[svlug] Proxy/Forwarding tool/code

Rick Moen rick at linuxmafia.com
Wed Aug 30 21:53:01 PDT 2000


begin  J C Lawrence quotation:

> A damned interesting (and seemingly very perceptive) product per my
> play with it here (thinking about it for a current client).  There's
> precious little being done in the Open Source arena for real IDS
> tools, and most especially for NIDS tools.

I really doubt the latter work properly.

In order for them to function, NIDS suites have to (among other things)
reassemble incoming fragmented packet streams, and deal correctly with
a tremendous variety of malformed traffic.  For starters, that can take
a great deal of processing power, and it strains credulity that typical
boxen devoted to that purpose will be able to keep up.

Of course, also, a number of attacks and probes _rely_ on malformed
traffic.  Evaluations of such tools I've heard suggest that they tend to
ignore much of that malformed traffic, which is _not_ the right thing to
do.

I lean towards suspecting it's snake oil (and would in general terms
favour the host-based approach).  But then, snake oil is woefully
prevalent in this field.

-- 
Cheers,                   "Teach a man to make fire, and he will be warm 
Rick Moen                 for a day.  Set a man on fire, and he will be warm
rick at linuxmafia.com       for the rest of his life."   -- John A. Hrastar
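
As an added illustration of the reassembly burden Rick describes (example code written for this archive page, not from the original post or from any NIDS product): a minimal IPv4 fragment reassembler that records overlaps, gaps and misaligned offsets as anomalies instead of quietly discarding the traffic. It simplifies by taking offsets in bytes rather than the header's 8-octet units, and the sample fragments are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Fragment:
    offset: int        # byte offset of this piece within the original datagram
    more: bool         # IPv4 "more fragments" (MF) flag
    payload: bytes

@dataclass
class Reassembly:
    data: Optional[bytes]                  # None if the datagram is incomplete
    anomalies: List[str] = field(default_factory=list)

def reassemble(frags: List[Fragment]) -> Reassembly:
    """Reassemble in offset order, keep first-seen bytes on overlap, record every malformation."""
    anomalies: List[str] = []
    out = bytearray()
    end = 0                 # contiguous bytes reassembled so far
    total = None            # datagram length announced by the final fragment
    for f in sorted(frags, key=lambda f: f.offset):
        f_end = f.offset + len(f.payload)
        if f.more and f.offset % 8:
            anomalies.append(f"offset {f.offset} not 8-byte aligned")
        if not f.more:
            if total is not None:
                anomalies.append("more than one final fragment")
            total = f_end
        if f.offset > end:
            anomalies.append(f"gap between {end} and {f.offset}")
            return Reassembly(None, anomalies)
        ov = min(end, f_end) - f.offset    # bytes this piece re-covers
        if ov > 0:
            same = out[f.offset:f.offset + ov] == f.payload[:ov]
            kind = "redundant" if same else "conflicting"
            anomalies.append(f"{kind} overlap of {ov} bytes at offset {f.offset}")
        out += f.payload[ov:]
        end = max(end, f_end)
    if total is None:
        anomalies.append("final fragment missing")
        return Reassembly(None, anomalies)
    if end != total:
        anomalies.append(f"data reaches {end}, past final fragment end {total}")
    return Reassembly(bytes(out), anomalies)

# Constructed sample traffic (not captured): a request split at 8-byte boundaries,
# then the same request plus a late fragment that rewrites bytes 8..16.
REQUEST = b"GET /index.html HTTP/1.0\r\n"
CLEAN = [Fragment(0, True, REQUEST[:8]), Fragment(8, True, REQUEST[8:16]),
         Fragment(16, False, REQUEST[16:])]
OVERLAP = CLEAN + [Fragment(8, True, b"OVERLAP!")]
```

`reassemble(OVERLAP)` still yields the first-seen datagram but carries a "conflicting overlap" anomaly, which is the signal a sensor should raise rather than drop.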