Re: IPS vs. Firewalls (why vs. ?)
From: Gabriele Buratti <gabriele.buratti () netasq com>
Date: Wed, 08 Feb 2006 04:20:47 +0100
Ben Nagy wrote:
> > - when used as reverse proxies for incoming connections you
> > that listening ports on the proxy-firewall. Listening ports means
>
> Absolute FUD! Any time you're parsing network traffic you're prone to
> attack, whether or not the port is open. The only attacks you're mitigating
> by 'no open ports' are pure attacks against the TCP/IP stack of the network
> appliance. The Snort BO preprocessor and the million remote ethereal attacks
> should be clear warnings here.
Ouch... probably a victim of my own marketing here :o
> Well sure, you can use the term, but will it deliver? Let's take the WMF
> 0day as an example. I will bet $$$ that no IPS stopped it on release day,
> unless they stopped all WMF. In fact, I'd be prepared to bet $$$ that no IPS
> stops it _now_ if you don't count stopping one or two versions of existing,
> published POC. There are about a million ways I can get a malicious WMF to
> an unpatched host. How about inside an SSL web page as an IFRAME? Chunked?
> MTU-aligned? What about the metasploit randomised Escape() pad version?
>
> Here's HDM (one of the metasploit guys, in case anyone lives under a rock):
>
> "there are so many ways to encode a
> valid WMF graphic that any signature-based IDS is going to fail at least
> one case. For example, there are three different optional headers that can be
> placed before the real WMF header. You can insert megabytes of filler
> data between the vulnerable record types and even with a by-the-spec WMF
> preprocessor, you can abuse bugs in the GDI API to specify invalid record
> types that are still accepted."
0day is magic, but not always magic. It works in certain cases, and
today it looks like one of the best things one can do. Probably one day
we'll laugh at the word "0day" the way we laugh today at the old myth of
the IDS being the best security solution.