IDS mailing list archives
RE: Obfuscated web pages
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Thu, 14 Feb 2008 20:01:32 -0500
I believe the question was pretty clear, and so is the answer: + No -- today's networking products do not solve for this problem space. (Problem == client side payloads obfuscated to be later de-obfuscated and executed utilizing some scripting foo)
I think everyone can agree on this.
So, a "trustworthy network IPS" doesn't solve, for this (or other webappsec issue).
It is but one component of an overall security architecture. You can scrutinize each piece individually and say it doesn't solve a problem and leave it at that, or you can look at how several components together can reduce your risk. As I mentioned, the network IPS is not really designed to solve this particular problem. In fact, during my years at NFR, I spent many conversations trying to convince various industry wonks that the client-side war cannot be won solely at the perimeter. We were among the few vendors who did not try to hoodwink customers into believing our network solution also protected them at the host/AV/webapp level. But, for its part, network IPS can at least help the cause with these actions: - alert/prevent unusual behavior as a result of a compromised client, - ensure your own web servers don't exacerbate the risk by being compromised, - perhaps do some limited NAC and rogue application prevention - look for telltale signs of very basic/common client-side vulnerabilities, thus reducing the garbage that the more specialized software must examine, - forbid certain file types (JS, ASX, etc.), if you so choose (very effective, although almost nobody can afford to do this anymore), - some limited DOM processing, as some other vendors have chimed in with.
An endpoint IPS might. I have limited experiences with these (they won't, obviously, solve for the webappsec issues leading to the planting and distribution of said obfuscated hostile code).
There is a lot of work being done in this arena, and I'd agree with the original poster that it's probably where some of the most thorough client-side prevention is/will be done.
A "locked down browser"? Where do I get one of those?
Speaking from one security professional to another, it is sufficient to just say "do it yourself" and you should know what I mean. (Use NoScript, Tamper Data, a virtualized browser, trust no sites by default, disable all the fun features, etc. and generally degrade your browsing convenience in the name of security.) I realize it's tougher when you're responsible for 1000's of users. However, it seems a bit like you're subscribing to the Perfect Solution Fallacy; just because we all know the concept of a secure browser is comical does not mean that current measures are totally worthless. This thread was destined to become hypothetical from the get-go. BTW yes, my company does have a product (in beta now) that is relevant to this part of the discussion. It is called ZoneAlarm Forcefield. However, I work on the network IPS side and really haven't played with it much, so I don't yet know how much of this theoretical stuff it does or aspires to do.
The DOM-proxy thing is technically feasible, sure. However with the advent of rich media and other web 2.0 stuffs both the technology and the performance overhead of this problem is getting much harder, much faster than the feasibility of an inline DOM-based parser. I like your comment about yesterday's news; if things don't improve I too expect in the next few years we'll see some changes to the browser model sooner than we will see inline-browser-emulation-for-security solutions.
Hmmm... interesting. Like maybe a completely virtualized, remote browsing experience, via some kind of ASP that hosts all the browsers? That could be cool. I doubt anyone will ever protect people from themselves, though, and in that sense phishing and data leakage will always, always be around.
Not that someone won't try it.
Exactly what I was thinking... not saying it's the greatest idea since sliced bread, but it'll eventually be feasible, and once it is, someone will productize it. And lots of people will buy it, primarily because it will promise a point solution for a distributed problem. -MAB
ciao -- Arian Evans software security stuff On Thu, Feb 14, 2008 at 1:18 PM, Mike Barkett <mbarkett () us checkpoint com> wrote:You're really talking about the difference between client-basedprotectionsand server-based protections. Let's not throw the baby out with the bathwater; network IDS/IPS does much more than just "AV style malware signatures for malicious web server issues." Most of today's IPSproductscan quite deftly clean out a vast array of types of malicious activity, whether automated or not, across a bevy of network protocols, not justweb.Regarding inline JS inspection, I've said it before and I still believethatone day there will be a full DOM proxy product that is capable ofrunninginline. Yes, its speeds will lag other network devices, and yes,browserattacks will probably be yesterday's news by then anyway, but it wouldbefoolish to suggest that it is theoretically impossible to do. In the meantime, if you have embraced defense-in-depth and gotten yourself a trustworthy network IPS, a thorough endpoint solution, and you use only locked down browsers, then you'll be ok. -MAB -- Michael A Barkett, CISSP IPS Security Engineering Director Check Point Software Technologies +1.240.632.9000 Fax: +1.240.747.3512 > -----Original Message----- > > > Are any current network based IDS/P systems able to unwind > obfuscated web script to examine the final javascript product? > It would seem they would have to have a javascript engine to > do so and issues with reassembly, iterations, and delays > would preclude them from doing it inline. > > Without this capability, it would seem that network based > IDS/IPS is destined to digress to AV style malware > signatures for malicious web server issues and that the only > reliable place to do IDS/P would be on the host. > > We've been seeing more and more obfuscated web script and > according to a recently released IBM report, the majority > of exploits are taking this path. > > http://www.iss.net/x-force_report_images/2008/index.html > > Thoughts? > > -- > Gary Flynn > Security Engineer > James Madison University > www.jmu.edu/computing/security
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Obfuscated web pages, (continued)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- RE: Obfuscated web pages Mike Barkett (Feb 25)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 21)