Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Darren Reed <darrenr () cyber com au>
Date: Mon, 16 Feb 1998 10:14:23 +1100 (EST)
In some mail I received from Aleph One, sie wrote
On Sun, 15 Feb 1998, Steven M. Bellovin wrote:You're right about firewalls, but possibly wrong about non-proxy IDS's. A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't be vulnerable to bugs in one. Suppose, for example, that a TCP segment with all flag bits on would make a given TCP fall over. An IDS might or might not realize that such a packet was malicious. But if it didn't use TCP to process it, it wouldn't be harmed. Clearly, the more closely an IDS mimics the behavior of an end system, the more vulnerable it is. I made this point about firewalls with lots of proxies a few days ago -- the more functionality you have, the more vulnerable you are.I see what you mean. I guess my point was the any network program that accepts input from a possibly aggressive source may contains vulnerabilities in the code that processes such input. You are correct in that the obviously complex task of implementing a TCP/IP stacks is one such process with a greater chance of demonstrating such vulnerabilities but inasmuch that a network intrusion detection system processes this type of input they are at risk too.
This raises the argument for using "secure" operating systems, which can potentially detect abnormal events in `sub-processes' which handle TCP, etc, and confine their ability to do damage. Darren
Current thread:
- Re: Important Comments re: INtrusion Detection, (continued)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 14)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 15)
- Re: Important Comments re: INtrusion Detection marc (Feb 15)
- Re: Important Comments re: INtrusion Detection Steve Bellovin (Feb 14)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 15)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 16)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)