Re: [fw-wiz] IPS vs. Firewalls (why vs. ?)



Ben Nagy wrote:
>> - when used as reverse proxies for incoming connections you always have
>> listening ports on the proxy-firewall. Listening ports means
>> attackable ports.
>
> Absolute FUD! Any time you're parsing network traffic you're prone to
> attack, whether or not the port is open. The only attacks you're mitigating
> by 'no open ports' are pure attacks against the TCP/IP stack of the network
> appliance. The Snort BO preprocessor and the million remote ethereal attacks
> should be clear warnings here.

Ouch ... probably a victim of my own marketing here :o

> Well sure, you can use the term, but will it deliver? Let's take the WMF
> 0day as an example. I will bet $$$ that no IPS stopped it on release day,
> unless they stopped all WMF. In fact, I'd be prepared to bet $$$ that no IPS
> stops it _now_ if you don't count stopping one or two versions of existing,
> published POC. There are about a million ways I can get a malicious WMF to
> an unpatched host. How about inside an SSL web page as an IFRAME? Chunked?
> MTU-aligned? What about the metasploit randomised Escape() pad version?
>
> Here's HDM (one of the metasploit guys, in case anyone lives under a rock):
>
> "there are so many ways to encode a
> valid WMF graphic that any signature-based IDS is going to fail at least
> one case. For example, there are three different optional headers that can be
> placed before the real WMF header. You can insert megabytes of filler
> data between the vulnerable record types and even with a by-the-spec WMF
> preprocessor, you can abuse bugs in the GDI api to specify invalid record
> types that are still accepted."

0day is magic, but not always magic. It works in certain cases, and today it looks like one of the best things one can do. Probably one day we'll laugh at the word "0day" just as today we're laughing at the old myth of the IDS being the best security solution.


gabriele

begin:vcard
fn:Gabriele Buratti
n:Buratti;Gabriele
org:NETASQ Italia;Presales
adr:;;via Giovanni da Udine, 34;Milano;MI;20156;Italy
email;internet:gabriele.buratti@xxxxxxxxxx
tel;work:+39 02 38093754
tel;fax:+39 02 38093752
x-mozilla-html:FALSE
url:http://www.netasq.com
version:2.1
end:vcard
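Ben's point about signature-based IDS and HDM's list of WMF encoding variants, as an added illustration (my own code, not from this thread or from any IPS vendor): the same META_ESCAPE record is placed in three constructed, inert WMF files, once plainly, once behind a placeable header, once behind filler records. A rule pinned to a byte offset, the way early signatures were written, hits only the first file; a parser that walks the record chain by the Size field finds the record in all three. Assumptions: escape function 9 (SETABORTPROC) is the one on the deny-list, META_SETMAPMODE records serve as filler, and no real payload is involved, only zero-filled escape data.

```python
"""Offset-anchored signature vs. structural record walk over WMF files.
Added example for the fw-wiz thread; every byte below is constructed here
and inert (zero-filled escape data, no payload)."""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103    # harmless record used as filler (assumed)
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009       # deny-listed escape function (assumed)
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header

def wmf_record(function, params=b""):
    """Record = Size (16-bit words, incl. this field) + Function + params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params

def escape_record(escape_function, data=b""):
    return wmf_record(META_ESCAPE, struct.pack("<HH", escape_function, len(data)) + data)

def wmf_header(records):
    """18-byte META_HEADER: Type=1 (memory), HeaderSize=9 words, Version 3.0."""
    total_words = (18 + sum(len(r) for r in records)) // 2
    max_words = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)

def placeable_header():
    """Optional header some readers accept in front of META_HEADER."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):  # XOR of the first 10 words
        checksum ^= word
    return head + struct.pack("<H", checksum)

def walk_records(data):
    """Yield (offset, function, params) for every record up to META_EOF."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, function, data[off + 6:off + size]
        if function == META_EOF:
            return
        off += size  # filler of any length is simply stepped over
    raise ValueError("record chain ends without META_EOF")

def structural_hits(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, function, params in walk_records(data):
        if function == META_ESCAPE and len(params) >= 4:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def offset_signature_hit(data):
    """Naive rule: 'first record after the 18-byte header is ESCAPE/SETABORTPROC'."""
    if len(data) < 26:
        return False
    function, escape_function = struct.unpack_from("<HH", data, 22)
    return function == META_ESCAPE and escape_function == SETABORTPROC

def build_samples():
    """Three constructed files carrying the identical suspicious record."""
    suspicious = escape_record(SETABORTPROC, b"\x00" * 4)
    eof = wmf_record(META_EOF)
    filler = wmf_record(META_SETMAPMODE, struct.pack("<H", 8))
    plain = [suspicious, eof]
    padded = [filler] * 3 + [suspicious, eof]
    return {
        "plain": wmf_header(plain) + b"".join(plain),
        "placeable": placeable_header() + wmf_header(plain) + b"".join(plain),
        "filler": wmf_header(padded) + b"".join(padded),
    }

def compare():
    """Map sample name -> (offset-signature hit?, structural hit count)."""
    return {name: (offset_signature_hit(d), len(structural_hits(d)))
            for name, d in build_samples().items()}

if __name__ == "__main__":
    for name, (sig, hits) in compare().items():
        print(f"{name:10s} offset-signature={sig!s:5s} structural-hits={hits}")
```

The walker is the cheap half of what HDM calls a "by-the-spec WMF preprocessor"; his last point still stands, since a record type the parser rejects but GDI accepts would be stepped over or raise an error rather than be flagged, which is why the reader's own tolerance, not the spec, decides what a preprocessor must accept.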
