Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Darren Reed <darrenr () cyber com au>
Date: Sun, 15 Feb 1998 13:39:12 +1100 (EST)
In some mail I received from Craig Brozefsky, sie wrote
> On Sat, 14 Feb 1998, Darren Reed wrote:
>
> > In some mail I received from tqbf () secnet com, sie wrote
> >
> > [...]
> >
> > > However, we do not see a way in which sniffer-driven ID systems can accurately detect SPECIFIC TYPES of attacks in IP traffic. We are not contesting the fact that it is possible to detect traffic that is likely "malicious", and we are not saying that it is impossible to detect the fact that a network is being attacked. The issue is that sniffers cannot isolate (most types of) specific attacks from any other type of attack.
> >
> > [...]
> >
> > One conclusion from this might be that an IDS is only truly possible if implemented as a proxy gateway of sorts or otherwise performs as a mediator of packets as a firewall might be expected to do. Do you agree with this?
>
> I would disagree, as this conclusion would not take into account the need for a secondary source of information regarding the hosts which are possible targets. There is a strong need for context to be able to identify specific attacks on hosts. You are not given this information because you're an application proxy vs. a packet filter.
...and how is that secondary source there when it is just a passive listener and not there when it is a proxy? I think I'm missing something you're implying.

As per a proxy firewall, you have hosts on "each side". One side you care about, the other you don't. Or you might care about them in both directions if you want to stop people from using your site as a launchpad for attacks.

Darren
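The point both sides are circling, that a pattern match on the wire only becomes a *specific* attack once it is joined with context about the target host, can be shown with a small simulation. This is an added illustration, not code from the thread or from any product its participants worked on; the signature table, the host inventory, the packet observations and the greeting format parsed by the mediator are all constructed for the example. It also sketches Darren's question: a passive listener must get its host context from an out-of-band inventory, whereas a mediator that relays the server's own greeting can derive the same context from the conversation it is carrying.

```python
"""Passive match vs. context-aware verdict for an IDS alert (added example).

All tables and sample traffic below are constructed, hypothetical data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    description: str
    targets: frozenset  # (service, version) pairs the pattern is known to affect


@dataclass(frozen=True)
class Observation:
    src: str
    dst: str
    dport: int
    sig_id: str  # which wire pattern the sniffer matched


# Constructed signature table; the descriptions are deliberately generic,
# because that is all a sniffer can honestly say about a pattern.
SIGNATURES = {
    "SIG-A": Signature("SIG-A", "malformed request to a mail daemon",
                       frozenset({("smtp", "1.0"), ("smtp", "1.1")})),
    "SIG-B": Signature("SIG-B", "oversized argument to a login service",
                       frozenset({("telnetd", "2.0")})),
}

# Constructed host inventory: the "secondary source of information regarding
# the hosts" that Craig refers to. Keyed by address, then listening port.
INVENTORY = {
    "10.0.0.5": {25: ("smtp", "1.1")},
    "10.0.0.6": {25: ("smtp", "3.2"), 23: ("telnetd", "2.0")},
}


def passive_verdict(obs):
    """What a sniffer alone can report: a pattern was seen, nothing more."""
    sig = SIGNATURES[obs.sig_id]
    return f"pattern {sig.sig_id} ({sig.description}) seen toward {obs.dst}:{obs.dport}"


def contextual_verdict(obs, inventory):
    """Join the wire match with host context and say how specific the alert may be.

    Returns (category, explanation). Only "specific-attack" names an attack on
    a particular service; the other categories are the honest alternatives.
    """
    sig = SIGNATURES[obs.sig_id]
    host = inventory.get(obs.dst)
    if host is None:
        return ("unknown-host", "no inventory for target; cannot name a specific attack")
    svc = host.get(obs.dport)
    if svc is None:
        return ("no-listener", "target has no service on that port; likely a scan or noise")
    if svc in sig.targets:
        return ("specific-attack", f"{sig.sig_id} against {svc[0]} {svc[1]} on {obs.dst}")
    return ("not-applicable",
            f"{sig.sig_id} matched but {svc[0]} {svc[1]} is not an affected version")


def learn_from_banner(dst, dport, banner, inventory):
    """A mediator relaying the server's greeting can derive (service, version)
    from it rather than from an out-of-band inventory.

    The greeting format "<code> <host> <service>/<version>" is constructed
    for this example; real daemons vary and would need per-protocol parsing.
    """
    service, version = banner.split()[-1].split("/", 1)
    inventory.setdefault(dst, {})[dport] = (service, version)
    return inventory[dst][dport]


if __name__ == "__main__":
    # Constructed sample observations: same pattern, different targets.
    samples = [
        Observation("192.0.2.9", "10.0.0.5", 25, "SIG-A"),
        Observation("192.0.2.9", "10.0.0.6", 25, "SIG-A"),
        Observation("192.0.2.9", "10.0.0.6", 23, "SIG-B"),
        Observation("192.0.2.9", "10.0.0.5", 23, "SIG-B"),
        Observation("192.0.2.9", "10.0.0.7", 25, "SIG-A"),
    ]
    inv = dict(INVENTORY)
    for obs in samples:
        print("sniffer :", passive_verdict(obs))
        print("context :", contextual_verdict(obs, inv))
    # The mediator sees the server greet the client and fills the gap itself.
    learn_from_banner("10.0.0.7", 25, "220 relay smtp/1.0", inv)
    print("after greeting:", contextual_verdict(samples[-1], inv))
```

Note that `passive_verdict` returns the same kind of statement for every observation; only `contextual_verdict` can separate an attack on an affected `smtp 1.1` from the identical bytes sent to an unaffected `smtp 3.2` or to a port with no listener. The inventory is equally usable by a sniffer or a proxy; what the mediator gains is a way to populate it from traffic it is already relaying.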