Firewall Wizards mailing list archives
RE: Proxy 2.0 secure? (IDS)
From: ICMan <shane () tor securecomputing com>
Date: Fri, 3 Jul 1998 10:34:56 -0400
Would not an application layer gateway type of firewall alleviate any stack/protocol problems? An ALG, by definition, disassembles packets on one side of the firewall, and recreates them on the other side from scratch. Thus if the ALG firewall is not affected by strange packet munging, then nothing will happen. The flaw is not propogated past the firewall, and thus cannot attack a flawed stack on the other side of the firewall. This would be true in both directions, which also stops your internal users from launching such an attack out through the firewall. This is not a feature of a Stateful Multi-Layer Inspection (SMLI) engine. The SMLI engine has to be built to understand all protocol attacks for all stacks so it can filter them out. This is one of the primary reasons that, from a security perspective, ALG is considered a superior firewall architecture to SMLI, though SMLI has better throughput. (at least, it has better throughput until you add all the checking for protocol flaws. Then I would imagine that the SMLI firewall's CPU will overheat, explode, kill half of your IT staff. ;-) Can you tell which camp I belong to?) ICMan -----Original Message----- From: Kjell Wooding [SMTP:kwooding () codetalker com] Sent: Wednesday, 01 July, 1998 2:28 PM To: Ryan Russell; tqbf () pobox com Cc: firewall-wizards () nfr net Subject: Re: Proxy 2.0 secure? (IDS) [I think I'll butt into the middle of this, albeit on a bit of a sidebar]
This attack was a recent discovery, and I have seen no literature (our IDS paper excluded) that explored the ramifications of this type of attack.I imagine the IDS vendors will have to start assembling fragments, and checking for valid frag pointers. Are you implying that they can't, won't, or it's too hard?
As pointed out in the IDS paper, this would require the IDS to reassemble the *same* fragment stream in many different ways to simulate the behaviors of the various TCP/IP stacks out there. This is extremely time consuming (in a real-time monitoring scenario) and requires intimate knowledge of all the Stack flavors protected by the firewall. Seems to me you could greatly reduce the impact of this sort of attack by combining packet reassembly capability into your IDS, and making it an active choke between the outside world and the firewall. This would provide a clean packet stream (free of fragments) that have been reassembled in a consistent manner, making life easier for both the firewall (especially an SPF) and your IDS (which only has to reassemble the fragments in one way). Incidently, changing the role of the IDS from a passive monitor to an active choke also addresses the "fail open" behavior of traditional IDS's -kj -- Kjell Wooding <kwooding () codetalker com> Codetalker Communications, Inc. For the latest Infosec News, see http://www.codetalker.com/
Current thread:
- Re: Proxy 2.0 secure? (IDS) Kjell Wooding (Jul 02)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- <Possible follow-ups>
- Re: Proxy 2.0 secure? (IDS) Ryan Russell (Jul 02)
- Re: Proxy 2.0 secure? (IDS) tqbf (Jul 07)
- RE: Proxy 2.0 secure? (IDS) ICMan (Jul 03)
- Re: Proxy 2.0 secure? (IDS) David Lang (Jul 07)