Snort mailing list archives

Re: fragroute vs. snort: the tempest in a teacup

From: "Crist J. Clark" <crist.clark () attbi com>
Date: Sat, 20 Apr 2002 00:08:39 -0700

On Fri, Apr 19, 2002 at 08:10:54AM +1000, Darren Reed wrote:

In some mail from Dug Song, sie said:

Most firewalls these days (especially Linux and OpenBSD ones)
actually do reassembly inbound.


this isn't quite true. most stateful inspection firewalls do "virtual
reassembly" for IP fragments, and a few do basic window tracking for
TCP connections, but will still allow most fragroute-style attacks
through (e.g. duplicate overwriting TCP segments with older TCP
timestamp options for PAWS elimination, short TTLs, etc.).


Well then IDS software needs to be smarter.  IMHO it makes little sense
for an IDS to be *behind* a firewall as it's going to miss out on lots
of useful data points.


Oy, here we go...

Many, many people will argue that putting the NIDS on the inside is the
right place. Unless you are doing research, who cares about all of the
crap the skr1Pt k1ddiez fire at your network that bounces off of the
firewall? It's not a real threat to you. If you're just concerned
about protecting machines, you just want to know about the stuff that
actually gets too them. To extend a lame physical security analogy,
you don't put motion detectors wired to alarms outside of your door
facing a busy sidewalk. You put the motion detectors _inside_ in case
anyone gets in.[0]

IMHO, there is no "right" answer.  Whether you put it on the inside or
outside is entirely dependent on an individual site's security policy
and IS security resources.

[snip]

There are good reasons NOT to do reassembly and I imagine those that do
not do so because they understand this better than the desire to simply
add yet another feature which some consider "cool".


Reassembling datagrams violates the router RFC requirements. (OTOH,
the just about any firewalling concept breaks rules.)

[0] Of course, there is the argument that you may want to put security
cameras both inside and outside. However, you don't put alarms on the
external cameras. You use the external cameras as a forensic tool
after the fact. It's great to have both. However, we all have limited
resources. If you can only afford motion detectors on the inside, or
(exclusive-or) a security camera on the outside, you probably want to
opt for the motion detector. But again, YMMV depending on your own
site's requirements.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

fragroute vs. snort: the tempest in a teacup Dragos Ruiu (Apr 17)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)
  - Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
    - Re: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 19)
    - RE: fragroute vs. snort: the tempest in a teacup Enno Rey (Apr 19)
    - Re: fragroute vs. snort: the tempest in a teacup Marco Thorbruegge (Apr 19)
    - Re: fragroute vs. snort: the tempest in a teacup Crist J. Clark (Apr 20)
  - Re: fragroute vs. snort: the tempest in a teacup Francis Cianfrocca (Apr 18)
    - Re: Re: fragroute vs. snort: the tempest in a teacup Jason Haar (Apr 18)
- <Possible follow-ups>
- Re: fragroute vs. snort: the tempest in a teacup Brad Powell (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Steven M. Bellovin (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Craig, Scott (Apr 25)
  - RE: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 25)