Vulnerability Development mailing list archives

RE: Covert Channels


From: Jeff Nathan <jeff () wwti com>
Date: Fri, 18 Oct 2002 09:45:52 -0700


--On Thursday, October 17, 2002 21:02:16 +0100 Dom De Vitto 
<dom () DeVitto com> wrote:

[...]

I'd also suggest you check out cutting edge anti-ids techniques,
including using urgent data points and boundary anomalies to cause
IDSs to reform data streams differently to OS IP stacks.

[...]

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom () devitto com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I wouldn't want to nit-pick but in the case of stream reassembly evasion 
and NIDS evasion in general, those sorts of techniques are at least 4 years 
old.  In the case of urgent data there still may be some valid evasion 
techniques lingering from historical implementations but their result will 
largely be an off-by-one in the handling of urgent data for strictly RFC 
compliant stacks.

An inline device, of course, doesn't suffer from these issues.  It simply 
enforces a policy, including that of dropping packets that aren't quite 
right.

-Jeff

--
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
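The urgent-data off-by-one mentioned in the message above, as an added example that is not part of the original post: a passive sensor can check whether the two published readings of the TCP urgent pointer (RFC 793 and RFC 1122) would give a receiver different in-band bytes, and an inline device can drop the segment when they do. The function names and the sample segment are hypothetical, and the model assumes one segment with the urgent byte delivered out of band.

```python
# Added example (not from the original post). Simplified model: a single TCP
# segment, receiver delivers the one urgent byte out of band.

def urgent_offset(urg_ptr, interpretation):
    """Offset of the urgent byte inside the segment payload."""
    if interpretation == "rfc793":    # pointer names the byte AFTER the urgent byte
        return urg_ptr - 1
    if interpretation == "rfc1122":   # pointer names the urgent byte itself
        return urg_ptr
    raise ValueError("unknown interpretation: %r" % interpretation)

def inband_view(payload, urg_flag, urg_ptr, interpretation):
    """Bytes the application reads in-band under one interpretation."""
    if not urg_flag:
        return payload
    off = urgent_offset(urg_ptr, interpretation)
    if not 0 <= off < len(payload):
        return payload                # urgent byte is outside this segment
    return payload[:off] + payload[off + 1:]

def audit_segment(payload, urg_flag, urg_ptr):
    """Return (ambiguous, views); 'inline' is a sensor that ignores URG."""
    views = {name: inband_view(payload, urg_flag, urg_ptr, name)
             for name in ("rfc793", "rfc1122")}
    views["inline"] = payload
    return len(set(views.values())) > 1, views

def inline_policy(payload, urg_flag, urg_ptr):
    """Inline-device policy: drop what the end host might read differently."""
    ambiguous, _ = audit_segment(payload, urg_flag, urg_ptr)
    return "drop" if ambiguous else "pass"

if __name__ == "__main__":
    # Constructed sample segment: six payload bytes, URG set, urgent pointer 3.
    ambiguous, views = audit_segment(b"ABCDEF", True, 3)
    for name, data in sorted(views.items()):
        print("%-8s %r" % (name, data))
    print("ambiguous:", ambiguous, "->", inline_policy(b"ABCDEF", True, 3))
```
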

