I'm curious about the market status quo and trends in the area of how
network IDS/IPS products are dealing with layer 3/4 evasion techniques
(a la Ptacek & Newsham: ambiguous segmentation & fragmentation, ttl
tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists
three approaches (not counting "use a host-based IDS" :-) ):
1. inline normalization
2. profiling the intranet and using target-specific algorithms
3. bifurcating analysis
From what I've read, Snort is going route #2, with the Sourcefire RNA
system doing the profiling.
- Is there any public information regarding which approach (if any)
other commercial systems are using?
- Does Snort's decision indicate any sort of consensus that #2 is the
best approach, or would that be considered controversial? (Clearly #3
isn't practical as a general technique, but the Handley paper seems to
make a good case for #1.)
- Do you all feel that existing approaches (like Snort's, or perhaps
some commercial implementation of #1) are adequate, or is there a need
for a more robust solution?
Basically we've had some ideas in this space and are trying to figure
out whether they're worth pursuing... guess I should add "If so, how
much would you pay for it?" to the last question :-).
Thanks!
Steve
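To make the ambiguity concrete, here is a small added example (not from the post or any product it names) that models one overlapping-segment plus low-TTL evasion and the three defences listed above. Segment contents, the host profile, hop counts and the two reassembly policies ("first wins" and "last wins") are constructed for illustration; real stacks have more policies than these two, and real normalizers do considerably more than this sketch.

```python
"""Ambiguous TCP reassembly (Ptacek & Newsham style) and the three defences
from the post: inline normalization, target-based profiles, bifurcation.
Constructed example: segments, hosts, hop counts and policies are made up.
"""
from dataclasses import dataclass

POLICIES = ("first", "last")   # simplified stand-ins for real stack behaviours


@dataclass
class Segment:
    seq: int          # relative sequence number of the first payload byte
    data: bytes
    ttl: int = 64     # IP TTL as observed at the monitoring point


def reassemble(segments, policy, hops_to_target=0):
    """Rebuild the stream a host using `policy` would see.

    'first': bytes already buffered win over later overlapping data.
    'last':  later overlapping data overwrites the buffer.
    A segment whose TTL runs out before the target (ttl <= hops_to_target)
    never arrives there and is skipped; a monitor that ignores TTL passes 0.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for seg in segments:                       # arrival order matters
        if seg.ttl <= hops_to_target:
            continue                           # expired in transit
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    return bytes(buf[i] for i in sorted(buf))  # gaps are simply skipped here


def normalize(segments, min_ttl):
    """Approach 1, inline normalizer: rewrite traffic so every stack sees the
    same stream. Segments below `min_ttl` are dropped and bytes that overlap
    data already forwarded are trimmed, so conflicting retransmissions never
    reach the receiver and the first/last distinction disappears."""
    seen, out = set(), []
    for seg in segments:
        if seg.ttl < min_ttl:
            continue
        run_start, run = None, bytearray()
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:                    # already forwarded: trim it
                if run:
                    out.append(Segment(run_start, bytes(run), seg.ttl))
                    run_start, run = None, bytearray()
                continue
            if run_start is None:
                run_start = off
            run.append(byte)
            seen.add(off)
        if run:
            out.append(Segment(run_start, bytes(run), seg.ttl))
    return out


def target_based(segments, dst, profiles, default=("first", 0)):
    """Approach 2: reassemble the way the destination host would, using a
    (policy, hop count) profile learned for it; unknown hosts get a default."""
    policy, hops = profiles.get(dst, default)
    return reassemble(segments, policy, hops)


def bifurcate(segments, max_hops):
    """Approach 3: evaluate every interpretation and return the distinct
    streams; more than one means the flow is ambiguous and must be flagged
    (or every variant matched against the rules)."""
    return {reassemble(segments, p, h)
            for p in POLICIES for h in range(max_hops + 1)}


# Constructed flow: a chaff segment the monitor sees but the server never gets,
# overlapped by the bytes the server really receives.
FLOW = [
    Segment(0, b"GET /"),
    Segment(5, b"index.html", ttl=2),   # dies before reaching the server
    Segment(5, b"admin.html", ttl=64),  # what the server actually reassembles
]
PROFILES = {"10.0.0.5": ("first", 3)}   # constructed host profile: policy, hops


if __name__ == "__main__":
    print("naive 'first' monitor :", reassemble(FLOW, "first"))
    print("naive 'last' monitor  :", reassemble(FLOW, "last"))
    print("target-based          :", target_based(FLOW, "10.0.0.5", PROFILES))
    normed = normalize(FLOW, min_ttl=5)
    print("normalized, any policy:", reassemble(normed, "first"), reassemble(normed, "last"))
    print("bifurcated variants   :", bifurcate(FLOW, max_hops=3))
```

Note what the normalizer does without a TTL floor (`normalize(FLOW, 0)`): it still removes the ambiguity, but it freezes the stream on the chaff that never reached the server, so the output is consistent and wrong. That is why Handley et al. treat TTL as something the normalizer itself has to handle, not only overlap.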