Re: Proxy 2.0 secure? (IDS)

[David Lang <dlang () diginsite com>]

-----BEGIN PGP SIGNED MESSAGE-----

make your firewall do the packet reassembly, leave your IDS in passive
monitoring so that it does not become the object of an attack.

David Lang


On Wed, 1 Jul 1998, Kjell Wooding wrote:

> Date: Wed, 01 Jul 1998 12:28:00 -0600
> From: Kjell Wooding <kwooding () codetalker com>
> To: Ryan Russell <ryanr () sybase com>, tqbf () pobox com
> Cc: firewall-wizards () nfr net
> Subject: Re: Proxy 2.0 secure? (IDS)
>
> [I think I'll butt into the middle of this, albeit on a bit of a sidebar]
>
> > > This attack was a recent discovery, and I have
> > > seen no literature (our IDS paper excluded) that explored the
> > > ramifications of this type of attack.
> >
> > I imagine the IDS vendors will have to start assembling fragments,
> > and checking for valid frag pointers.  Are you implying that they
> > can't, won't, or it's too hard?
>
> As pointed out in the IDS paper, this would require the IDS to reassemble the
> *same* fragment stream in many different ways to simulate the behaviors of
> the various TCP/IP stacks out there.  This is extremely time consuming (in
> a real-time monitoring scenario) and requires intimate knowledge of all the
> Stack flavors protected by the firewall.
>
> Seems to me you could greatly reduce the impact of this sort of attack by
> combining packet
> reassembly capability into your IDS, and making it an active choke between
> the outside
> world and the firewall. This would provide a clean packet stream (free of
> fragments) that have been reassembled in a consistent manner, making life
> easier for both the firewall (especially an SPF) and your IDS (which only
> has to reassemble the fragments in one way). 
>
> Incidently, changing the role of the IDS from a passive monitor to an
> active choke also
> addresses the "fail open" behavior of traditional IDS's
>
> -kj
>
>  
> --
> Kjell Wooding <kwooding () codetalker com>
> Codetalker Communications, Inc.
>
> For the latest Infosec News, see http://www.codetalker.com/

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNZ6hbT7msCGEppcbAQFnKgf/R1lz7pAURDT0H3EWcy76fZnVQ+dL3sdj
Lei5MCIV164jZXG2EPTDcB2BP5IzLjhdt9md1joPPOoSfzrh7djVcLpIUM8nEkPI
BV7x0hyMQ1i5HVbOK1AFeBHVtwt7RRxnl7RU5fGKOKmK27Iw8RRi+16Fry6y3lIW
EcSbrddfgyWJxmVRTqTPBqpDOQR4ALIPt0MZxZ6pz0cBjp0zoiVYcl3zZtQWkElQ
tEM5VYZ1oT4QoqC/BJ15qmpb36YrYhaLT7OCiCKM2mruCH5ERBakohpALRAddqjM
IPn0wvaApf4YOWjgM7pYbRqDeCDs/TJDJAIcQ5fhrMeDr889jAbhFw==
=UNDX
-----END PGP SIGNATURE-----