RE: Deep Inspection Firewall / IPS



Hi, Tony,

Firstly, an IPS inspects the payload of your network packet for
malicious data that is way its good to have in inspecting http 80. ( not
https - this is encrypted). Hence I do not see what a NAT will bring
here. NATs are used for traffic mapping.

Just use IPS, that will get the job done.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Tony Raboza
Sent: 29 October 2008 13:16
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Deep Inspection Firewall / IPS

Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS. From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example for a web server - you close off all the ports except port
80 /443 (http/https). But threats/malware can come in through port 80
disguising itself as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT? Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)? What if only port 80/443 was port-forwarded? Can the
attacker open up a shell?

Questions:
1. Am I correct in my statements above?
2. If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony

-----------------------------------------
Information in this email including any attachments may be
privileged, confidential and is intended exclusively for the
addressee. The views expressed may not be official policy, but the
personal views of the originator. If you have received it in error,
please notify the sender by return e-mail and delete it from your
system. You should not reproduce, distribute, store, retransmit,
use or disclose its contents to anyone.

Please note we reserve the right to monitor all e-mail
communication through our internal and external networks.

SKY and the SKY marks are trade marks of British Sky Broadcasting
Group plc and are used under licence. British Sky Broadcasting
Limited (Registration No. 2906991), Sky Interactive Limited
(Registration No. 3554332), Sky-In-Home Service Limited
(Registration No. 2067075) and Sky Subscribers Services Limited
(Registration No. 2340150) are direct or indirect subsidiaries of
British Sky Broadcasting Group plc (Registration No. 2247735). All
of the companies mentioned in this paragraph are incorporated in
England and Wales and share the same registered office at Grant
Way, Isleworth, Middlesex TW7 5QD.