Re: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)

From: Devdas Bhagat
Date: 12/06/04

    Date: Mon, 6 Dec 2004 22:07:51 +0530

    On 06/12/04 10:09 +0100, Ben Nagy wrote:
    > Hi Devdas!
    This one looks like it should burgeon into another good set of rants. We
    need to publish a book of rants ;).

    > > -----Original Message-----
    > [me]
    > > > A firewall, for example, does a generally good job of
    > > allowing or declining
    > > > traffic at layer 3/4, but a generally crappy job at looking
    > > at layer 7.[...]
    > > >
    > > A packet filter is one component of, but not a complete firewall
    > > solution by any means. There are these things termed as
    > > proxies ;), and
    > > then you have host based security as well to add to the mix.
    > I'm well aware of proxies, worked with them almost exclusively for a number
    > of years, and I am _explicitly_ including them in "things that do a crappy
    > job of looking at layer 7". The ones that are fast enough to not get thrown
    > out do almost nothing beyond actually letting the protocol work. The ones

    Then users need to accept a small bit of slowing down as the cost of

    > that attempt to provide any real security need to be too generic to have any
    > real effect, and/or are too slow to use. I blame the protocols more than the
    > proxies, but that's still how I see it.

    Some protocols are easier to proxy than others.

    > I'm all for building architectures which use proxies where possible, I just
    > wouldn't realistically expect them to save anybody's bacon from many current
    > malwares.

    Many, no. Some, yes. I would actually prefer to filter at layer 8, with
    a suitable attitude readjustment tool.

    > [...]
    > > > Spyware, adware and all those tasty browser malwares work
    > > by exploiting the
    > > > security identity of IE, making it impossible for an AV to
    > > tell that the
    > > > functions are not what was intended.
    > >
    > > And I would say that preventing spyware and spamware from operating is
    > > not in the purview of the antivirus software.
    > That was, in fact, exactly what I said. :)

    We don't disagree on everything. Only on the best way to slaughter the

    > [...]
    > > Wouldn't it be far easier for the A/V vendors to just ship an
    > > alternative browser, and recommend its installation and usage
    > > instead of
    > > the malware spreading vectors?
    > No. That would be the commercial equivalent of stuffing hundreds of
    > marshmallows up their nostrils and hoping to burp cotton candy.

    Not really. An alternative browser would work as a better solution.
    Given that most of the exploits are IE specific, using Firefox, or Opera
    would be a much nicer solution.

    > > > [Paul]
    > > > > The market won't accept better mechanisms, just like better
    > > > > firewalls are disdained in favor of IDS, which is also a reactive
    > > > > technology.
    > [...]
    > > Actually, IMHO, what the market isn't accepting is a
    > > separation between
    > > the active and passive components of a defense system.
    > [...]
    > > What the market desires is a feature in the passive components which
    > > allows them to react to malicious events going past the active
    > > components and prevent the events from occurring, in essence converting
    > > the passive components to active ones.
    > I'm not sure that's the case. However, a whole slew of vendors _hope_ it is.

    If management is paying for it, then that is what the market wants.

    > I call this the "firewIDS", the unholy crossbreed of a firewall and IDS.
    > It's a very popular concept these days, especially amongst IDS vendors who
    > recently suffered the "emperor's new clothes" effect, and are desperately
    > looking for ways to re-use that intellectual property.

    I think of it as proxies done wrong. Instead of trying to allow known
    good traffic through, they are attempting to filter out known bad
    traffic. That this approach does not work very well is a well known
    factoid, but this appears to be ignored. Those who do not learn from
    history are destined to repeat it and all that...
    > There are two massive flaws with that approach, whether you are talking
    > about implementing it at the host or network level.
    > 1. Nobody seemed to be able to make an IDS that was both dumb enough to be
    > commercially successful and accurate enough to be useful. I have yet to find
    > a _single_ IDS expert that would be comfortable letting their IDS make
    > firewall rule decisions. This does not fill me with confidence for software
    > or appliances that are essentially doing exactly that.
    Ok, analogy time. A firewall is like a locked door. Only people
    (packets) with the appropriate keys can enter. An IDS is like a video
    camera watching the door. It tries to alert a human being if a possibly
    malicious intruder enters the building. What the IPS vendors are trying
    to do is make the IDS behave like a security guard, who will go out and
    stop the malicious person from entering the building.

    They also claim that their solution removes the need for locking down
    the door, and that any person should be allowed to enter since bad
    people can easily be kept out.

    This sounds nice for a shopping mall, but very bad for a warehouse.
    It is up to the management to decide what level of security their data
    should get, the same as in the windows of a shopping mall, or the stuff
    in a warehouse.

    > 2. It's fundamentally reactive. If you have no signature, you have no extra
    > protection and have to wait until the vendor releases a signature (at which
    > time you remain safe for about an hour until the variants start popping up).
    > IMO all the guys doing "behaviour blocking", "deep inspection" blah blah
    > blah are onto a much better bet. Signatures are basically sucky.

    Oh hell, if you want to speak about deep inspection, why not think of it
    like this:
    Deep inspection looks at the contents of a packet or group of packets,
    and tries to match it to known bad patterns. The packets are then
    allowed to go on.
    If we extend this concept and terminate the external connection on the
    inspection system, clean up the data, and then fire up a new connection to
    the internal system with properly reassembled packets, we have a proxy.
    So what it boils down to is that the deep inspection filters are just
    proxies done badly.

    > There are other flaws too, but I risk setting myself off on a rant.

    Oh come on, rants are fun.
    use rant;

    > [...]
    > > An IDS sitting behind a restrictive proxy firewall watching out for
    > > malicious events and restricting those from propagating is a
    > > good idea
    > > (eg, an antivirus sitting on a filtering system behind a gateway MTA
    > > stopping viruses which can bypass the simple checks offered
    > > by a MTA --
    > > zip files for example).

    Eeek, I phrased that really badly. The AV filter w/ MTA was an example
    of a restrictive proxy firewall. An IDS sitting behind such a system
    trying to detect malware patterns is a good idea.
    > To my mind, the use of AV mail relays is not even remotely like
    > IDS-Firewalls in scope, technology or implication.

    Sorry, bad wording.

    > > > vendors think H-IPS (Host Intrusion Prevention
    > > > Systems) is more exciting - presumably by virtue of being
    > > tantalisingly
    > > > vague.
    > >
    > > Hardening every host is not a bad idea. However, this needs to be
    > > designed into the system and not patched in from above as a bandaid.
    > > MAC are a good idea, but in those cases where they are too complex,
    > > simplistic ACLs can be used instead. These MUST be built into the OS
    > > kernel and not used as bandages on top of a broken system.
    > >
    > > As MJR argued in the above mentioned thread, trying to fix a broken
    > > system is a waste of time and not worth the effort.
    > I see the lines are drawn! ;)
    > Well, as _I_ said in that thread, it is possible to do a pretty damn good
    > job of bolt-on protection for both Windows and Linux (the systems that need
    > it the most), without designing it into the kernel in the first place.

    You mean, on a filesystem like FAT32?
    The problem is that the bolt on protection has spectacular failure
    Host hardening includes setting up appropriate ACLs/filesystem
    permissions, using the most restrictive permissions, not having
    processes run as administrator, or root, ensuring that processes cannot
    access each other's address space or files.....

    > "Dumb" systems like stackguard, linux / windows kernel modules that do some
    > simple function hooking, detecting system calls made from writeable memory
    > and the like are NOT rocket science.

    Kernel modules are in kernel space, by definition.
    > These systems provide concrete benefits, and have the advantage of being
    > available right now. Simplistic systems, many even freeware, can stop about
    > 99% of in-the-wild exploits cold. Personally, I call that "worth the
    > effort".

    I agree. We have good tools available now. What we are missing is the
    administrators to use those tools properly.

    Microsoft Windows has really bad defaults. All that is being asked of them
    is that they set better defaults, and not require users to run as
    administrators all the time. Oh, and do not start up all those services
    at boot time.

    Of course, hitting users over the head with iron bars is likely to work
    better in the long run.

    > While wishing for mainstream OS'es with decent memory protection and
    > security designed in from the kernel, please add World Peace to your list,
    > and possibly a pony.

    World peace, dunno. I can wish for the pony though.
    /me adds a pony for Ben to the wish list.

    > [...]
    > > I just had a discussion today with someone who makes money
    > > cleaning the
    > > computers of home users from viruses/spamware/crapware. [...]
    > > his arguments boiled down to
    > [lambda users are technology challenged]
    > > Is any vendor offering a usable fix for this type of market
    > > (small but regular payments from a large volume of customers)?
    > Yes. Not us, but there are loads of "AV + PFW + Anticrapware" products which
    > are quite adequate for home users. Hell, the Windows ICF, "High Security"
    > browser setting and a copy of Spybot is adequate for home users. It's just

    "High security browser setting" results in sites throwing up warnings or
    simply not working. This is just not going to work in /that/ market.

    > that nobody does anything until the fifth time they have had their PCs
    > cleaned. In fact, probably most of them wouldn't even do _that_ if the thing
    > didn't start running like a dog.

    Hell, it is usually too much effort for most home users to pay attention
    to what their computer is doing. What we need is a big red light on the
    screen that keeps blinking if unpatched software is lying around.
    Microsoft is on the right path for this, but they have a very long way
    to go before they can be said to be good enough.

    Of course, this breaks the one size fits all model of vendors (since
    this is completely inappropriate for the corporate environment), but that
    is a wholly different rant.

    As yet another point, the size of patches is very large and it really
    hits users on dialups.

    > OK, new thread name, fightin' words, let's go... ;)

    Right! Up, up and away!

    Devdas Bhagat
    firewall-wizards mailing list
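The "deep inspection is a proxy done badly" point above, as an added example that is not code from this thread: a toy per-packet signature filter beside a toy proxy that terminates the connection, reassembles the stream, parses the request against a known-good grammar and emits a fresh request. The signatures, the allowed-path policy and the sample packets are all constructed assumptions for illustration.

```python
"""Added example, not from the original thread: a toy per-packet 'deep
inspection' filter that denies known-bad patterns, beside a toy proxy that
terminates the connection, reassembles the stream, parses the request
against a known-good grammar and re-emits a clean request. All signatures,
policy and sample packets below are constructed for illustration."""
import re
from typing import Optional

# Denylist style: known-bad byte patterns, matched packet by packet.
BAD_SIGNATURES = [b"cmd.exe", b"/etc/passwd"]

# Allowlist style: what this server actually serves, and nothing else.
ALLOWED_METHODS = {b"GET", b"HEAD"}
ALLOWED_PREFIXES = (b"/index.html", b"/static/")
PATH_RE = re.compile(rb"^/[A-Za-z0-9_./-]*$")  # no '%', no whitespace


def deep_inspect(packets: list[bytes]) -> bool:
    """Returns True if every packet passes the signature check individually.
    Packets are forwarded as-is; nothing is reassembled."""
    return not any(sig in pkt for pkt in packets for sig in BAD_SIGNATURES)


def proxy(packets: list[bytes]) -> Optional[bytes]:
    """Reassembles the stream, validates the request line against the
    known-good grammar and returns a freshly generated request line for the
    internal connection, or None if the request does not fit the policy."""
    stream = b"".join(packets)
    parts = stream.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return None
    method, path, version = parts
    if method not in ALLOWED_METHODS or version != b"HTTP/1.1":
        return None
    if not PATH_RE.match(path) or b".." in path:
        return None
    if not path.startswith(ALLOWED_PREFIXES):
        return None
    # Emit a new request rather than forwarding the client's original bytes.
    return method + b" " + path + b" HTTP/1.1\r\n"


# Constructed sample traffic, one request each.
BENIGN = [b"GET /index.html HTTP/1.1\r\n"]
KNOWN_BAD = [b"GET /etc/passwd HTTP/1.1\r\n"]
# Same request, split so the signature straddles two packets.
SPLIT_BAD = [b"GET /etc/pas", b"swd HTTP/1.1\r\n"]
# A variant that matches no signature at all but is outside the grammar.
UNKNOWN_BAD = [b"GET /%65tc/passwd HTTP/1.1\r\n"]
```

The signature filter passes both the split request and the unrecognised variant, while the proxy rejects everything that is not in its known-good set; that is the difference between filtering out known bad and letting through known good.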
