From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 01:21:50 2004
Delivered-To: freebsd-security@freebsd.org
Message-ID: <028101c3f792$eaf115a0$1400000a@bigdog>
From: "Kurt Seifried"
To: "Darren Reed"
cc: freebsd-security@freebsd.org
References: <200402200910.i1K9AIoe005185@caligula.anu.edu.au>
Date: Fri, 20 Feb 2004 02:21:27 -0700
Subject: Re: traffic normalizer for ipfw?
List-Id: Security issues [members-only posting]

> > It's not like you HAVE to use it. It's an option, you can use it, or not. As
> > far as the semantic arguments of firewalls/IDS/IPS/etc (technically I'd say
> > scrub is more an IPS style feature than IDS since it actively manipulates
> > the data to make it less "dangerous") please let's not go there, it's
> > pointless.
>
> Cripes, and you claim to be a publisher of security related information?
>
> Well, I suppose if you are then you're press and we all know how good
> the press are at getting technical things "right".

If you really must flame me can you do it offlist to spare everyone the
tedium? BTW since when am I "the press"? This is news to me.

> "scrub" won't do a damn thing about making data "less dangerous".
> And it's not an IPS either (it won't do anything about preventing
> someone from using an IIS/apache exploit in your web farm.)

No but it will prevent some protocol level exploits/etc that can make
applications and systems puke their guts up (yes, some TCP-IP stacks suck
that much). Stopping a denial of service attack (intentional or otherwise)
sounds like a typical IPS related function, not an IDS function. In any
event this sort of proves how pointless the IDS/IPS argument is (everyone
is quite happy to disagree on what they are/do).

> All it does is try and clean off rough edges of packet header fields
> so that they fit into an IDS's picture of the world more easily.
>
> That's it. Well, they have extended the 'scrub' facility to do other
> things that could just as easily be done elsewhere but it is definitely
> NOT an IPS (and anyone selling it as such is a fraud.)

Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
IPS. In any event this sort of proves how pointless the IDS/IPS argument is
(everyone is quite happy to disagree on what they are/do).

If you want to continue this discussion off list in a civil manner I'd be
glad to, otherwise I'm done.

> Darren

-Kurt
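The thread describes scrub as "cleaning off rough edges of packet header fields" so that what the IDS sees matches what the end host will process. The example below is an added illustration of that idea and is not code from pf, ipfw, or anyone on the thread: a minimal IPv4 header normalizer in Python that applies two rewrites modelled on pf's `min-ttl` and `no-df` scrub options (raise a very low TTL so the packet cannot expire between the sensor and the host, and clear Don't Fragment so the firewall can reassemble/refragment consistently), drops headers whose checksum or length field is inconsistent, and recomputes the checksum. The function names (`build_ipv4`, `normalize_ipv4`, `describe`), the `min_ttl` default of 10 and the sample packets are my own constructions.

```python
import struct

DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header.

    Computed with the checksum field zeroed it yields the value to store;
    computed over a header whose stored checksum is correct it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ttl: int, df: bool, ident: int = 0x1234) -> bytes:
    """Construct a minimal 20-byte IPv4 header (protocol 17) in front of payload.

    This is constructed sample input for the demonstration, not a capture.
    """
    flags_frag = DF_FLAG if df else 0
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                flags_frag, ttl, 17, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def normalize_ipv4(pkt: bytes, min_ttl: int = 10, clear_df: bool = True):
    """Return a normalized copy of pkt, or None if the packet should be dropped.

    The rewrites mirror what pf's scrub does for 'min-ttl' and 'no-df'
    (my reading of pf.conf(5); this is not pf's or ipfw's code).
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not an IPv4 packet we can parse
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None                      # header length field is nonsense
    header = bytearray(pkt[:ihl])
    if ipv4_checksum(bytes(header)) != 0:
        return None                      # corrupt header: drop, never "repair"
    if struct.unpack_from("!H", header, 2)[0] != len(pkt):
        return None                      # total length disagrees with what arrived
    if header[8] < min_ttl:
        header[8] = min_ttl              # min-ttl: the host must see what the sensor saw
    flags_frag = struct.unpack_from("!H", header, 6)[0]
    if clear_df and flags_frag & DF_FLAG:
        struct.pack_into("!H", header, 6, flags_frag & ~DF_FLAG)  # no-df
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + pkt[ihl:]


def describe(pkt: bytes) -> dict:
    """Decode the fields the normalizer touches, for inspection and testing."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    return {
        "ttl": pkt[8],
        "df": bool(flags_frag & DF_FLAG),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:],
    }


if __name__ == "__main__":
    odd = build_ipv4(b"hello", ttl=3, df=True)       # low TTL, DF set
    print("before:", describe(odd))
    print("after: ", describe(normalize_ipv4(odd)))
    print("corrupt dropped:", normalize_ipv4(odd + b"extra") is None)
```

Packets that already conform pass through byte-for-byte, which is the property to check when deploying any normalizer: it should be a no-op for well-formed traffic and only touch the ambiguous cases.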