Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Definition of Zero Day Protection

from [Teicher, Mark (Mark)] Network Security [Permanent Link]
Subject: RE: Definition of Zero Day Protection
Date: Mon, 9 Aug 2004 14:50:49 -0600 
Brian,

I under the definition of zero day exploit, and zero day
vulnerabilities, I was looking for the definition of the Zero Day
Protection concept, since it very confusing for us newbies to Intrusion
Detection and Intrusion Prevention.

/mark

-----Original Message-----
From: Brian Smith [mailto:bsmith@tippingpoint.com] 
Sent: Monday, August 09, 2004 02:45 PM
To: Carey, Steve T GARRISON; Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection

It's important to distinguish between zero day exploits and zero day
vulnerabilities.  Zero day exploits exploit a known vulnerability with a
new exploit (like Code Red vs. Code Red II).
Zero day vulnerabilities are flaws in software that no one knows about
except the attacker.

Several products (TippingPoint, MacAfee, ISS, to name a few) can detect
and block zero day exploits by detecting network traffic that tries to
exploit the underlying vulnerability.  These all work by decoding the
application request and checking that the network traffic is attempting
to exploit the underlying vulnerability.

Zero day vulnerabilities are another animal entirely.  These are
detected (if at all) by noticing statistical or behavioral anomalies.
For example, they might detect a sudden surge in UDP traffic destined
for a particular port, or notice that two machines are starting to
communicate on a port that they've never used before.  There's no known
way to surgically block just the bad traffic in that case.  As Steve
says, blocking traffic detected by behavioral/statistical anomalies will
sometimes block new applications.

Several products offer mitigation strategies to limit the new traffic's
ability to impact existing applications (e.g., they might rate limit the
UDP traffic to 1 Mbps so it doesn't swamp you network), but I don't know
of any product that can block zero day vulnerabilities with blocking
legitimate traffic.  If a vendor thinks their product can block zero day
vulnerabilities without blocking legitimate traffic, please post the
details of how your product works.  I'm sure everyone here would love to
get some hard facts on this type of technology.

        Brian Smith


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Definition of Zero Day Protection, Brian Smith
Next by Date:  Re: Definition of Zero Day Protection, Frank Knobbe
Previous by Thread:  RE: Definition of Zero Day Protection, Brian Smith
Next by Thread:  RE: Definition of Zero Day Protection, Brian Smith
Indexes:  [Date] [Thread] [Top] [All Lists]