Wed, 9 Nov 2005 18:11:22 -0500
First, if you're doing security you should NEVER "assume" anything. That's a sure fire way to NOT get what you want out of a product. Second, the U.S. Government has lots of checkboxes. Common Criteria, FIPS 140, etc. IPv6 can be viewed as a checkbox if you don't ask the right question, which is why I specifically am interested in not on the ability to "detect IPv6", but to actually properly decode IPv6, all the IPv6 methods, IPv6 tunnels, and other weirdness that I probably don't know about. We never ask enough questions about the ways our vendors implement these requirements and it gets us in trouble. For example, in IPv4 a typical header is normally 20bytes, but could be slightly larger, let's say 60bytes. Not a big deal for most people, and even old ASIC technology can handle 64 byte headers. But, a normal IPv6 header with options, and tunneling, could easily exceed the 64 byte header length, since it's arbitrary. A smart hacker could add enough options and tunnels to extend the header length to well past 1K (assuming a large MTU). I seriously doubt most vendors have accounted for this. So, when Cisco claims "enhanced visibility", I note that they did NOT answer my question specifically, and they don't go into any details about how they do it. The phrase "we detect IPv6" is not the same as the answer given by ISS & NFR. I'd like to actually more fully explore those answers, which I will do once I create a Matrix from vendors that give an appropriate response, because I STILL don't believe them. People ask questions around buzzwords, they get an answer, and then don't follow up with more detailed questions, because they assume vendors are doing the right thing... when in reality, many vendors will simply do "just enough". Sorry for the rant... I've gotten burned by making "assumptions". -d On 8 Nov 2005 00:34:12 -0000, barcajax () gmail com <barcajax () gmail com> wrote:
I think its safe to assume that most of the IDS/IPS products support IPv6 because its a U.S. government requirement if I'm not wrong. From personal experience, nfr Sentivist is IPv6 aware. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IPv6 support in IDS/IPS products, (continued)
- RE: IPv6 support in IDS/IPS products Mike Barkett (Nov 03)
- Re: IPv6 support in IDS/IPS products Planz (Nov 07)
- Re: IPv6 support in IDS/IPS products David Williams (Nov 07)
- RE: IPv6 support in IDS/IPS products Scott Sloan (Nov 09)
- RE: IPv6 support in IDS/IPS products Mike Barkett (Nov 09)
- RE: IPv6 support in IDS/IPS products Scott Sloan (Nov 09)
- Re: IPv6 support in IDS/IPS products Jim Bauer (Nov 10)
- Re: IPv6 support in IDS/IPS products Mike Frantzen (Nov 10)
- Re: IPv6 support in IDS/IPS products Planz (Nov 07)
- RE: IPv6 support in IDS/IPS products Mike Barkett (Nov 03)
- Re: RE: IPv6 support in IDS/IPS products David Williams (Nov 10)