Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 15 Feb 1998 19:40:21 +0000
At 02:06 AM 2/15/98 -0600, Aleph One wrote:
> On Sat, 14 Feb 1998, Steve Bellovin wrote:
> > The most serious problem, of course, is that there is no a priori reason
> > to think that the IDS's stack is bug-free. And if you penetrate it, you've
> > acquired control of a machine that is by definition a perfect sniffer --
> > for the dark side...
>
> But this is the case of non-proxy IDS's (or any other network program
> [e.g. firewalls]) right now as well. The new architecture does not change
> this.
You're right about firewalls, but possibly wrong about non-proxy IDS's. A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't be vulnerable to bugs in one. Suppose, for example, that a TCP segment with all flag bits on would make a given TCP fall over. An IDS might or might not realize that such a packet was malicious. But if it didn't use TCP to process it, it wouldn't be harmed. Clearly, the more closely an IDS mimics the behavior of an end system, the more vulnerable it is. I made this point about firewalls with lots of proxies a few days ago -- the more functionality you have, the more vulnerable you are.
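The distinction Bellovin draws above, a sensor that decodes packets versus one that processes them with a real TCP implementation, can be made concrete. The following is an added example written for this archive page, not code from the thread or from any product discussed in it; the function and constant names (`parse_tcp_header`, `inspect_segment`, `build_tcp_header`, the sample headers) are my own. It decodes the fixed TCP header from raw bytes, reports flag combinations no conforming end system would emit (including the "all flag bits on" case from the message), and never hands the bytes to the operating system's TCP stack, so a segment that would crash a stack cannot crash this inspector. The sample headers are constructed in-memory inputs for the decoder.

```python
import struct
from dataclasses import dataclass

# Bit positions of the eight TCP flag bits in the low byte of the
# data-offset/flags field (RFC 793 flags plus ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


@dataclass(frozen=True)
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (>= 5 when valid)
    reserved: int      # the 4 bits between the data offset and the flags
    flags: int         # low 8 bits of the offset/flags field
    captured_len: int  # bytes actually available to the decoder

    def flag_names(self) -> list:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header.  This is only a decoder: it keeps
    no connection state, performs no reassembly and never passes the segment
    to an operating-system TCP implementation (hypothetical helper)."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpHeader(src, dst, seq, ack,
                     data_offset=off_flags >> 12,
                     reserved=(off_flags >> 8) & 0xF,
                     flags=off_flags & 0xFF,
                     captured_len=len(raw))


def inspect_segment(raw: bytes) -> list:
    """Return a list of anomaly descriptions for one raw TCP header.
    An empty list means the header looked like ordinary traffic."""
    h = parse_tcp_header(raw)
    f = h.flags
    classic = FIN | SYN | RST | PSH | ACK | URG
    findings = []
    if f == 0:
        findings.append("no flags set")
    if f & classic == classic:
        findings.append("FIN,SYN,RST,PSH,ACK,URG all set")
    if f & SYN and f & FIN:
        findings.append("SYN and FIN together")
    if f & SYN and f & RST:
        findings.append("SYN and RST together")
    if f & FIN and not f & ACK:
        findings.append("FIN without ACK")
    if h.reserved:
        findings.append("reserved bits set")
    if h.data_offset < 5:
        findings.append("data offset below minimum of 5 words")
    elif h.data_offset * 4 > h.captured_len:
        findings.append("data offset claims more header than was captured")
    return findings


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0,
                     data_offset=5, reserved=0, window=65535) -> bytes:
    """Assemble a 20-byte header as constructed sample input for the decoder."""
    off_flags = (data_offset << 12) | (reserved << 8) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)


# Constructed samples: two ordinary segments, one with every bit of the
# offset/flags field set (the case from the message), and one with no flags.
NORMAL_SYN = build_tcp_header(40000, 80, SYN, seq=1)
NORMAL_ACK = build_tcp_header(40000, 80, ACK, seq=2, ack=1)
ALL_BITS_ON = build_tcp_header(40000, 80, 0xFF, data_offset=15, reserved=0xF)
NO_FLAGS = build_tcp_header(40000, 80, 0)

if __name__ == "__main__":
    for label, raw in [("normal SYN", NORMAL_SYN), ("normal ACK", NORMAL_ACK),
                       ("all bits on", ALL_BITS_ON), ("no flags", NO_FLAGS)]:
        hdr = parse_tcp_header(raw)
        print(f"{label:12s} flags={hdr.flag_names()} -> {inspect_segment(raw)}")
```

The point is not the particular rule list, which any real sensor would extend, but the trust boundary: every byte of the malformed header reaches only a fixed-size `struct.unpack` and a handful of integer comparisons, so the inspector's exposure is the decoder's own correctness rather than that of a full TCP implementation. The price, as the message notes, is fidelity: this decoder cannot know what a given end system's stack would actually do with the segment.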