RE: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)

From: Ben Nagy (
Date: 12/06/04

  • Next message: Rogan Dawes: "Re: [fw-wiz] Defense in Depth to the Desktop"
    To: "'Devdas Bhagat'" <>, <>
    Date: Mon, 6 Dec 2004 10:09:56 +0100

    Hi Devdas!

    > -----Original Message-----
    > > A firewall, for example, does a generally good job of allowing or
    > > declining traffic at layer 3/4, but a generally crappy job at looking
    > > at layer 7.[...]
    > >
    > A packet filter is one component of, but not a complete firewall
    > solution by any means. There are these things termed as
    > proxies ;), and
    > then you have host based security as well to add to the mix.

    I'm well aware of proxies, worked with them almost exclusively for a number
    of years, and I am _explicitly_ including them in "things that do a crappy
    job of looking at layer 7". The ones that are fast enough to not get thrown
    out do almost nothing beyond actually letting the protocol work. The ones
    that attempt to provide any real security need to be too generic to have any
    real effect, and/or are too slow to use. I blame the protocols more than the
    proxies, but that's still how I see it.

    I'm all for building architectures which use proxies where possible, I just
    wouldn't realistically expect them to save anybody's bacon from many current

    > > Spyware, adware and all those tasty browser malwares work by exploiting
    > > the security identity of IE, making it impossible for an AV to tell
    > > that the functions are not what was intended.
    > And I would say that preventing spyware and spamware from operating is
    > not in the purview of the antivirus software.

    That was, in fact, exactly what I said. :)

    > Wouldn't it be far easier for the A/V vendors to just ship an
    > alternative browser, and recommend its installation and usage
    > instead of
    > the malware spreading vectors?

    No. That would be the commercial equivalent of stuffing hundreds of
    marshmallows up their nostrils and hoping to burp cotton candy.

    > > [Paul]
    > > > The market won't accept better mechanisms, just like better
    > > > firewalls are disdained in favor of IDS, which is also a reactive
    > > > technology.
    > Actually, IMHO, what the market isn't accepting is a
    > separation between
    > the active and passive components of a defense system.
    > What the market desires is a feature in the passive components which
    > allows them to react to malicious events going past the active
    > components and prevent the events from occurring, in essence converting
    > the passive components to active ones.

    I'm not sure that's the case. However, a whole slew of vendors _hope_ it is.
    I call this the "firewIDS", the unholy crossbreed of a firewall and IDS.
    It's a very popular concept these days, especially amongst IDS vendors who
    recently suffered the "emperor's new clothes" effect, and are desperately
    looking for ways to re-use that intellectual property.

    There are two massive flaws with that approach, whether you are talking
    about implementing it at the host or network level.

    1. Nobody seemed to be able to make an IDS that was both dumb enough to be
    commercially successful and accurate enough to be useful. I have yet to find
    a _single_ IDS expert that would be comfortable letting their IDS make
    firewall rule decisions. This does not fill me with confidence for software
    or appliances that are essentially doing exactly that.

    2. It's fundamentally reactive. If you have no signature, you have no extra
    protection and have to wait until the vendor releases a signature (at which
    time you remain safe for about an hour until the variants start popping up).
    IMO all the guys doing "behaviour blocking", "deep inspection" blah blah
    blah are onto a much better bet. Signatures are basically sucky.

    There are other flaws too, but I risk setting myself off on a rant.

    > An IDS sitting behind a restrictive proxy firewall watching out for
    > malicious events and restricting those from propagating is a
    > good idea
    > (eg, an antivirus sitting on a filtering system behind a gateway MTA
    > stopping viruses which can bypass the simple checks offered
    > by a MTA --
    > zip files for example).

    To my mind, the use of AV mail relays is not even remotely like
    IDS-Firewalls in scope, technology or implication.

    > > vendors think H-IPS (Host Intrusion Prevention Systems) is more
    > > exciting - presumably by virtue of being tantalisingly vague.
    > Hardening every host is not a bad idea. However, this needs to be
    > designed into the system and not patched in from above as a bandaid.
    > MAC are a good idea, but in those cases where they are too complex,
    > simplistic ACLs can be used instead. These MUST be built into the OS
    > kernel and not used as bandages on top of a broken system.
    > As MJR argued in the above mentioned thread, trying to fix a broken
    > system is a waste of time and not worth the effort.

    I see the lines are drawn! ;)

    Well, as _I_ said in that thread, it is possible to do a pretty damn good
    job of bolt-on protection for both Windows and Linux (the systems that need
    it the most), without designing it into the kernel in the first place.
    "Dumb" systems like stackguard, linux / windows kernel modules that do some
    simple function hooking, detecting system calls made from writeable memory
    and the like are NOT rocket science.

    These systems provide concrete benefits, and have the advantage of being
    available right now. Simplistic systems, many even freeware, can stop about
    99% of in-the-wild exploits cold. Personally, I call that "worth the

    While wishing for mainstream OSes with decent memory protection and
    security designed in from the kernel, please add World Peace to your list,
    and possibly a pony.

    > I just had a discussion today with someone who makes money
    > cleaning the
    > computers of home users from viruses/spamware/crapware. [...]
    > his arguments boiled down to

    [lambda users are technology challenged]

    > Is any vendor offering a usable fix for this type of market
    > (small but regular payments from a large volume of customers)?

    Yes. Not us, but there are loads of "AV + PFW + Anticrapware" products which
    are quite adequate for home users. Hell, the Windows ICF, "High Security"
    browser setting and a copy of Spybot is adequate for home users. It's just
    that nobody does anything until the fifth time they have had their PCs
    cleaned. In fact, probably most of them wouldn't even do _that_ if the thing
    didn't start running like a dog.

    OK, new thread name, fightin' words, let's go... ;)



    firewall-wizards mailing list
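The message above lists "detecting system calls made from writeable memory" as one of the simple bolt-on checks. The following added example (not code from the post or from any product it mentions) shows the core of such a check in user-space form: parse a Linux /proc/<pid>/maps-style listing and decide whether a given caller address lies in a writable region. The map text is constructed for the example, and the policy of treating an unmapped caller as suspicious is an assumption of this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One mapping, as found on a Linux /proc/<pid>/maps line. */
typedef struct { uintptr_t start, end; int writable, executable; } region_t;

/* Parse "start-end perms ..." lines; returns the number of regions parsed. */
int parse_maps(const char *maps, region_t *out, int max) {
    int n = 0;
    const char *p = maps;
    while (*p && n < max) {
        unsigned long s, e;
        char perms[5];
        if (sscanf(p, "%lx-%lx %4s", &s, &e, perms) == 3) {
            out[n].start = s;
            out[n].end = e;
            out[n].writable = (perms[1] == 'w');
            out[n].executable = (perms[2] == 'x');
            n++;
        }
        p = strchr(p, '\n');       /* advance to the next line, if any */
        if (!p) break;
        p++;
    }
    return n;
}

/* 1 if the address that issued a syscall lies in a writable region.
   An unmapped caller is also flagged (assumed policy: no legitimate code there). */
int caller_in_writable(const region_t *r, int n, uintptr_t caller) {
    for (int i = 0; i < n; i++)
        if (caller >= r[i].start && caller < r[i].end)
            return r[i].writable;
    return 1;
}

/* Constructed sample map (not captured from a real process). */
static const char SAMPLE_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /usr/bin/demo\n"
    "0804c000-0804d000 rw-p 00003000 03:01 1234 /usr/bin/demo\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

/* Classify one caller address against the sample map. */
int check_sample(uintptr_t caller) {
    region_t regs[8];
    int n = parse_maps(SAMPLE_MAPS, regs, 8);
    return caller_in_writable(regs, n, caller);
}
```

A real hook would obtain the caller address from the trapped syscall's return address and consult the live map of the calling process; the classification logic is the same.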
