Re: Important Comments re: INtrusion Detection

[Darren Reed <darrenr () cyber com au>]

In some mail I received from Aleph One, sie wrote
> On Sun, 15 Feb 1998, Steven M. Bellovin wrote:
> > You're right about firewalls, but possibly wrong about non-proxy IDS's.
> > A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't
> > be vulnerable to bugs in one.  Suppose, for example, that a TCP segment
> > with all flag bits on would make a given TCP fall over.  An IDS might
> > or might not realize that such a packet was malicious.  But if it didn't
> > use TCP to process it, it wouldn't be harmed.  Clearly, the more closely
> > an IDS mimics the behavior of an end system, the more vulnerable it is.
> > I made this point about firewalls with lots of proxies a few days ago --
> > the more functionality you have, the more vulnerable you are.
>
> I see what you mean. I guess my point was the any network program that
> accepts input from a possibly aggressive source may contains vulnerabilities
> in the code that processes such input. You are correct in that the
> obviously complex task of implementing a TCP/IP stacks is one such process
> with a greater chance of demonstrating such vulnerabilities but inasmuch
> that a network intrusion detection system processes this type of input
> they are at risk too.

This raises the argument for using "secure" operating systems, which can
potentially detect abnormal events in `sub-processes' which handle TCP,
etc, and confine their ability to do damage.

Darren