Firewall Wizards mailing list archives
Re: Relevance of IDS Results to Stateful FWs
From: tqbf () secnet com
Date: Mon, 16 Feb 1998 19:47:44 -0600 (CST)
marc () snitf ct-net de Sun Feb 15 98
I am sure, some _will_ do so. But not as sure as I am with an application proxy. There is the possibility that a packet filter or a stateful-whatever is quite similar to an IDS. "Similar" in the
...
firewall. You can't play evasion tricks by overloading the packet filter because you have to go through the filter - that's fine - but with this scenario you are open to fragmentation attacks like
...
So for me it's interesting to look on IDS technology and learn something about firewalls. Impressed by all the features some firewall vendors offer I sometimes went into an "everything goes"
Yeah, it's very interesting (to me) to think about the ramifications of our work against other security technologies. I had hoped not to find myself speaking up about this until my research work was done, but it seems that the conclusion of "hey, stateful packet filters seem very similar to a passive IDS embedded into a router" is going to be reached independently of me. Oh well. Someone thank me and Tim if you come up with something good before we do.

Anyways, that aside: there's a perspective (it's not necessarily valid) that sees stateful filtering as a speed hack over transparent application gateway firewalls. It would seem to me that anything that did enough mucking about with the protocols in the traffic to be effectively an end-system WOULD be a proxy; if you're not a proxy, you're something less than one, i.e. you're basing security conclusions off of something other than information obtained from (what we're considering) active analysis.

Who knows. Maybe we'll find out that some of the stateful firewalls we're working with are basically akin to passive IDS engines rigged to packet filters; something of a more tightly integrated NetRanger system. I'd be surprised if insertion and evasion couldn't be leveraged in that situation.

As an example of what I'm getting at, has anyone tried Fyodor's "nmap" tool (http://www.dhp.com/~fyodor) to scan through a stateful firewall and seen what made it through? If something makes it through unexpectedly, does this tell you something?

-----------------------------------------------------------------------------
Thomas H. Ptacek
Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf
"mmm... sacrilicious"
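The point tqbf is circling above, that a device which does not itself terminate the connection has to guess how the real end-system will interpret the traffic, can be made concrete with a toy model. The following is an added example, not code from the thread or from any product discussed in it: two plausible reassembly policies applied to the same constructed segments give two different byte streams, so a passive observer using one policy and an endpoint using the other disagree about what was sent; a normalizer that refuses overlapping data (which a true end-system proxy does implicitly) removes the ambiguity for both. The policy names, the Segment type and the sample bytes are all constructed for illustration.

```python
# Added illustration (not from the thread above): a toy model of why a
# passive observer (an IDS, or a stateful filter that does not itself
# terminate connections) can end up with a different view of a TCP
# stream than the endpoint it is protecting. Segment contents below are
# constructed sample data, not captured traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative sequence number of the first byte
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream from segments in arrival order.

    policy == "first": bytes already seen are kept (first arrival wins).
    policy == "last":  later segments overwrite earlier bytes.
    Real stacks differ in exactly this kind of choice, and a passive
    observer has to guess which one the endpoint uses.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    # Return only the contiguous prefix starting at offset 0.
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def views_agree(segments, observer_policy, endpoint_policy):
    """True when the observer's reconstruction matches the endpoint's."""
    return reassemble(segments, observer_policy) == reassemble(segments, endpoint_policy)


def normalize(segments):
    """Refuse overlaps the way a true end-system (a proxy) implicitly does.

    Any segment that overlaps a byte range already accepted is dropped
    whole (a conservative choice; trimming is another option). Returns
    the accepted segments and how many were dropped.
    """
    accepted, dropped, covered = [], 0, set()
    for seg in segments:
        span = set(range(seg.seq, seg.seq + len(seg.data)))
        if span & covered:
            dropped += 1
            continue
        covered |= span
        accepted.append(seg)
    return accepted, dropped


# Constructed sample: the third segment covers the same sequence range
# as the second but carries different contents.
SAMPLE = [
    Segment(0, b"HELLO "),
    Segment(6, b"world"),
    Segment(6, b"there"),
]


def demo():
    observer = reassemble(SAMPLE, "first")   # first arrival wins
    endpoint = reassemble(SAMPLE, "last")    # later data overwrites
    accepted, dropped = normalize(SAMPLE)
    normalized = reassemble(accepted, "first")
    return observer, endpoint, dropped, normalized


if __name__ == "__main__":
    obs, end, dropped, norm = demo()
    print("observer (first wins):", obs)
    print("endpoint (last wins): ", end)
    print("agree without normalizing:", views_agree(SAMPLE, "first", "last"))
    print("normalizer dropped %d segment(s); both policies now see: %r" % (dropped, norm))
```

Running it shows the observer reconstructing one string and the endpoint another from identical input; after normalize() drops the overlapping segment, both policies reconstruct the same stream. The point for a stateful filter is that deciding anything from passively observed segments inherits this ambiguity, whereas a gateway that accepts or refuses data on its own terms, as a proxy does, does not.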