Firewall Wizards mailing list archives

RE: Proxy 2.0 secure? (IDS)


From: ICMan <shane () tor securecomputing com>
Date: Fri, 3 Jul 1998 10:34:56 -0400

Would not an application layer gateway type of firewall alleviate any 
stack/protocol problems?  An ALG, by definition, disassembles packets on 
one side of the firewall, and recreates them on the other side from 
scratch.  Thus if the ALG firewall is not affected by strange packet 
munging, then nothing will happen.  The flaw is not propagated past the 
firewall, and thus cannot attack a flawed stack on the other side of the 
firewall.  This would be true in both directions, which also stops your 
internal users from launching such an attack out through the firewall.

This is not a feature of a Stateful Multi-Layer Inspection (SMLI) engine. 
The SMLI engine has to be built to understand all protocol attacks for all 
stacks so it can filter them out.

This is one of the primary reasons that, from a security perspective, ALG 
is considered a superior firewall architecture to SMLI, though SMLI has 
better throughput.  (at least, it has better throughput until you add all 
the checking for protocol flaws.  Then I would imagine that the SMLI 
firewall's CPU will overheat, explode, kill half of your IT staff. ;-)  Can 
you tell which camp I belong to?)

ICMan

-----Original Message-----
From:   Kjell Wooding [SMTP:kwooding () codetalker com]
Sent:   Wednesday, 01 July, 1998 2:28 PM
To:     Ryan Russell; tqbf () pobox com
Cc:     firewall-wizards () nfr net
Subject:        Re: Proxy 2.0 secure? (IDS)

[I think I'll butt into the middle of this, albeit on a bit of a sidebar]

This attack was a recent discovery, and I have
seen no literature (our IDS paper excluded) that explored the
ramifications of this type of attack.

I imagine the IDS vendors will have to start assembling fragments,
and checking for valid frag pointers.  Are you implying that they
can't, won't, or it's too hard?

As pointed out in the IDS paper, this would require the IDS to reassemble the
*same* fragment stream in many different ways to simulate the behaviors of
the various TCP/IP stacks out there.  This is extremely time consuming (in
a real-time monitoring scenario) and requires intimate knowledge of all the
stack flavors protected by the firewall.

Seems to me you could greatly reduce the impact of this sort of attack by
combining packet reassembly capability into your IDS, and making it an
active choke between the outside world and the firewall. This would provide
a clean packet stream (free of fragments) that has been reassembled in a
consistent manner, making life easier for both the firewall (especially an
SPF) and your IDS (which only has to reassemble the fragments in one way).

Incidentally, changing the role of the IDS from a passive monitor to an
active choke also addresses the "fail open" behavior of traditional IDS's.

-kj


--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.

For the latest Infosec News, see http://www.codetalker.com/
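
The ambiguity both posters are arguing about, as an added worked example that is not part of the original thread or of anyone's product: the same two overlapping IP fragments are reassembled under two simplified overlap policies (first fragment wins, last fragment wins) and produce two different payloads, so a monitor that reassembles one way misses what a host that reassembles the other way actually executes. A third routine plays the role of Kjell's active choke: it reassembles in exactly one way and drops any datagram whose fragments overlap or leave a hole, so the firewall and IDS behind it only ever see one unambiguous stream. The fragment offsets, payloads, the `/etc/` signature and the two policies are all constructed for illustration (real stacks have more nuanced rules than "first" or "last"); offsets are kept to 8-byte multiples as real IP fragment offsets are.

```python
"""Fragment-reassembly ambiguity and a normalizing choke point (constructed example)."""

from typing import Iterable, List, Optional, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the datagram, payload)

FIRST_WINS = "first"  # bytes already placed are kept; a later overlap is ignored
LAST_WINS = "last"    # a later fragment overwrites whatever was placed before


def reassemble(frags: Iterable[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble fragments the way a (simplified) end-host stack might.

    Returns None if the fragments leave a hole, since an incomplete datagram is
    never delivered to the application.
    """
    if policy not in (FIRST_WINS, LAST_WINS):
        raise ValueError(f"unknown policy {policy!r}")
    frags = list(frags)
    if not frags:
        return None
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    covered = [False] * total
    for off, data in frags:  # arrival order matters, exactly as on a real stack
        for i, byte in enumerate(data):
            pos = off + i
            if policy == FIRST_WINS and covered[pos]:
                continue  # keep the byte that arrived first
            buf[pos] = byte
            covered[pos] = True
    if not all(covered):
        return None  # a hole: the datagram never completes
    return bytes(buf)


def normalize(frags: Iterable[Fragment]) -> Tuple[Optional[bytes], List[str]]:
    """Choke-point reassembly: one fixed policy, and anything ambiguous is dropped.

    Returns (payload, findings); payload is None when the datagram is refused.
    Fragments are taken in offset order, so arrival order no longer matters,
    and any overlap (including a duplicate) or hole is a reason to drop.
    """
    findings: List[str] = []
    out = bytearray()
    end = 0  # one past the highest byte placed so far
    for off, data in sorted(frags, key=lambda f: f[0]):
        if off % 8:
            findings.append(f"offset {off} is not a multiple of 8")
        if off < end:
            findings.append(f"fragment at {off} overlaps bytes {off}..{end - 1}")
            return None, findings
        if off > end:
            findings.append(f"hole between {end} and {off}")
            return None, findings
        out += data
        end += len(data)
    return bytes(out), findings


# Constructed attacker stream: a benign-looking first fragment, then an
# overlapping fragment that rewrites the path on a stack where later data wins.
ATTACK_STREAM: List[Fragment] = [
    (0, b"GET /ab/index.html"),  # 18 bytes, covers offsets 0..17
    (8, b"../etc/pwd"),          # 10 bytes, covers offsets 8..17 (overlap)
]

SIGNATURE = b"/etc/"  # constructed: the string a signature-based monitor looks for


def ids_alerts(frags: Iterable[Fragment], policy: str) -> bool:
    """Would a monitor that reassembles under `policy` see the signature?"""
    payload = reassemble(frags, policy)
    return payload is not None and SIGNATURE in payload


if __name__ == "__main__":
    for policy in (FIRST_WINS, LAST_WINS):
        print(f"{policy:>5}-wins stack sees: {reassemble(ATTACK_STREAM, policy)!r}"
              f"  alert={ids_alerts(ATTACK_STREAM, policy)}")
    payload, findings = normalize(ATTACK_STREAM)
    print(f"choke point: payload={payload!r} findings={findings}")
```

Run stand-alone, the first-wins host sees `GET /ab/index.html` and the last-wins host sees `GET /ab/../etc/pwd`, so a monitor built around either policy is wrong for the other; the choke point does not try to guess and instead refuses the overlapping datagram, which is the "only reassemble one way" property the post argues for. The cost Kjell alludes to is also visible: the choke must hold fragments until a datagram completes, which is state an attacker can try to exhaust.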
