RE: Kernel sec. systems WAS: Why eEye Retina (was MBSA scanner)

From: Marc Maiffret (mmaiffret_at_eeye.com)
Date: 05/04/04

  • Next message: Filipe A.: "RE: PacketShaper"
    Date: Tue, 4 May 2004 01:07:54 -0700
    To: <pen-test@securityfocus.com>
    
    

    Okena "works" because no one knowledgeable has said otherwise. Okena has
    taken the same flawed approach as network IDS systems focusing on
    protecting from exploits, and not vulnerabilities specifically. Although
    they have done so by doing detection of exploits at the kernel level,
    instead of at the network level.

    Take the Microsoft RPC attacks as an example... Okena in its
    "behavioral" protection is for the most part protecting against the
    recent MS RPC attacks by denying bad "behavior" that is typically seen
    within most exploits. Specifically speaking, one of the ways they
    "protect" from the RPC attacks is to make sure that calls to
    LoadLibrary/GetProcAddy etc.. Are really coming from app code and not
    some random place on the heap (for example, could be other places,
    obviously...). Yes, this protection works, for now... Because everyone
    uses the same templates for exploiting windows flaws that have been used
    for years now. The main problem with something like Okena (and most
    other kernel-only) systems is that they do not start protecting
    applications until AFTER an attacker is executing code... And at that
    point it is game over. You can bypass ANY of these kernel protection
    systems. You could even use a local windows kernel flaw to do it in some
    cases: http://www.eeye.com/html/Research/Advisories/AD20040413D.html

    There are many other things wrong with the Okenas of the world, such as
    the usability nightmare of most of these "learning" systems. Also the
    fact that most of the time they stop an exploit by killing a thread, a
    process, or in some cases (Okena has the option) restarting the entire
    system. Therefore your "security" is now a system that denies code
    execution, in exchange for a denial of service. Which really is not that
    much better. I could go on and on but don't have the time now.

    And to clarify: I do not think all kernel protection systems are bad,
    including Okena. However, kernel protection alone is not enough and only
    has a very limited use in what it can do to truly help secure a system,
    marketing diagrams aside.

    Signed,
    Marc Maiffret
    Co-Founder/Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

    -----Original Message-----
    From: Steve Goldsby (ICS) [mailto:sgoldsby@networkarmor.com]
    Sent: Monday, April 26, 2004 9:02 AM
    To: Steve Goldsby (ICS); Rainer Duffner; Doty, Stephen (BearingPoint)
    Cc: pen-test@securityfocus.com
    Subject: RE: Why eEye Retina (was MBSA scanner)

    CA's eTrust Vulnerability Manager is not a good product.

    We had a hard-sell demo in our office, and we were not impressed.
    Typical CA sales tactic, you can demo the box, but only for a week, and
    only if their engineer babysits it the whole time. It DOES however,
    enforce strong policy definition and management, which is where most
    organizations fall down. If you don't have policy, this box has less
    use.

    <get on high horse>
    Most organizations (in my experience) simply buy a vulnerability
    scanner, run it periodically, and patch what it tells them to patch.
    When a patch/fix breaks an application, they back it out. There is
    usually very little regard to what other security controls are in place
    to mitigate the risk.

    Basically, you're playing catchup all the time. Chase the patch, chase
    the vulnerability.
    </get on high horse>

    As an aside: to get around the "chase the patch" mess, look at Cisco
    Security Agent (formerly Okena). We run this on all our assets, and we
    are running the same binaries and same policy that we loaded **9 months
    ago** and we have not had a "hack" yet. No updates, no patches, no
    policy changes. We have clients that litteral have a 4 hour maintenance
    window each *quarter* and they cannot patch their boxes as patches
    become available. Okena/CSA gets around this problem beautifully. And,
    it plain works.

    This is what personal firewalls should have been doing all along.
     

    Steve Goldsby
    www.networkarmor.com
     

    -----Original Message-----
    From: Rainer Duffner [mailto:rainer@ultra-secure.de]
    Sent: Friday, April 23, 2004 5:50 PM
    To: Doty, Stephen (BearingPoint)
    Cc: pen-test@securityfocus.com
    Subject: Re: Why eEye Retina (was MBSA scanner)

    Doty, Stephen (BearingPoint) wrote:

    >How does something like CA's eTrust Vulnerability Manager product
    compare -
    >so that continual scanning is not required using ISS, Nessus, Retina,
    etc ?
    >
    >
    >

    How does this thing work then ?

    I mean, NeVO uses passive scanning, and Nessus-scanning, but this
    "thing" ?

    Oh, I see:

    "Q: How does eTrust Vulnerability Manager detect vulnerabilities? "
    "A: eTrust Vulnerability Manager uses non-intrusive methods to detect
    vulnerabilities on an asset through a two-step process. Step one is the
    identification of technologies running on an asset. This may be
    accomplished through manual input or automatically by eTrust"
    Vulnerability Manager Service, which identifies the version, patch and
    hot fix level of technologies running on an asset. This information is
    then correlated with CA s security database to identify the
    vulnerabilities that apply to the asset."

    Can anyone, who runs this, comment on wether this leads to lots of false

    positives/false negatives ?
    Does it need an agent ?

    And, to be honest, I can't stand "appliances" with specs like that:

    "eTrust Vulnerability Manager is an appliance-based solution that runs
    on Windows 2000 Server Platform and can be accessed by Internet Explorer

    5.0 and higher. "

    A 'security-appliance' with the most bug-ridden, most-exploited OS on
    the planet, to be used with the most bug-ridden, most-exploited
    application running on top of it ?
    And:

    "In addition, eTrust Vulnerability Manager Service supports: " IBM AIX "

    HP-UX " Red Hat Linux " Sun Solaris " Windows NT/2000/XP/Server 2003"

    Does that mean it only detects vulnerabilities on those OSs ? What about
    all the other stuff that floats around ? The printer that
    runs some form of embedded Linux with a vulnerable Apache ?

    Rainer

    ------------------------------------------------------------------------
    ------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors. Attend a course taught by an expert instructor with years
    of in-the-field pen testing experience in our state of the art hacking
    lab. Master the skills of an Ethical Hacker to better assess the
    security of your organization. Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    -------

    ------------------------------------------------------------------------
    ------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors. Attend a course taught by an expert instructor with years
    of in-the-field pen testing experience in our state of the art hacking
    lab. Master the skills of an Ethical Hacker to better assess the
    security of your organization. Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    -------

    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------


  • Next message: Filipe A.: "RE: PacketShaper"