Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 15 Feb 1998 09:50:29 -0500 (EST)
On Sun, 15 Feb 1998, Darren Reed wrote:
> IP packets can be rebuilt at firewalls, doing packet filtering, but it can be construed to be a `bad thing' on the principle that gateways (or routers) don't reassemble fragments and just pass packets on.

I'm curious as to why this is a "bad thing"? Reassembly prior to passing to the packet filtering layer gets rid of a whole class of attack. Most of the time these days fragments all travel the same path relatively quickly, and the only major disadvantage I can see is that the gateway's stack buffering needs to be large, and hopefully indexed rather than linearly addressed for large sites, but that's more of an implementation issue.

> I wonder how FW-1 would stack up to the sort of tests that SNI put the various IDS systems through.
I suppose I wasn't the first to wonder this.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
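Added example, not part of the original message or of any product named in the thread: a sketch of the reassemble-then-filter gateway discussed above, with the fragment buffer indexed by a hash key rather than searched linearly and bounded in size and age. The class and function names, the limits, the choice to discard datagrams with overlapping fragments, the blocked port and the sample segment are all assumptions made for illustration.

```python
import struct
from collections import OrderedDict
MAX_QUEUES, TIMEOUT = 1024, 30.0  # assumed limits: open queues, seconds to expiry

class Reassembler:
    """Fragment table indexed by (src, dst, proto, id): O(1) lookup per fragment."""
    def __init__(self):
        self.table = OrderedDict()  # key -> [first_seen, {offset: bytes}, total_len]
    def add(self, now, key, offset, more, payload):
        """Store one fragment; return the whole payload once complete, else None."""
        while self.table and next(iter(self.table.values()))[0] + TIMEOUT < now:
            self.table.popitem(last=False)          # expire stale queues
        if key not in self.table:
            if len(self.table) >= MAX_QUEUES:
                self.table.popitem(last=False)      # evict oldest: bounded memory
            self.table[key] = [now, {}, None]
        queue = self.table[key]
        parts, end = queue[1], offset + len(payload)
        if any(offset < o + len(p) and o < end for o, p in parts.items()):
            del self.table[key]                     # overlapping fragments: discard all
            return None
        parts[offset] = payload
        if not more:
            queue[2] = end                          # last fragment fixes total length
        data = b""
        for o in sorted(parts):
            if o != len(data):
                return None                         # hole: still waiting
            data += parts[o]
        if len(data) != queue[2]:
            return None                             # last fragment not seen yet
        del self.table[key]
        return data

def tcp_verdict(segment, blocked_ports):
    """Filter rule evaluated on the complete TCP segment, never on one fragment."""
    if len(segment) < 20:
        return "drop"                               # no full TCP header to inspect
    dport = struct.unpack("!H", segment[2:4])[0]
    return "drop" if dport in blocked_ports else "pass"

def gateway(fragments, blocked_ports=frozenset({23})):
    """Take (time, key, offset, more, payload) tuples; give a verdict or None for each."""
    r = Reassembler()
    wholes = [r.add(*f) for f in fragments]
    return [None if w is None else tcp_verdict(w, blocked_ports) for w in wholes]

# Constructed sample: 32-byte TCP segment (header + 12 data bytes) to port 23.
SEG = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, 2, 1024, 0, 0) + b"x" * 12
```

The filter sees the port only once every fragment has arrived, whatever order they came in, and the table's memory cost is capped by `MAX_QUEUES` and `TIMEOUT`.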