Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: IPS vs. Firewalls (why vs. ?)
From: Gabriele Buratti <gabriele.buratti () netasq com>
Date: Wed, 08 Feb 2006 04:20:47 +0100

Ben Nagy wrote:
- when used as reverse proxies for incoming connections you
always have
that listening ports on the proxy-firewall. Listening ports means
attackable ports.

Absolute FUD! Any time you're parsing network traffic you're prone to
attack, whether or not the port is open. The only attacks you're mitigating
by 'no open ports' are pure attacks against the TCP/IP stack of the network
appliance. The Snort BO preprocessor and the million remote ethereal attacks
should be clear warnings here.

Ouch ... probably victim of my own marketing here :o

Well sure, you can use the term, but will it deliver? Let's take the WMF
0day as an example. I will bet $$$ that no IPS stopped it on release day,
unless they stopped all WMF. In fact, I'd be prepared to bet $$$ that no IPS
stops it _now_ if you don't count stopping one or two versions of existing,
published POC. There are about a million ways I can get a malicious WMF to
an unpatched host. How about inside an SSL web page as an IFRAME? Chunked?
MTU-aligned? What about the metasploit randomised Escape() pad version?

Here's HDM (one of the metasploit guys, in case anyone lives under a rock):

"there are so many ways to encode a
valid WMF graphic that any signature-based IDS is going to fail at least
one case. For example, there three different optional headers that can be
placed before the real WMF header. You can insert megabytes of filler
data between the vulnerable record types and even with a by-the-spec WMF
preprocessor, you can abuse bugs in the GDI api to specify invalid record
types that are still accepted."

0day is magic, but not always magic. It works in certain cases, and today looks like one of the best things one can do. Probably one day we'll laugh at 0day word like today we're laughing at the old myth of the IDS being the best security solution.


Attachment: gabriele.buratti.vcf

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]