Snort mailing list archives
Re: fragroute vs. snort: the tempest in a teacup
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Sat, 20 Apr 2002 00:08:39 -0700
On Fri, Apr 19, 2002 at 08:10:54AM +1000, Darren Reed wrote:
> In some mail from Dug Song, sie said:
> > > Most firewalls these days (especially Linux and OpenBSD ones) actually do reassembly inbound.
> >
> > this isn't quite true. most stateful inspection firewalls do "virtual reassembly" for IP fragments, and a few do basic window tracking for TCP connections, but will still allow most fragroute-style attacks through (e.g. duplicate overwriting TCP segments with older TCP timestamp options for PAWS elimination, short TTLs, etc.).
>
> Well then IDS software needs to be smarter. IMHO it makes little sense for an IDS to be *behind* a firewall as it's going to miss out on lots of useful data points.
Oy, here we go... Many, many people will argue that putting the NIDS on the inside is the right place. Unless you are doing research, who cares about all of the crap the skr1Pt k1ddiez fire at your network that bounces off of the firewall? It's not a real threat to you. If you're just concerned about protecting machines, you just want to know about the stuff that actually gets to them. To extend a lame physical security analogy, you don't put motion detectors wired to alarms outside of your door facing a busy sidewalk. You put the motion detectors _inside_ in case anyone gets in.[0] IMHO, there is no "right" answer. Whether you put it on the inside or outside is entirely dependent on an individual site's security policy and IS security resources.

[snip]
> There are good reasons NOT to do reassembly and I imagine those that do not do so because they understand this better than the desire to simply add yet another feature which some consider "cool".
Reassembling datagrams violates the router RFC requirements. (OTOH, just about any firewalling concept breaks rules.)

[0] Of course, there is the argument that you may want to put security cameras both inside and outside. However, you don't put alarms on the external cameras. You use the external cameras as a forensic tool after the fact. It's great to have both. However, we all have limited resources. If you can only afford motion detectors on the inside, or (exclusive-or) a security camera on the outside, you probably want to opt for the motion detector. But again, YMMV depending on your own site's requirements.

--
Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu
http://people.freebsd.org/~cjc/ | cjc () freebsd org
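The "virtual reassembly" Dug Song mentions, and the reason overlapping fragments are a problem for anything that reassembles in front of the real host, is easier to see with a small reassembler in hand. The following Python is an added illustration written for this archive page; it is not code from Snort, fragroute, or any firewall quoted in the thread. It keeps fragments as in-memory (offset, MF flag, payload) tuples with constructed sample data rather than parsing wire packets, reassembles under two overlap policies ("first" keeps the earliest data for a byte, "last" lets later fragments overwrite, both of which real stacks have used), and flags the conditions a defender wants surfaced: conflicting overlaps, inconsistent datagram length, bad fragment alignment, and a datagram that differs depending on policy.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    """One IP fragment of a datagram (constructed, not parsed from the wire)."""
    offset: int      # payload offset in bytes (the wire field is offset/8)
    more: bool       # MF flag: True on every fragment except the last
    payload: bytes


@dataclass
class Result:
    data: Optional[bytes]                 # reassembled payload, None if incomplete
    anomalies: list = field(default_factory=list)


def reassemble(frags, policy="first"):
    """Virtual reassembly in arrival order under one overlap policy.

    policy="first": the byte seen first wins for any overlapping range.
    policy="last":  later fragments overwrite earlier data.
    Hosts differ here, so an inline reassembler that silently picks one
    policy may forward a datagram the end host interprets differently.
    """
    buf = {}            # byte position -> value
    anomalies = []
    total = None        # datagram length, learned from the last fragment
    for n, f in enumerate(frags):
        if f.more and len(f.payload) % 8:
            anomalies.append(f"frag{n}: non-final fragment length not a multiple of 8")
        if f.offset % 8:
            anomalies.append(f"frag{n}: offset not a multiple of 8")
        end = f.offset + len(f.payload)
        if not f.more:
            if total is not None and total != end:
                anomalies.append(f"frag{n}: conflicting datagram length {end} vs {total}")
            total = end
        elif total is not None and end > total:
            anomalies.append(f"frag{n}: data beyond declared end {total}")
        conflict = False
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in buf:
                if buf[pos] != b:
                    conflict = True
                if policy == "first":
                    continue
            buf[pos] = b
        if conflict:
            anomalies.append(f"frag{n}: overlaps earlier data with different bytes")
    if total is None or any(p not in buf for p in range(total)):
        return Result(None, anomalies)
    return Result(bytes(buf[p] for p in range(total)), anomalies)


def ambiguous(frags):
    """True when the two overlap policies yield different datagrams,
    i.e. the fragment set should be alerted on or dropped, not forwarded."""
    return reassemble(frags, "first").data != reassemble(frags, "last").data


# Constructed sample fragment sets (8-byte payloads, byte offsets).
CLEAN = [
    Fragment(0, True, b"GET /ind"),
    Fragment(8, True, b"ex.html "),
    Fragment(16, False, b"HTTP/1.0"),
]
# Same datagram with a second fragment re-sent at offset 8 carrying
# different bytes: the classic overlap ambiguity.
OVERLAP = [
    Fragment(0, True, b"GET /ind"),
    Fragment(8, True, b"ex.html "),
    Fragment(8, True, b"ex.txt  "),
    Fragment(16, False, b"HTTP/1.0"),
]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP)):
        r = reassemble(frags)
        print(name, r.data, r.anomalies, "ambiguous" if ambiguous(frags) else "ok")
```

The useful property is the last one: for `OVERLAP` the two policies disagree, which is exactly the case where a firewall or NIDS doing virtual reassembly cannot know what the destination host will see. Treating `ambiguous()` as an alert or drop condition removes the guesswork, which is what target-based or overlap-alerting reassemblers later did in practice.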
Current thread:
- fragroute vs. snort: the tempest in a teacup Dragos Ruiu (Apr 17)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Enno Rey (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Marco Thorbruegge (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Crist J. Clark (Apr 20)
- Re: fragroute vs. snort: the tempest in a teacup Francis Cianfrocca (Apr 18)
- Re: Re: fragroute vs. snort: the tempest in a teacup Jason Haar (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- <Possible follow-ups>
- Re: fragroute vs. snort: the tempest in a teacup Brad Powell (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Steven M. Bellovin (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Craig, Scott (Apr 25)
- RE: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 25)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)