Re: Open source firewalls

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: RVK <rvk@prodmail.net>
To: Helge Hafting <helge.hafting@aitel.hist.no>
Cc: Vinay Venkataraghavan <raghavanvinay@yahoo.com>,
	linux-crypto@nl.linux.org, linux-kernel@vger.kernel.org
Subject: Re: Open source firewalls
Date: Thu, 14 Jul 2005 15:54:10 +0530	[thread overview]
Message-ID: <42D63D4A.2050607@prodmail.net> (raw)
In-Reply-To: <42D63AD0.6060609@aitel.hist.no>

I don't think buffer overflow has anything to do with transparent proxy. 
Transparent proxying is just doing some protocol filtering. Still the 
proxy code may have some buffer overflows. The best way is first to try 
avoiding any buffer overflows and take programming precautions. Other 
way is to chroot the services, if running it on a firewall. There are 
various mechanisms which can be used like bounding the memory region it 
self. Stack Randomisation and Canary based approaches can also avoid any 
buffer overflow attacks.
IDS runs on L7, best example is snort. Its not possible for IDS to 
detect these attacks accurately.

rvk

Helge Hafting wrote:

> Vinay Venkataraghavan wrote:
>
>> I know how to implement buffer overflow attacks. But
>> how would an intrusion detection system detect a
>> buffer overflow attack.
>>
> Buffer overflow attacks vary, but have one thing in common.  The
> overflow string is much longer than what's usual for the app/protocol in
> question.  It may also contain illegal characters, but be careful -
> non-english users use plenty of valid non-ascii characters in filenames,
> passwords and so on.
>
> The way to do this is to implement a transparent proxy module for every
> protocol you want to do overflow prevention for.  Collect the strings
> transmitted, pass them on after validating them.  Or reset the
> connection when one gets "too long".  For example, you may want to
> limit POP usernames to whatever the maximum username length is
> on your system.  But make such things configurable, others may
> want longer usernames than you.
>
>> My question is at the layer
>> that the intrusion detection system operates, how will
>> it know that a particular string for exmaple is liable
>> to overflow a vulnerable buffer.
>>
>>
>>
> It can't know of course, but it can suspect that 1000-character
> usernames, passwords or filenames is foul play and reset the
> connection.  Or 10k URL's . . .
>
> Helge Hafting
>
> -
> To unsubscribe from this list: send the line "unsubscribe 
> linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> .
>

next prev parent reply	other threads:[~2005-07-14 10:26 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-07-13 16:34 Open source firewalls Vinay Venkataraghavan
2005-07-13 16:47 ` Alejandro Bonilla
2005-07-13 17:00   ` Maciej Soltysiak
2005-07-13 17:04 ` Nigel Rantor
2005-07-14 10:13 ` Helge Hafting
2005-07-14 10:24   ` RVK [this message]
2005-07-14 12:20     ` Helge Hafting
2005-07-14 12:20       ` RVK
2005-07-14 13:06         ` Helge Hafting
2005-07-14 14:04           ` RVK
2005-07-14 22:53         ` Buffer Over-runs, was " Brian O'Mahoney
2005-07-15  6:41           ` RVK
2005-07-15  6:51             ` Arjan van de Ven
2005-07-15  8:26               ` RVK
2005-07-15  8:46                 ` Arjan van de Ven
2005-07-15  9:28                   ` RVK
2005-07-15  9:29                   ` RVK
2005-07-15 11:17                   ` RVK
2005-07-15 11:24                     ` Arjan van de Ven

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=42D63D4A.2050607@prodmail.net \
    --to=rvk@prodmail.net \
    --cc=helge.hafting@aitel.hist.no \
    --cc=linux-crypto@nl.linux.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=raghavanvinay@yahoo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox