Intrusion Detection Systems mailing list archives

Re: Mod FWD


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 06 Sep 2000 11:59:43 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Hi, Tom, good to see you're still around!

tqbf () skoda sockpuppet org wrote:
> and see. That'd suck really really badly. If an IDS can't do
> reassembly, it's better off not doing anything at all.

> I don't understand the practical difference between being vulnerable
> to "fragrouter" and being vulnerable to any one of 5-10 other
> desynchronization attacks that one could implement.

Well, as I see it, timing is everything. When you published
your first paper on IDS evasion, there were several vendors
that didn't even address "fragrouter" for over a year. So,
it's one thing to be susceptible to a new attack, but another
thing to be susceptible to a widely-published attack for a
very long time. Yes, you're right that any susceptibility is
a bad thing, but I hope you'll agree that _knowingly_ being
susceptible to an issue and not doing anything about it (except
continuing to shovel products out the door) is really lame.
A vendor should react rapidly and effectively to these
kinds of issues - at NFR we certainly have, and everyone
knows it.

> Is NFR willing
> to publicly submit their software to be tested, openly, for
> susceptibility to evasion?

I'm always interested in seeing credible tests performed on
our products, to ensure that they're as good as they possibly
can be. If you'll recall, the last time you tested IDS, NFR
was the vendor that had the implementation that handled your
tests better than anyone else - and we were the one vendor that
immediately fixed the issues you _did_ identify. It took the
other guys, what, a year or two before they even got reassembly
into their engines?

So, sure, if you're going to be doing more testing, we'd
be happy to supply you with a copy of NFR, assuming, of course,
that you work with us in a responsible manner, and are also
testing other IDS products as well. Frankly, I expect that
if you do more testing your results will serve primarily to
make us look good (again) compared to the competition. Unless,
of course, you've got some hidden bias I don't know about.

> Or are you just going to ignore the problems that you CAN'T fix?

<Austin Powers Voice>Oh, behave.</Austin Powers Voice>
If I can push a technology to the point where the problems
remaining are unsolvable, then I figure I've done my job.
So, please, enlighten me!

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com
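The exchange above turns on one technical point: a sensor that matches signatures segment by segment misses anything whose bytes are split across segment boundaries, and even a sensor that does reassemble has to resolve overlapping retransmissions the same way the end host does, or the two "desynchronize". The following is an added illustration, not code from this thread, from NFR, or from fragrouter: a toy TCP-stream reassembler with a constructed set of out-of-order segments, run once with per-segment matching and once on the reassembled stream. The signature, segment payloads and the two overlap policies are all assumptions chosen for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Signature the sensor looks for in the application byte stream (assumed).
SIGNATURE = re.compile(rb"/etc/passwd")

# Constructed sample: one TCP stream delivered as three out-of-order segments
# whose boundaries fall inside the signature.  Tuples are (relative_seq, payload).
SAMPLE_SEGMENTS: List[Tuple[int, bytes]] = [
    (21, b"asswd HTTP/1.0\r\n\r\n"),
    (0, b"GET /cgi-bin/"),
    (13, b"../etc/p"),
]

# Constructed sample with an overlapping retransmission: two segments claim
# offset 21, carrying different bytes.  Which one the receiving host keeps
# depends on its TCP stack, so the sensor must model the same choice.
OVERLAP_SEGMENTS: List[Tuple[int, bytes]] = [
    (0, b"GET /cgi-bin/"),
    (13, b"../etc/p"),
    (21, b"XXXXX"),
    (21, b"asswd HTTP/1.0\r\n\r\n"),
]


def match_per_segment(segments: List[Tuple[int, bytes]]) -> bool:
    """Naive sensor: inspect each segment's payload in isolation."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments: List[Tuple[int, bytes]], policy: str = "first") -> bytes:
    """Rebuild the contiguous byte stream from (seq, payload) segments.

    Overlapping bytes are resolved by `policy`: "first" keeps the bytes from
    the segment received first, "last" lets later segments overwrite.  These
    are two of the overlap behaviours real TCP stacks exhibit (assumed names).
    Reassembly stops at the first gap in sequence space.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    out = bytearray()
    offset = 0
    while offset in stream:
        out.append(stream[offset])
        offset += 1
    return bytes(out)


def match_reassembled(segments: List[Tuple[int, bytes]], policy: str = "first") -> bool:
    """Sensor that reassembles the stream before matching."""
    return SIGNATURE.search(reassemble(segments, policy)) is not None


if __name__ == "__main__":
    print("per-segment match:   ", match_per_segment(SAMPLE_SEGMENTS))
    print("reassembled match:   ", match_reassembled(SAMPLE_SEGMENTS))
    print("overlap, first wins: ", match_reassembled(OVERLAP_SEGMENTS, "first"))
    print("overlap, last wins:  ", match_reassembled(OVERLAP_SEGMENTS, "last"))
```

The first sample shows why Tom's remark about reassembly holds: no single segment contains the signature, so only the reassembled view fires. The second sample shows why reassembly alone is not the end of the story: the same segments yield a hit under one overlap policy and a miss under the other, so a sensor that does not know how the monitored host resolves overlaps can be made to see a different stream than the host does.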

