Intrusion Detection Systems mailing list archives
transport scrubbing
From: Dug Song <dugsong () monkey org>
Date: Thu, 10 May 2001 21:49:45 -0400
Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

On Thu, May 10, 2001 at 12:56:00PM -0700, Jeff Nathan wrote:
> > if you normalize traffic upstream, you won't ever see "non-normalized" traffic downstream...
>
> Whatchu talkin' about, Willis? I meant downstream traffic, I don't know of any reasonable way to prevent fragmentation between one network and another based upon layer 2 technologies.
i'm not sure what you're speaking to, but i'm certainly not arguing for packet reassembly - only active resolution of certain ambiguities (such as IP fragment / TCP segment overlap) for devices further downstream (including passive network monitors).

wrt to firewalls and routers:

> Yeah, but we've got mechanisms to provide redundancy for those devices, we'd need the same for the IDS it seems.
you just need to think outside the box. network IDS does not have to be completely passive. in fact, it *can't* be, if you want to have any confidence in it. this was the point of the SNI paper.

as for redundancy, IP Filter already performs some minimal scrubbing, as i've mentioned here before:

http://msgs.securepoint.com/cgi-bin/get/ids-0009/68/1.html

and its nascent fail-over and redundancy features look promising.
> > this is already true of application proxy firewalls. easy enough to just implement the lowest common denominator...
>
> Ewwww..
better to implement (and enforce) the published standard, than get caught in the trap of trying to correctly handle every bogus vendor-specific extension. better for security, anyhow.
> IDS development seems to really be pushing the envelope that was originally pushed by firewall development.
the line between stateful inspection firewalls and network IDS grows fuzzier every day...

-d.

---
http://www.monkey.org/~dugsong/
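A worked illustration of the IP-fragment overlap ambiguity the message refers to, and of the upstream scrubbing that removes it, added here as an example; it is not code from the thread, from IP Filter, or from any scrubber it mentions. It models only fragment payloads and offsets (no IP headers, no holes) and assumes two hypothetical end-host reassembly policies, favour-old ("first") and favour-new ("last"):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this payload within the datagram
    data: bytes


def reassemble(frags, policy):
    """Reassemble a contiguous datagram from fragments in arrival order.
    policy "first": bytes already received win (favour-old host).
    policy "last" : a later fragment overwrites earlier bytes (favour-new host).
    Two hosts with different policies can end up with different datagrams,
    which is the ambiguity a purely passive monitor cannot resolve."""
    buf = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    return bytes(buf[i] for i in range(len(buf)))  # constructed input has no holes


def scrub(frags):
    """Rewrite an arriving fragment stream so no two fragments overlap, keeping
    the bytes that arrived first and trimming later duplicates. After this,
    every downstream reassembly policy yields the same bytes."""
    seen, out = set(), []
    for f in frags:
        run_start, run = 0, bytearray()
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen:                # already covered: cut the run here
                if run:
                    out.append(Fragment(run_start, bytes(run)))
                    run = bytearray()
                continue
            if not run:
                run_start = pos
            run.append(b)
            seen.add(pos)
        if run:
            out.append(Fragment(run_start, bytes(run)))
    return out


def overlap_demo():
    """Constructed stream: the second fragment overlaps the first by 4 bytes."""
    frags = [Fragment(0, b"AAAAAAAA"), Fragment(4, b"BBBBBBBB"), Fragment(12, b"CCCC")]
    scrubbed = scrub(frags)
    return {"raw_first": reassemble(frags, "first"), "raw_last": reassemble(frags, "last"),
            "scrubbed": scrubbed, "scrubbed_first": reassemble(scrubbed, "first"),
            "scrubbed_last": reassemble(scrubbed, "last")}
```

Before scrubbing the two policies disagree on bytes 4 through 7; after scrubbing the overlap is trimmed from the later fragment and both policies reassemble the same datagram.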
Current thread:
- Re: RE: sequence No. Jeff Nathan (May 10)
- transport scrubbing Dug Song (May 11)
- <Possible follow-ups>
- Re: RE: sequence No. Jeff Nathan (May 10)
- RE: RE: sequence No. Bill Royds (May 11)
