Re: RE: IPv6 support in IDS/IPS products

From: David Williams (dwilliamsd_at_gmail.com)
Date: 11/10/05

    Date: Wed, 9 Nov 2005 18:11:22 -0500
    To: "barcajax@gmail.com" <barcajax@gmail.com>

    First, if you're doing security you should NEVER "assume" anything.
    That's a surefire way to NOT get what you want out of a product.

    Second, the U.S. Government has lots of checkboxes. Common Criteria,
    FIPS 140, etc. IPv6 can be viewed as a checkbox if you don't ask the
    right question, which is why I specifically am interested not in
    the ability to "detect IPv6", but to actually properly decode IPv6,
    all the IPv6 methods, IPv6 tunnels, and other weirdness that I
    probably don't know about. We never ask enough questions about the
    ways our vendors implement these requirements and it gets us in
    trouble.

    For example, in IPv4 a typical header is normally 20 bytes, but could
    be slightly larger, let's say 60 bytes. Not a big deal for most
    people, and even old ASIC technology can handle 64 byte headers. But,
    a normal IPv6 header with options, and tunneling, could easily exceed
    the 64 byte header length, since it's arbitrary. A smart hacker could
    add enough options and tunnels to extend the header length to well
    past 1K (assuming a large MTU). I seriously doubt most vendors have
    accounted for this. So, when Cisco claims "enhanced visibility", I
    note that they did NOT answer my question specifically, and they don't
    go into any details about how they do it. The phrase "we detect IPv6"
    is not the same as the answer given by ISS & NFR. I'd like to
    actually more fully explore those answers, which I will do once I
    create a Matrix from vendors that give an appropriate response,
    because I STILL don't believe them.

    People ask questions around buzzwords, they get an answer, and then
    don't follow up with more detailed questions, because they assume
    vendors are doing the right thing... when in reality, many vendors
    will simply do "just enough".

    Sorry for the rant... I've gotten burned by making "assumptions".

    -d

    On 8 Nov 2005 00:34:12 -0000, barcajax@gmail.com <barcajax@gmail.com> wrote:
    > I think it's safe to assume that most of the IDS/IPS products support IPv6 because it's a U.S. government requirement if I'm not wrong. From personal experience, nfr Sentivist is IPv6 aware.
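As an added illustration of the header-length point in David's post (this is example code, not part of the thread or any vendor's product): a minimal IPv6 extension-header walker that follows Hop-by-Hop, Routing, Fragment, AH and Destination Options headers plus IPv6-in-IPv6 tunnels, reports how many bytes a decoder must parse before it reaches the transport header, and flags packets whose transport header lies beyond a fixed prefix. The sample packet, its 2001:db8:: addresses and the 64-byte budget are constructed for the example.

```python
import struct

# Extension headers (RFC 8200, RFC 4302) and how each encodes its length.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest-Options"}
IPV6_IN_IPV6 = 41  # tunnel: a second base header and chain follow

def walk_ipv6_headers(pkt: bytes):
    """Return (upper_layer_proto, header_bytes, chain) for an IPv6 packet.
    Tunnels are followed, so header_bytes is everything a decoder must
    parse before it reaches the transport header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, offset, chain = pkt[6], 40, [("IPv6", 40)]
    while nh in EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:
            hdr_len = 8                   # Fragment header is fixed size
        elif nh == 51:
            hdr_len = (ext_len + 2) * 4   # AH: 4-octet units, minus 2
        else:
            hdr_len = (ext_len + 1) * 8   # others: 8-octet units, excluding first 8
        if offset + hdr_len > len(pkt):
            raise ValueError("extension header runs past packet end")
        chain.append((EXT_HEADERS[nh], hdr_len))
        offset, nh = offset + hdr_len, next_nh
    if nh == IPV6_IN_IPV6:  # restart the walk on the encapsulated packet
        inner_nh, inner_len, inner_chain = walk_ipv6_headers(pkt[offset:])
        return inner_nh, offset + inner_len, chain + inner_chain
    return nh, offset, chain

def exceeds_decoder_budget(pkt: bytes, budget: int = 64) -> bool:
    """True when the transport header lies beyond a fixed `budget`-byte prefix."""
    return walk_ipv6_headers(pkt)[1] > budget

def base_header(next_header: int, payload_len: int) -> bytes:
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")  # constructed 2001:db8::1
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")  # constructed 2001:db8::2
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)

def padn_header(next_header: int, total_len: int) -> bytes:
    # Options header filled by one PadN option (type 1), so it carries no semantics.
    return bytes([next_header, total_len // 8 - 1, 1, total_len - 4]) + bytes(total_len - 4)

def build_sample() -> bytes:
    """Constructed: IPv6 + Hop-by-Hop(16 B) + IPv6-in-IPv6 + Dest-Options(64 B) + TCP."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 2, 65535, 0, 0)
    inner = base_header(60, 64 + len(tcp)) + padn_header(6, 64) + tcp
    return base_header(0, 16 + len(inner)) + padn_header(41, 16) + inner
```

The sample packet puts its TCP header 160 bytes in, so a decoder that only parses a 64-byte prefix never sees the transport layer at all; a full-chain walker also has to treat truncated or oversized headers as errors rather than silently stopping.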
