RE: Firewall and IDS, (the second way).

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Wed Mar 20 2002 - 05:35:57 PST


    We probably misunderstood each other :)
    
    NIDS just sniffs on some network place. If you happen to flood some other
    host, and NIDS can see that flood, it can dynamically reconfigure the router to
    change its ACLs and to cut you off. If everything is on the other side of
    the network, meaning that you are somewhere in the Internet, there is no way
    that you'll see any packet that came from NIDS as it only:
    
    1) sniffs the network
    2) sends command to its router
    
    Just my 2 cents ...
    
    Best regards,
    
    Bojan Zdrnja
    
    
    > -----Original Message-----
    > From: Pedro Quintanilha [mailto:PQuintanilhaat_private]
    > Sent: 20 March 2002 13:06
    > To: Bojan.Zdrnjaat_private; vuln-devat_private
    > Subject: RE: Firewall and IDS, (the second way).
    > 
    > 
    > 
    > Yeap. But if the Firewall (or another block device) was 
    > dynamically configured to block your packets, then it's so 
    > possible that you touch a nIDS and it causes the reconfiguration.
    > 
    > 
    > Pedro Quintanilha
    > Information Security
    > Editora Abril s/a
    > pquintanilhaat_private
    > +55-11-3037-4297
    > 
    > 
    > 
    > -----Original Message-----
    > From: Bojan Zdrnja [mailto:Bojan.Zdrnjaat_private]
    > Sent: Wednesday, March 20, 2002 8:32 AM
    > To: Pedro Quintanilha; vuln-devat_private
    > Subject: RE: Firewall and IDS, (the second way).
    > 
    > 
    > 
    > 
    > > -----Original Message-----
    > > From: Pedro Quintanilha [mailto:PQuintanilhaat_private]
    > > Sent: 18 March 2002 21:41
    > > To: vuln-devat_private
    > > Subject: RE: Firewall and IDS, (the second way).
    > > 
    > > 
    > 
    > > 
    > > - IP Ban (drops, ICMP unreachables)
    > > 
    > > 	Another good method to detect the presence of a nIDS. 
    > > Some administrators configure nIDSs to act on Firewalls (f.e. 
    > > OPSEC) to block any traffic from an IP that is source of a 
    > > flood of many kinds of packets, like ICMP flood, port-scans, 
    > > etc. So, if you want to detect it, you just need to generate 
    > > a flood, and capture the return packets. If you suddenly 
    > > start to receive ICMP port/host/net unreachables, or stop to 
    > > receive target host's responses (ACKs, ICMP Echo-Replies, 
    > > etc), then you probably hit a nIDS.
    > 
    > Correct me if I'm wrong, but IDS will act upon firewall which 
    > will at the end change its ACL. So it's firewall who will 
    > cut your ability to connect to other host and I don't think 
    > you are able to receive any packet from NIDS - only one who 
    > should receive something is firewall.
    > 
    > 
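As an added illustration of the point made above (example code, not from the thread or any product): a toy reactive sensor that only sniffs packet records and pushes a block rule to the router. The remote source only ever sees the router's verdict (silence for a drop, or ICMP unreachables if the rule rejects), never a packet from the sensor. The addresses, thresholds and packet records are constructed.

```python
# Added example: a minimal reactive NIDS that (1) sniffs and (2) sends a
# command to its router. It never transmits toward the offending source.
# All packet records, addresses and thresholds below are constructed.
from collections import defaultdict

FLOOD_THRESHOLD = 5   # events from one source inside WINDOW_SECONDS
WINDOW_SECONDS = 2.0

# Constructed sniffed traffic: (timestamp, src_ip, dst_ip, kind)
PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.10", "icmp-echo"),
    (0.1, "198.51.100.7", "192.0.2.10", "icmp-echo"),
    (0.2, "198.51.100.7", "192.0.2.10", "icmp-echo"),
    (0.3, "203.0.113.5", "192.0.2.10", "tcp-syn"),
    (0.4, "198.51.100.7", "192.0.2.10", "icmp-echo"),
    (0.5, "198.51.100.7", "192.0.2.10", "icmp-echo"),   # 5th hit: trigger
    (0.6, "198.51.100.7", "192.0.2.10", "icmp-echo"),   # already blocked
    (9.0, "203.0.113.5", "192.0.2.10", "tcp-syn"),      # outside window
]


def watch(packets, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS,
          action="drop"):
    """Sniff the records and return the ACL commands pushed to the router.

    action="drop" makes the router silently discard the source's packets;
    action="reject" makes it answer with ICMP unreachables. Either way it
    is the router that speaks; the sensor's only output is this list.
    """
    seen = defaultdict(list)   # src_ip -> timestamps inside the window
    blocked = set()
    commands = []
    for ts, src, dst, kind in packets:
        if src in blocked:
            continue           # already cut off; nothing more to emit
        hits = [t for t in seen[src] if ts - t <= window]
        hits.append(ts)
        seen[src] = hits
        if len(hits) >= threshold:
            blocked.add(src)
            commands.append({"target": "router", "src": src, "action": action})
    return commands


if __name__ == "__main__":
    for cmd in watch(PACKETS):
        print(cmd)
```

Whether the remote side observes silence or unreachables is decided by the `action` the router applies, which is the difference between the two behaviours the thread describes.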
    
    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 22:07:32 PST