Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Bret Watson <lists () bwa net>
Date: Sun, 15 Feb 1998 12:39:24

At 12:09 14/02/98 -0600, you wrote:

Believe it or not, the proxy solution actually solves quite a number of
problems. I spent about 40 minutes yesterday trying to explain to Kurt
Ziegler at AbirNet (who steadfastly believes that there's no difference
between a sniffer and a proxy [after all, they see the same packets!]) 

Hmmm, makes me wonder how they can sell a firewall if they don't know what a
proxy does... or perhaps this is marketing hype - they seem good at that...

A proxy gateway has the distinct advantage of being a connection endpoint.
In the terminology I've been using lately, I'd say that a proxy-sniffer is
an ACTIVE (not passive) monitor. Say we have hosts A (the attacker), B
(the proxy monitor), and C (the target). When A sends a packet to C, in a
proxy configuration, it actually winds up sending the packet to B. B does
NOT simply forward the packet to C; rather, it interprets the packet,
figures out what it thought host A meant by the packet, and then sends
host C a NEW packet REPRESENTING WHAT IT THOUGHT HOST A MEANT.

Forgive me if I've read this wrong - but this sounds like an app proxy
firewall, does it not?

OK, it's a firewall with much better alarming and logging. But in normal
security (I mean physical) an IDS is a detection system - it does not
provide a major response, though it may assist in the apprehension phase.

What I can see here is a transparent proxy IDS sitting on the wire, proxying
all the packets but not attempting to fit them against rules, just passing
them through the proxy layers. Think of an app proxy firewall with an ANY to ANY
rule set to allow.

This would permit normal traffic, and allow faster throughput. As a proxy
it could alarm when suspicious packets arrive (like badly created ICMP
packets or chronically overlapped packets). BUT it would not try and fix the
packets - if anything this is the firewall's job, otherwise it would be
easy to do DoS by sending bad packets down the stream - the IDS would spend
all its time trying to fix them....

This will cut down the attacks via TCP stacks, but still not handle the
problem of 'conventional' attacks - via buffer overflow etc. It seems we
are still stuck with the pattern matching method - one that will always be
one step behind. Look at the virus detection industry - we still don't have
automatic recognition and removal there <insert conspiracy theories here>.

Cheers,

Bret

Technical Incursion Countermeasures 
consulting () bwa net                      http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - an e'zine on Computer security
http://www.ticm.com/about/insider.html
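An added illustration of the point the thread argues (the proxy as a connection endpoint versus a sniffer that merely sees the same packets), not code from the original post or from any product mentioned in it. It models a TCP-like byte stream as constructed (seq, payload) segments: a passive monitor cannot know which bytes the target's stack keeps when segments overlap with conflicting data, whereas a proxy endpoint applies one reassembly policy of its own, forwards that single interpretation, and alarms on the overlap instead of trying to repair it. The segment format, the policy names and the sample data are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # stream offset of the first byte (assumed model, not real TCP headers)
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream; policy 'first' keeps the earliest byte seen at an
    offset, 'last' lets a later segment overwrite it (two real-world stack behaviours)."""
    buf = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if off in buf and policy == "first":
                continue
            buf[off] = b
    return bytes(buf[k] for k in sorted(buf))


def conflicting_offsets(segments):
    """Offsets where two segments carry different bytes: the ambiguity a sniffer cannot resolve."""
    seen, conflicts = {}, []
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if off in seen and seen[off] != b:
                conflicts.append(off)
            seen.setdefault(off, b)
    return conflicts


def passive_monitor(segments, signature):
    """Sniffer view: must guess the target's reassembly, so the verdict depends on the policy."""
    return {p: signature in reassemble(segments, p) for p in ("first", "last")}


def proxy_monitor(segments, signature):
    """Endpoint view: one reassembly (the proxy's own) is forwarded as a NEW clean stream;
    overlaps are alarmed, not fixed, so bad segments cost only a log line."""
    alarms = []
    conflicts = conflicting_offsets(segments)
    if conflicts:
        alarms.append(f"overlapping segments with conflicting data at offsets {conflicts}")
    stream = reassemble(segments, "first")
    if signature in stream:
        alarms.append("signature matched in proxy-reassembled stream")
    return stream, alarms


# Constructed sample: a later segment overlaps offsets 6-10 with different bytes.
SAMPLE = [Segment(0, b"HELLO "), Segment(6, b"WORLD"), Segment(6, b"THERE")]
```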


