Date: Fri, 20 Feb 2004 02:21:27 -0700 From: "Kurt Seifried" <listuser@seifried.org> To: "Darren Reed" <avalon@caligula.anu.edu.au> Cc: freebsd-security@freebsd.org Subject: Re: traffic normalizer for ipfw? Message-ID: <028101c3f792$eaf115a0$1400000a@bigdog> References: <200402200910.i1K9AIoe005185@caligula.anu.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
> > It's not like you HAVE to use it. It's an option, you can use it, or not. As > > far as the symantic arguments of firewalls/IDS/IPS/etc (technically I'd say > > scrub is more an IPS style feature then IDS since it actively manipulates > > the data to make it less "dangerous") please let's not go there, it's > > pointless. > > Cripes, and you claim to be a publisher of security related information? > > Well, I suppose if you are then you're press and we all know how good > the press are at getting technical things "right". If you really must flame me can you do it offlist to spare everyone the tedium? BTW since when am I "the press"? This is news to me. > "scrub" won't do a damn thing about making data "less dangerous". > And it's not an IPS either (it won't do anything about preventing > someone from using an IIS/apache exploit in your web farm.) No but it will prevent some protocol level exploits/etc that can make applications and systems puke their guts up (yes, some TCP-IP stacks suck that much). Stopping a denial of service attack (intentional or otherwise) sounds like a typical IPS related function, not an IDS function. In any event this sort of prooves how pointless the IDS/IPS argument is (everyone is quite happy to disagree on what they are/do). > All it does is try and clean off rough edges of packet header fields > so that they fit into an IDS's picture of the world more easily. > > That's it. Well, they have extended the 'scrub' facility to do other > things that could just as easily be done elsewhere but it is definately > NOT an IPS (and anyone selling it as such is a fraud.) Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an IPS. In any event this sort of prooves how pointless the IDS/IPS argument is (everyone is quite happy to disagree on what they are/do). If you want to continue this discussion off list in a civil manner I'd be glad to, otherwise I'm done. > Darren -Kurt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?028101c3f792$eaf115a0$1400000a>