IDS mailing list archives
RE: Hub vs. Tap vs. SpanPort
From: simon.thornton () swift com
Date: Mon, 14 Oct 2002 15:02:24 +0200
Hi Petr,

ST> IDS is connected to the internet side of the firewall.
ST> Hacker uses an exploit (which one is irrelevant) with
ST> the SRC IP address being that of root DNS servers.

PR> I always thought that using stateful firewall gives
PR> an ability to check state table for entries before
PR> access list. So queries from internal DNS, being allowed

You are correct, the catch in this case was that the IDS was connected BEFORE the firewall, so no filtering took place on the traffic before the IDS caught it. As the IDS instructed the firewall to block access to these root nameservers using rules inserted at the beginning of the rulebase, it effectively overrode any previously implemented rules.

The cases I mentioned were simplified and sanitised to illustrate the risk of out-of-the-box responses to detected anomalies. If the IDS solution had been designed properly and care taken to white-list critical systems then this sort of problem could have been avoided.

Rgds,
Simon
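The failure Simon describes, modelled as an added example (not code from this thread or from any IDS or firewall product): a first-match rulebase, an out-of-the-box active response that prepends a deny for whatever source address the IDS saw, and a guarded response that refuses to block white-listed critical systems and escalates instead. The addresses are constructed placeholders from the RFC 5737 documentation ranges, the rule format and function names are assumptions, and real products insert rules differently.

```python
"""Model of an IDS active-response handler that prepends firewall rules.

Added example, not code from the original thread. Addresses, rule format
and function names are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, single address, or "any"
    dst: str             # CIDR, single address, or "any"
    comment: str = ""


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rulebase: list, src: str, dst: str) -> str:
    """First matching rule wins; default deny, as on most firewalls."""
    for rule in rulebase:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "deny"


# Constructed placeholders (RFC 5737 documentation ranges), not real hosts.
ROOT_DNS = "198.51.100.53"          # stands in for a root nameserver
INTERNAL_RESOLVER = "203.0.113.10"  # stands in for the site's resolver

# White-list of systems an automated response must never block.
CRITICAL_SYSTEMS = {ROOT_DNS}


def baseline_rulebase() -> list:
    """The rules an administrator wrote before the IDS got involved."""
    return [
        Rule("allow", ROOT_DNS, INTERNAL_RESOLVER, "root server replies to our resolver"),
        Rule("deny", "any", "any", "default deny"),
    ]


def naive_response(rulebase: list, alert_src: str) -> str:
    """Out-of-the-box response: insert a deny for the alert's source at the
    top of the rulebase, ahead of every rule the administrator wrote."""
    rulebase.insert(0, Rule("deny", alert_src, "any", "auto-block from IDS"))
    return "blocked"


def guarded_response(rulebase: list, alert_src: str, whitelist=CRITICAL_SYSTEMS) -> str:
    """Response that checks the white-list first. The IDS sits outside the
    firewall, so the source address it saw is attacker-controlled and may be
    spoofed; a white-listed source is escalated to an analyst, not blocked."""
    if any(_matches(w, alert_src) for w in whitelist):
        return "escalated"
    rulebase.insert(0, Rule("deny", alert_src, "any", "auto-block from IDS"))
    return "blocked"


def outcome(response) -> tuple:
    """Feed an alert whose source is spoofed as the root server to the given
    response and report (response verdict, whether root replies still pass)."""
    rb = baseline_rulebase()
    verdict = response(rb, ROOT_DNS)
    return verdict, evaluate(rb, ROOT_DNS, INTERNAL_RESOLVER)


if __name__ == "__main__":
    print("naive:  ", outcome(naive_response))    # resolver loses the root server
    print("guarded:", outcome(guarded_response))  # rulebase untouched, analyst notified
```

The guarded handler still blocks sources that are not on the white-list, so the point is not to disable automated response but to keep it from rewriting policy for hosts the site cannot afford to lose; the white-list check also belongs in the IDS itself, so spoofed alerts against critical addresses surface for review rather than silently dropping.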