Intrusion Detection Systems mailing list archives
Fragmentation Question
From: gshipley () neohapsis com (Greg Shipley)
Date: Wed, 13 Oct 1999 17:22:52 -0500 (CDT)
Okay, assuming that Dragon and NFR are the only two Network-based Intrusion Detection systems that do packet re-assembly, I've been trying to think through a solution for people wanting to use other ID products (RealSecure, NetRanger, etc.) and still allow them to be useful. I see a few options:

1. Deny all fragments into the network. I see this is a bad idea, but I do wonder, how many "natural" fragmented packets appear natively on the Internet. I would imagine a fair amount, but I don't have the slightest idea how to hunt down statistics on this.

2. Have some perimeter device re-assemble fragmented packets BEFORE they get to the IDS. Two options: the router, or the firewall, yeah? Now, in a multi-homed, multi-router environment, IMHO, forcing re-assembly is NOT an option (fragmented packets could come in from two or more directions). This leaves the firewall, and I'm not even going to open the can of worms surrounding firewall load balancing. So let's assume a single firewall.

Who does this? I did some digging with Checkpoint, and they do (ready for this?) "virtual packet re-assembly." That is, according to their documentation, they will re-assemble the packet for purposes of inspection, but then transmit the fragments back out of the interface. So fragments in -> fragments out. I opened a trouble ticket with them, and the answer I got back was "No, we don't do packet re-assembly - can't be done." Does anyone else have any info on this?

I did some digging through Cisco's PIX documentation (v4.x), and found a bunch of things talking about packet fragmentation. I found a way to deny all fragmented packets, but I did NOT find a way to force re-assembly. Does anyone know if the PIX can? If so, how? I tried to open a TAC case but they wouldn't let me without a PIX serial number. I tried to explain that it was a, uh, pre-sales question but that didn't seem to work. Ugh.

So what are our options? Is there anything I'm missing here?

-Greg
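The "virtual packet re-assembly" the post describes (re-assemble for inspection, forward the original fragments untouched) is easy to sketch. The following is an added example, not code from the post or from any of the products named in it: a small IPv4 fragment buffer that keys fragments on (source, destination, IP ID, protocol), hands the complete datagram to an inspection callback once every piece has arrived, and passes each fragment through unchanged. It goes one step beyond the post by also reporting overlapping fragments, since an inspector cannot know which copy the receiving host will keep. The packet builder, the `forbidden-token` signature and the 10.0.0.x addresses are all constructed for the example, and the header checksum is left at zero because nothing here is put on the wire.

```python
"""Virtual IPv4 fragment re-assembly for inspection (constructed example)."""
import struct
from collections import defaultdict


def build_ipv4(src, dst, ident, proto, more_fragments, frag_offset, payload):
    """Constructed IPv4 packet with no options; frag_offset is in 8-byte units.
    Checksum is left at 0: these packets are only fed to the reassembler."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, src, dst)
    return header + payload


def parse_ipv4(pkt):
    """Pull out the fields the reassembler needs from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    return {
        "key": (src, dst, ident, proto),     # identifies one datagram
        "mf": bool(flags_frag & 0x2000),     # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8, # byte offset within the datagram
        "payload": pkt[ihl:total_len],
    }


def inspect_for_token(key, payload):
    """Stand-in for the IDS content check (constructed signature)."""
    return "match" if b"forbidden-token" in payload else "clean"


class VirtualReassembler:
    """Buffers fragments per datagram, inspects the whole, forwards the parts."""

    def __init__(self, inspect):
        self.inspect = inspect
        self.pending = defaultdict(list)   # key -> [(offset, mf, payload)]
        self.verdicts = {}                 # key -> "clean" | "match" | "overlap"

    def feed(self, pkt):
        """Return the packet to forward (always the original bytes)."""
        f = parse_ipv4(pkt)
        key = f["key"]
        if not f["mf"] and f["offset"] == 0:
            # Unfragmented datagram: inspect directly.
            self.verdicts[key] = self.inspect(key, f["payload"])
            return pkt
        self.pending[key].append((f["offset"], f["mf"], f["payload"]))
        result = self._assemble(key)
        if result is not None:
            data, overlapped = result
            # Overlaps are reported rather than guessed at: host reassembly
            # policy decides which bytes win, and the inspector cannot know it.
            self.verdicts[key] = "overlap" if overlapped else self.inspect(key, data)
            del self.pending[key]
        return pkt   # fragments in -> fragments out

    def _assemble(self, key):
        """Return (payload, overlapped) once all fragments are present, else None."""
        frags = sorted(self.pending[key], key=lambda t: t[0])
        if frags[-1][1]:
            return None              # highest fragment still has MF set
        data = bytearray()
        overlapped = False
        for offset, _mf, payload in frags:
            if offset > len(data):
                return None          # gap: an earlier fragment is missing
            if offset < len(data):
                overlapped = True
            data[offset:offset + len(payload)] = payload
        return bytes(data), overlapped


def demo():
    """Split a constructed payload so neither fragment alone carries the token."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"hello forbidden-token world!"
    first = build_ipv4(src, dst, 0x1234, 6, True, 0, payload[:16])
    last = build_ipv4(src, dst, 0x1234, 6, False, 2, payload[16:])
    r = VirtualReassembler(inspect_for_token)
    for pkt in (last, first):        # out-of-order arrival is fine
        r.feed(pkt)
    return r.verdicts[(src, dst, 0x1234, 6)]


if __name__ == "__main__":
    print(demo())
```

Because `feed` returns the packet it was given, the device stays transparent to both ends of the connection; only the verdict is produced from the re-assembled view. A production implementation would also age out incomplete datagrams so that an attacker cannot fill the buffer with fragments that never complete.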