Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

From: nick black (dank_at_qemfd.net)
Date: 08/31/04

  • Next message: Martin Roesch: "Re: session logging IDS"
    To: focus-ids@securityfocus.com
    Date: Tue, 31 Aug 2004 00:07:50 +0000 (UTC)
    On 2004-08-30, Mike Frantzen <frantzen@nfr.com> wrote:
    > This is going to be an extremely controversial answer that the security
    > purists probably will not like. But they're fun to piss off so here goes.

    Hehhehe, while my job at Reflex is leading our IPS development, my
    research at the GTISC is a bit more pure -- I hope my somewhat
    theoretically-minded answer earlier didn't paint me an ivory
    towerist :D. Regarding your well thought-out comments:

    > The real benefit of a full fledged TCP state machine is knowing when to
    > expire an idle connection. If we expire a connection too early, then
    > the next packet that comes in on it will appear to be a new connection
    > and several things may happen:

    You list several problems with timing out sessions too early, but none
    with timing them out too late. For the sake of argument, what problems
    do you see with simply idling out via necessities of LRU applied to a
    fixed-size flow cache (obviously, sessions could still be closed based
    on 4-way TCP teardown, RST abortion or SYN/OOW xmit, modulo the guesswork
    typically involved in such)? A much less intensive state machine can be
    developed in this case, if one's merely concerned with the problems
    you've raised (I noted several other benefits from a detection
    standpoint in my earlier answer).

    > 3) you lose the TCP window scale value
    > 4) the connection will break if you only allow state creation on a SYN
    > 5) any sequence number modulation will break the connection
    > 6) any TCP timestamp modulation will probably break the connection

    Are these not issues arising from the use of a half-hearted attempt at
    TCP tracking, as opposed to a lack thereof in toto?

    -- 
    nick black                  "np:  the class of dashed hopes and idle dreams."
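The LRU-over-a-fixed-size-flow-cache approach nick black asks about, as an added example (not code from either poster, nor from Reflex, NFR or any IPS product): a minimal flow table that ages idle flows purely by LRU pressure, still drops a flow on a completed FIN exchange or an RST, and counts how often the first packet seen for a flow is not a SYN, which is the "looks like a new connection" symptom Frantzen describes when a flow is expired too early. The packet trace, addresses, port numbers and single-letter flag abbreviations are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A flow is keyed by its endpoint pair, ordered so that both directions of a
# connection map to the same key.
FlowKey = Tuple[str, int, str, int]
Endpoint = Tuple[str, int]


@dataclass
class Flow:
    key: FlowKey
    syn_seen: bool                                         # False if picked up mid-stream
    fin_from: Set[Endpoint] = field(default_factory=set)   # endpoints that have sent FIN
    packets: int = 0


class LRUFlowCache:
    """Fixed-size TCP flow table. Idle flows are not aged by a per-flow timer;
    they fall off the least-recently-used end when a new flow needs a slot.
    Explicit teardown (FIN from both endpoints) or an RST removes a flow at once."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.flows: "OrderedDict[FlowKey, Flow]" = OrderedDict()
        self.evictions = 0          # flows pushed out by LRU pressure
        self.midstream_pickups = 0  # first packet seen for a flow was not a SYN

    @staticmethod
    def canonical(src: str, sport: int, dst: str, dport: int) -> FlowKey:
        a, b = (src, sport), (dst, dport)
        return (src, sport, dst, dport) if a <= b else (dst, dport, src, sport)

    def observe(self, src: str, sport: int, dst: str, dport: int, flags: str) -> str:
        key = self.canonical(src, sport, dst, dport)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.capacity:
                self.flows.popitem(last=False)   # drop the least recently used flow
                self.evictions += 1
            syn = "S" in flags
            if not syn:
                # Either the flow was evicted too early or its handshake was never
                # seen: this is the situation the thread is arguing about.
                self.midstream_pickups += 1
            flow = Flow(key, syn_seen=syn)
            self.flows[key] = flow
            event = "new" if syn else "midstream"
        else:
            self.flows.move_to_end(key)          # mark as most recently used
            event = "existing"
        flow.packets += 1

        if "R" in flags:                         # RST aborts the connection
            del self.flows[key]
            return "closed-rst"
        if "F" in flags:
            flow.fin_from.add((src, sport))
            if len(flow.fin_from) == 2:          # both sides have sent FIN
                del self.flows[key]
                return "closed-fin"
        return event


# Constructed packet trace: (src, sport, dst, dport, flags) with S=SYN, A=ACK,
# F=FIN, R=RST. Four client connections A..D from 10.0.0.1 to 10.0.0.2:80.
TRACE: List[Tuple[str, int, str, int, str]] = [
    ("10.0.0.1", 1111, "10.0.0.2", 80, "S"),    # A: handshake starts
    ("10.0.0.1", 2222, "10.0.0.2", 80, "S"),    # B: handshake starts
    ("10.0.0.1", 2222, "10.0.0.2", 80, "FA"),   # B: client FIN
    ("10.0.0.2", 80, "10.0.0.1", 2222, "FA"),   # B: server FIN, teardown complete
    ("10.0.0.1", 3333, "10.0.0.2", 80, "S"),    # C
    ("10.0.0.1", 4444, "10.0.0.2", 80, "S"),    # D
    ("10.0.0.1", 1111, "10.0.0.2", 80, "A"),    # A: data after a long idle gap
    ("10.0.0.2", 80, "10.0.0.1", 4444, "R"),    # D: server aborts with RST
]


def run_trace(capacity: int) -> Dict[str, object]:
    """Feed the constructed trace through a cache of the given size."""
    cache = LRUFlowCache(capacity)
    events = [cache.observe(*pkt) for pkt in TRACE]
    return {
        "events": events,
        "evictions": cache.evictions,
        "midstream_pickups": cache.midstream_pickups,
        "open_flows": len(cache.flows),
    }


if __name__ == "__main__":
    for cap in (2, 3):
        print(f"capacity={cap}: {run_trace(cap)}")
```

Running run_trace with capacity 2 versus 3 shows the trade-off in the thread: the smaller cache evicts two flows and picks connection A back up mid-stream, while the larger one still holds A's state and treats the late packet as part of the existing flow. In a real sensor the midstream counter is the number to watch; if it climbs under load the flow table is too small for the traffic, and the consequences in Frantzen's list (lost window scale, no state if creation requires a SYN) follow from that.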
    
