Darren writes:
> Well then IDS software needs to be smarter. IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points. Maybe this means telling your IDS software how
> big your network is so it can make intelligent decisions about how far
> a packet will go based on its TTL.

Actually it depends. Behind the firewall you can set the red flags to be very sensitive. Packets that should -never- be there send up big red flags and page people, because the FW failed. In front of the FW gives you more info, to be sure, but also a lot of noise that your FW would block anyway. Depends on whether you want to hear the door rattlers (millions of them) or not.

> IP Fragmentation is rare across the WAN, maybe, but anyone who's used
> NFSv2 knows how common it is on the LAN.

Actually, with load balancing gear frags are more and more prevalent even on the WAN.

> There are good reasons NOT to do reassembly and I imagine those that do
> not do so because they understand this better than the desire to simply
> add yet another feature which some consider "cool".

True, except if you can't guarantee that you will see the whole packet through the SAME interface. We tripped over this a few times with SunScreen doing stateful inspection (a good thing most of the time). Anywhere from 1/2 to more of the traffic was going through a different router, and the Firewall was sitting there holding 1/2 of the packet in a memory buffer that would never get freed. Eventually you get enough of these that the network slows down or the FW runs out of memory. HPux was notorious for opening a buffer for frags and never freeing the buffer. The easy way to bring HP's to their knees :-)

Brad Powell
HOME: [EMAIL PROTECTED]
WORK: [EMAIL PROTECTED]
-------------------------------------------------------------------------
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
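The half-held-fragment problem described above, as an added example that is not part of the original post and is not SunScreen or HP-UX code: a toy reassembly table (hypothetical `Reassembler` class, simplified byte offsets instead of 8-byte fragment units, constructed sample fragments on private addresses) showing that when only the first fragment of each datagram crosses this device, one entry per datagram stays pinned until something evicts it, and how a reassembly timeout and a hard cap on pending datagrams bound that state.

```python
# Fragment reassembly state on a stateful inspection device, and what happens
# when asymmetric routing delivers only part of each datagram to this box.
# Added example: the Reassembler class is hypothetical and the fragment layout
# is simplified (byte offsets, no IP header parsing). Not vendor code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this payload (real IP counts in 8-byte units)
    more: bool      # MF flag: False only on the last fragment
    payload: bytes


Key = Tuple[str, str, int, int]   # (src, dst, proto, ident) identifies one datagram


@dataclass
class Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                           # known once MF=0 arrives

    def complete(self) -> bool:
        """True when the pieces cover [0, total_len) with no gaps."""
        if self.total_len is None:
            return False
        expected = 0
        for off in sorted(self.pieces):
            if off != expected:
                return False
            expected = off + len(self.pieces[off])
        return expected == self.total_len


class Reassembler:
    def __init__(self, timeout: float = 30.0, max_pending: Optional[int] = None):
        self.timeout = timeout            # seconds a half-built datagram may be held
        self.max_pending = max_pending    # None reproduces the "never freed" behaviour
        self.table: Dict[Key, Pending] = {}

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Store one fragment; return the reassembled payload when complete."""
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        entry = self.table.get(key)
        if entry is None:
            if self.max_pending is not None and len(self.table) >= self.max_pending:
                self.expire(now)                 # free stale state before refusing
                if len(self.table) >= self.max_pending:
                    return None                  # hard cap: drop rather than grow
            entry = self.table[key] = Pending(first_seen=now)
        entry.pieces[frag.offset] = frag.payload
        if not frag.more:
            entry.total_len = frag.offset + len(frag.payload)
        if entry.complete():
            del self.table[key]
            return b"".join(entry.pieces[o] for o in sorted(entry.pieces))
        return None

    def expire(self, now: float) -> int:
        """Drop every pending datagram older than the timeout; return how many."""
        stale = [k for k, p in self.table.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def pending(self) -> int:
        return len(self.table)


def two_fragment_datagram(ident: int) -> List[Fragment]:
    """Constructed sample: a 16-byte UDP datagram split into two 8-byte fragments."""
    return [
        Fragment("10.0.0.5", "10.0.1.7", 17, ident, 0, True, b"A" * 8),
        Fragment("10.0.0.5", "10.0.1.7", 17, ident, 8, False, b"B" * 8),
    ]


def reassemble_symmetric(r: Reassembler) -> Optional[bytes]:
    """Both fragments cross this device (last one first); the datagram completes."""
    first, last = two_fragment_datagram(1)
    r.add(last, now=0.0)
    return r.add(first, now=0.1)


def hold_under_asymmetric_routing(r: Reassembler, n: int, now: float) -> int:
    """Only the first fragment of each of n datagrams reaches this device; the
    second went via the other router. Returns how many half-datagrams are held."""
    for ident in range(n):
        r.add(two_fragment_datagram(ident)[0], now)
    return r.pending()
```

With `max_pending=None` and no call to `expire()`, `hold_under_asymmetric_routing` leaves exactly one entry per datagram in the table for as long as the process lives, which is the slow-growth-then-exhaustion pattern the post describes; the timeout sweep or the cap is what keeps a stateful device honest when it cannot see both halves of a flow.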
