From: Chris Brenton (cbrenton@chrisbrenton.org)
Date: Thu Dec 22 2005 - 08:51:26 EST
On Wed, 2005-12-21 at 08:24 -0500, Dave Bush wrote:
>
> I'm going with "Well I read..." for my info on this, but the article
> by Ed Skoudis and Mike Poor
I'm certainly not Mike or Ed, but I do sometimes pay them on TV. ;-)
> From their reviews I'd be probably most interested in either the Top
> Laywer box or the ISS box. Ths ISS box uses closed signatures, which
> I'm not thrilled about,
The big problem with a closed signature language is zero tweaking. False
positives are a fact of life and when you are dealing with a closed
signature language your choices are either "on" or "off" and that's it.
You can't tweak the sig to weed out false positives while still having a
functional signature. You can't even tweak the sig to catch possible
variations of the attack. In short, you are stuck with what the vendor
ships you. If your network matches their interpretation of "the average
network", life is good. If not, your hosed. Mike goes into even more
detail about this whenever he lectures.
> but they found it to have "stellar detection."
Remember that an IPS is nothing more than a stateful inspection firewall
that also tries to match malicious patterns in the payload. With this in
mind, you are talking about being limited to detecting known attacks
only. So if your IPS vendor can get you a sig (or you can write one
yourself) faster than you can patch the vulnerability, there is value
add to having an IPS. If not, well, you are doing little more than
detecting and weeding out attacks that you are not vulnerable to
anyways. IMHO there are cheaper ways of getting this warm fuzzy and
feeling.
There is an exception to this, which is another approach that is taken
by some IPS vendors. This involves checking for indications of a
successful attack. For example a packet headed out to the Internet that
contains the string "C:\" could be considered suspicious and a possible
indication that an attack has breached the perimeter. Nice thing about
weeding these out is you have the potential to block 0-day because you
are detecting on the actual problem rather than just a symptom.
Of course this brings us back to the closed signature language thing.
What if the above simple pattern generates false positives? You now
either live with reduced functionality or need to disable a sig that
could be extremely useful. If you have access to the sigs, you simply
tweak to avoid the false positive condition and life is cool.
Please note that I'm implying that IPS is useless. I'm simply saying its
not magick to cure all that ails you and that its a security tool like
many others with strengths and weaknesses. Everyone's network is
different so what works in one environment may bomb in another. It
really depends on traffic patterns, what other security measures are in
play, and a host of other variables.
HTH & happy holidays,
Chris
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:17 EDT