Re: Proxy 2.0 secure? (IDS)

[Kjell Wooding <kwooding () codetalker com>]

[I think I'll butt into the middle of this, albeit on a bit of a sidebar]

> > This attack was a recent discovery, and I have
> > seen no literature (our IDS paper excluded) that explored the
> > ramifications of this type of attack.
>
> I imagine the IDS vendors will have to start assembling fragments,
> and checking for valid frag pointers.  Are you implying that they
> can't, won't, or it's too hard?

As pointed out in the IDS paper, this would require the IDS to reassemble the
*same* fragment stream in many different ways to simulate the behaviors of
the various TCP/IP stacks out there.  This is extremely time consuming (in
a real-time monitoring scenario) and requires intimate knowledge of all the
Stack flavors protected by the firewall.

Seems to me you could greatly reduce the impact of this sort of attack by
combining packet
reassembly capability into your IDS, and making it an active choke between
the outside
world and the firewall. This would provide a clean packet stream (free of
fragments) that have been reassembled in a consistent manner, making life
easier for both the firewall (especially an SPF) and your IDS (which only
has to reassemble the fragments in one way). 

Incidently, changing the role of the IDS from a passive monitor to an
active choke also
addresses the "fail open" behavior of traditional IDS's

-kj

 
--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.

For the latest Infosec News, see http://www.codetalker.com/