Vulnerability Development mailing list archives

RE: Firewall and IDS, (the second way).

From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 20 Mar 2002 14:35:57 +0100

We probably mis-understood each other :)

NIDS just sniffs on some network place. If you happen to flood some other
host, and NIDS can see that flood it can dynamically reconfigure router to
change it's ACLs and to cut you off. If everything is on the other side of
the network, meaning that you are somewhere in the Internet there is no way
that you'll see any packet that came from NIDS as it only:

1) sniffs the network
2) sends command to it's router

Just my 2 cents ...

Best regards,

Bojan Zdrnja

-----Original Message-----
From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
Sent: 20. ozujak 2002 13:06
To: Bojan.Zdrnja () FER hr; vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).



Yeap. But if the Firewall (or another block device) was 
dinamically configured to block your packets, then it´s so 
possible that you touch a nIDS and it causes the reconfiguration.


Pedro Quintanilha
Segurança da Informação
Editora Abril s/a
pquintanilha () abril com br
+55-11-3037-4297



-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr]
Sent: Wednesday, March 20, 2002 8:32 AM
To: Pedro Quintanilha; vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).

-----Original Message-----
From: Pedro Quintanilha [mailto:PQuintanilha () abril com br]
Sent: 18. ozujak 2002 21:41
To: vuln-dev () securityfocus com
Subject: RE: Firewall and IDS, (the second way).


- IP Ban (drops, ICMP unreachables)

    Another good method to detect the presence of a nIDS. 
Some administrators configure nIDSs to act on Firewalls (f.e. 
OPSEC) to block any traffic from a IP that is source of a 
flood of many kinds of packets, like ICMP flood, port-scans, 
etc. So, if you want to detect it, you just need to generate 
a flood, and capture the return packets. If you suddenly 
start to receive ICMP port/host/net unreachabes, or stop to 
receive target host´s responses (ACKs, ICMP Echo-Replies, 
etc), then you probably hit a nIDS.


Correct me if I'm wrong, but IDS will act upon firewall which 
will at the end change it's ACL. So it's firewall who will 
cut your ability to connect to other host and I don't think 
you are able to receive any packet from NIDS - only one who 
should receive something is firewall.

<<attachment: winmail.dat>>

Current thread:

RE: Firewall and IDS, (the second way)., (continued)
- - RE: Firewall and IDS, (the second way). Dom De Vitto (Mar 16)
- Re: Firewall and IDS, (the second way). Michel Arboi (Mar 16)
- Re: Firewall and IDS, (the second way). Timothy J. Miller (Mar 19)
  - Re: Firewall and IDS, (the second way). Anthony Stevens (Mar 20)
- Re: Firewall and IDS, (the second way). Marco Ivaldi (Mar 18)
- RE: Firewall and IDS, (the second way). PJD (Mar 19)
  - Re: Firewall and IDS, (the second way). Zow (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 19)
  - RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 20)
  - RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)