RE: Checkpoint SmartDefense
THolman_at_toplayer.com
Date: 05/25/05
- Previous message: Andrew Plato: "RE: IDS\IPS that can handle one Gig"
- Maybe in reply to: Fergus Brooks: "Checkpoint SmartDefense"
To: charles.fasching@milestonesystems.com, focus-ids@securityfocus.com
Date: Wed, 25 May 2005 06:23:29 -0400
Hi Fergus,
A very important point to consider is this -
What do Blaster, Sasser and Slammer all have in common?
They all generate SERIOUS amounts of network traffic.
As a result, any IPS that does not also offer advanced rate-based protection
will become so overloaded that it will bottleneck your network in terms of
latency (or fall over).
I've seen a number of IPS demonstrations in the past, where the vendor will
turn up with a magic box that throws single exploit packets at their device,
and hey presto, their device blocks it.
What they don't tell you is that if you are a target or source of worm
activity, you will literally see MILLIONS of these packets.
Any IPS that cannot offer rate-based protection, in addition to
content-based control, is an accident waiting to happen!
Hope this helps!
Regards,
Tim
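The volume argument Tim makes above, as an added example that is not part of the original thread or any vendor's product: a per-source sliding-window rate detector run over constructed flow records. It shows why a content or port signature on its own cannot separate a worm's scan from a handful of benign connections (every record looks the same; only the rate differs). Addresses, timings, the threshold and the window size are all assumptions for illustration.

```python
# Added example (not from the original thread, nor any vendor's code):
# a per-source sliding-window rate detector over constructed flow records.
# Thresholds, addresses and timings are assumed for illustration.
from collections import defaultdict, deque


def make_sample_flows():
    """Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port).
    One benign client makes 5 SMB connections over a minute; one scanning
    host opens 2000 connections to distinct hosts within two seconds."""
    flows = []
    for i in range(5):
        flows.append((i * 12.0, "10.0.0.5", "10.0.0.20", 445))
    for i in range(2000):
        flows.append((30.0 + i * 0.001, "10.0.0.77",
                      "10.0.%d.%d" % (i // 256, i % 256), 445))
    flows.sort(key=lambda f: f[0])
    return flows


def content_signature_hits(flows, port=445):
    """A pure content/port signature fires on every matching packet alike:
    it reports one hit per flow and cannot tell 5 from 2000."""
    return sum(1 for f in flows if f[3] == port)


class RateDetector:
    """Flag a source once it opens more than `threshold` flows to `port`
    within any `window` seconds; later flows from a flagged source are
    treated as blocked."""

    def __init__(self, port=445, threshold=100, window=1.0):
        self.port = port
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.flagged = {}                 # src -> timestamp when first flagged

    def observe(self, ts, src, dst, dport):
        """Return True if this flow should be blocked."""
        if dport != self.port:
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > self.threshold and src not in self.flagged:
            self.flagged[src] = ts
        return src in self.flagged


def run(flows, **kwargs):
    """Feed flows through the detector; return (flagged sources, blocked count)."""
    det = RateDetector(**kwargs)
    blocked = 0
    for ts, src, dst, dport in flows:
        if det.observe(ts, src, dst, dport):
            blocked += 1
    return det.flagged, blocked


if __name__ == "__main__":
    flows = make_sample_flows()
    flagged, blocked = run(flows)
    print("signature hits:", content_signature_hits(flows))
    print("rate-flagged sources:", flagged, "blocked flows:", blocked)
```

The signature counter fires 2005 times and would have to process every one of those packets through the content engine; the rate detector flags the scanning host after its 101st connection in a one-second window and treats the remaining 1900 flows as blockable without further inspection, while the benign client is never touched. A real IPS would do this per destination port and in hardware or a fast path, but the decision logic is the same.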
-----Original Message-----
From: charles.fasching@milestonesystems.com
[mailto:charles.fasching@milestonesystems.com]
Sent: 20 May 2005 20:41
To: focus-ids@securityfocus.com
Subject: RE: Checkpoint SmartDefense
Another option that can be used instead of the default SQL injection
protection is the "worm catcher" - you can write pretty good regular
expressions here that are much more granular than the SQL Injection
checks. Just keep in mind - I would never *ever* enable the worm
catcher for "all traffic" - I would apply it to defined servers -
otherwise - in large environments that serve a lot of HTTP traffic, it
can and will bring your firewall to its knees.
Chuck "Spence" Fasching
Senior Systems Engineer
952.767.5111 - Office
612.616.5080 - Mobile
Milestone Systems
charles.fasching@milestonesystems.com
-----Original Message-----
From: Ofer.Shezaf [mailto:Ofer.Shezaf@breach.com]
Sent: Thursday, May 19, 2005 6:13 PM
To: ferg; focus-ids
Subject: RE: Checkpoint SmartDefense
> From: Fergus Brooks [mailto:fergwa@gmail.com]
> Sent: Wednesday, May 18, 2005 2:10 PM
>
....
>
> I am getting some mixed messages regarding this feature.
>
> 1) Does it detect zero day attacks in real time and
> recommend/implement remediation
As my expertise is web applications security, I can comment only on the
web (port 80/443) functionality of SmartDefense (as well as
WebIntelligence, its younger sibling). SmartDefense may provide better
value for other protocols.
Zero day attack detection is a tricky business. Behind the marketing
brochures, SmartDefense and WebIntelligence are mostly misuse based (i.e.
signature based) and therefore are not well adjusted to zero day
protection.
I personally feel that the signatures are also on the weak side for
attacks such as SQL injection or XSS, especially since tighter security
(that is more signatures) is usually not practical, as discussed below.
>
> 2) How intelligent is it?
>
The one feature that seems to be more intelligent is detection of binary
code in input. It also seems like the one that has potential to detect
zero day attacks for buffer overflows. I don't have personal experience
with this one (always off). Any input is welcomed.
> 3) Is it difficult to configure & maintain?
>
It is actually too easy to maintain. It has very "buzzword" centric
configuration (block "XSS", block "SQL injection" - no finer
configuration).
As configuration is on the rough side, I think that in real-world
situations many of the protections have to be either off or on low
(options are usually: off, low, medium and high). For example, medium
security for SQL injection includes detecting words such as select or
join - both impractical in the real world.
Lack of fine-grained configuration is not limited to signatures; it is
also true for applications - the security level for each category is
determined on a site level, so if you have a free text field that is
prone to include the word "select" you cannot exclude it but rather have
to lower security for the entire site.
> 4) Is this feature different on the Interspect and standard FW-1 boxes
>
>
> Any comments and real world examples greatly appreciated!
>
> Thanks & regards.
>
Bottom line - if web security is your concern this is hardly the way to
protect your site. It may be better for other protocols. I would go for
mod_security, which provides much better configurability for a much
lower price, or a full blown application firewall which provides much
more security.
~ Ofer
Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers@breach.com
http://www.breach.com
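The granularity problem Ofer describes (keyword signatures such as "select" and "join" that can only be turned down for the whole site) and the scoping Chuck recommends for the worm catcher (apply the regex to defined servers, never to all traffic), as an added example that is not code from the thread, from Check Point, or from Breach: a toy Python filter that runs the same two signature levels either site-wide or per path and parameter, the way a configurable filter such as mod_security allows. The rule patterns, the level names, the field policy and the sample requests are all constructed assumptions.

```python
# Added example, not from the original thread nor any vendor's product.
# Compares a site-wide signature level against a per-path, per-parameter
# policy over constructed HTTP query strings. Rules and levels are assumed.
import re
from urllib.parse import parse_qs

# Coarse keyword signature, the "medium" style check described in the thread:
# any SQL keyword anywhere in any parameter value.
KEYWORD_RULE = re.compile(r"\b(select|union|insert|update|delete|drop|join)\b", re.I)

# Narrower, context-aware signature: keyword or tautology in an injection-like
# shape (quote or semicolon before it, SQL comment after it).
CONTEXT_RULE = re.compile(
    r"['\";]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"  # ' OR '1'='1
    r"|\bunion\s+(all\s+)?select\b"                        # UNION SELECT
    r"|\bselect\b.+\bfrom\b"                               # SELECT ... FROM
    r"|--\s*$|/\*",                                        # trailing SQL comment
    re.I,
)

# Assumed level semantics: "low" = context rule only; "medium" adds bare keywords.
LEVEL_RULES = {
    "off":    [],
    "low":    [("context", CONTEXT_RULE)],
    "medium": [("context", CONTEXT_RULE), ("keyword", KEYWORD_RULE)],
}


def inspect_value(value, level):
    """Return the name of the first rule at `level` that matches, or None."""
    for name, rx in LEVEL_RULES[level]:
        if rx.search(value):
            return name
    return None


def site_policy(level):
    """One level for every path and parameter (site-wide configuration)."""
    return lambda path, param: level


def field_policy(table, default):
    """Per-path, per-parameter levels, falling back to `default`."""
    return lambda path, param: table.get(path, {}).get(param, default)


def scan(requests, policy):
    """Apply policy(path, param) -> level to each parameter of each request.
    Returns a list of (path, param, matched_rule_or_None)."""
    results = []
    for path, query in requests:
        for param, values in parse_qs(query, keep_blank_values=True).items():
            level = policy(path, param)
            hit = None
            for v in values:
                hit = inspect_value(v, level)
                if hit:
                    break
            results.append((path, param, hit))
    return results


def flagged(results):
    """Only the parameters that some rule matched."""
    return [(p, a, r) for p, a, r in results if r]


# Constructed sample requests (path, raw query string); not real traffic.
SAMPLE_REQUESTS = [
    ("/comments", "author=alice&body=Please+select+the+join+date+you+prefer"),
    ("/login",    "user=admin%27+OR+%271%27%3D%271&pass=x"),
    ("/search",   "q=%27+union+select+password+from+users--"),
    ("/search",   "q=1%3B+drop+table+users"),
]

# Assumed per-field policy: the free-text comment body is exempt, nothing else is.
FIELD_POLICY = {"/comments": {"body": "off"}}

if __name__ == "__main__":
    for label, pol in [("site medium", site_policy("medium")),
                       ("site low", site_policy("low")),
                       ("per field", field_policy(FIELD_POLICY, "medium"))]:
        print(label, flagged(scan(SAMPLE_REQUESTS, pol)))
```

With the site set to medium, the comment body "Please select the join date you prefer" is flagged on a bare keyword alongside the three real injection attempts. Dropping the whole site to low clears that false positive but also loses the stacked "1; drop table users" on /search, which only the keyword rule catches. Exempting just /comments body keeps medium everywhere else, so the false positive disappears while all three attacks are still flagged; that per-parameter exemption is exactly what a site-level knob cannot express.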
------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------