[Snort-users] ask about hack program to go through the firewall

Matt Kettler mkettler at ...4108...
Thu Sep 19 12:52:07 EDT 2002


In theory, nobody needs an IDS if their firewall is strong enough to 
prevent all attacks... Of course, the only firewall strong enough for that 
is a cut cable.

On the same note, nobody would need an alarm system if their office 
building was tough enough to prevent all break-in attempts, but that 
building would be a solid concrete block with no doors or windows.


In practice most firewalls block "unreasonable access" to particular 
machines or ports, but they don't often block "unreasonable data" contained 
in a reasonable access.

Sure some firewalls do examine application layer data, but not all do, and 
even the ones that do only examine it in a limited fashion. Will your 
firewall block an invalidly formatted HTTP GET request to a valid 
webserver? Will it block an invalidly large response? Does it cover all 
data formats for all DNS packets? What about SMTP, IM, POP, and all of the 
myriad of other protocols out there? Will it notice if someone connects to 
your DNS server via TCP and sends a large sequence of NOPs (generally found 
in a stack smash)?


At 05:30 AM 9/19/2002 -0700, ardi wrote:
>My point here is do we need an IDS if the firewall is
>strong enough to block the attack..??
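An added illustration of the access-versus-data distinction drawn above; this is example code, not from the original post or from Snort. It models a port-based filter beside two content checks and runs both over constructed packets. The single-segment packet model, the 32-byte NOP threshold and the request-line pattern are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # assumed: one whole request per packet (no reassembly)

# "Reasonable access": the address/port decision a typical firewall makes.
ALLOWED = {("tcp", 80), ("tcp", 53), ("udp", 53)}

def firewall_allows(pkt: Packet) -> bool:
    return (pkt.proto, pkt.dport) in ALLOWED

# "Unreasonable data": payload checks an IDS adds on top of the port decision.
# 32 consecutive x86 NOP bytes (0x90) is an assumed threshold for a NOP sled.
NOP_SLED = re.compile(rb"\x90{32,}")
# A well-formed HTTP/1.x request line; anything else on port 80 is flagged.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) \S+ HTTP/1\.[01]\r\n")

def ids_alerts(pkt: Packet) -> List[str]:
    alerts = []
    if pkt.proto == "tcp" and pkt.dport == 53 and NOP_SLED.search(pkt.payload):
        alerts.append("NOP sled in TCP DNS payload")
    if pkt.dport == 80 and not REQUEST_LINE.match(pkt.payload):
        alerts.append("malformed HTTP request line")
    return alerts

def inspect(pkt: Packet) -> dict:
    # Shows both verdicts side by side: the firewall sees only the port,
    # the IDS sees the payload carried over that permitted port.
    return {"firewall_allows": firewall_allows(pkt), "ids_alerts": ids_alerts(pkt)}

# Constructed sample traffic (not captured data).
SAMPLES = {
    "normal_get":  Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "bad_get":     Packet("tcp", 80, b"GET /cgi-bin/x\r\n"),           # no HTTP version
    "nop_dns":     Packet("tcp", 53, b"\x00\x80" + b"\x90" * 200 + b"\xcc"),
    "ssh_blocked": Packet("tcp", 22, b"SSH-2.0-OpenSSH\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect(pkt))
```

The "nop_dns" packet is the case the post describes: the firewall passes it because TCP/53 is allowed, and only the payload check reports it.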




