Re: traffic normalizer for ipfw?

From: Kurt Seifried (listuser_at_seifried.org)
Date: 02/20/04

    To: "Darren Reed" <avalon@caligula.anu.edu.au>
    Date: Fri, 20 Feb 2004 02:21:27 -0700
    
    

    > > It's not like you HAVE to use it. It's an option, you can use it, or not. As
    > > far as the semantic arguments of firewalls/IDS/IPS/etc (technically I'd say
    > > scrub is more an IPS style feature than IDS since it actively manipulates
    > > the data to make it less "dangerous") please let's not go there, it's
    > > pointless.
    >
    > Cripes, and you claim to be a publisher of security related information?
    >
    > Well, I suppose if you are then you're press and we all know how good
    > the press are at getting technical things "right".

    If you really must flame me can you do it offlist to spare everyone the
    tedium? BTW since when am I "the press"? This is news to me.

    > "scrub" won't do a damn thing about making data "less dangerous".
    > And it's not an IPS either (it won't do anything about preventing
    > someone from using an IIS/apache exploit in your web farm.)

    No, but it will prevent some protocol level exploits/etc that can make
    applications and systems puke their guts up (yes, some TCP-IP stacks suck
    that much). Stopping a denial of service attack (intentional or otherwise)
    sounds like a typical IPS related function, not an IDS function. In any
    event this sort of proves how pointless the IDS/IPS argument is (everyone
    is quite happy to disagree on what they are/do).

    > All it does is try and clean off rough edges of packet header fields
    > so that they fit into an IDS's picture of the world more easily.
    >
    > That's it. Well, they have extended the 'scrub' facility to do other
    > things that could just as easily be done elsewhere but it is definitely
    > NOT an IPS (and anyone selling it as such is a fraud.)

    Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
    IPS. In any event this sort of proves how pointless the IDS/IPS argument is
    (everyone is quite happy to disagree on what they are/do).

    If you want to continue this discussion off list in a civil manner I'd be
    glad to, otherwise I'm done.

    > Darren

    -Kurt

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

