Re: Deep Inspection Firewall / IPS



Tony,
ModSecurity reverse proxy or Bluecoat.


On Oct 29, 2008, at 9:15 AM, Tony Raboza wrote:

Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS. From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example for a web server - you close off all the ports except port
80 /443 (http/https). But threats/malware can come in through port 80
disguising itself as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT? Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)? What if only port 80/443 was port-forwarded? Can the
attacker open up a shell?

Questions:
1. Am I correct in my statements above?
2. If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony

--

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

------------------------------------------------
Netragard, LLC - "The Specialist in Anti-Hacking"

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
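
Added example (not part of the original messages): a minimal sketch of the distinction raised in the question, a port-based rule versus inspection of the HTTP content itself, which is the job a ModSecurity reverse proxy performs. The rule set, function names and sample requests are constructed for illustration and are not ModSecurity's own rules.

```python
import re
from urllib.parse import unquote

ALLOWED_PORTS = {80, 443}          # what a port-based firewall rule permits
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Hypothetical, deliberately tiny signature set (not ModSecurity's rules).
RULES = {
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "sql-injection": re.compile(r"(?i)\bunion\b.+\bselect\b"),
}

# Constructed sample traffic: (destination port, raw request). Not captured data.
SAMPLES = [
    (80, "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, "GET /view?file=..%2f..%2fetc%2fpasswd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, "GET /view?file=..%252f..%252fetc%252fpasswd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, "GET /search?q=1%27%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (23, ""),
]

def port_filter(port):
    """Port-only decision: sees the destination port, never the payload."""
    return port in ALLOWED_PORTS

def inspect(raw):
    """Content decision: return the names of the rules the request line trips."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, target, _version = parts
    hits = [] if method in ALLOWED_METHODS else ["method-not-allowed"]
    # Decode until stable (bounded) so double-encoded input is normalised first.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return hits + [name for name, rx in RULES.items() if rx.search(target)]

def verdicts(samples):
    """Apply the port rule first, then inspect whatever it lets through."""
    out = []
    for port, raw in samples:
        if not port_filter(port):
            out.append(("drop", ["port-closed"]))
        else:
            hits = inspect(raw)
            out.append(("block", hits) if hits else ("pass", []))
    return out
```

For port 443 the same inspection only works where TLS is terminated, which is why the inspecting device sits as a reverse proxy in front of the web server.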


