Re: [Full-Disclosure] Re: Empirical data surrounding guards and firewalls.

From: James Tucker (jftucker_at_gmail.com)
Date: 09/03/04

    To: "gadgeteer@elegantinnovations.org" <gadgeteer@elegantinnovations.org>
    Date: Fri, 3 Sep 2004 11:49:25 +0100

    Yes, I realised that last night.

    It is interesting, but I think in his attempt to disprove the
    analogy, he came up with a very comparable one.

    The firewall at McDonalds.com seems to filter all data to all ports
    other than port 80. You can't enter a McDonalds restaurant through
    anything but the door.

    The firewall is not content filtering, thus does not stop bad requests
    passing through it.
    The door does not stop people for incorrect attire.

    The webserver returned a 404 error when a request was made for
    something which did not exist there.
    It is now at this point we start to see this analogy fall down, but
    that is because the two situations are in fact different. Technically,
    you could argue that the poor attire was in breach of protocol. This
    would prompt a different response than the equivalent supplied here in
    the example of the virtual world.

    More accurately, the packet (Evol) should not have been in breach
    of protocol, as his virtual packet never was. In fact he should have
    requested something that was not on the menu. The response would have
    been very much like Error 404 Item On Menu Not Found.

    Of course analogies fall down when they are not actually built to be
    the same thing. Without adding more kindling to the fire, this is
    possibly one of the better analogies I have seen for a simple allowed
    connection to a webserver.

    Now the problem with expanding an analogy is that it is hard to find
    appropriate comparative things.

    Let's use an example of one of the old IIS exploits. The erroneous data
    for many of the old IIS exploits is actually a breach of the HTTP
    protocol. Some firewalls can use content filtering against this; this
    would be comparable to a "detector" on the door looking for a person
    (packet) carrying an illegal object (an illegally formed request). If
    the firewall is not content filtering, the data reaches the webserver,
    and the webserver DoSes when the data is read. Well, this is hard to
    equate; it's like the person walking up to the attendant and shouting
    at them in a foreign language, with sufficient intensity to knock
    them unconscious. Unconscious is difficult still, as neural nets
    (brains) are very good at recovering from this kind of problem,
    whereas computers end up in infinite loops with equal ease.

    It is likely that abstraction is a better way of teaching this kind of
    thing. You need to teach at one level in the stack at a time. The
    other levels could be thought of as having interfaces, and you can
    maybe describe some functionality of the interface in a less than
    fully accurate way. But... It's a bit like trying to teach RF to an IP
    guy though, much of the time they just don't get it.

    Anyway, I think Frank has some very well written arguments on this
    problem, I don't feel we are going to be able to develop much more
    useful from the discussion until a good idea for a solution to the
    lack of time vs. not using analogies problem is found. Whoever said
    teaching was easy?

    EOF, EOT, EOD.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
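The three layers the message walks through (a port-only filter that passes anything on port 80, a content-filtering "detector" that rejects requests which break the HTTP grammar, and a webserver that answers 404 for something not on the menu) as an added, constructed simulation. This is example code written for this archive page, not anything from the thread or from any real firewall or IIS; the request-line check, the port set and the two-item "menu" are all assumptions.

```python
import re

# Layer 1: a port-only packet filter, the "door" in the analogy.
# It looks at the destination port and nothing else (assumed policy: only 80).
ALLOWED_PORTS = {80}

def port_filter_allows(dst_port: int) -> bool:
    """Pass any packet addressed to an allowed port, regardless of content."""
    return dst_port in ALLOWED_PORTS

# Layer 2: content inspection, the "detector on the door".
# HTTP/1.x request line is Method SP Request-URI SP HTTP-Version CRLF
# (RFC 2616 section 5.1); control bytes and spaces are not allowed in the URI.
REQUEST_LINE = re.compile(rb"^[A-Z]{1,16} [^\x00-\x20\x7f]{1,2048} HTTP/1\.[01]\r\n")

def request_is_well_formed(payload: bytes) -> bool:
    """True when the first line of the payload matches the HTTP request-line grammar."""
    return REQUEST_LINE.match(payload) is not None

# Layer 3: the webserver, serving a tiny constructed "menu" of two resources.
MENU = {b"/": b"<html>front page</html>", b"/menu.html": b"<html>menu</html>"}

def serve(payload: bytes) -> int:
    """Return the status code the (validating) server would send back."""
    if not request_is_well_formed(payload):
        # A server that skips this check is the one that "DoSes when the data is read";
        # a validating one simply rejects the request.
        return 400
    path = payload.split(b" ", 2)[1]
    return 200 if path in MENU else 404   # 404: "Item On Menu Not Found"

def handle(dst_port: int, payload: bytes, inspect_content: bool) -> str:
    """Trace one packet through the door, the optional detector, and the server."""
    if not port_filter_allows(dst_port):
        return "dropped by port filter"
    if inspect_content and not request_is_well_formed(payload):
        return "dropped by content filter"
    return f"server {serve(payload)}"

if __name__ == "__main__":
    # Constructed sample traffic: normal, off-menu, and protocol-breaching requests.
    for port, req, inspect in [(23, b"GET / HTTP/1.0\r\n", False),
                               (80, b"GET /menu.html HTTP/1.1\r\n", False),
                               (80, b"GET /not-on-menu HTTP/1.0\r\n", False),
                               (80, b"GET /a\x00b HTTP/1.0\r\n", False),
                               (80, b"GET /a\x00b HTTP/1.0\r\n", True)]:
        print(port, req, "inspect" if inspect else "port-only", "->", handle(port, req, inspect))
```

The last two rows are the point of the thread: the same malformed request reaches the server when the firewall only looks at ports, and is stopped at the door only when the firewall also inspects content.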

