RE: Deep Inspection Firewall / IPS

["Serge Vondandamo" <serge.vondandamo () orange fr>]

I will advice to start using Cisco NBAR (if you are running a cisco network)
for that purpose. Given the budget issues, I don't think you will easily get
money to buy out an IPS.

By using a combination of NBAR and QoS features you can achieve that with
the gear you already have in the network. Just be care full to upgrade
memories on your boxes or turn off some unnecessary services before turning
these technologies on.

Cheers,

Serge Vondandamo, CISSP, CCNA
Sr. Security Analyst

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Tony Raboza
Sent: Wednesday, October 29, 2008 2:16 PM
To: security-basics () securityfocus com
Subject: Deep Inspection Firewall / IPS


Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS.  From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example for a web server - you close off all the ports except port
80 /443 (http/https).  But threats/malware can come in through port 80
disguising itself as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT?  Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)?  What if only port 80/443 was port-forwarded?  Can the
attacker open up a shell?

Questions:
1.  Am I correct in my statements above?
2.  If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony