Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Darren Reed <darrenr () cyber com au>
Date: Sun, 15 Feb 1998 13:29:46 +1100 (EST)

In some mail I received from marc () sniff ct-net de, sie wrote
> Darren Reed <darrenr () cyber com au> wrote:
>
> > One conclusion from this might be that an IDS is only truly
> > possible if implemented as a proxy gateway of sorts or otherwise
>
> I agree with proxies ...
>
> > performs as a mediator of packets as a firewall might be expected
> > to do.  Do you agree with this ?
>
> ... but I wouldn't expect every stateful firewall to rebuild the
> IP or TCP Headers (is there _any_ stateful firewall doing so?).

And why is that ?  They damn well should be (or at least attempting
to ensure that only the right information gets through).  It's
interesting to see comments like this which basically say that
packet filtering firewalls are inherently less secure than proxy
based ones.

IP packets can be rebuilt at firewalls, doing packet filtering, but
it can be construed to be a `bad thing' on the principle that gateways
(or routers) don't reassemble fragments and just pass packets on.

I wonder how FW-1 would stack up to the sort of tests that SNI put
the various IDS systems through.

> With "rebuild" I am thinking of a firewall picking out all relevant
> information but not the redundant one (like checksums) and send out
> an IP packet with a copy of the relevant stuff and a checksum
> calculated on its own (and header length, and reserved bits = 0,
> and ...). If the firewall doesn't, the insertion attack will
> still work.

The problem here is that as soon as that reserved bit is allocated to
a use, your firewall needs updating.  If you examine IP packets by hand,
you'll find that there is very little redundant information, also checksums
are known to be one of the more expensive parts of routing IP packets,
being able to modify them simply is much better than total recalculation.

Darren
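As an added illustration, not part of the thread above: the "rebuild" marc describes (clear the reserved bit, recompute the IP header checksum so a packet the end host would reject is not passed through unchanged) next to the incremental checksum update Darren prefers over full recalculation (RFC 1624). The header bytes are constructed and the function names are my own.

```python
import struct

def build_header(flags_frag: int, checksum: int, ttl: int = 64) -> bytes:
    """Constructed IPv4 header (no options): 10.0.0.1 -> 10.0.0.2, TCP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag,
                       ttl, 6, checksum, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is correct this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624: HC' = ~(~HC + ~m + m') -- only the changed word is touched,
    which is the cheap update Darren refers to (e.g. after a TTL decrement)."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def normalize_ip_header(header: bytes):
    """Rebuild the header as a mediating firewall would.
    Returns (rebuilt_header, checksum_was_bad, reserved_bit_was_set).
    A packet with a bad checksum is one an end host drops silently; an IDS
    that accepts it anyway is the insertion case the thread discusses."""
    h = bytearray(header[:20])
    checksum_was_bad = ip_checksum(bytes(h)) != 0
    flags_frag = struct.unpack("!H", h[6:8])[0]
    reserved_bit_was_set = bool(flags_frag & 0x8000)
    h[6:8] = struct.pack("!H", flags_frag & 0x7FFF)   # reserved bit = 0
    h[10:12] = b"\x00\x00"                            # zero, then recompute
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h), checksum_was_bad, reserved_bit_was_set

if __name__ == "__main__":
    good = build_header(0x4000, ip_checksum(build_header(0x4000, 0)))
    bogus = build_header(0xC000, 0xDEAD)    # reserved bit set, bad checksum
    print(normalize_ip_header(bogus)[1:])   # (True, True)
    print(normalize_ip_header(bogus)[0] == good)   # True
```

A full recomputation and the RFC 1624 shortcut must agree; the test below checks that after a TTL decrement.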


