Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: tqbf () secnet com
Date: Sun, 15 Feb 1998 14:49:29 -0600 (CST)

> You're right about firewalls, but possibly wrong about non-proxy IDS's.
> A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't
> be vulnerable to bugs in one.  Suppose, for example, that a TCP segment

I see where you're coming from but do not agree. In order for a passive
network IDS to actually work, it needs to do some level of protocol
analysis over captured packets. The packets it captures are in part
controlled by the attacker, and the attacker can modulate the contents of
those packets in order to exercise bugs in the protocol analysis code.

I'm following you here...

> Clearly, the more closely
> an IDS mimics the behavior of an end system, the more vulnerable it is.

... but also adding that most "non-proxy" ID systems "mimic" the
end-systems they watch closely enough to have software complex enough to
contain bugs (but not close enough to accurately reconstruct sessions ---
what a situation!). 

I guess I'd just like to be careful about saying that passive ID systems
are resistant to attack; our paper didn't go into the "bugs" we found in
the systems we tested (not within the scope of the paper and didn't have
lasting importance); the ones we found just crashed the system, but
that doesn't mean there aren't more serious problems.

Of course, one solution here is to cut the transmit leads; that poses some
manageability problems though. =)

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
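The point made above, that a passive IDS has to run protocol-analysis code over packets whose contents the attacker chooses, is illustrated by the following added example. It is not code from the original message, from Secure Networks, or from any product mentioned in the thread. It contains a deliberately trusting IPv4/TCP header parser of the kind that falls over on malformed input, beside a checked parser that validates every attacker-controlled length field before using it. The packets are constructed inline with a small hypothetical builder (`build_packet`), with made-up addresses and ports.

```python
import struct

# Constructed sample traffic: a minimal IPv4 + TCP packet whose header
# length fields can be set to bogus values (hypothetical helper, not from
# the original message).
def build_packet(payload=b"GET / HTTP/1.0\r\n", ihl_words=5, doff_words=5):
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 0, 0, doff_words << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_naive(pkt):
    """Trusts every length field in the packet. On a short packet it
    raises (the analysis code "crashes"); on a bogus IHL or data offset
    it silently mis-parses and may never see the real payload."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src": pkt[12:16], "dst": pkt[16:20],
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


def parse_checked(pkt):
    """Validates each attacker-controlled field before relying on it.
    Returns (fields, None) on success or (None, reason) on rejection,
    so a malformed packet becomes an alert rather than a crash."""
    if len(pkt) < 20:
        return None, "IPv4 header truncated"
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return None, f"not IPv4 (version {version})"
    if ihl < 20:
        return None, f"IHL {ihl} below minimum 20"
    if ihl > len(pkt):
        return None, f"IHL {ihl} exceeds captured length {len(pkt)}"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        return None, f"total length {total_len} inconsistent with capture"
    if pkt[9] != 6:
        return None, f"protocol {pkt[9]} is not TCP"
    seg = pkt[ihl:total_len]
    if len(seg) < 20:
        return None, "TCP header truncated"
    sport, dport = struct.unpack("!HH", seg[:4])
    doff = (seg[12] >> 4) * 4
    if doff < 20 or doff > len(seg):
        return None, f"TCP data offset {doff} exceeds segment length {len(seg)}"
    return {"src": pkt[12:16], "dst": pkt[16:20],
            "sport": sport, "dport": dport, "payload": seg[doff:]}, None


def naive_crashes(pkt):
    """True if the trusting parser raises on this packet."""
    try:
        parse_naive(pkt)
    except (struct.error, IndexError):
        return True
    return False


if __name__ == "__main__":
    for label, pkt in [("well-formed", build_packet()),
                       ("IHL=0", build_packet(ihl_words=0)),
                       ("truncated", build_packet()[:14]),
                       ("data offset 60", build_packet(doff_words=15))]:
        print(label, "naive crashes:", naive_crashes(pkt),
              "checked:", parse_checked(pkt)[1] or "ok")
```

The checked parser treats an out-of-range header length as evidence about the sender rather than as an instruction to follow; the truncated and bogus-offset cases are exactly the inputs on which the trusting version either raises or quietly reports an empty payload.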