Vulnerability Development mailing list archives
RE: Firewall and IDS, (the second way).
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 20 Mar 2002 14:35:57 +0100
We probably misunderstood each other :)

NIDS just sniffs on some network place. If you happen to flood some other host, and NIDS can see that flood, it can dynamically reconfigure the router to change its ACLs and to cut you off.

If everything is on the other side of the network, meaning that you are somewhere in the Internet, there is no way that you'll see any packet that came from NIDS, as it only:

1) sniffs the network
2) sends commands to its router

Just my 2 cents ...

Best regards,
Bojan Zdrnja
-----Original Message-----
From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
Sent: 20 March 2002 13:06
To: Bojan.Zdrnja () FER hr; vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).

Yeap. But if the Firewall (or another block device) was dynamically configured to block your packets, then it's so possible that you touch a nIDS and it causes the reconfiguration.

Pedro Quintanilha
Segurança da Informação
Editora Abril s/a
pquintanilha () abril com br
+55-11-3037-4297

-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr]
Sent: Wednesday, March 20, 2002 8:32 AM
To: Pedro Quintanilha; vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).

> -----Original Message-----
> From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
> Sent: 18 March 2002 21:41
> To: vuln-dev () securityfocus com
> Subject: RE: Firewall and IDS, (the second way).
>
> - IP Ban (drops, ICMP unreachables)
>
> Another good method to detect the presence of a nIDS. Some administrators configure nIDSs to act on Firewalls (f.e. OPSEC) to block any traffic from an IP that is the source of a flood of many kinds of packets, like ICMP flood, port-scans, etc. So, if you want to detect it, you just need to generate a flood, and capture the return packets. If you suddenly start to receive ICMP port/host/net unreachables, or stop receiving the target host's responses (ACKs, ICMP Echo-Replies, etc), then you probably hit a nIDS.

Correct me if I'm wrong, but IDS will act upon the firewall, which will at the end change its ACL. So it's the firewall who will cut your ability to connect to the other host, and I don't think you are able to receive any packet from NIDS - the only one who should receive something is the firewall.
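The point the thread settles on is the division of roles: the NIDS is a passive sniffer that only sees copies of packets and, on a threshold, pushes an ACL change to the firewall or router; every packet the flooding host then sees (or stops seeing) comes from the enforcement device, not from the sensor. The following Python model, added here as an illustration and not code from the list discussion or from any product mentioned in it, simulates that pipeline on constructed traffic. The sliding-window size, the per-source packet threshold, the class names and the sample addresses are all assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Assumed tuning values for the example; real sensors use per-signature thresholds.
WINDOW_SECONDS = 10
THRESHOLD = 50          # packets from one source within the window -> block


class PassiveNids:
    """Sensor that only observes mirrored packets. It has no on-wire
    send path at all: its single output is a command to the firewall."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # src -> timestamps inside the window
        self.commands = []               # ("BLOCK", src) commands issued so far

    def observe(self, ts, src):
        """Record one mirrored packet; return a BLOCK command when the
        per-source rate crosses the threshold for the first time."""
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop timestamps outside window
            q.popleft()
        if len(q) >= self.threshold:
            cmd = ("BLOCK", src)
            if cmd not in self.commands:
                self.commands.append(cmd)
                return cmd
        return None


class Firewall:
    """Enforcement point. Mirrors each packet to the sensor, applies any
    ACL command it gets back, and is the only device that answers."""

    def __init__(self):
        self.acl = set()                  # blocked source addresses
        self.nids = PassiveNids()

    def forward(self, ts, src, dst):
        cmd = self.nids.observe(ts, src)  # sensor sees a copy, never the wire
        if cmd is not None:
            self.acl.add(cmd[1])          # router/firewall ACL reconfigured
        if src in self.acl:
            return "icmp-unreachable"     # or a silent drop, depending on policy
        return "forwarded"


def replay(packets):
    """Run (timestamp, src, dst) tuples through the firewall and return the
    firewall plus a per-source count of verdicts."""
    fw = Firewall()
    verdicts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in packets:
        verdicts[src][fw.forward(ts, src, dst)] += 1
    return fw, {s: dict(v) for s, v in verdicts.items()}


# Constructed sample: one source sends 60 packets in six seconds (a flood),
# a second source sends three packets in three seconds (normal traffic).
SAMPLE = (
    [(i * 0.1, "198.51.100.7", "203.0.113.10") for i in range(60)]
    + [(i * 1.0, "198.51.100.9", "203.0.113.10") for i in range(3)]
)

if __name__ == "__main__":
    fw, counts = replay(SAMPLE)
    print("sensor commands:", fw.nids.commands)
    print("verdicts:", counts)
```

Running it, the flooding source gets 49 packets through, then the sensor's one command lands in the ACL and the remaining 11 are answered with unreachables by the firewall; the quiet source is untouched. Nothing in `PassiveNids` can put a packet on the wire, which is exactly why the replying host sees only the firewall's behaviour change and never a packet from the sensor.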
Current thread:
- RE: Firewall and IDS, (the second way)., (continued)
- RE: Firewall and IDS, (the second way). Dom De Vitto (Mar 16)
- Re: Firewall and IDS, (the second way). Michel Arboi (Mar 16)
- Re: Firewall and IDS, (the second way). Timothy J. Miller (Mar 19)
- Re: Firewall and IDS, (the second way). Anthony Stevens (Mar 20)
- Re: Firewall and IDS, (the second way). Marco Ivaldi (Mar 18)
- RE: Firewall and IDS, (the second way). PJD (Mar 19)
- Re: Firewall and IDS, (the second way). Zow (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 19)
- RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 20)
- RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)