[Snort-users] ask about hack program to go through the firewall
mkettler at ...4108...
Thu Sep 19 12:52:07 EDT 2002
In theory, nobody needs an IDS if their firewall is strong enough to
prevent all attacks... Of course, the only firewall strong enough for that
is a cut cable.
On the same note, nobody would need an alarm system if their office
building was tough enough to prevent all break-in attempts, but that
building would be a solid concrete block with no doors or windows.
In practice most firewalls block "unreasonable access" to particular
machines or ports, but they don't often block "unreasonable data" contained
in a reasonable access.
Sure some firewalls do examine application layer data, but not all do, and
even the ones that do only examine it in a limited fashion. Will your
firewall block an invalidly formatted HTTP GET request to a valid
webserver? Will it block an invalidly large response? Does it cover all
data formats for all DNS packets? What about SMTP, IM, POP, and all of the
myriad of other protocols out there? Will it notice if someone connects to
your DNS server via TCP and sends a large sequence of NOPs (generally found
in a stack smash)?
At 05:30 AM 9/19/2002 -0700, ardi wrote:
>My point here is do we need an IDS if the firewall is
>strong enough to block the attack..??
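As an added illustration of the access-versus-data distinction in the reply above (example code, not from the original thread): a port-only policy passes both the DNS-over-TCP and HTTP packets, while a payload check flags the NOP run and the malformed request line. The policy, thresholds and sample packets are all constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # application-layer bytes of the first segment

# Constructed access policy: the firewall permits only DNS and HTTP to this host.
ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 80)}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# 32 or more consecutive 0x90 (x86 NOP) bytes, the pattern the post mentions
NOP_RUN = re.compile(rb"\x90{32,}")

def firewall_allows(pkt: Packet) -> bool:
    """Access check only: is this protocol/port pair permitted at all?"""
    return (pkt.proto, pkt.dst_port) in ALLOWED

def ids_alerts(pkt: Packet) -> list:
    """Data check: inspect the payload of a connection the firewall let through."""
    alerts = []
    if pkt.proto == "tcp" and pkt.dst_port == 80 and not REQUEST_LINE.match(pkt.payload):
        alerts.append("malformed HTTP request line")
    if NOP_RUN.search(pkt.payload):
        alerts.append("long NOP run in payload")
    return alerts

def triage(packets):
    """For each packet: (passed the firewall?, IDS alerts raised on what passed)."""
    results = []
    for pkt in packets:
        allowed = firewall_allows(pkt)
        results.append((allowed, ids_alerts(pkt) if allowed else []))
    return results

# Constructed sample traffic (not real captures).
SAMPLE = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", 80, b"GET " + b"A" * 4096 + b"\r\n"),            # oversized target, no version
    Packet("tcp", 53, b"\x00\x50" + b"\x90" * 64 + b"\x00" * 16),  # DNS-over-TCP carrying a NOP run
    Packet("tcp", 23, b"\xff\xfd\x18"),                            # telnet, not in the policy
]

if __name__ == "__main__":
    for pkt, (allowed, alerts) in zip(SAMPLE, triage(SAMPLE)):
        print(f"{pkt.proto}/{pkt.dst_port}: firewall={'pass' if allowed else 'drop'} ids={alerts}")
```

The third packet is the post's DNS case: the firewall sees only an allowed port 53 connection, and only the payload check notices the NOP sequence.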