Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Aleph One <aleph1 () dfw dfw net>
Date: Sun, 15 Feb 1998 15:27:17 -0600 (CST)

On Sun, 15 Feb 1998, Steven M. Bellovin wrote:

> You're right about firewalls, but possibly wrong about non-proxy IDS's.
> A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't
> be vulnerable to bugs in one.  Suppose, for example, that a TCP segment
> with all flag bits on would make a given TCP fall over.  An IDS might
> or might not realize that such a packet was malicious.  But if it didn't
> use TCP to process it, it wouldn't be harmed.  Clearly, the more closely
> an IDS mimics the behavior of an end system, the more vulnerable it is.
> I made this point about firewalls with lots of proxies a few days ago --
> the more functionality you have, the more vulnerable you are.

I see what you mean. I guess my point was that any network program that
accepts input from a possibly aggressive source may contain vulnerabilities
in the code that processes such input. You are correct in that the
obviously complex task of implementing a TCP/IP stack is one such process
with a greater chance of demonstrating such vulnerabilities, but inasmuch
as a network intrusion detection system processes this type of input,
it is at risk too.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
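An added illustration of the point the two posts above are circling (example code written for this archive page, not from either author): a stateless sensor that reads the TCP flag byte straight off the wire without ever handing the segment to a TCP implementation, so a segment "with all flag bits on" is just a field value to it rather than something that can make a stack fall over; at the same time, every length is bounds-checked before slicing, because the decoder is itself code that consumes hostile input, which is the reply's point. The packets are constructed inline as test data; checksums are left at zero and not verified, and the "all flags set" rule is the one case the thread names.

```python
import struct
from typing import List, Optional

TCP_PROTO = 6
# TCP flag bits in the flags byte, low bit first
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, no options,
    checksums left at zero (the decoder below does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     TCP_PROTO, 0, ipv4_bytes(src), ipv4_bytes(dst))
    return ip + tcp


def decode_ipv4_tcp(frame: bytes) -> Optional[dict]:
    """Stateless decode of one IPv4/TCP packet; returns header fields or
    None if the packet is malformed. No connection state is kept and no
    TCP stack is involved: the flag byte is only data here. Every length
    is checked before slicing so truncated or lying headers cannot make
    the decoder itself misbehave."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    # Header length must be sane and the claimed length must fit the buffer
    if ihl < 20 or total_len < ihl + 20 or total_len > len(frame):
        return None
    if frame[9] != TCP_PROTO:
        return None
    tcp = frame[ihl:total_len]  # at least 20 bytes, guaranteed above
    sport, dport, _seq, _ack, off_res, flags, _win = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return {
        "src": ".".join(map(str, frame[12:16])),
        "dst": ".".join(map(str, frame[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": flags,
        "flag_names": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload_len": len(tcp) - data_off,
    }


def classify(frame: bytes) -> str:
    """Verdict for one packet: 'malformed', 'all-flags-set' or 'normal'."""
    fields = decode_ipv4_tcp(frame)
    if fields is None:
        return "malformed"
    if fields["flags"] == 0xFF:  # the segment "with all flag bits on"
        return "all-flags-set"
    return "normal"


def run_sensor(frames: List[bytes]) -> List[str]:
    return [classify(f) for f in frames]


# Constructed sample traffic: an ordinary SYN, the all-flags segment, and a
# packet cut off in the middle of its TCP header.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 0x02),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40001, 80, 0xFF),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40002, 80, 0x02)[:30],
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run_sensor(SAMPLE_FRAMES)):
        print(verdict, decode_ipv4_tcp(frame))
```

The truncated third packet is the part that matters for the reply's argument: a decoder that trusted the IP total length or the TCP data offset and sliced blindly would be the vulnerable "code that processes such input", stack or no stack.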
