Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to choose an IDS/FW MSS provider

from [Jason] Network Security [Permanent Link]
Subject: Re: How to choose an IDS/FW MSS provider
Date: Wed, 16 Mar 2005 18:08:12 -0500 
inline.

[...]


Just cause your in L2 mode doesn't make you immune to attack
(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump). The box still
has to process packets just like any other L3 app. I'm not sure how bridge
mode makes a box "invisible". Besides, the device still needs an IP on the
local network for management. Sounds like security through obscurity to me.



Invisible in the sense that the interfaces that pass traffic do not have IP addresses. And yes, the device must have an IP address on the management side, but that's generally deeper in the network. I'm not sure that's obscurity... that's simply smart management. Many customers have completely out of band management networks. And yes, it's possible to compromise systems that are simply sniffing... but it's much harder. I know of only one product that's been successfully remotely exploited in this manner, and the only reason that happened was because it was an opensource product that allows hackers to read the source code and look for ways to compromise it. 

Hmm, apparently your FUD thrower needs an update :-)

http://www.google.com/search?q=witty+iss

Last time I checked ISS was closed source.

Then there is the Enterasys code that is apparently available for sale. ( http://tinyurl.com/3s84g ) IIRC the NFR sources were floating around a few years back too. The moral of the story is that sources are easy to come across if you want them and being closed only offers an obscurity advantage.

http://www.caida.org/analysis/security/witty/

While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

* Witty was the first widely propagated Internet worm to carry a destructive payload.
* Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
* Witty represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized.
* Witty spread through a host population in which every compromised host was doing something proactive to secure their computers and networks.
* Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.



With the obvious success of IPS technologies at the perimeter, I find it
hard to believe that IPS and FW technologies will remain disparate
technologies for more than a few more years. The IPS vendors need to do one
of two things:

1. Find a good firewall vendor to acquire them or
2. Build a full featured firewall from scratch.



IPS technologies are actually just as (if not more) successful internally than on the perimeter. I would argue that they are not disparate technologies even today. NFR's appliances are essentially FreeBSD based, and so we've integrated FreeBSD's pf into the product which is a fully functional firewall. It's providing the pretty GUI overlay that CheckPoint and other traditional firewall vendors have had for years that is the hard part. Fortunately, we (the collective IPS vendor market as a whole) get to learn from their mistakes and successes.


The IPS cannot be _in_ the networks to be protected and must remain at the borders. This means that you can have systems compromised within the internal borders and still end up with a big mess. An IPS is a useful tool for mitigating nuisance issues and rapidly moving threats only if it can respond before those threats occur. In the case of witty it was the threat. What if those systems had been inline?

Defense in depth is the key element and if you combine the FW and the Inline device or not you still have to monitor the networks to really know what is happening. How do you effectively prevent the exploitation of the Microsoft GDI+ vulnerabilities by dropping packets on a gigabit core? On a 100Mbs segment?

I will argue that you cannot.


Disclaimers:
- I have never seen any of the source code mentioned.
- I do not know that those sources are actually available.
- I work for a vendor.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Next by Date:  RE: Snortgoing commercial, Harper, Patrick
Previous by Thread:  RE: How to choose an IDS/FW MSS provider, Stuart Staniford
Next by Thread:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Indexes:  [Date] [Thread] [Top] [All Lists]