Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Bret Watson <lists () bwa net>
Date: Sun, 15 Feb 1998 12:39:24
At 12:09 14/02/98 -0600, you wrote:
Believe it or not, the proxy solution actually solves quite a number of problems. I spent about 40 minutes yesterday trying to explain to Kurt Ziegler at AbirNet (who steadfastly believes that there's no difference between a sniffer and a proxy [after all, they see the same packets!])
hmmm makes me wonder how they can sell a firewall if they don't know what a proxy does... or perhaps this is marketing hype - they seem good at that...
A proxy gateway has the distinct advantage of being a connection endpoint. In the terminology I've been using lately, I'd say that a proxy-sniffer is an ACTIVE (not passive) monitor. Say we have hosts A (the attacker), B (the proxy monitor), and C (the target). When A sends a packet to C, in a proxy configuration, it actually winds up sending the packet to B. B does NOT simply forward the packet to C; rather, it interprets the packet, figures out what it thought host A meant by the packet, and then sends host C a NEW packet REPRESENTING WHAT IT THOUGHT HOST A MEANT.
forgive me if I've read this wrong - but this sounds like an app proxy firewall, does it not? OK, it's a firewall with much better alarming and logging. But in normal security (I mean physical) an IDS is a detection system - it does not provide a major response, though it may assist in the apprehension phase.

What I can see here is a transparent proxy IDS sitting on the wire proxying all the packets, but not attempting to fit them against rules, just passing them through the proxy layers. Think of an app proxy firewall with an ANY to ANY rule set to allow. This would permit normal traffic, and allow faster throughput. As a proxy it could alarm when suspicious packets arrive (like badly created ICMP packets or chronically overlapped packets). BUT it would not try and fix the packets - if anything this is the firewall's job, otherwise it would be easy to do DOS by sending bad packets down the stream - the IDS would spend all its time trying to fix them....

This will cut down the attacks via TCP stacks, but still not handle the problem of 'conventional' attacks - via buffer overflow etc. It seems we are still stuck with the pattern matching method - one that will always be one step behind. Look at the virus detection industry - we still don't have automatic recognition and removal there <insert conspiracy theories here>.

Cheers,
Bret

Technical Incursion Countermeasures
consulting () bwa net
http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security
http://www.ticm.com/about/insider.html
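An added toy illustration of the A / B / C argument above (example code, not from the thread or from any product discussed in it): a passive sniffer has to guess how host C's stack resolves overlapping segments, while host B as a proxy endpoint reassembles once with its own policy, raises an alarm on the overlap, and emits one fresh segment to C. The segments, the "original data wins" policy for B, and the alarm string are all constructed assumptions.

```python
# Added illustration (not from the thread): ACTIVE proxy endpoint vs PASSIVE sniffer.
# All segments and policies below are constructed toy data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset into the stream (toy stand-in for a TCP sequence number)
    data: bytes


def reassemble(segments: List[Segment], favor_new: bool) -> Tuple[bytes, bool]:
    """Rebuild the byte stream from segments in ARRIVAL order.

    favor_new is the overlap policy: True keeps later data for an already-seen
    offset, False keeps the original. A passive sniffer must guess which policy
    host C's stack uses; an endpoint simply applies its own.
    Returns (stream, overlap_seen)."""
    stream: Dict[int, int] = {}
    overlap_seen = False
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in stream:
                overlap_seen = True
                if not favor_new:
                    continue        # original data wins: discard the retransmitted byte
            stream[off] = byte
    return bytes(stream[k] for k in sorted(stream)), overlap_seen


def sniffer_agrees(segments: List[Segment], guessed: bool, target: bool) -> bool:
    """A passive monitor sees what C sees only if its guess matches C's stack."""
    return reassemble(segments, guessed)[0] == reassemble(segments, target)[0]


def proxy_forward(segments: List[Segment]) -> Tuple[List[Segment], Optional[str]]:
    """Host B as a connection endpoint: interprets A's segments with ITS OWN policy
    (assumed here: original data wins), alarms if overlap was seen, and sends C ONE
    new segment representing what it thought A meant. It repairs nothing; it just
    never forwards A's raw packets, so C cannot see the overlap at all."""
    data, overlap_seen = reassemble(segments, favor_new=False)
    alarm = "overlapping segments from A" if overlap_seen else None
    return [Segment(0, data)], alarm


# Constructed sample: A sends "hello world", then re-sends offset 0 as "HELLO".
SEGMENTS = [Segment(0, b"hello "), Segment(6, b"world"), Segment(0, b"HELLO")]

if __name__ == "__main__":
    print(reassemble(SEGMENTS, favor_new=False), reassemble(SEGMENTS, favor_new=True))
    print(proxy_forward(SEGMENTS))
```

Whatever policy C applies to the proxy's single re-emitted segment, it reconstructs the same bytes B logged, which is the point of B being an endpoint rather than a forwarder.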