Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Aleph One <aleph1 () dfw dfw net>
Date: Sun, 15 Feb 1998 15:27:17 -0600 (CST)
On Sun, 15 Feb 1998, Steven M. Bellovin wrote:
You're right about firewalls, but possibly wrong about non-proxy IDS's. A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't be vulnerable to bugs in one. Suppose, for example, that a TCP segment with all flag bits on would make a given TCP fall over. An IDS might or might not realize that such a packet was malicious. But if it didn't use TCP to process it, it wouldn't be harmed. Clearly, the more closely an IDS mimics the behavior of an end system, the more vulnerable it is. I made this point about firewalls with lots of proxies a few days ago -- the more functionality you have, the more vulnerable you are.
I see what you mean. I guess my point was the any network program that accepts input from a possibly aggressive source may contains vulnerabilities in the code that processes such input. You are correct in that the obviously complex task of implementing a TCP/IP stacks is one such process with a greater chance of demonstrating such vulnerabilities but inasmuch that a network intrusion detection system processes this type of input they are at risk too. Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Current thread:
- Re: Important Comments re: INtrusion Detection, (continued)
- Re: Important Comments re: INtrusion Detection marc (Feb 14)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 14)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 15)
- Re: Important Comments re: INtrusion Detection marc (Feb 15)
- Re: Important Comments re: INtrusion Detection marc (Feb 14)
- Re: Important Comments re: INtrusion Detection Steve Bellovin (Feb 14)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 15)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 15)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 16)
- Re: Important Comments re: INtrusion Detection Steven M. Bellovin (Feb 16)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 16)
- Re: Important Comments re: INtrusion Detection Paul D. Robertson (Feb 16)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 15)