Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (IDS)
From: Kjell Wooding <kwooding () codetalker com>
Date: Wed, 01 Jul 1998 12:28:00 -0600
[I think I'll butt into the middle of this, albeit on a bit of a sidebar]
This attack was a recent discovery, and I have seen no literature (our IDS paper excluded) that explored the ramifications of this type of attack.I imagine the IDS vendors will have to start assembling fragments, and checking for valid frag pointers. Are you implying that they can't, won't, or it's too hard?
As pointed out in the IDS paper, this would require the IDS to reassemble the *same* fragment stream in many different ways to simulate the behaviors of the various TCP/IP stacks out there. This is extremely time consuming (in a real-time monitoring scenario) and requires intimate knowledge of all the Stack flavors protected by the firewall. Seems to me you could greatly reduce the impact of this sort of attack by combining packet reassembly capability into your IDS, and making it an active choke between the outside world and the firewall. This would provide a clean packet stream (free of fragments) that have been reassembled in a consistent manner, making life easier for both the firewall (especially an SPF) and your IDS (which only has to reassemble the fragments in one way). Incidently, changing the role of the IDS from a passive monitor to an active choke also addresses the "fail open" behavior of traditional IDS's -kj -- Kjell Wooding <kwooding () codetalker com> Codetalker Communications, Inc. For the latest Infosec News, see http://www.codetalker.com/
Current thread:
- Re: Proxy 2.0 secure? (IDS) Kjell Wooding (Jul 02)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- <Possible follow-ups>
- Re: Proxy 2.0 secure? (IDS) Ryan Russell (Jul 02)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- RE: Proxy 2.0 secure? (IDS) ICMan (Jul 03)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)