Firewall Wizards mailing list archives

Re: IPS vs. Firewalls (why vs. ?)


From: Gabriele Buratti <gabriele.buratti () netasq com>
Date: Wed, 08 Feb 2006 04:20:47 +0100

Ben Nagy wrote:
> > - when used as reverse proxies for incoming connections you always have
> > listening ports on the proxy-firewall. Listening ports means attackable
> > ports.
>
> Absolute FUD! Any time you're parsing network traffic you're prone to
> attack, whether or not the port is open. The only attacks you're mitigating
> by 'no open ports' are pure attacks against the TCP/IP stack of the network
> appliance. The Snort BO preprocessor and the million remote ethereal attacks
> should be clear warnings here.

Ouch ... probably victim of my own marketing here :o

> Well sure, you can use the term, but will it deliver? Let's take the WMF
> 0day as an example. I will bet $$$ that no IPS stopped it on release day,
> unless they stopped all WMF. In fact, I'd be prepared to bet $$$ that no IPS
> stops it _now_ if you don't count stopping one or two versions of existing,
> published POC. There are about a million ways I can get a malicious WMF to
> an unpatched host. How about inside an SSL web page as an IFRAME? Chunked?
> MTU-aligned? What about the metasploit randomised Escape() pad version?
>
> Here's HDM (one of the metasploit guys, in case anyone lives under a rock):
>
> "there are so many ways to encode a
> valid WMF graphic that any signature-based IDS is going to fail at least
> one case. For example, there are three different optional headers that can be
> placed before the real WMF header. You can insert megabytes of filler
> data between the vulnerable record types and even with a by-the-spec WMF
> preprocessor, you can abuse bugs in the GDI api to specify invalid record
> types that are still accepted."

0day is magic, but not always magic. It works in certain cases, and today it
looks like one of the best things one can do. Probably one day we'll laugh at
the word 0day like today we're laughing at the old myth of the IDS being the
best security solution.


        gabriele
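The thread's core point (a fixed byte signature cannot tell you what a WMF contains, because an optional placeable header or filler records shift every offset) can be shown with a few lines of Python. The following is an added example, not code from the thread or from any product named in it. It constructs its own sample WMF files (no real image, no exploit content), models a signature check as a fixed-offset compare, and contrasts it with a structural walk that follows the record-length fields the MS-WMF specification defines. Function names (`build_wmf`, `naive_signature_match`, `walk_records`, `compare`) are hypothetical; the field layout and constants follow the public WMF specification.

```python
import struct

# Constants from the public WMF specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7        # magic word of the optional 22-byte placeable header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18              # the standard METAHEADER
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
MFCOMMENT = 0x000F                # escape sub-function used to embed comment data


def build_wmf(records, placeable=False):
    """Construct a minimal WMF byte string from (function, params) pairs.
    Constructed sample input for the demo only; it is not a real picture."""
    body = b""
    for func, params in records:
        if len(params) % 2:                       # record sizes are counted in 16-bit words
            params += b"\x00"
        size_words = (6 + len(params)) // 2       # 4-byte size + 2-byte function + params
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)       # terminating record
    total_words = (META_HEADER_LEN + len(body)) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 3, 0)
    if placeable:
        # Key, HWmf, bounding box (4 x int16), Inch, Reserved; checksum = XOR of the 10 words
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", head):
            checksum ^= word
        header = head + struct.pack("<H", checksum) + header
    return header + body


def naive_signature_match(data, func):
    """Models a byte-signature check: assumes the first record begins right after
    the 18-byte standard header and compares its function code at that offset."""
    if len(data) < META_HEADER_LEN + 6:
        return False
    (code,) = struct.unpack_from("<H", data, META_HEADER_LEN + 4)
    return code == func


def walk_records(data):
    """Parse structurally: skip a placeable header if present, validate the standard
    header, then follow each record's declared size. Returns the function codes
    seen up to and including META_EOF; raises ValueError on malformed input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        raise ValueError("truncated header")
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF header")
    off += META_HEADER_LEN
    funcs = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("malformed record size")
        funcs.append(func)
        if func == META_EOF:
            break
        off += size_words * 2                     # jump over the record, filler included
    else:
        raise ValueError("missing META_EOF")      # ran off the end without a terminator
    return funcs


def compare(func=META_SETMAPMODE):
    """Run both checks over three constructed encodings of the same record set."""
    mapmode = (META_SETMAPMODE, struct.pack("<H", 8))
    # A 4 KiB comment escape placed in front of the record we are looking for.
    comment = (META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4096) + b"\x00" * 4096)
    variants = {
        "plain": build_wmf([mapmode]),
        "placeable": build_wmf([mapmode], placeable=True),
        "filler_first": build_wmf([comment, mapmode]),
    }
    return {name: (naive_signature_match(d, func), func in walk_records(d))
            for name, d in variants.items()}


if __name__ == "__main__":
    for name, (sig, structural) in compare().items():
        print(f"{name:13s} signature={sig!s:5s} structural={structural}")
```

Only the plain encoding satisfies the fixed-offset check; the placeable header and the leading comment record both defeat it while the structural walk still finds the record. That is the defender's takeaway from the thread: inspection has to decode the format the way the consumer does, which also means the decoder itself becomes attack surface (Ben's first point), so it belongs in a sandboxed or memory-safe component rather than in the privileged forwarding path.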
