Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: marc () sniff ct-net de
Date: Sat, 14 Feb 1998 19:24:25 +0000 (GMT)

Darren Reed <darrenr () cyber com au> wrote:

> One conclusion from this might be that an IDS is only truly
> possible if implemented as a proxy gateway of sorts or otherwise

I agree with proxies ...

> performs as a mediator of packets as a firewall might be expected
> to do.  Do you agree with this?

... but I wouldn't expect every stateful firewall to rebuild the
IP or TCP headers (is there _any_ stateful firewall doing so?).
By "rebuild" I mean a firewall picking out all the relevant
information but not the redundant parts (like checksums) and sending out
an IP packet with a copy of the relevant stuff and a checksum
calculated on its own (and header length, and reserved bits = 0,
and ...). If the firewall doesn't, the insertion attack will
still work.

Regards, Marc
-- 
Marc Binderberger                                 97076 Wuerzburg, Germany
marc () sniff ct-net de                              Powered by FreeBSD ;-)
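The "rebuild" Marc describes, as an added example that is not part of the original post or of any firewall named in this thread: a toy IPv4/TCP header normalizer in Python that keeps only the semantic fields of a packet (addresses, ports, sequence numbers, flags, TTL, options, data), clears reserved bits, and emits a fresh header with its own checksums. It first verifies the received checksums the way the end host would, because a packet with a bad checksum is exactly the kind an IDS may accept while the host discards it; rebuilding such a packet with a correct checksum would turn the discarded packet into a real one, so it is dropped instead. Simplifications, all labelled in the code as assumptions of this example: no IP options, no fragment reassembly, TCP only, and the sample packets (10.0.0.1:40000 to 10.0.0.2:80) are constructed here.

```python
"""Toy verify-then-rebuild IPv4/TCP normalizer (added example, not from the thread)."""
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class Drop(Exception):
    """The end host would discard this packet, or we cannot rebuild it faithfully."""


def normalize(pkt: bytes) -> bytes:
    """Return a packet built from scratch out of pkt's semantic fields only."""
    if len(pkt) < 20:
        raise Drop("short IP header")
    ver_ihl, tos, tlen, ident, ff, ttl, proto, _c, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45:
        raise Drop("not IPv4 without options (assumption: options not handled here)")
    if not 20 <= tlen <= len(pkt):
        raise Drop("total length inconsistent with bytes received")
    # A host silently discards a packet with a bad header checksum; so must we.
    # Recomputing it instead would create a valid packet out of an insertion packet.
    if ip_checksum(pkt[:20]) != 0:
        raise Drop("bad IP header checksum")
    if ff & 0x3FFF:                      # MF bit set or non-zero fragment offset
        raise Drop("fragments need reassembly first (assumption: not done here)")
    if proto != 6:
        raise Drop("only TCP handled (assumption of this example)")
    seg = pkt[20:tlen]                   # bytes beyond total length are discarded
    if len(seg) < 20:
        raise Drop("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, _c, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off_res >> 4) * 4
    if not 20 <= doff <= len(seg):
        raise Drop("bad TCP data offset")
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(seg))
    if ip_checksum(pseudo + seg) != 0:
        raise Drop("bad TCP checksum")
    # Rebuild TCP: reserved bits of byte 12 cleared, checksum computed from scratch.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (doff // 4) << 4, flags, win, 0, urg)
    tcp += seg[20:]                      # options and data copied through as-is
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    # Rebuild IP: reserved flag bit cleared, total length from what we hold, new checksum.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), ident, ff & 0x7FFF, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def make_packet(data=b"", *, ip_reserved=False, tcp_reserved=0, corrupt_ip=False, corrupt_tcp=False):
    """Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK, optional dirt."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, (5 << 4) | tcp_reserved, 0x18, 8192, 0, 0) + data
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    csum = ip_checksum(pseudo + tcp) ^ (1 if corrupt_tcp else 0)   # flipped bit = bad checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ff = 0x4000 | (0x8000 if ip_reserved else 0)                   # DF, optionally reserved bit
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, ff, 64, 6, 0, src, dst)
    csum = ip_checksum(ip) ^ (1 if corrupt_ip else 0)
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    return ip + tcp


def outcomes() -> dict:
    """Run the constructed cases and report what the normalizer did with each."""
    res = {}
    dirty = make_packet(b"GET / HTTP/1.0\r\n\r\n", ip_reserved=True, tcp_reserved=0xF)
    out = normalize(dirty)
    res["dirty_bits_cleared"] = ((out[6] & 0x80) == 0 and (out[32] & 0x0F) == 0
                                 and ip_checksum(out[:20]) == 0)
    for name, kw in (("bad_ip_csum", {"corrupt_ip": True}), ("bad_tcp_csum", {"corrupt_tcp": True})):
        try:
            normalize(make_packet(b"x", **kw))
            res[name] = "forwarded"
        except Drop:
            res[name] = "dropped"
    return res


if __name__ == "__main__":
    print(outcomes())
```

The ordering matters: verification comes before reconstruction, and anything the host would reject is dropped rather than repaired. The two things this toy does not do, reassembling fragments and parsing IP/TCP options, are the other places where a mediator has to make a decision for the host rather than pass bytes through, so a real normalizer needs both.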