Re: Obfuscated web pages



I believe the question was pretty clear,
and so is the answer:

+ No -- today's networking products do not solve for this problem space.

(Problem == client side payloads obfuscated to be later
de-obfuscated and executed utilizing some scripting foo)

Far too much performance overhead, for one.
Real world deployment logistics limit inspection
abilities in most scenarios, especially with
encryption to meet regulations in play. Heck, some
of the IPS on the market today don't do full
bi-directional stream reassembly by default
for speed reasons, let alone full HTTP decoding.

Emulating some DOM assembly from the
XHTML/ECMAscript isn't possible today.
WAFs (web application firewalls) can barely
keep up with this, and that's all they do.

So, a "trustworthy network IPS" doesn't solve,
for this (or other webappsec issue).

An endpoint IPS might. I have limited experiences
with these (they won't, obviously, solve for the
webappsec issues leading to the planting and
distribution of said obfuscated hostile code).

A "locked down browser"? Where do I get one of those?

The DOM-proxy thing is technically feasible,
sure. However with the advent of rich media
and other web 2.0 stuffs both the technology
and the performance overhead of this problem
is getting much harder, much faster than the
feasibility of an inline DOM-based parser.

I like your comment about yesterday's news;
if things don't improve I too expect in the next
few years we'll see some changes to the browser
model sooner than we will see
inline-browser-emulation-for-security solutions.

Not that someone won't try it.

ciao

--
Arian Evans
software security stuff



On Thu, Feb 14, 2008 at 1:18 PM, Mike Barkett
<mbarkett@xxxxxxxxxxxxxxxxx> wrote:
You're really talking about the difference between client-based protections
and server-based protections. Let's not throw the baby out with the
bathwater; network IDS/IPS does much more than just "AV style malware
signatures for malicious web server issues." Most of today's IPS products
can quite deftly clean out a vast array of types of malicious activity,
whether automated or not, across a bevy of network protocols, not just web.

Regarding inline JS inspection, I've said it before and I still believe that
one day there will be a full DOM proxy product that is capable of running
inline. Yes, its speeds will lag other network devices, and yes, browser
attacks will probably be yesterday's news by then anyway, but it would be
foolish to suggest that it is theoretically impossible to do. In the
meantime, if you have embraced defense-in-depth and gotten yourself a
trustworthy network IPS, a thorough endpoint solution, and you use only
locked down browsers, then you'll be ok.

-MAB


--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512



> -----Original Message-----
>
>
> Are any current network based IDS/P systems able to unwind
> obfuscated web script to examine the final javascript product?
> It would seem they would have to have a javascript engine to
> do so and issues with reassembly, iterations, and delays
> would preclude them from doing it inline.
>
> Without this capability, it would seem that network based
> IDS/IPS is destined to digress to AV style malware
> signatures for malicious web server issues and that the only
> reliable place to do IDS/P would be on the host.
>
> We've been seeing more and more obfuscated web script and
> according to a recently released IBM report, the majority
> of exploits are taking this path.
>
> http://www.iss.net/x-force_report_images/2008/index.html
>
> Thoughts?
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • NADS ( was RE: IPS comparison)
    ... One thing that does bother me is how IPS has been ... great at the perimeter or other "choke points" in the network. ... NADS gives much of the value of traditional network ... that detection by itself is just not enough. ...
    (Focus-IDS)
  • RE: IPS Reliability/Availability
    ... Network critical do a range of inline taps in their v-line range. ... I know from the short time I worked for a Juniper reseller, the Juniper IPS ... Can you, please, share your possible bad experiences about the reliability ...
    (Focus-IDS)
  • Re: IPS, alternative solutions
    ... I have the impression that some of the alternatives to IPS you mentioned ... Parts of the market have matured (network ... implementations (in-line protocol decoding and blocking/active response ... an often deployed technology at this time is ...
    (Focus-IDS)
  • RE: ASIC Based IPS
    ... IPS performs on each network stream can be done in parallel, ... There are 2 ways to achieve parallelism: ... The benefits of speed come about when you start using ASICs in parallel ...
    (Focus-IDS)
  • RE: adding another defence layer against viruses/worms
    ... I believe your looking for a Heuristic IPS, ... I like the solutions ob Boaz, especially network segregation. ... Securing Apache Web Server with thawte Digital Certificate ...
    (Security-Basics)