traffic normalizer for ipfw?

Kurt Seifried listuser at seifried.org
Fri Feb 20 01:21:50 PST 2004


> > It's not like you HAVE to use it. It's an option, you can use it, or not. As
> > far as the semantic arguments of firewalls/IDS/IPS/etc (technically I'd say
> > scrub is more an IPS style feature than IDS since it actively manipulates
> > the data to make it less "dangerous") please let's not go there, it's
> > pointless.
>
> Cripes, and you claim to be a publisher of security related information?
>
> Well, I suppose if you are then you're press and we all know how good
> the press are at getting technical things "right".

If you really must flame me can you do it offlist to spare everyone the
tedium? BTW since when am I "the press"? This is news to me.

> "scrub" won't do a damn thing about making data "less dangerous".
> And it's not an IPS either (it won't do anything about preventing
> someone from using an IIS/apache exploit in your web farm.)

No but it will prevent some protocol level exploits/etc that can make
applications and systems puke their guts up (yes, some TCP-IP stacks suck
that much). Stopping a denial of service attack (intentional or otherwise)
sounds like a typical IPS related function, not an IDS function. In any
event this sort of proves how pointless the IDS/IPS argument is (everyone
is quite happy to disagree on what they are/do).

> All it does is try and clean off rough edges of packet header fields
> so that they fit into an IDS's picture of the world more easily.
>
> That's it.  Well, they have extended the 'scrub' facility to do other
> things that could just as easily be done elsewhere but it is definitely
> NOT an IPS (and anyone selling it as such is a fraud.)

Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
IPS. In any event this sort of proves how pointless the IDS/IPS argument is
(everyone is quite happy to disagree on what they are/do).

If you want to continue this discussion off list in a civil manner I'd be
glad to, otherwise I'm done.

> Darren

-Kurt


