IDS mailing list archives

Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)


From: nick black <dank () qemfd net>
Date: Thu, 26 Aug 2004 08:22:26 +0000 (UTC)

On 2004-08-25, Thomas Ptacek <tqbf () arbor net> wrote:
> Why do we think this is true?
> What are the security benefits of watching sequence numbers, the TCP 
> state machines, and options? 
> I'm sure there are lots of good reasons for stateful tracking of 
> sessions, but I'd like to hear them stated authoritatively.

Here's an initial stab; flame away:

Let's base intrusion detection's success on maximizing nu as defined in
Equation 1 of [ Lee 2002 ].  It's asserted that proper analysis will
require the extensive state whose value you question, and accepted that
this affects tau(rho) (time spent analyzing).  So long as tau(rho) is
bounded, however, dropless analysis can be guaranteed for certain
workloads.  This derives from real-time theory.

Thus, addition of state tracking coded in a strictly bounded fashion
should not negatively affect detection as a result of packet loss, so
long as lower ceilings on workloads are acceptable.  We need now
only compare the value of larger workloads with the value of state
tracking's (possibly detrimental) effects on accuracy and completeness, 
yes?  The chosen model assigns costs C(alpha) and C(beta) to false
positives and false negatives respectively, so we can say that, given

 tau(rho)` = tau(rho) scaled by the vector of accuracy/completeness
  probability effects resulting from the state tracking 

and that the cost of a lower workload ceiling is always non-negative, the
state tracking is useful if: 

 C(lower workload ceiling) < tau(rho)` - tau(rho)

So, what's the likelihood that state tracking improves tau(rho)` more
than C(LWC)?  State tracking gives us, at a minimum:

  the ability to detect certain fragmentation-based attacks
  detection of common evasion techniques, an anomaly which can be
   intelligently used to shape analysis 
  exploit- and vulnerability-based analysis across protocol data units
  the ability to detect more than simple anomalies (a counterexample
   would be [ Wang 2002 ]'s CUSUM method).
  
These are heady wins.  An alternative, as you note, is extensive
proxying.  This only shifts the burden and control of state tracking to
the operating system's networking stacks, where it cannot be as easily
accessed for feedback or analysis by the detection system.

With regards to C(LWC), every figure I've ever heard about IDS
performance has sounded so meaningless that pinning any specific costs
seems a lost cause.

> (Also, do all stateful firewalls actually reassemble IP fragments? What 

Linux's ip_conntrack module appears to fully defragment via
ip_conntrack_in->ip_ct_gather_frags->ip_defrag.

> happens when they encounter asymmetry?

In what sense do you mean?   Overlapping fragments, data protean among
fragment duplicates, or something else?

> Is it enough just to drop fragments?)

When filtering a fragment in our IPS mode, I expect any transport protocol 
implementing ARQ to elicit retransmission of the packet.  We must be
prepared to filter the offending fragment again, and whether to skip
further analysis for fragments bearing the same IPv4 ID is a complex
question :).

> (ObDisclaimer: I'm a full-proxy partisan).

It has its definite advantages, as coping with issues raised in your and
Newsham's paper has taught me :).  We've taken this path for our AV
system at Reflex.

[ Lee 2002 ] Wenke Lee et al, "Performance Adaptation in Real-Time
        Intrusion Detection Systems."

[ Wang 2002 ] Wang et al, "Detecting SYN Flooding Attacks."

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."
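
Added example (not part of nick black's post, nor code from Reflex, ISS or any
product named in the thread): a small Python IPv4 fragment reassembler that
holds strictly bounded per-datagram state and reports the evasion-relevant
anomalies the exchange touches on, namely overlapping fragments whose bytes
disagree ("data protean among fragment duplicates"), duplicate fragments, and
a fragment set that never completes within its budget. The `Fragment` field
names, the `MAX_FRAGS_PER_DATAGRAM` budget and the "lowest-offset fragment
wins" overlap policy are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed bound on per-datagram state: never track more than this many
# fragments for one (src, dst, proto, IPv4 ID), so analysis time per datagram
# stays bounded and a flood of fragments cannot grow state without limit.
MAX_FRAGS_PER_DATAGRAM = 64


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int     # IPv4 identification field
    offset: int    # payload byte offset (fragment offset field * 8)
    more: bool     # MF flag: True unless this is the final fragment
    data: bytes


@dataclass
class _Datagram:
    chunks: Dict[int, bytes] = field(default_factory=dict)  # offset -> data
    total_len: Optional[int] = None                         # known once MF=0 seen
    anomalies: List[str] = field(default_factory=list)
    seen: int = 0

    def note(self, msg: str) -> None:
        if msg not in self.anomalies:
            self.anomalies.append(msg)


class Reassembler:
    """Reassembles IPv4 fragments and reports evasion-relevant anomalies."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str, int, int], _Datagram] = {}

    def feed(self, frag: Fragment) -> Tuple[str, Optional[bytes], List[str]]:
        """Return (status, payload, anomalies); status is pending/complete/drop."""
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        dg = self.pending.setdefault(key, _Datagram())
        dg.seen += 1
        if dg.seen > MAX_FRAGS_PER_DATAGRAM:
            dg.note("fragment budget exceeded")
            del self.pending[key]
            return "drop", None, dg.anomalies

        end = frag.offset + len(frag.data)
        # Compare against every stored chunk that overlaps this one. The same
        # byte range carried twice with different contents is the ambiguity
        # that lets different target stacks reassemble different payloads.
        for off, chunk in dg.chunks.items():
            lo, hi = max(off, frag.offset), min(off + len(chunk), end)
            if lo < hi:
                old = chunk[lo - off:hi - off]
                new = frag.data[lo - frag.offset:hi - frag.offset]
                kind = "conflicting" if old != new else "duplicate"
                dg.note(f"{kind} overlap at bytes {lo}-{hi}")
        dg.chunks.setdefault(frag.offset, frag.data)

        if not frag.more:
            if dg.total_len is not None and dg.total_len != end:
                dg.note("multiple final fragments with differing length")
            if dg.total_len is None:
                dg.total_len = end
        if dg.total_len is None:
            return "pending", None, dg.anomalies

        # Assemble. Policy choice, made explicit because real stacks differ:
        # inside an overlap the lowest-offset fragment's bytes win.
        payload = bytearray(dg.total_len)
        covered = bytearray(dg.total_len)
        for off in sorted(dg.chunks):
            if off >= dg.total_len:
                dg.note(f"fragment at offset {off} beyond final length")
                continue
            for i, b in enumerate(dg.chunks[off][: dg.total_len - off]):
                if not covered[off + i]:
                    payload[off + i] = b
                    covered[off + i] = 1
        if all(covered):
            del self.pending[key]
            return "complete", bytes(payload), dg.anomalies
        return "pending", None, dg.anomalies
```

The detector does not try to guess which overlap policy the eventual
receiver uses; it reports the conflict so the analysis stage can treat the
datagram as suspicious, which is the "anomaly which can be intelligently used
to shape analysis" point from the post. The fragment budget is the bounded
state that keeps per-datagram work predictable under load.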