Obsolescence of traditional defenses

Filed under IPS by on October 29, 2009 at 2:25 am {no comments}

I attended a lunch and learn event hosted by Bayside Solutions and presented by Paul Henry. Bayside Solutions provides these monthly lunch and learn events and they are top notch. They are unique in that they are not sales events but focus on providing relevant information on issues within Information Security. Paul Henry is extremely knowledgeable and well known in the security industry.

The discussion was on how traditional port based protections are not longer enough. This is spot on and not necessarily new but it a great point that needs to be reinforced. With the advent of Web 2.0 it is no longer necessary for an attacker to penetrate your firewall. They only need to wait for you to visit a compromised website.  Since very few companies block outbound HTTP or HTTPS it is virtually impossible to prevent these attacks. The only way to prevent these attacks is to use more protocol based defenses. An example, would be Intrusion Prevention. I see malicious IRC traffic being blocked on a daily basis that is not using standard IRC ports.  Also many applications such as Instant Messaging clients will attempt to use different ports to find a way out of the network. When vendors develop products to bypass filters it is officially game over!

This doesn’t mean we eliminate our traditional firewalls but more is needed to provide true defense in depth protection. As Paul mentioned defense must be moved closer to the endpoint. Good old fashioned patch and system management would reduce these attacks but this is much harder to do than buying a new appliance to put on the network. :-)

Gumblar is back or never left

Filed under IPS by on October 22, 2009 at 7:48 pm {no comments}

ISS X-Force has raised the AlertCon to 2 because of increased Gumblar activity. Gumblar has updated the exploits it uses to take advantage of recent Adobe and Microsoft vulnerabilities. Unlike the previous version, the new and improved version hosts the exploits on the compromised web server and infects clients as they visit the website.
Microsoft October Bulletins

http://bit.ly/jg0jh

Adobe Updates

http://bit.ly/49Y6nA

IBM/ISS Signatures to detect Gumblar

http://bit.ly/18avBV

PDF_JavaScript_Exploit
PDF_Obfuscated_Stream
PDF_Encoded_JavaScript_Tag
PDF_JavaScript_Hex
PDF_JavaScript_Detected
PDF_Shellcode_Detected
Multimedia_File_Overflow
JavaScript_Obfuscation_Rue (PDF obfuscation)
Swf_Suspicious_ActionScript (Flash obfuscation)

October Microsoft Updates

Filed under IPS, Microsoft Security Bulletins by on October 17, 2009 at 1:57 am {no comments}

IBM/ISS
MS Bulletin
Coverage
Coverage Date
MS09-050
XPU 29.091
9/11/2009
MS09-051
XPU 29.091
9/11/2009
MS09-052
XPU 29.1
10/13/2009
MS09-053
XPU 29.1
Multiple Signatures and dates
MS09-054
XPU 29.1
Multiple Signatures and dates
MS09-055
XPU 29.1
Multiple Signatures and dates
MS09-056
XPU 29.08
8/11/2009
MS09-057
XPU 29.1
10/13/2009
MS09-058
Scanner Only
10/13/2009
MS09-059
MS09-060
Scanner Only
10/13/2009
MS09-061
XPU 29.09
9/8/2009
MS09-062
XPU 29.09
Multiple Signatures
Cisco
MS Bulletin
Coverage
Coverage Date
MS09-050
S438,S441
Multiple Dates
MS09-051
S441
10/13/2009
MS09-052
S441
10/13/2009
MS09-053
S441,S430
Multiple Dates
MS09-054
S441
10/13/2009
MS09-055
MS09-056
S441
10/13/2009
MS09-057
S441
10/13/2009
MS09-058
MS09-059
MS09-060
S422
8/4/2009
MS09-061
S441
10/13/2009
MS09-062
S441
10/13/2009

Mcaffe and IBM Comparison

Filed under IBM, IPS, Mcaffe by on October 6, 2009 at 6:07 pm {no comments}
IBM
Device
GX4004
GX5008
GX5108
GX5208 (more…)

Forrester Network Mitigation Report

Filed under IPS by on September 26, 2009 at 9:07 pm {one comment}

I recently read the TechRadar for Security & Risk Professionals: Network Threat Mitigation, Q3 2009 by Forrester. This report reviewed 14 different threat mitigation categories. These included encryption, wireless IDS/IPS, UTM, Intrusion prevention, network access control,Web-content filtering and a few others.
It is obvious that the bad guys are highly organized and very skilled. The number and sophistication of attacks do not seem to be going down but instead increasing. Forrester identified three areas they see in their client companies:
  1. The current controls are either not able to prevent the type of threats we see today of the solutions and how they are used need to be re-thought.
  2. Companies fear inline protection. Even though many companies have successfully deployed Intrusion Prevention, there is a general fear the IPS will block legitimate traffic.
  3. Companies lack visibility into what is really happening on their networks. This is somewhat by design because what you do not know you do not have to address.
Forrester did a good job of grouping the type of technologies and providing a ranking on their business value. I agree in general with their assessments.
Technology
Business Value
Firewall Auditing
Low
Network Encryption
Negative
Network Threat Modeling
Negative
Network Access Control
Low
UTM
Low
Email Security Gateway
High
Network Firewall
High
Vulnerability Scanners
Medium
NBAD
Negative
IDS
Negative
IPS
High
Web Proxy
Medium
Application Firewalls
Low
Wireless IDS/IPS
Medium
Forrester states that NBAD is declining and will be replaced with and NBA. Further they predict NBA will likely be added to other security appliances. I agree with this assessment and vendors are working hard to integrate NBA into their Intrusion Prevention systems. Mcafee will be doing this soon as well as IBM/ISS and Cisco already does this.
One item I noticed and this is likely a mistake on the part of the authors is that they listed Snort/Sourcefire in the IDS only category.  While I agree with the general categorization of Snort as an IDS only I do not agree with Sourcefire being in this category and I doubt Martin Roesch would either.
Forester rates Network Intrusion Prevention as a High business value and I would of course tend to agree but I may be a little biased.  They see their clients replacing older IDS based systems with IPS and relying on this technology as a key control in their network.  Many vendors are beginning to add other features to their IPS devices. Companies like IBM/ISS have limited DLP functionality in their network intrusion prevention devices and IBM/ISS recently released  web application firewall functionality.
Network Intrusion Prevention continues to be a key control used by businesses and is only going to continue to grow. I believe we will see IPS become a platform for more services like DLP and NBA similar to how firewalls have integrated IPS, content filtering and other technologies.

Detecting bot-nets

Filed under IPS by on August 20, 2009 at 10:52 am {one comment}

We here a lot about the rise of organized crime and the sophistication of the attackers. While this is true, in many cases I still see amateurish type attacks.

While reviewing an IPS I found the following messages. IPS still provides a great way to detect bot-nets and while there is an obvious problem on this network these IRC connections are being blocked by the IPS.

An interesting article related to this can be found here.

IRC Messages

:nick :msg
#usb Infected usb drive: E:

Interesting Nicknames to an IRC channel

VirUs-rigvgunl
VirUs-rflkbvny
VirUs-rexehaxz
VirUs-rcpcmobp
VirUs-rboinhcv
VirUs-raquheuv
VirUs-raozodkn
VirUs-racgucrn
VirUs-quyozuoc
VirUs-qufnunld
VirUs-msubtplz
[03|MEX|XP|981734]
[03|MEX|XP|444546]

Page 5 of 6«123456»

Switch to our mobile site