Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: tqbf () secnet com
Date: Mon, 16 Feb 1998 20:15:18 -0600 (CST)

Hmmm, I've not thought all of this completely through yet, but how much 
of the original "doesn't work for IDS" stuff is valid if the IDS is on a 
chokepoint switch with a promiscuous port, and every other device on the 
switch (just routers I'd guess) is on a port where only packets from their MAC

We lose one very small section of the paper (and one that I wish, in
retrospect, I hadn't put in) dealing with the ramifications of MAC address
forgery. The vast majority of the attacks we outlined can be performed by
a remote attacker in, say, Estonia, even if her ISP blocks forged packets.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"


