Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: marc () sniff ct-net de
Date: Sun, 15 Feb 1998 10:27:57 +0000 (GMT)
Darren Reed <darrenr () cyber com au> wrote:
And why is that? They damn well should be (or at least attempting to ensure that only the right information gets through). It's
I am sure some _will_ do so. But not as sure as I am with an application proxy. There is the possibility that a packet filter or a stateful-whatever is quite similar to an IDS. "Similar" in the sense that the stateful machine is just hooked up on the wire, looking closely at what is being forwarded by itself or the OS of the firewall. You can't play evasion tricks by overloading the packet filter, because you have to go through the filter - that's fine - but with this scenario you are open to fragmentation attacks like teardrop2 etc.

The bottom line: because you cannot look into the black box (thanks to TIS producing a "crystal black box"), you have to draw your conclusions from "stateful/packet" vs. "proxy". And it is a weak conclusion, because all these speedy "kernel-cut-through" tricks instead of plain-old-application-proxy mean you don't even know what's going on within some proxy firewalls. :-(

So for me it's interesting to look at IDS technology and learn something about firewalls. Impressed by all the features some firewall vendors offer, I sometimes went into an "everything goes" mood (or mode? ;-). All the salesmen sound very tough when talking about "deny what isn't explicitly allowed" ... but now I have to learn that their products may not be able to detect a malicious access and allow it. It's the same problem as described in the report of Ptacek and Newsham: the firewall has to interpret what will happen inside the destination system. An application proxy helps you because the data is "normalized" on OSI layers 1-4. At layer 5 and above you are alone in the cold. Some proxies are looking for buffer overflow attacks or data outside the acceptable character set and provide some "normalization" this way. The rest is a "quick fix" like looking for "phf" in HTTP or "|/bin/sh" in SMTP data streams. We all know this, and we know it's marketing hype to fix all and everything with a firewall instead of fixing the bad applications.

But I thought about firewalls as the right tool to protect on the network layer (and still do so). I spent much time learning how the attacks work, but I didn't think about the _detection_. Thanks to Ptacek/Newsham for pointing this out. So for me this is the positive side effect of what I think is a wrong move of IDS vendors, trying to sell "another firewall" introducing active reactions like rewriting router access lists etc.

Regards, Marc

--
Marc Binderberger
97076 Wuerzburg, Germany
marc () sniff ct-net de
Powered by FreeBSD ;-)
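The point Marc takes from Ptacek/Newsham, that a filter or IDS watching fragments on the wire has to guess how the destination host will reassemble them, while a proxy normalizes the traffic away, can be illustrated in a few lines. This is an added example, not code from the original post: fragments are modelled as (byte offset, payload) pairs without IP headers, the two reassembly policies are deliberately simplified stand-ins for real stack behaviour, and the sample request is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Simplified model: (byte offset within the datagram, payload); offsets are in
# bytes rather than 8-byte units and IP headers are omitted.
Fragment = Tuple[int, bytes]

# Constructed sample: a benign request, then an overlapping fragment that
# rewrites everything after "GET " (offset 4). Both fragments end at byte 24.
SAMPLE: List[Fragment] = [
    (0, b"GET /default.htm HTTP/1.0"),
    (4, b"/cgi-bin/phf HTTP/1.0"),
]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble in arrival order under a simplified host policy.

    'first': bytes already received win (favour-old).
    'last' : later fragments overwrite earlier bytes (favour-new).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for off, data in frags:
        for i, byte in enumerate(data):
            if policy == "last" or (off + i) not in buf:
                buf[off + i] = byte
    end = max(buf) + 1 if buf else 0
    if any(pos not in buf for pos in range(end)):
        raise ValueError("hole in datagram")
    return bytes(buf[pos] for pos in range(end))


def overlaps(frags: List[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Pairs of fragments whose byte ranges intersect."""
    found = []
    for i, (a_off, a) in enumerate(frags):
        for b_off, b in frags[i + 1:]:
            if a_off < b_off + len(b) and b_off < a_off + len(a):
                found.append(((a_off, a), (b_off, b)))
    return found


def normalize(frags: List[Fragment]) -> Optional[bytes]:
    """What a proxy effectively does: refuse an ambiguous datagram instead of
    guessing how the destination will resolve it. Returns None on rejection."""
    if overlaps(frags):
        return None
    return reassemble(frags, "first")  # both policies agree without overlaps
```

Run against SAMPLE, the 'first' policy yields the harmless request and the 'last' policy yields the "phf" request, so a sensor that guesses the wrong policy sees nothing while the host sees the attack; normalize() rejects the datagram outright.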