RE: Cisco CTR

["Michael Marziani" <marziani () oasis com>]

> -----Original Message-----
> From: Rob Shein [mailto:shoten () starpower net]
>
> There's nothing unsubstantiated about it at all.  Look at the
> code for some of the exploits, actually READ the code.

Do you honestly think that all the intrusion apps hackers write and use are
easily available?  Malicious hackers almost never share their trade secrets.

> in most situations.  The true definition of "immediately," meaning
"without
> delay," does not apply here. There is a delay, and while it can be very
> short, it is far longer than that of CTR's response, which truly is
> immediate.

So you can't envision any circumstance in which the Cisco CTR could be
bogged down just long enough to allow a patch to occur, or even easier, for
the hacking program to take over the port it just came in through and fake
the response that the patched program would give (i.e. exploit an apache
flaw, get root, shut down apache and run tiny custom daemon app in it's
place which advertises a version of apache without the flaw).  I just pulled
this off the top of my head, do you think hackers can't come up with
something even better?

I'm not slamming any product or offering like the Cisco CTR.  These are very
good products and protect in ways that few if any previous systems can.  I'm
just saying that no system is bulletproof and we should never underestimate
the opposition.

-Michael



> > -----Original Message-----
> > From: Michael Marziani [mailto:marziani () oasis com]
> > Sent: Friday, November 07, 2003 10:47 AM
> > To: Rob Shein; 'Gary Flynn'
> > Cc: 'Liran Chen'; focus-ids () securityfocus com
> > Subject: RE: Cisco CTR
> >
> >
> > > -----Original Message-----
> > > From: Rob Shein [mailto:shoten () starpower net]
> > >
> > > Yes, but nobody patches it THAT quickly.  CTR acts
> > immediately, not a
> > > half-hour later...it would have started scanning by the time the
> > > hacker at the other end notices that he has a shell...
> >
> > Please don't make unsubstantiated blanket statements like
> > that.  Hackers are skilled sysadmins and programmers who
> > create packaged hacking tools that not only search for and
> > exploit flaws to get them onto a system, but also install
> > programs, disable security features, and yes, patch servers
> > *immediately* once they get inside.
> >
> > A system like Cisco CTR might very well detect the attack
> > before the hacker's program has time to patch, but that all
> > depends on how good the hacker's program is, the state of the
> > network, etc.  I'd like to see the results of a live test of
> > such an event.
> >
> > If this type of attack can succeed as I think it could, I
> > think a solution would be for the IDS to keep a record of the
> > patch levels of every system in the network and allow those
> > patch levels to be updated only through an administrative
> > interface (requiring additional authentication and of course
> > increasing the administrative workload).  Then the system
> > wouldn't be fooled by this technique.
> >
> > -Michael
> >
> > Michael Marziani
> > IT Consultant
> > Entercede Consulting, Inc.
> >
> > > > -----Original Message-----
> > > > From: Gary Flynn [mailto:flynngn () jmu edu]
> > > > Sent: Thursday, November 06, 2003 5:58 PM
> > > > To: Rob Shein
> > > > Cc: 'Liran Chen'; focus-ids () securityfocus com
> > > > Subject: Re: Cisco CTR
> > > >
> > > >
> > > >
> > > >
> > > > Rob Shein wrote:
> > > >
> > > > > I think this largely relates to the earlier discussion
> > > > about how there
> > > > > is a difference between a "false positive" and an actual
> > > > attack that
> > > > > fails to succeed.  Ask yourself this: are you going to want to
> > > > > know about all attacks or just those that have a chance of
> > > > > success?  If someone throws IIS attacks at your apache
> > web server,
> > > > > do
> > > > you want to
> > > > > know about it...or do you want to wait until they start using
> > > > > apache-compatible exploits?
> > > > >
> > > > > There's a good summary of what CTR does here:
> > > > > http://www.cisco.com/en/US/products/sw/secursw/ps5054/
> > > >
> > > > Another thing to think about - some folks have a habit of
> > patching
> > > > the hole they came in through. Just because a vulnerability scan
> > > > shows no vulnerability it does not mean an attack was
> > unsuccessful.
> > > > --
> > > > Gary Flynn
> > > > Security Engineer - Technical Services
> > > > James Madison University
> > > >
> > > > Please R.U.N.S.A.F.E.
> > > > http://www.jmu.edu/computing/runsafe
> > >
> > >
> > > ------------------------------------------------------------------
> > > ---------
> > > Network with over 10,000 of the brightest minds in information
> > > security at the largest, most highly-anticipated industry
> > event of the
> > > year. Don't miss RSA Conference 2004! Choose from over 200 class
> > > sessions and see demos from more than 250 industry vendors. If your
> > > job touches security, you need to be here. Learn more or
> > register at
> > > http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> > > and use priority code SF4.
> > > ------------------------------------------------------------------
> > > ---------


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------