Snort mailing list archives

Re: flow_depth and WMF exploit


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 05 Jan 2006 11:20:40 -0600

On Thu, 2006-01-05 at 12:11 -0500, Jason wrote:
> At no point in time was an IDS/IPS _designed_ to handle client side
> attacks or the myriad of options for encodings, file formats,
> compression, embedding... that exist on the client side. This function
> has and will remain a responsibility of software on the host.
> Traditionally this has been AV and unfortunately they have been failing
> to respond effectively.

Please don't put words into my mouth. I didn't say this at all. Matter
of fact, I said the same thing you said in a different email.

> The assertion that IPS is less capable of performing the task it is
> designed for is fallacious and only highlights the complete lack of
> understanding in the market of the technology.

Not quite. IPSes that claim to inspect traffic at wire speed (that
includes server responses) are less capable of performing the
inspection tasks at higher speeds when the workload is increased by also
having to decode the data first from various encoding formats. (Proxies
are better suited for that since they were designed from day one as an
accept-and-forward type device.)

I'm not talking about your rate-limiters and profile based IPSes.
Actually, we didn't even venture into the I_P_S arena at all, and
purposefully so. Please don't lead us there, especially not with
dismissive comments like the one above.


-Frank


--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
