RE: Firewall and IDS, (the second way).

["Pedro Quintanilha" <PQuintanilha () abril com br>]

Yeap. But if the Firewall (or another block device) was dinamically configured to block your packets, then it´s so 
possible that you touch a nIDS and it causes the reconfiguration.


Pedro Quintanilha
Segurança da Informação
Editora Abril s/a
pquintanilha () abril com br
+55-11-3037-4297



-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr]
Sent: Wednesday, March 20, 2002 8:32 AM
To: Pedro Quintanilha; vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).




> -----Original Message-----
> From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
> Sent: 18. ozujak 2002 21:41
> To: vuln-dev () securityfocus com
> Subject: RE: Firewall and IDS, (the second way).

> - IP Ban (drops, ICMP unreachables)
>
>       Another good method to detect the presence of a nIDS. 
> Some administrators configure nIDSs to act on Firewalls (f.e. 
> OPSEC) to block any traffic from a IP that is source of a 
> flood of many kinds of packets, like ICMP flood, port-scans, 
> etc. So, if you want to detect it, you just need to generate 
> a flood, and capture the return packets. If you suddenly 
> start to receive ICMP port/host/net unreachabes, or stop to 
> receive target host´s responses (ACKs, ICMP Echo-Replies, 
> etc), then you probably hit a nIDS.

Correct me if I'm wrong, but IDS will act upon firewall which will at the end change it's ACL. So it's firewall who 
will cut your ability to connect to other host and I don't think you are able to receive any packet from NIDS - only 
one who should receive something is firewall.