RE: Excluding the bulk of UDP from IPS processing - What's the impact?

["Addepalli Srini-B22160" <saddepalli () freescale com>]

I guess the question you are pondering on whether to send dynamic data
connection traffic (RTP in case of SIP, L2TP data connections) to IPS
for inspection. 

I would say YES. I don't have the list, but as recent as June/July of
this year, I saw vulnerability disclosures in some RTP implementations.


Thanks
Srini

+++++++++++++++++++++++++++++++
Srinivasa Rao Addepalli
Chief Software Architect
Software Products Division
Freescale Semiconductor Inc.
 
Ph: 408-904-2761
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Bikram Gupta
Sent: Thursday, August 27, 2009 4:27 AM
To: focus-ids () securityfocus com
Subject: Re: Excluding the bulk of UDP from IPS processing - What's the
impact?

Thank you all, for the response. I'm new to IPS, and so let me put my
understanding in a simple flow.

- Packet switching is not the bottleneck for my case, state
maintenance is. So I'm trying to reduce the # of states here - without
any sacrifice in security capabilities. If that's not possible, I want
to know.
- I've tuned the perimeter IPS policies to enable asset specific
protection (TCP/UDP/IP, HTTP, DNS, SIP, NFS, L2TP) - for example.
- Next, what I do is to bypass all UDP traffic (except ports for DNS,
SIP signalling, NFS, and L2TP connection setup port, and worms/bots
traffic ports) from IPS engine.

What can go wrong? My thinking is as follows:
1) the IPS is not configured to protect any other traffic - besides
dns, sip, nfs, l2tp setup)
2) The IPS capability is in detecting attacks being carried in
signalling/connection setup. Maybe wrong, this is how I thought.
(2a) SIP, for example. All the SIP signatures are inspecting the
signaling traffic directed to SIP server. Once the connection is
established, the RTP channel is voice traffic. And the processing
involved at the endpoint is mere voice/data encoding. So the scope of
attack on RTP channel is less.
(2b) L2TP for example. The connection setup is directed to a fixed
port of L2TP server, which then chooses a random port for data
transfer. Once the data transfer begins, the end host is part of
network and IPS (sitting before L2TP) cannot do much. So we place an
IPS just after L2TP server in the network.

Assuming I can configure my network traffic to allow only a set of
fixed UDP ports (sip, dns, l2tp etc) into IPS engine for inspection,
what can be the damage from security standpoint?

Thanks a lot.

Bikram



On 8/27/09, Addepalli Srini-B22160 <saddepalli () freescale com> wrote:
> I imagine that you want to reduce the load on IPS.
>
> If you are looking to protect any UDP Servers such as IKE, NFS, SIP,
> L2TP etc.., it is typically expected that IPS inspects the traffic of
> UDP sessions that were initiated by  un-trusted machines. Since many
IPS
> devices are stateful in nature, it is necessary to send packets from
> both client-to-server and server-to-client of these sessions to IPS
> devices. That is, I don't think sending the Out-to-in traffic alone is
> not good enough due to statefulness of IPS devices.  If IPS device is
> inline with the firewall, then I guess it is not a problem as it gets
> hold of all packets anyway. But, if it offline IPS device, then
firewall
> should have intelligence to pass traffic of these sessions to IPS
> device.
>
> Thanks
> Srini
>
>
>
> +++++++++++++++++++++++++++++++
> Srinivasa Rao Addepalli
> Chief Software Architect
> Software Products Division
> Freescale Semiconductor Inc.
>
> Ph: 408-904-2761
> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Bikram Gupta
> Sent: Wednesday, August 26, 2009 5:17 AM
> To: focus-ids () securityfocus com
> Subject: Excluding the bulk of UDP from IPS processing - What's the
> impact?
>
> Scenario: Perimeter IPS deployment, with Stateful firewall at the
egress
> point.
>
> Traffic from out to in: Firewall will block all unsolicited UDP ports.
> For the UDP ports where traffic is allowed (RTP data etc) through
> firewall, do I have to pass it though IPS engine? Will there be cases
> of exploits in such cases? Some examples please.
>
> Traffic from in to out: I believe IPS processing for UDP flows must be
> enabled here.. to detect some of the p2p, IM, skype, trojan etc
> traffic.
>
> I am trying to understand the impact, if I bypass the UDP flows from
> IPS device? Can this be done realistically for some UDP traffic
> (in->out, out->in), or NONE?
>
> Thanks a lot.
>
> Bikram
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their
> application. By making use of an SSL certificate on your web server,
you
> can securely collect sensitive information online, and increase
business
> by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
> 17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you
can securely collect sensitive information online, and increase business
by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194




-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194