Bugtraq mailing list archives

Re: fragroute vs. snort: the tempest in a teacup


From: jan () nil si
Date: Fri, 19 Apr 2002 10:20:20 +0800



> bastion hosts.  Most firewalls these days (especially Linux and OpenBSD
> ones) actually do reassembly inbound. This was an interesting point
> ...
> So in practice, the fragment level obfuscations are usually hidden/scrubbed
> from internal snort sensors by the firewalls.

This is NOT true. At least the Cisco PIX and (correct me if I am wrong)
Checkpoint FW-1, which together represent MOST firewalls out there, do not
perform true reassembly. The PIX, for example, collects all the fragments,
checks them for some basic overlaps (like TCP header overwrite) and then
passes them on as they were originally fragmented. According to Lance's
paper, if Checkpoint has not modified their code in FW-1 NG, roughly the
same thing will happen.

Also, you focus on an IDS as always being behind the firewall, which is
often not the case. Perhaps there are no firewalls around at all.

Here are some references on FW-1:

http://www.enteract.com/~lspitz/fwtable.html
http://www.phoneboy.com/faq/0420.html

The real issue has always been about HOW does the IDS try to reassemble
frags, when it has no idea how the target would reassemble them. In every
possible way? For me, it is often enough for an IDS to alarm about
suspicious fragmentation events, which can be investigated by a
human if enough forensics are available.

But from this point, let's not go into the debate about whether folks who
use PIX or FW-1 also commonly use Snort ;)

Regards,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer

NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
Phone +386 1 4746 500       Fax +386 1 4746 501      http://www.NIL.si

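Added illustration of the point Jan makes above (this is example code written for this page, not code from the post, Snort, fragroute or any firewall vendor): two fragment streams are reassembled under a "first fragment wins" and a "last fragment wins" overlap policy, showing that the same overlapping fragments yield different payloads depending on which policy the target host applies, which is exactly why an IDS cannot know the "right" reassembly. Alongside it is a small anomaly check of the kind the post says is often sufficient: flag any overlap, and call out overlaps that rewrite the first 20 bytes where a TCP header would sit. The fragment offsets, payloads and the two policies are constructed assumptions; offsets are already in bytes (multiples of 8, as on the wire) and the IP header is omitted.

```python
"""Overlapping IP fragments: reassembly ambiguity and a simple anomaly check.

Example written for this page; not from the original post or any product.
Fragments are modelled as (byte offset, payload, more-fragments flag); offset 0
is the first byte of the transport payload.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

TCP_HEADER_LEN = 20  # minimum TCP header size; the "TCP header overwrite" region


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the final fragment


def reassemble(frags: List[Fragment], favor_new: bool) -> Optional[bytes]:
    """Reassemble fragments in arrival order under one overlap policy.

    favor_new=False: bytes already in the buffer win ("first wins").
    favor_new=True:  a later fragment overwrites earlier bytes ("last wins").
    Real stacks differ in which policy they use; that is the ambiguity.
    Returns None if the datagram is incomplete or has conflicting lengths.
    """
    buf = bytearray()
    filled = bytearray()  # 1 where a byte has already been written
    end = None
    for f in frags:
        last = f.offset + len(f.data)
        if not f.more:
            if end is not None and end != last:
                return None  # two final fragments disagree on total length
            end = last
        if last > len(buf):
            pad = last - len(buf)
            buf.extend(b"\x00" * pad)
            filled.extend(b"\x00" * pad)
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if filled[pos] and not favor_new:
                continue  # first-wins: keep what is already there
            buf[pos] = b
            filled[pos] = 1
    if end is None or len(buf) != end or not all(filled[:end]):
        return None  # no final fragment, data past the end, or a hole
    return bytes(buf[:end])


def fragment_anomalies(frags: List[Fragment]) -> List[str]:
    """Return findings an IDS could alert on without guessing the target's policy."""
    findings: List[str] = []
    seen: Dict[int, int] = {}  # byte position -> index of first fragment covering it
    for idx, f in enumerate(frags):
        span = range(f.offset, f.offset + len(f.data))
        overlap = [p for p in span if p in seen]
        if overlap:
            findings.append(
                f"fragment {idx} overlaps {len(overlap)} byte(s) already seen "
                f"(first at offset {overlap[0]}, originally from fragment {seen[overlap[0]]})"
            )
            if overlap[0] < TCP_HEADER_LEN:
                findings.append(
                    f"fragment {idx} rewrites bytes inside the first {TCP_HEADER_LEN} "
                    f"bytes (transport header region)"
                )
        for p in span:
            seen.setdefault(p, idx)
    first = [f for f in frags if f.offset == 0]
    if first and first[0].more and len(first[0].data) < TCP_HEADER_LEN:
        findings.append(
            f"first fragment carries only {len(first[0].data)} bytes, "
            f"too few for a full TCP header"
        )
    return findings


# Constructed sample data (not captured traffic).
CLEAN = [
    Fragment(0, b"A" * 24, True),
    Fragment(24, b"B" * 16, False),
]
# Fragment 2 arrives late and overlaps bytes 8..23, including header bytes 8..19.
OVERLAPPING = [
    Fragment(0, b"A" * 16, True),
    Fragment(16, b"B" * 8, True),
    Fragment(8, b"C" * 16, True),
    Fragment(24, b"D" * 16, False),
]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlapping", OVERLAPPING)):
        print(name, "first-wins:", reassemble(frags, favor_new=False))
        print(name, "last-wins: ", reassemble(frags, favor_new=True))
        for finding in fragment_anomalies(frags):
            print("  ALERT:", finding)
```

The clean stream reassembles identically under both policies and raises no findings; the overlapping stream produces two different 40-byte payloads, so an IDS that picks one policy will miss whatever the other host saw, while the anomaly check fires on the overlap itself regardless of policy.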
