Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: marc () sniff ct-net de
Date: Sun, 15 Feb 1998 10:27:57 +0000 (GMT)


Darren Reed <darrenr () cyber com au> wrote:

And why is that ?  They damn well should be (or at least attempting
to ensure that only the right information gets through).  It's

I am sure some _will_ do so. But not as sure as I am with an
application proxy. There is the possibility that a packet filter
or a stateful-whatever is quite similar to an IDS. "Similar" in the
sense that the stateful machine is just hooked up on the wire looking
closely at what is being forwarded by itself or the OS of the
firewall. You can't play evasion tricks by overloading the packet
filter because you have to go through the filter - that's fine - but
with this scenario you are open to fragmentation attacks like
teardrop2 etc.
The bottom line: because you cannot look into the black box
(thanks to TIS producing a "crystal black box"), you have to draw
your conclusions from "stateful/packet" vs. "proxy". And it is a weak
conclusion because all these speedy "kernel-cut-through" tricks instead
of plain-old-application-proxy mean you don't even know what's going
on within some proxy firewalls. :-(

So for me it's interesting to look at IDS technology and learn
something about firewalls. Impressed by all the features some
firewall vendors offer I sometimes went into an "everything goes"
mood (or mode? ;-) . All the salesmen sound very tough when
talking about "deny what isn't explicitly allowed" ... but now
I have to learn that their products may not be able to detect
a malicious access and allow it.
It's the same problem as described in the report of Ptacek and
Newsham: the firewall has to interpret what will happen inside the
destination system. An application proxy helps you because the data
is "normalized" on OSI layers 1-4.
At layer 5 and above you are alone in the cold. Some proxies are
looking for buffer overflow attacks or data outside the acceptable
character set and provide some "normalization" this way. The rest
is a "quick fix" like looking for "phf" in HTTP or "|/bin/sh" in
SMTP data streams.
We all know this and we know it's marketing hype to fix all and
everything with a firewall instead of fixing the bad applications.
But I thought about firewalls as the right tool to protect on the
network layer (and still do so). I spent much time learning how
the attacks work but I didn't think about the _detection_. Thanks
to Ptacek/Newsham for pointing this out.

So for me this is the positive side effect of what I think is a wrong
move of IDS vendors, trying to sell "another firewall" introducing
active reactions like rewriting router access lists etc.


Regards, Marc
-- 
Marc Binderberger                                 97076 Wuerzburg, Germany
marc () sniff ct-net de                              Powered by FreeBSD ;-)
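The "interpret what will happen inside the destination system" problem Marc credits to Ptacek/Newsham, shown on TCP segments, as an added example that is not part of the original post or the paper. The capture, the segment layout and the policy labels "first"/"last" are constructed for illustration; the "phf" string is the one the post mentions.

```python
# Added example (not from the original post): Ptacek/Newsham's point that a
# monitor must guess how the destination reassembles. Capture is constructed.
Segment = tuple[int, bytes]

# Constructed capture: segment two retransmits bytes 13..15 of segment one
# with DIFFERENT data, so endpoints with different overlap policies differ.
CAPTURE: list[Segment] = [
    (0, b"GET /cgi-bin/abc HTTP/1.0\r\n"),
    (13, b"phf"),
]

def reassemble(segments: list[Segment], policy: str) -> bytes:
    """Rebuild the stream; "first": buffered bytes win, "last": newer bytes
    overwrite. Raises ValueError on a hole (TCP would not deliver past it)."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: dict[int, int] = {}
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = b
    if not buf:
        return b""
    if len(buf) != max(buf) + 1:
        raise ValueError("stream has a hole")
    return bytes(buf[i] for i in range(len(buf)))

def conflicting_overlaps(segments: list[Segment]) -> list[int]:
    """Positions where two segments disagree about a byte. A real retransmit
    repeats identical data, so a conflict is corruption or an attempt to make
    monitor and endpoint see different streams. A passive monitor can only
    flag this; a proxy that reassembles once and forwards its own copy removes
    the ambiguity (the "normalization" the post credits to application proxies)."""
    seen: dict[int, int] = {}
    conflicts: set[int] = set()
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)
```

Run `reassemble(CAPTURE, "first")` and `reassemble(CAPTURE, "last")` to see the two requests the same wire bytes become; `conflicting_overlaps(CAPTURE)` is the check a monitor can apply without knowing which one the endpoint will choose.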