Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: tqbf () secnet com
Date: Sun, 15 Feb 1998 01:11:57 -0600 (CST)
> forgive me if I've read this wrong - but this sounds like a app proxy firewall does it not?
Yeah, I realize that it does.
> OK it's a firewall with much better alarming and logging. But in normal security (I mean physical) an IDS is a detection system - it does not provide a major response, though it may assist in the apprehension phase.
This is where I (and I suspect most IDS researchers) will disagree with you. An IDS is simply a system that attempts to detect misuse of computer resources. There's no rule that says the system needs to be unobtrusive. Note that when I discuss whether or not an IDS allows packets to pass, I do so with the vision that an IDS is only going to block traffic it can't understand; it's not a general access control device, and the traffic allowed through by an IDS can be extremely (and obviously) dangerous. The only requirement is that traffic only makes it through when its meaning is unambiguous.
> What I can see here is a transparent proxy IDS sitting on the wire proxying all the packets, but not attempting to fit them against rules, just passing them through the proxy layers. Think of an App Proxy firewall with ANY to ANY rule set to allow.
Yep. This is PRECISELY what I am envisioning. Someone else's term for this was (excuse me) a "normalizing gateway".
> packets or chronically overlapped packets). BUT it would not try and fix the packets - if anything this is the firewall's job, otherwise it would be
Sure. The proxy IDS can always just drop anything it doesn't understand.
> This will cut down the attacks via TCP stacks, but still not handle the problem of 'conventional' attacks - via buffer overflow etc. It seems we
This addresses a higher level problem with intrusion detection. The current commercial systems we have all tend to follow the "misuse detection" model of IDS, where the IDS looks for specific, previously known patterns of abuse. This has two limitations: first, it only detects attacks known by the IDS (this is not a limitation of many other systems!), and second, that the manner in which the IDS detects a known attack must address all possible variations of the attack for it to be effective. You could write a book about all the problems with designing intrusion detection systems. We don't purport to have all the answers, or even to catalog all the problems.

-----------------------------------------------------------------------------
Thomas H. Ptacek
Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf
"mmm... sacrilicious"
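The "normalizing gateway" idea above, as an added toy example that is not part of the thread or of any product discussed in it: a per-flow TCP stream tracker that forwards segments whose bytes agree with everything already seen (including plain retransmissions) and drops any segment that overlaps earlier data with different content, since two end hosts could reassemble such a stream differently and its meaning is therefore ambiguous. The class name, the segment tuples and the HTTP-like sample bytes are all constructed for illustration.

```python
"""Toy normalizing gateway: refuse TCP segments whose overlap is ambiguous.

Segments are (relative_seq, payload) for one direction of a single flow.
Constructed example; offsets are relative to the first byte of the stream.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class StreamNormalizer:
    # byte offset within the stream -> byte value already accepted
    stream: Dict[int, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def accept(self, seq: int, payload: bytes) -> bool:
        """Return True if the segment may be forwarded, False if it is dropped.

        A segment is dropped only when it re-covers an offset with a byte that
        differs from what was accepted before: the stream's meaning would then
        depend on which copy the receiving host prefers, so the gateway cannot
        judge it. Identical overlap (a normal retransmission) is allowed.
        """
        for i, b in enumerate(payload):
            prev = self.stream.get(seq + i)
            if prev is not None and prev != b:
                self.log.append(
                    f"drop seq={seq} len={len(payload)}: "
                    f"conflicting overlap at offset {seq + i}")
                return False
        for i, b in enumerate(payload):
            self.stream[seq + i] = b
        return True

    def reassembled(self) -> bytes:
        """Contiguous bytes from offset 0 up to the first gap (what a host sees)."""
        out = bytearray()
        off = 0
        while off in self.stream:
            out.append(self.stream[off])
            off += 1
        return bytes(out)


def normalize(segments: List[Tuple[int, bytes]]) -> Tuple[List[int], List[int], bytes]:
    """Run segments through the gateway; return (forwarded indexes, dropped indexes, stream)."""
    gw = StreamNormalizer()
    forwarded, dropped = [], []
    for idx, (seq, payload) in enumerate(segments):
        (forwarded if gw.accept(seq, payload) else dropped).append(idx)
    return forwarded, dropped, gw.reassembled()
```

Segments beyond a gap are buffered but do not appear in `reassembled()` until the gap is filled, mirroring what the receiving host can actually consume.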