Firewall Wizards mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Gabriele Buratti <gabriele.buratti () netasq com>
Date: Wed, 08 Feb 2006 04:20:47 +0100
Ben Nagy wrote:
>> - when used as reverse proxies for incoming connections you always have those listening ports on the proxy-firewall. Listening ports means attackable ports.

> Absolute FUD! Any time you're parsing network traffic you're prone to attack, whether or not the port is open. The only attacks you're mitigating by 'no open ports' are pure attacks against the TCP/IP stack of the network appliance. The Snort BO preprocessor and the million remote ethereal attacks should be clear warnings here.
Ouch ... probably victim of my own marketing here :o
> Well sure, you can use the term, but will it deliver? Let's take the WMF 0day as an example. I will bet $$$ that no IPS stopped it on release day, unless they stopped all WMF. In fact, I'd be prepared to bet $$$ that no IPS stops it _now_ if you don't count stopping one or two versions of existing, published POC. There are about a million ways I can get a malicious WMF to an unpatched host. How about inside an SSL web page as an IFRAME? Chunked? MTU-aligned? What about the metasploit randomised Escape() pad version? Here's HDM (one of the metasploit guys, in case anyone lives under a rock): "there are so many ways to encode a valid WMF graphic that any signature-based IDS is going to fail at least one case. For example, there are three different optional headers that can be placed before the real WMF header. You can insert megabytes of filler data between the vulnerable record types and even with a by-the-spec WMF preprocessor, you can abuse bugs in the GDI api to specify invalid record types that are still accepted."
0day is magic, but not always magic. It works in certain cases, and today looks like one of the best things one can do. Probably one day we'll laugh at the word 0day like today we're laughing at the old myth of the IDS being the best security solution.
gabriele
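The point Ben makes above (that a byte signature fails as soon as optional headers or filler records are inserted, while a by-the-spec parser walks the record structure) can be shown on a constructed toy format. The example below is added here and is not code from the thread or from any IDS product; the `TOY1` magic, the record layout and all record type numbers are made up for illustration and are not real WMF structures. It contrasts a fixed-offset prefix signature with a structural record walker that flags the same record type wherever it sits, and that refuses malformed input instead of guessing.

```python
"""
Added example (not from the mailing-list thread): a constructed toy
record-based format used to contrast a fixed-offset byte signature with a
structural (by-the-spec) parser. Magic, record layout and type numbers are
all made up for this demonstration.
"""
import struct

# Constructed toy format: a 4-byte magic, then a sequence of records.
# Each record is: uint16 type, uint16 length, <length> bytes of data.
MAGIC = b"TOY1"
REC_FILLER = 0x0001      # constructed: harmless padding record
REC_TEXT = 0x0002        # constructed: harmless text record
REC_DANGEROUS = 0x0F0F   # constructed: the record type a detector wants to flag


def build_file(records):
    """Serialise a list of (type, data) tuples into the toy format."""
    out = bytearray(MAGIC)
    for rec_type, data in records:
        out += struct.pack("<HH", rec_type, len(data)) + data
    return bytes(out)


# Naive signature: the dangerous record's header bytes, expected right after the magic.
NAIVE_SIGNATURE = MAGIC + struct.pack("<H", REC_DANGEROUS)


def naive_signature_match(blob):
    """Fixed-offset signature: fires only if the dangerous record comes first."""
    return blob.startswith(NAIVE_SIGNATURE)


def iter_records(blob):
    """Walk the record stream by the spec; reject malformed input rather than guessing."""
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    pos = len(MAGIC)
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated record header")
        rec_type, length = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("record length exceeds file")
        yield rec_type, blob[pos:pos + length]
        pos += length


def structural_match(blob):
    """Flags the dangerous record type wherever it sits in the stream."""
    try:
        return any(rec_type == REC_DANGEROUS for rec_type, _ in iter_records(blob))
    except ValueError:
        # Malformed input: treat as suspicious rather than silently passing it.
        return True


def compare_detectors(blob):
    """Run both detectors on one blob and return their verdicts side by side."""
    return {"naive": naive_signature_match(blob), "structural": structural_match(blob)}


# Constructed samples: the flagged record first, after filler, and absent.
SAMPLE_DIRECT = build_file([(REC_DANGEROUS, b"\x00" * 8)])
SAMPLE_WITH_FILLER = build_file([
    (REC_FILLER, b"\x00" * 1024),
    (REC_TEXT, b"hello"),
    (REC_DANGEROUS, b"\x00" * 8),
])
SAMPLE_BENIGN = build_file([(REC_TEXT, b"hello")])

if __name__ == "__main__":
    for name, blob in [("direct", SAMPLE_DIRECT),
                       ("with filler", SAMPLE_WITH_FILLER),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, compare_detectors(blob))
```

The naive detector misses the sample with filler records, while the structural walker finds the flagged record in both malicious samples and stays quiet on the benign one. The bounds checks in `iter_records` are the minimum a real preprocessor needs: as the first quoted paragraph says, the parser itself is attack surface, so a length field is never trusted before it is checked against the remaining input.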