Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 15 Feb 1998 19:40:21 +0000

At 02:06 AM 2/15/98 -0600, Aleph One wrote:
> On Sat, 14 Feb 1998, Steve Bellovin wrote:
>
> > The most serious problem, of course, is that there is no a priori reason
> > to think that the IDS's stack is bug-free.  And if you penetrate it, you've
> > acquired control of a machine that is by definition a perfect sniffer --
> > for the dark side...
>
> But this is the case of non-proxy IDS's (or any other network program
> [e.g. firewalls]) right now as well. The new architecture does not change
> this.

You're right about firewalls, but possibly wrong about non-proxy IDS's.
A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't
be vulnerable to bugs in one.  Suppose, for example, that a TCP segment
with all flag bits on would make a given TCP fall over.  An IDS might
or might not realize that such a packet was malicious.  But if it didn't
use TCP to process it, it wouldn't be harmed.  Clearly, the more closely
an IDS mimics the behavior of an end system, the more vulnerable it is.
I made this point about firewalls with lots of proxies a few days ago --
the more functionality you have, the more vulnerable you are.
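
As an added illustration (not part of the thread, and not code from any of the participants), the following stateless inspector decodes a TCP header straight from raw bytes and alerts on flag combinations a conforming sender never emits, such as the "all flag bits on" segment above, without ever handing the segment to a TCP implementation. The sample segments are constructed inline; the field names and alert strings are this example's own choices.

```python
import struct

# The eight TCP flag bits, low to high (RFC 793 flags plus ECE/CWR from RFC 3168).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
ALL_SIX = 0x3F  # FIN|SYN|RST|PSH|ACK|URG, the "all flags on" segment

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header with no connection state.
    Only the fields needed for inspection are read; nothing is reassembled
    or delivered, so a malformed segment cannot reach a TCP stack here."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "data_offset": (off_flags >> 12) * 4,          # header length in bytes
        "flags": [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)],
    }

def inspect_flags(flags: list) -> list:
    """Return alert strings for flag combinations no legitimate sender produces."""
    alerts = []
    present = set(flags)
    if {"FIN", "SYN", "RST", "PSH", "ACK", "URG"} <= present:
        alerts.append("all six classic flags set")
    if {"SYN", "FIN"} <= present:
        alerts.append("SYN+FIN")
    if {"SYN", "RST"} <= present:
        alerts.append("SYN+RST")
    if not present:
        alerts.append("no flags set (null segment)")
    return alerts

def inspect_segment(segment: bytes) -> list:
    """Parse and inspect one segment; a header too short to decode is itself an alert."""
    try:
        hdr = parse_tcp_header(segment)
    except ValueError as exc:
        return [str(exc)]
    alerts = inspect_flags(hdr["flags"])
    if hdr["data_offset"] < 20:
        alerts.append("data offset smaller than minimum header")
    return alerts

def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample: a bare 20-byte TCP header carrying the given flag bits."""
    off_flags = (5 << 12) | flags  # data offset of 5 words, no reserved bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 1024, 0, 0)
```

Running `inspect_segment(build_segment(ALL_SIX))` yields three alerts while `build_segment(0x02)` (a plain SYN) yields none; in both cases the bytes are only ever decoded, never processed by a TCP.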