Security Basics mailing list archives

RE: Deep Inspection Firewall / IPS


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Wed, 29 Oct 2008 11:46:08 -0700 (MST)


Sincerely,

Bryan S. Sampsel
LibertyActivist.org

An IPS is a good thing to have, and you can set up a Snort box for free to
get an IDS in place to start with.  With proof of concept, you can expand
to some commercial flavor you may think is better.

Beyond that, if you want to protect at the application layer (such as a
webserver), get a firewall with proxy-application in the mix (Secure
Computing Sidewinder is an excellent choice).  Its benefits are simple: a
hardened IP stack sits between you and the end device, protecting your
system from directly talking to the end device, and its application proxy
can check for application-specific attacks and defend against them more
effectively than DPI could ever do.

You can also ensure your webserver is up to date and as hardened as it can
be, regardless of the firewall in front of it.  Sloppy system security
leads to breaches despite the best firewalls in front of it.

Bryan Sampsel


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Tony Raboza
Sent: Wednesday, October 29, 2008 2:16 PM
To: security-basics () securityfocus com
Subject: Deep Inspection Firewall / IPS


Hi,

I'm trying to get my company to buy a firewall with deep-inspection
capabilities or IPS.  From my research what is really needed is a deep
inspection firewall/IPS - because a stateful packet inspection will
not do.

For example for a web server - you close off all the ports except port
80 /443 (http/https).  But threats/malware can come in through port 80
disguising itself as normal http traffic, so we need a firewall which
would inspect this - hence the need for deep packet inspection/IPS.

But what if we also do NAT?  Can malware still come in through port 80?

I've been reading this - "Red Hat 8 Compromise" -
http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
thought on this one is that if the honeypot RH8 was NATted could the
attacker have opened up a shell which might either be port 22 (ssh) or
23 (telnet)?  What if only port 80/443 was port-forwarded?  Can the
attacker open up a shell?

Questions:
1.  Am I correct in my statements above?
2.  If I am correct - can you give me real-world examples of exploits
that come in through port 80/port 443 which can compromise a
Unix/Linux webserver as well as a Windows web server?


Thanks,
Tony
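The distinction Tony asks about, as an added example that is not part of the original thread: a port-forwarding or stateful filter decides on port and connection state only, while application-layer inspection parses the request that arrives on the forwarded port. The sample requests, method allowlist and length limit are constructed for illustration and are not from any product named above.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed: what this web server serves
MAX_REQUEST_LINE = 2048                      # assumed limit for the request line
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def stateful_filter_allows(dst_port, state):
    """A NAT/port-forward or stateful filter sees only L3/L4: port and state."""
    return dst_port in (80, 443) and state in ("NEW", "ESTABLISHED")

def inspect_http_request(raw):
    """Application-layer check of an HTTP request head; returns (allowed, reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head (not HTTP)"
    head = text.partition("\r\n\r\n")[0]          # headers only, body ignored here
    lines = head.split("\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if ".." in target.split("?", 1)[0]:          # dot-segments in the path part
        return False, "path traversal in request target"
    names = {l.partition(":")[0].strip().lower() for l in lines[1:]}
    if "host" not in names:
        return False, "missing Host header"
    return True, "ok"

# Constructed samples: each one reaches the server on port 80 as a valid new TCP flow.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /images/../../../private.cfg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http": b"\xff\x00SSH-2.0-notreally\r\n",
    "overlong": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}

def classify(samples):
    """Return {name: (stateful_verdict, deep_inspection_verdict)} for each sample."""
    return {name: (stateful_filter_allows(80, "NEW"), inspect_http_request(raw)[0])
            for name, raw in samples.items()}
```

Running `classify(SAMPLES)` shows the stateful column allowing every sample while only the normal request passes inspection, which is the gap an IPS or application proxy is meant to close.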
