Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: tqbf () secnet com
Date: Sun, 15 Feb 1998 01:15:04 -0600 (CST)

...and how is that secondary source there when it is just a passive
listener and not there when it is a proxy?  I think I'm missing something
you're implying.  As per a proxy firewall, you have hosts on "each side".

If you know the number of hops to every destination on the network, the
MTU of each of those hops, the OS running on each of the machines on your
network, and the exact network configuration of each, AND if you can
reliably see every packet on the wire, you can (I currently believe)
accurately reconstruct network traffic and detect intrusions in it.

You do not need to be a proxy to have this information. Being a proxy
allows you to do network intrusion detection WITHOUT this information. The
problem you need to solve at this point is "how the hell do we get this
kind of information to the IDS in real time, in order to make my non-proxy
sniffer IDS work."

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
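The per-destination knowledge listed above (hop count, path MTU, how the destination's stack resolves overlapping data) is easiest to see in a toy passive-sensor reassembler. The Python below is an added example, not code from this post or from Secure Networks; it assumes the sensor already holds a HostInfo record per destination and treats TCP sequence numbers as offsets from the start of the stream.

```python
from dataclasses import dataclass
from typing import Optional

IP_TCP_HEADERS = 40  # minimal IPv4 + TCP header bytes; assumption used by the MTU check

@dataclass
class Segment:
    seq: int          # offset of the first byte within the stream (relative seq)
    data: bytes
    ttl: int          # IP TTL as observed by the sensor
    df: bool = False  # IP "don't fragment" flag set

@dataclass
class HostInfo:
    hops: int    # router hops between the sensor and the destination host
    mtu: int     # smallest MTU on that path
    policy: str  # how the host resolves overlapping data: "first" or "last"

def reaches_host(seg: Segment, host: HostInfo) -> bool:
    """A segment the sensor saw is only part of the host's view if it survives the path."""
    if seg.ttl <= host.hops:  # TTL reaches zero before arrival
        return False
    if seg.df and len(seg.data) + IP_TCP_HEADERS > host.mtu:  # too big, cannot be fragmented
        return False
    return True

def reassemble(segments, host: Optional[HostInfo] = None) -> bytes:
    """Rebuild the stream. With host=None the sensor has no topology knowledge and
    simply accepts every byte it sees (latest data wins on overlap)."""
    stream = {}
    for seg in segments:
        if host is not None and not reaches_host(seg, host):
            continue
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if host is not None and host.policy == "first" and off in stream:
                continue
            stream[off] = byte
    return bytes(stream[k] for k in sorted(stream))

# Constructed capture: two segments overlap at offset 5, and one of them carries
# a TTL that expires before reaching a host three hops away.
CAPTURE = [
    Segment(0, b"GET /", ttl=64),
    Segment(5, b"index", ttl=64),
    Segment(5, b"about", ttl=2),
    Segment(10, b".html HTTP/1.0\r\n", ttl=64),
]

if __name__ == "__main__":
    print(reassemble(CAPTURE))  # sensor with no knowledge of the destination
    print(reassemble(CAPTURE, HostInfo(hops=3, mtu=1500, policy="last")))
    print(reassemble(CAPTURE, HostInfo(hops=1, mtu=1500, policy="first")))
```

The same capture yields a different request string depending on which HostInfo the sensor has, which is exactly why a sniffer without that information cannot claim to see what the host saw.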
