Security Basics mailing list archives
Deep Inspection Firewall / IPS
From: "Tony Raboza" <tonyraboza () gmail com>
Date: Wed, 29 Oct 2008 21:15:49 +0800
Hi, I'm trying to get my company to buy a firewall with deep-inspection capabilities or IPS. From my research what is really needed is a deep inspection firewall/IPS - because a stateful packet inspection will not do. For example for a web server - you close off all the ports except port 80 /443 (http/https). But threats/malware can come in through port 80 disguising itself as normal http traffic, so we need a firewall which would inspect this - hence the need for deep packet inspection/IPS. But what if we also do NAT? Can malware still come in through port 80? I've been reading this - "Red Hat 8 Compromise" - http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my thought on this one is that if the honeypot RH8 was NATted could the attacker have opened up a shell which might either be port 22 (ssh) or 23 (telnet)? What if only port 80/443 was port-forwarded? Can the attacker open up a shell? Questions: 1. Am I correct in my statements above? 2. If I am correct - can you give me real-world examples of exploits that come in through port 80/port 443 which can compromise a Unix/Linux webserver as well as a Windows web server? Thanks, Tony
Current thread:
- Deep Inspection Firewall / IPS Tony Raboza (Oct 29)
- Re: Deep Inspection Firewall / IPS Adriel Desautels (Oct 29)
- RE: Deep Inspection Firewall / IPS Abimbola, Abiola (Oct 29)
- RE: Deep Inspection Firewall / IPS Serge Vondandamo (Oct 29)
- RE: Deep Inspection Firewall / IPS Bryan S. Sampsel (Oct 29)