Vulnerability Development mailing list archives

RE: Firewall and IDS, (the second way).


From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 20 Mar 2002 12:32:13 +0100



-----Original Message-----
From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
Sent: 18 March 2002 21:41
To: vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).
- IP Ban (drops, ICMP unreachables)

      Another good method to detect the presence of a nIDS.
Some administrators configure nIDSs to act on Firewalls (f.e.
OPSEC) to block any traffic from an IP that is the source of a
flood of many kinds of packets, like ICMP flood, port-scans,
etc. So, if you want to detect it, you just need to generate
a flood, and capture the return packets. If you suddenly
start to receive ICMP port/host/net unreachables, or stop
receiving the target host's responses (ACKs, ICMP Echo-Replies,
etc.), then you probably hit a nIDS.

Correct me if I'm wrong, but the IDS will act upon the firewall, which will in the
end change its ACL. So it's the firewall that will cut your ability to connect
to the other host, and I don't think you are able to receive any packet from the NIDS
- the only one who should receive something is the firewall.

- Active scans

      This is a rare "professional" nIDS behavior, but can
be made if programmed by a curious administrator. Once again,
just send some common signatures, and capture the return. If
it starts to scan you, you have now, and again, the above 3
pieces of information, with another great plus: You have SYN packets
sent by the nIDS and your OS guessing will be much more accurate.

Yeah, this method is very unlikely to be implemented. Besides, I think that
scanning is not considered to be legal, so administrators should not implement
this at all on their NIDS devices.

- Promiscuous-Mode Device Detection

      Technically possible, but rarely useful. I think that
it's possible in a local network, where you know what the
bandwidth behavior is. Any other use, like using it on the very
unstable and non-guaranteed Internet connections, is, in my
opinion, a great fantasy.

Agree, especially with some devices like Cisco NetRanger, which has 2 NICs in
it - one for communication with the manager and the other for sniffing network
traffic. That other card, which actually does the sniffing, is practically
undetectable.
OTOH, an intruder can probably identify this type of Sensor by its other NIC -
Cisco has Solaris 8 for x86 on boxes which are usually protected only with
tcpwrappers.

Anyway, pretty interesting methods. Although most of them are obvious, they
didn't come to my mind at first. :)

Best regards,

Bojan Zdrnja
