OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Blue Boar (BlueBoar_at_thievco.com)
Date: Wed Oct 23 2002 - 16:29:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Anton Aylward wrote:
    > On Wed, 2002-10-23 at 16:34, Blue Boar wrote:
    >>The specifics aren't important. The number of way to implement some
    >>attacks, and the number of ways to bypass an IDS are also infinite.
    > I doubt that, but even if it is so, and IDS is limited to the network
    > whereas a convert channel could - as I illustrated - be anything. It
    > cold be whether I leave my blinds open at night. in this case, the set
    > of covert channels is transfinite.

    If you want to take covert channels outside of the realm of computer
    networks, there's no reason the concept of an IDS couldn't as well. The
    airport x-ray IDS is perfectly capable of detecting the midget-in-luggage
    attack.

    >
    > Let me make that clear. An IDS is working with a finite number of
    > channels on a bound and finite media, with a bound set of protocols.
    > The messages may be infinite in detail but are enumerable (and actually
    > computable) by class. A covert channel may be one of an infinite number
    > of possible mediums, not just the network, with an indeterminate
    > protocol.

    But who cares? The question asked was whether it would be possible to make
    a covert channel detector product. My answer is that you can do as much
    with a covert channel detector as with an IDS. So your assertion that an
    IDS does less doesn't much affect my statement.

    >>You
    >>can make a covert channel detector that is as much of a "success" as an IDS
    >>product. Just because it's always possible to bypass an IDS, or virus
    >>scanner, etc.. does not mean the product has no value.
    > Not so.
    > Bypassing an IDS is one of two ways:
    > 1) it doesn't know the pattern - limit to the IDS
    > 2) you didn't set it up right, which may be architectural.

    Those aren't the only ways to bypass an IDS. But again, what does that
    have to do with an IDS having value?

    > What you are asking for in a CoChDS is an "intelligence".

    No, what I'm saying is that you can make a "product" that checks for any
    number of known network-based covert channels, and you'll have something
    that is of some utility.

                                            BB