Firewall Wizards mailing list archives

Re: Relevance of IDS Results to Stateful FWs


From: tqbf () secnet com
Date: Mon, 16 Feb 1998 19:47:44 -0600 (CST)


marc () snitf ct-net de Sun Feb 15 98

I am sure, some _will_ do so. But not as sure as I am with an
application proxy. There is the possibility that a packet filter
or a stateful-whatever is quite similar to an IDS. "Similar" in the

...

firewall. You can't play evasion tricks by overloading the packet
filter because you have to go through the filter - that's fine - but
with this scenario you are open to fragmentation attacks like

...

So for me it's interesting to look on IDS technology and learn
something about firewalls. Impressed by all the features some
firewall vendors offer I sometimes went into an "everything goes"

Yeah, it's very interesting (to me) to think about the ramifications of
our work against other security technologies. I had hoped not to find
myself speaking up about this until my research work was done, but it
seems that the conclusion of "hey, stateful packet filters seem very
similar to a passive IDS embedded into a router" is going to be reached
independently of me.

Oh well. Someone thank me and Tim if you come up with something good
before we do.

Anyways, that aside: there's a perspective (it's not necessarily valid)
that sees stateful filtering as a speed hack over transparent application
gateway firewalls. It would seem to me that anything that did enough
mucking about with the protocols in the traffic to be effectively an
end-system WOULD be a proxy; if you're not a proxy, you're something less
than one, i.e. you're basing security conclusions off of something other
than information obtained from (what we're considering) active analysis.

Who knows. Maybe we'll find out that some of the stateful firewalls we're
working with are basically akin to passive IDS engines rigged to packet
filters; something of a more tightly integrated NetRanger system. I'd be
surprised if insertion and evasion couldn't be leveraged in that
situation.

As an example of what I'm getting at, has anyone tried Fyodor's "nmap"
tool (http://www.dhp.com/~fyodor) to scan through a stateful firewall and
seen what made it through? If something makes it through unexpectedly,
does this tell you something?

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
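As an added illustration of the point made above about passive devices (this is example code written for this archive page, not part of the original post and not Ptacek's or Secure Networks' code): a toy fragment reassembler for a filter or IDS that, rather than guessing how the end host would resolve overlapping or missing fragments, treats any ambiguity as grounds to drop the datagram. Offsets are plain byte offsets and the sample fragments are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the datagram (toy: not 8-byte units)
    payload: bytes
    more: bool     # "more fragments" flag


class AmbiguousReassembly(Exception):
    """Raised when a passive observer cannot know what the end host would see."""


def reassemble(frags: List[Fragment]) -> bytes:
    """Conservative reassembly for a passive device (stateful filter or IDS).

    Only fragment sets that every end-system stack must reassemble identically
    are accepted: no overlaps, no gaps, and the more-fragments flag set on every
    fragment except the last. Anything else raises AmbiguousReassembly so the
    caller can drop the datagram instead of guessing which host policy applies.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    expected = 0
    for i, f in enumerate(ordered):
        if f.offset < expected:
            raise AmbiguousReassembly(f"overlap at offset {f.offset}")
        if f.offset > expected:
            raise AmbiguousReassembly(f"gap before offset {f.offset}")
        is_last = i == len(ordered) - 1
        if f.more == is_last:  # last must have more=False, others more=True
            raise AmbiguousReassembly("more-fragments flag inconsistent with position")
        out += f.payload
        expected += len(f.payload)
    return bytes(out)


def verdict(frags: List[Fragment]) -> Tuple[str, Union[bytes, str]]:
    """Return ("inspect", data) for an unambiguous datagram, else ("drop", reason)."""
    try:
        return ("inspect", reassemble(frags))
    except AmbiguousReassembly as e:
        return ("drop", str(e))


# Constructed sample input: a clean two-fragment datagram and an overlapping one.
CLEAN = [Fragment(0, b"GET /ind", True), Fragment(8, b"ex.html", False)]
OVERLAP = [Fragment(0, b"AAAAAAAA", True), Fragment(4, b"BBBBBBBB", False)]
```

A device that instead picks a "first wins" or "last wins" policy on OVERLAP is making exactly the kind of guess about end-system behaviour the post warns about.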


