Firewall Wizards mailing list archives

RE: How to Save The World (was: Antivirus vendor conspiracy theories)


From: "Ben Nagy" <ben () iagu net>
Date: Wed, 8 Dec 2004 17:47:40 +0100

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Devdas Bhagat
[...]
We need to publish a book of rants ;).

In all seriousness, I have often thought it would be cool to have a
'best-of' compilation from the archives. It would just be a freaking
nightmare for someone to read it all and pick 'em, sadly.

I blame the protocols more than the proxies, but that's still how I see it.

Some protocols are easier to proxy than others.

I'm sure that's what HTTP people were smugly thinking, before SOAP. ;)

[...]
We don't disagree on everything. Only on the best way to slaughter the
malicious.

Hmm. Evocative phrasing. Personally I am against capital punishment -
whipping, indentured servitude and the Dixie Chix should be severe enough.

[...]
Wouldn't it be far easier for the A/V vendors to just ship an
alternative browser

No. That would be the commercial equivalent of stuffing hundreds of
marshmallows up their nostrils and hoping to burp cotton candy.

Not really. An alternative browser would work as a better solution.
Given that most of the exploits are IE specific, using Firefox, or Opera
would be a much nicer solution.

There is a strong possibility that the only reason there are fewer Firefox
vulnerabilities is because attackers can't be bothered attacking it. You may
notice that there have been several nasty bugs since it started becoming
more popular.

That hypothesis won't be provable either way for a while yet, although I
acknowledge that it's an emotive issue. Everyone wants so badly to believe
that IE is 3vil and Firefox r0cks. Well, I'll agree with the first half and
reserve judgement on the second until it has been under hostile fire a
little longer.

In any case, changing away from IE is simply not going to happen for many
environments, and Desktop Support aren't liable to consider their AV vendor
to be the world authority on what browser they should be running.

[...]
the "firewIDS"[...]

I think of it as proxies done wrong. Instead of trying to allow known
good traffic through, they are attempting to filter out known bad
traffic. That this approach does not work very well is a well known
factoid, but this appears to be ignored. Those who do not learn from
history are destined to repeat it and all that...

Well, in theory they should actually be "default deny plus", since you set
'em up just like a normal firewall, except that for the 'open' ports you
have another chance to catch attacks by inspecting the data you're allowing.

In theory.

[...]
Ok, analogy time. A firewall is like a locked door.[...]

I love this quote. ;)

"If you are using a house analogy, you have stopped saying anything 
interesting about information security." - Dave Aitel, Sep 01 2004.

[...]
IMO all the guys doing "behaviour blocking", "deep inspection" blah blah
blah are onto a much better bet. Signatures are basically sucky.

Oh hell, if you want to speak about deep inspection, why not think of it
like this: Deep inspection looks at the contents of a packet or group of
packets, and tries to match it to known bad patterns. [...]
So what it boils down to is that the deep inspection filters are just
proxies done badly.

Yes. Deep inspection is application level smarts applied to network streams,
but really fast. 

"Any sufficiently advanced application proxy is indistinguishable from any
sufficiently advanced stateful inspection engine." - Carson Gaspar, 15 Apr
2000

Quotes for all occasions. :)

There are two reasons why I like "Deep Inspectotron Application Fireweasels
(DIAF)" better than true proxies.

1. You don't have to implement the whole damn thing, which leaves you more
time to get to grips with filtering out badstuff. This is the key reason
DIAF != "Proxy But Different"

2. You can do it way, way faster with little effort. It's very amenable to
turning into circuits.

Lots of people probably see 1. above as a negative, not a positive, and I
used to think that way as well. However, I do not believe that it is
possible to implement the same kind of strict proxy that we used to be able
to do with, say, SMTP or FTP. Given that vendors don't/won't/can't do that,
they make cop-out proxies for the tricky protocols, which basically just
take attack traffic and add 150ms latency. Like Gauntlet. (I can tease them
now they're dead ;) Rather than do that, why _not_ pull out known bad stuff
based on generic "you probably don't want that much data in this header", or
"I doubt this mail address is meant to contain a 300K uuencoded attack
payload" type rules.

Now I don't use DIAFs, we don't sell 'em, I have no vested interest, I just
think it's slightly nicer to have a DIAF than a plain ol' boring FW,
PROVIDED that it doesn't use IDS style signatures. I do not, however, think
that a DIAF goes any significant way to obviating the need for defence in
depth and host protection, as some marketeers will try to claim. It's more
like version upgrading your firewall than implementing a 'new' technology.

[me]
There are other flaws too, but I risk setting myself off on a rant.

Oops, I slipped.

Oh come on, rants are fun.
use rant;

You talked me into it.

[...]
As MJR argued trying to fix a broken
system is a waste of time and not worth the effort.

Well, as _I_ said in that thread, it is possible to do a pretty damn good
job of bolt-on protection for both Windows and Linux (the systems that need
it the most), without designing it into the kernel in the first place.

You mean, on a filesystem like FAT32?

Ouch. Ok, you got me. FAT32 is bad, m'kay?

But, to be fair, I was thinking about 'real' operating systems.

[...]
"Dumb" systems like stackguard, linux / windows kernel modules that do some
simple function hooking, detecting system calls made from writeable memory
and the like are NOT rocket science.

Kernel modules are in kernel space, by definition.

Yeah, but they're not designed in. They can be easily implemented as a
band-aid, which is my whole point.

Microsoft Windows has really bad defaults.

Pet Peeve. Yes, OK, but they're getting better. I don't wail on Linux for
how crappy its security was back in 1999-2000 (well not much). XPSP2 is
actually moderately cool, from memory management up. Win2K3 likewise.

All that is being asked of them is that they set better defaults, and not
require users to run as administrators all the time. Oh, and do not start up
all those services at boot time.

Users have been able to not run as administrators since 'runas'. Kinda.

OK, I'm probably lying, I admit. *sigh*

Of course, hitting users over the head with iron bars is likely to work
better in the long run.

[southern twang] "Ahhh lews mo' yewwwwsers that way!"

Hell, the Windows ICF, "High Security" browser setting and a copy of Spybot
is adequate for home users. It's just

"High security browser setting" results in sites throwing up warnings or
simply not working. This is just not going to work in /that/ market.

Meh, OK, XPSP2 then. ;)

Cheers,

ben
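The generic "you probably don't want that much data in this header" rules the post describes, applied to an allowed port instead of a signature list, as an added example that is not code from the original post or thread. The thresholds, the sample HTTP and SMTP input, and the single contrast signature are constructed assumptions.

```python
# Bound-based inspection rules of the kind the post argues for, next to one
# fixed "known bad" signature for contrast. All limits here are assumptions.
import re

MAX_HEADER_VALUE = 4096       # assumed cap on any single HTTP header value
MAX_HEADER_COUNT = 64         # assumed cap on headers in one request
MAX_MAIL_ADDRESS = 254        # assumed cap; a real address never needs more
SIGNATURE = b"/cgi-bin/phf"   # constructed signature, stands in for an IDS rule

HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
# Deliberately simple address shape: local-part@domain, optional angle brackets.
ADDR_RE = re.compile(rb"^<?[^@<>\s]{1,64}@[A-Za-z0-9.-]{1,253}>?$")

def inspect_http_headers(raw: bytes) -> list[str]:
    """Return generic-rule violations for one raw HTTP request header block."""
    findings = []
    lines = [l for l in raw.split(b"\r\n")[1:] if l]  # drop the request line
    if len(lines) > MAX_HEADER_COUNT:
        findings.append(f"too many headers: {len(lines)}")
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            findings.append(f"malformed header line: {line[:40]!r}")
            continue
        name, value = m.groups()
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name.decode()} value is {len(value)} bytes")
        # Printable ASCII only: an assumption, stricter than the spec requires.
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{name.decode()} contains non-printable bytes")
    return findings

def inspect_mail_address(addr: bytes) -> list[str]:
    """Return generic-rule violations for one SMTP envelope address."""
    findings = []
    if len(addr) > MAX_MAIL_ADDRESS:
        findings.append(f"address is {len(addr)} bytes")
    if not ADDR_RE.match(addr):
        findings.append("address does not look like local@domain")
    return findings

def signature_match(raw: bytes) -> bool:
    """The contrast case: a signature engine only sees what it was told to see."""
    return SIGNATURE in raw

# Constructed samples: a benign request, a request whose Host header carries
# 8 KB of filler no signature list has seen, and a 300 KB "mail address".
BENIGN = b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
OVERSIZED = b"GET / HTTP/1.0\r\nHost: " + b"A" * 8192 + b"\r\n\r\n"
LONG_ADDR = b"<" + b"x" * 300000 + b"@example.com>"
```

The oversized request trips the generic bound but not the signature, which is the whole difference the post is pointing at.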

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
