IDS mailing list archives
Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
From: nick black <dank () qemfd net>
Date: Thu, 26 Aug 2004 08:22:26 +0000 (UTC)
On 2004-08-25, Thomas Ptacek <tqbf () arbor net> wrote:
> Why do we think this is true? What are the security benefits of watching sequence numbers, the TCP state machines, and options? I'm sure there are lots of good reasons for stateful tracking of sessions, but I'd like to hear them stated authoritatively.
Here's an initial stab; flame away:

Let's base intrusion detection's success on maximizing nu as defined in Equation 1 of [ Lee 2002 ]. It's asserted that proper analysis will require the extensive state whose value you question, and accepted that this affects tau(rho) (time spent analyzing). So long as tau(rho) is bounded, however, dropless analysis can be guaranteed for certain workloads. This derives from real-time theory. Thus, addition of state tracking coded in a strictly bounded fashion should not negatively affect detection as a result of packet loss, so long as lower ceilings on workloads are acceptable.

We need now only compare the value of larger workloads with the value of state tracking's (possibly detrimental) effects on accuracy and completeness, yes? The chosen model assigns costs C(alpha) and C(beta) to false positives and false negatives respectively, so we can say that, given tau(rho)` = tau(rho) scaled by the vector of accuracy/completeness probability effects resulting from the state tracking and that the cost of a lower workload ceiling is always non-negative, the state tracking is useful if:

  C(lower workload ceiling) < tau(rho)` - tau(rho)

So, what's the likelihood that state tracking improves tau(rho)` more than C(LWC)? State tracking gives us, at a minimum:

- the ability to detect certain fragmentation-based attacks
- detection of common evasion techniques, an anomaly which can be intelligently used to shape analysis
- exploit- and vulnerability-based analysis across protocol data units
- the ability to detect more than simple anomalies (a counterexample would be [ Wang 2002 ]'s CUSUM method).

These are heady wins. An alternative, as you note, is extensive proxying. This only shifts the burden and control of state tracking to the operating system's networking stacks, where it cannot be as easily accessed for feedback or analysis by the detection system.
With regards to C(LWC), every figure I've ever heard about IDS performance has sounded so meaningless that pinning any specific costs seems a lost cause.
> (Also, do all stateful firewalls actually reassemble IP fragments? What
Linux's ip_conntrack module appears to fully defragment via ip_conntrack_in->ip_ct_gather_frags->ip_defrag.
> happens when they encounter asymmetry?
In what sense do you mean? Overlapping fragments, data protean among fragment duplicates, or something else?
> Is it enough just to drop fragments?)
When filtering a fragment in our IPS mode, I expect any transport protocol implementing ARQ to elicit retransmission of the packet. We must be prepared to filter the offending fragment again, and whether to skip further analysis for fragments bearing the same IPv4 ID is a complex question :).
> (ObDisclaimer: I'm a full-proxy partisan).
It has its definite advantages, as coping with issues raised in your and Newsham's paper has taught me :). We've taken this path for our AV system at Reflex.

[ Lee 2002 ] Wenke Lee et al, "Performance Adaptation in Real-Time Intrusion Detection Systems."
[ Wang 2002 ] Wang et al, "Detecting SYN Flooding Attacks."

--
nick black "np: the class of dashed hopes and idle dreams."
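The reply above argues for state tracking "coded in a strictly bounded fashion", defragmentation in the sensor, flagging overlapping fragments as an anomaly, and being ready to see a filtered fragment retransmitted by the peer's ARQ. The following is an added example, not code from the mail or from any of the systems it names, sketching what those properties look like in one component: an IPv4 fragment reassembler whose every table has a hard cap (so per-fragment work stays bounded), which reports overlaps to the detector rather than silently picking a resolution policy, and which remembers IPS drop verdicts in a bounded, evictable set. Fragments are assumed to arrive already parsed (byte offsets with the 8-byte unit multiplied out); the datagram key `(src, dst, protocol, ipv4_id)`, the cap values and the sample traffic in `demo()` are all constructed for this example.

```python
"""Bounded IPv4 fragment reassembly with overlap detection (added example).

Assumes parsed fragments: key = (src, dst, protocol, ipv4_id) identifies one
datagram, offsets are in bytes. Caps below are constructed, not tuned values.
"""
from collections import OrderedDict

MAX_DATAGRAMS = 64            # concurrent reassembly contexts (constructed cap)
MAX_FRAGS_PER_DATAGRAM = 16   # fragments kept per datagram (constructed cap)
MAX_FILTERED_KEYS = 256       # remembered IPS drop verdicts (constructed cap)


class Datagram:
    def __init__(self):
        self.pieces = {}         # byte offset -> fragment payload
        self.total_len = None    # known once the MF=0 fragment is seen


class FragmentReassembler:
    """Reassembles under hard state caps, so work per fragment is bounded."""

    def __init__(self, max_datagrams=MAX_DATAGRAMS,
                 max_frags=MAX_FRAGS_PER_DATAGRAM,
                 max_filtered=MAX_FILTERED_KEYS):
        self.max_datagrams = max_datagrams
        self.max_frags = max_frags
        self.max_filtered = max_filtered
        self.table = OrderedDict()     # key -> Datagram, oldest first
        self.filtered = OrderedDict()  # keys an IPS verdict already dropped
        self.events = []               # (kind, key, ...) tuples for the detector

    def filter_datagram(self, key):
        """Record an IPS drop so the peer's retransmission is recognised."""
        self.table.pop(key, None)
        if len(self.filtered) >= self.max_filtered:
            self.filtered.popitem(last=False)   # evict oldest verdict
        self.filtered[key] = True

    def feed(self, key, offset, more_frags, payload):
        """Return (status, data); data is set only when status == 'complete'."""
        if key in self.filtered:
            # Matching on IPv4 ID alone is the "complex question" the mail
            # mentions (IDs wrap and are reused), hence a bounded, evictable set.
            return ("repeat_of_filtered", None)
        dg = self.table.get(key)
        if dg is None:
            if len(self.table) >= self.max_datagrams:
                old_key, _ = self.table.popitem(last=False)
                self.events.append(("evicted", old_key))
            dg = self.table[key] = Datagram()
        if len(dg.pieces) >= self.max_frags:
            self.events.append(("too_many_fragments", key))
            del self.table[key]
            return ("discarded", None)
        end = offset + len(payload)
        for off, data in dg.pieces.items():
            if offset < off + len(data) and off < end:
                # End hosts resolve overlaps differently (first- vs last-wins),
                # so the sensor reports the ambiguity instead of guessing.
                self.events.append(("overlap", key, offset, off))
                break
        else:
            dg.pieces[offset] = payload
        if not more_frags:
            dg.total_len = end
        return self._try_complete(key, dg)

    def _try_complete(self, key, dg):
        if dg.total_len is None:
            return ("pending", None)
        cursor = 0
        for off in sorted(dg.pieces):
            if off != cursor:
                return ("pending", None)     # hole: still waiting
            cursor = off + len(dg.pieces[off])
        if cursor != dg.total_len:
            return ("pending", None)
        data = b"".join(dg.pieces[o] for o in sorted(dg.pieces))
        del self.table[key]
        return ("complete", data)


def demo():
    """Constructed traffic: one out-of-order datagram, one overlapping one."""
    r = FragmentReassembler()
    good = ("10.0.0.1", "10.0.0.2", 17, 0x1234)   # constructed flow
    r.feed(good, 16, True, b"B" * 16)
    r.feed(good, 32, False, b"C" * 8)
    status, data = r.feed(good, 0, True, b"A" * 16)
    bad = ("10.0.0.1", "10.0.0.2", 17, 0x1235)    # constructed flow
    r.feed(bad, 0, True, b"A" * 16)
    r.feed(bad, 8, False, b"X" * 16)               # overlaps bytes 8..16
    r.filter_datagram(bad)
    repeat, _ = r.feed(bad, 8, False, b"X" * 16)   # retransmission after drop
    return status, data, r.events, repeat


if __name__ == "__main__":
    print(demo())
```

The eviction and fragment-count caps are what make the analysis time bounded in the sense the reply relies on: under a burst of partial datagrams the table cannot grow without limit, at the price of a lower workload ceiling (old contexts are evicted and logged). The overlap event is the anomaly signal the reply says can be "intelligently used to shape analysis"; the code deliberately keeps the first-seen bytes rather than emulating any particular host's resolution policy.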