From: Darren Reed
Message-Id: <200402200931.i1K9V9HV010992@caligula.anu.edu.au>
To: listuser@seifried.org
cc: freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 20:31:09 +1100 (Australia/ACT)
In-Reply-To: <028101c3f792$eaf115a0$1400000a@bigdog> from "Kurt Seifried" at Feb 20, 2004 02:21:27 AM
Subject: Re: traffic normalizer for ipfw?

In some mail from Kurt Seifried, sie said:
>
> > "scrub" won't do a damn thing about making data "less dangerous".
> > And it's not an IPS either (it won't do anything about preventing
> > someone from using an IIS/apache exploit in your web farm.)
>
> No but it will prevent some protocol level exploits/etc that can make
> applications and systems puke their guts up (yes, some TCP-IP stacks suck
> that much). Stopping a denial of service attack (intentional or otherwise)
> sounds like a typical IPS related function, not an IDS function. In any
> event this sort of proves how pointless the IDS/IPS argument is (everyone
> is quite happy to disagree on what they are/do).

You don't need normalising to achieve that.

Why would you want to normalise bad packets into good ones so you can
let them in rather than drop them?

> Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
> IPS.

[...from your earlier text:...]
> > > far as the semantic arguments of firewalls/IDS/IPS/etc
> > > (technically I'd say scrub is more an IPS style feature
> > > than IDS since it actively manipulates
[...]

So you're not selling it as an IPS there?

Darren