Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (IDS)
From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 1 Jul 1998 12:30:22 -0700
I think Thomas' point is that there is no way to identify even well-known attacks if they've been fragmented in funny ways for different OSes. I'd have to agree with that. No IDS will catch 100% of the attacks, and not even 100% of known attacks if they are presented in different packet-breaking styles. My question towards that end is: isn't there some common thing to look for with these funny streams that will identify it as a problem, if not that it's a /cgi-bin/phf attack?

For your question... if it's done on the firewall machine, I'd assume the firewall would reassemble it one particular way, which would prevent the attack from working, but might not allow the IDS to identify it as an attempt. I guess that would be more for layer 3 DoS-type attacks than app-type attacks.

Ryan

---------------------------------------------------------------------------
I imagine the IDS vendors will have to start assembling fragments, and checking for valid frag pointers. Are you implying that they can't, won't, or it's too hard?
As pointed out in the IDS paper, this would require the IDS to reassemble the *same* fragment stream in many different ways to simulate the behaviors of the various TCP/IP stacks out there. This is extremely time consuming (in a real-time monitoring scenario) and requires intimate knowledge of all the stack flavors protected by the firewall.

Seems to me you could greatly reduce the impact of this sort of attack by combining packet reassembly capability into your IDS, and making it an active choke between the outside world and the firewall. This would provide a clean packet stream (free of fragments) that has been reassembled in a consistent manner, making life easier for both the firewall (especially an SPF) and your IDS (which only has to reassemble the fragments in one way).

Incidentally, changing the role of the IDS from a passive monitor to an active choke also addresses the "fail open" behavior of traditional IDSs.
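The two ideas raised in the thread, reassembling every datagram one consistent way at an inline choke point and Ryan's question about a "common thing to look for" in oddly fragmented streams, can be shown together in a small reassembler. This is an added example, not code from any of the posters or from the IDS paper they cite; the fragment layout (id, offset, payload, more-fragments flag), the "first data wins" policy and the sample fragment streams are all constructed here. The symptom it flags is the one the ambiguity depends on: overlapping fragments whose bytes disagree, which no legitimate stack should emit, plus fragment offsets that point outside a legal IPv4 datagram.

```python
"""Single-policy IP fragment reassembly with overlap-conflict detection.

Constructed example: rebuild each datagram one way (first-arriving data wins)
and record the anomalies an inline IDS/normalizer can act on regardless of
which OS stack sits behind it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535   # IPv4 total-length ceiling
IP_HEADER_LEN = 20     # assumed minimal header for the bounds check


@dataclass
class Fragment:
    frag_id: int          # IP identification field shared by one datagram
    offset: int           # byte offset of this payload in the original datagram
    payload: bytes
    more_fragments: bool  # MF flag; False on the final fragment


@dataclass
class Datagram:
    data: bytearray = field(default_factory=bytearray)
    seen: bytearray = field(default_factory=bytearray)   # 1 where a byte has been written
    total_len: Optional[int] = None                       # known once the MF=0 fragment arrives
    anomalies: List[str] = field(default_factory=list)


class Reassembler:
    """Reassemble with a fixed 'first wins' policy and report ambiguities."""

    def __init__(self) -> None:
        self._pending: Dict[int, Datagram] = {}

    def anomalies(self, frag_id: int) -> List[str]:
        """Anomalies recorded so far for a datagram that is still incomplete."""
        dg = self._pending.get(frag_id)
        return list(dg.anomalies) if dg else []

    def feed(self, frag: Fragment) -> Optional[Tuple[bytes, List[str]]]:
        """Consume one fragment; return (payload, anomalies) when the datagram completes."""
        dg = self._pending.setdefault(frag.frag_id, Datagram())
        end = frag.offset + len(frag.payload)

        # Fragment pointer sanity: offset + length must fit inside one IPv4 datagram.
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            dg.anomalies.append(
                f"offset {frag.offset} + length {len(frag.payload)} exceeds max datagram")
            return None

        if not frag.more_fragments:
            if dg.total_len is not None and dg.total_len != end:
                dg.anomalies.append(
                    f"conflicting last-fragment lengths {dg.total_len} vs {end}")
            dg.total_len = end

        # Grow the buffers so this fragment fits.
        if end > len(dg.data):
            dg.data.extend(b"\x00" * (end - len(dg.data)))
            dg.seen.extend(b"\x00" * (end - len(dg.seen)))

        # Write bytes with a single policy: earlier data is never overwritten.
        conflicts = 0
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if dg.seen[pos]:
                if dg.data[pos] != byte:
                    conflicts += 1       # same offset, different content: the ambiguity
                continue
            dg.data[pos] = byte
            dg.seen[pos] = 1
        if conflicts:
            dg.anomalies.append(
                f"fragment at offset {frag.offset} overlaps earlier data "
                f"with {conflicts} conflicting byte(s)")

        # Complete once the final fragment is known and every byte before it is present.
        if dg.total_len is None or not all(dg.seen[:dg.total_len]):
            return None
        if len(dg.data) > dg.total_len:
            dg.anomalies.append("data beyond the declared end of the datagram")
        del self._pending[frag.frag_id]
        return bytes(dg.data[:dg.total_len]), dg.anomalies


if __name__ == "__main__":
    r = Reassembler()
    # Constructed stream: benign request split in two, no overlap.
    r.feed(Fragment(1, 0, b"GET /", True))
    print(r.feed(Fragment(1, 5, b"index.html", False)))
    # Constructed stream: second fragment overlaps the first with different bytes.
    r.feed(Fragment(2, 0, b"AAAAAAAA", True))
    r.feed(Fragment(2, 4, b"BBBBBBBB", True))
    print(r.feed(Fragment(2, 12, b"CCCC", False)))
```

Placed inline as the thread suggests, the reassembled payload is what gets forwarded, so every host behind the choke sees the same bytes the IDS inspected; the anomaly list is the per-datagram signal worth alerting on, independent of whether the content matches any known attack.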