
Network Security Focus-IDS

RE: Checkpoint SmartDefense

Subject: RE: Checkpoint SmartDefense
Date: Fri, 20 May 2005 14:40:49 -0500
Another option that can be used instead of the default SQL injection 
protection is the "worm catcher" - you can write pretty good regular 
expressions here that are much more granular than the SQL Injection 
checks.  Just keep in mind - I would never *ever* enable the worm 
catcher for "all traffic" - I would apply it to defined servers - 
otherwise - in large environments that serve a lot of HTTP traffic, it 
can and will bring your firewall to its knees.


Chuck "Spence" Fasching 
Senior Systems Engineer 
952.767.5111 - Office 
612.616.5080 - Mobile 
Milestone Systems 
charles.fasching@milestonesystems.com 



-----Original Message-----
From: Ofer.Shezaf [mailto:Ofer.Shezaf@breach.com] 
Sent: Thursday, May 19, 2005 6:13 PM
To: ferg; focus-ids
Subject: RE: Checkpoint SmartDefense



From: Fergus Brooks [mailto:fergwa@gmail.com]
Sent: Wednesday, May 18, 2005 2:10 PM

....

I am getting some mixed messages regarding this feature.

1) Does it detect zero day attacks in real time and 
recommend/implement remediation

As my expertise is web applications security, I can comment only on the 
web (port 80/443) functionality of SmartDefense (as well as 
WebIntelligence, its younger sibling). SmartDefense may provide better 
value for other protocols.

Zero day attack detection is a tricky business. Behind the marketing 
brochures, SmartDefense and WebIntelligence are mostly misuse based (i.e. 
signature based) and therefore are not well adjusted to zero day 
protection.

I personally feel that the signatures are also on the weak side for 
attacks such as SQL injection or XSS, especially since tighter security 
(that is more signatures) is usually not practical, as discussed below.


2) How intelligent is it?


The one feature that seems to be more intelligent is detection of binary 
code in input. It also seems like the one that has potential to detect 
zero day attacks for buffer overflows. I don't have personal experience 
with this one (always off). Any input is welcomed.

3) Is it difficult to configure & maintain?


It is actually too easy to maintain. It has very "buzzword" centric 
configuration (block "XSS", block "SQL injection" - no finer 
configuration). 

As configuration is on the rough side, I think that in real-world 
situations many of the protections have to be either off or on low 
(options are usually: off, low, medium and high). For example, medium 
security for SQL injection includes detecting words such as select or 
join - both impractical in the real world.

Lack of fine grained configuration is not limited to signatures, it is 
also true for applications - the security level for each category is 
determined on a site level, so if you have a free text field that is 
prone to include the word "select" you cannot exclude it but rather have 
to lower security for the entire site. 

4) Is this feature different on the Interspect and standard FW-1 boxes


Any comments and real world examples greatly appreciated!

Thanks & regards.


Bottom line - if web security is your concern this is hardly the way to 
protect your site. It may be better for other protocols. I would go for 
mod_security, which provides much better configurability for a much 
lower price, or a full blown application firewall which provides much 
more security.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers@breach.com
http://www.breach.com

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT. Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
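The thread's central point (a site-wide "medium" keyword signature for select/join fires on ordinary free text, while a regex scoped to a defined server or parameter, as with the worm catcher or a mod_security rule, does not) as an added illustration; this is constructed example code, not Check Point's, mod_security's or either poster's, and the requests, parameter names and patterns are all assumed for the demonstration:

```python
import re

# Constructed sample form submissions (parameter -> value); not real traffic.
REQUESTS = [
    {"id": "1", "comment": "Please select a join date for the team"},   # benign free text
    {"id": "42", "comment": "great product, will buy again"},           # benign
    {"id": "1 UNION SELECT name, pass FROM users", "comment": "hi"},    # textbook injection attempt
]
BENIGN = [True, True, False]  # ground truth for the three requests above

# 1) Site-level "medium" style check as described in the thread: the bare words
#    select/join in any parameter of any request flag the whole request.
SITE_LEVEL_MEDIUM = re.compile(r"\b(select|join)\b", re.IGNORECASE)

def site_level_check(request):
    """True if the site-wide keyword signature would block this request."""
    return any(SITE_LEVEL_MEDIUM.search(v) for v in request.values())

# 2) Per-parameter rules in the spirit of a granular worm-catcher regex or a
#    mod_security rule scoped to one server: an allowlist for the numeric id,
#    and a structural SQL pattern (keyword plus clause) for the free-text field
#    instead of a bare keyword.
SQL_STRUCTURE = re.compile(r"\bunion\s+(all\s+)?select\b|\bselect\b.+\bfrom\b",
                           re.IGNORECASE)
PARAM_RULES = {
    "id": lambda v: re.fullmatch(r"\d+", v) is None,          # anything but digits is anomalous
    "comment": lambda v: SQL_STRUCTURE.search(v) is not None,  # needs SQL structure, not a word
}

def per_parameter_check(request):
    """True if any parameter-specific rule flags this request."""
    return any(rule(request.get(name, "")) for name, rule in PARAM_RULES.items())

def evaluate(policy):
    """Block decision for each constructed request under the given policy."""
    return [policy(r) for r in REQUESTS]

def false_positives(policy):
    """How many benign requests the policy would block."""
    return sum(1 for blocked, benign in zip(evaluate(policy), BENIGN) if blocked and benign)

if __name__ == "__main__":
    for policy in (site_level_check, per_parameter_check):
        print(policy.__name__, evaluate(policy), "false positives:", false_positives(policy))
```

The site-level check blocks the first (benign) request because of the words "select" and "join"; the scoped rules pass it and still flag the injection attempt on the id parameter.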
