Archive for 'IPS'

 Powered by Max Banner Ads 

Intrusion Prevention and SSL Inspection

There was a good article recently on PaulDotCom related to bypassing an IDS using SSL. This is a common problem with any IPS/IDS.

Lets first understand how an Intrusion Detection System can inspect SSL traffic. There are two primary ways vendors have implemented SSL decryption.

The first way is through the use of a dedicated appliance; such as a Netronome device. In this scenario the traffic is redirected to the offload appliance and decrypted. The decrypted traffic is then sent to the IPS/IDS for inspection.

The second method is where the traffic is decrypted on the intrusion prevention appliance.

Both of these scenarios have their benefits and drawbacks but they both require access to the private key of the certificate for the site being access. The certificate is loaded on the device and then traffic can be decrypted. This presents a problem when you do not have access to the private and is why the example from PaulDotCom works so well. This is also why attackers will encrypt their outbound traffic and easily evade IPS/IDS devices.

To counter this threat companies can you other solutions such as web gateways to redirect all SSL traffic to a web gateway where a certificate is installed on system to allow decryption of outbound traffic, think “man-in-the-middle” attack but performed by your company.

We will release some videos in the future showing how to do this.





Virtual IPS vs. Virtualized IPS

Virtualization is a top priority for most organizations today. Security of these virtualized environments should also be a top priority and in the Intrusion Prevention market most vendors are developing or have developed virtual or virtualized solutions.

The terms virtual IPS and virtualized IPS have different meanings and I want to take some time to attempt to differentiate these terms. Most vendors have had virtual IPS for many years. Virtual IPS is the ability to apply different polices to certain types of traffic. This could be done using VLAN tags or physical interfaces. IBM does this using the Protection Domains feature which allows a different policy to be deployed to different VLAN’s. Mcafee does this by allowing different policies to be assigned to physical interfaces and can also support policies to be applied based no VLAN tags.

Virtualized IPS is what most of us think of today when we discuss virtualization. Virtualized IPS is an IPS appliance that runs in a virtual environment such as VmWare, Zen or Microsoft’s Hyper-V. The IPS is installed as a virtual server and can be configured so that all server to server traffic inside and outside the virtual environment can be monitored by an IPS.

It is important to be clear on these differences in terminology because not all vendors have virtualized IPS and most sales people will not know enough to properly answer the question, Do you support virtualization? Most will say yes, because they have heard their support teams talk about virtual IPS not virtualized IPS. Virtualized IPS will continue to grow in importance and eventually all the major Intrusion Prevention vendors will have these offerings. Until then do your homework and hold the vendors accountable.

Forrester Network Mitigation Report

I recently read the TechRadar for Security & Risk Professionals: Network Threat Mitigation, Q3 2009 by Forrester. This report reviewed 14 different threat mitigation categories. These included encryption, wireless IDS/IPS, UTM, Intrusion prevention, network access control,Web-content filtering and a few others.
It is obvious that the bad guys are highly organized and very skilled. The number and sophistication of attacks do not seem to be going down but instead increasing. Forrester identified three areas they see in their client companies:
  1. The current controls are either not able to prevent the type of threats we see today of the solutions and how they are used need to be re-thought.
  2. Companies fear inline protection. Even though many companies have successfully deployed Intrusion Prevention, there is a general fear the IPS will block legitimate traffic.
  3. Companies lack visibility into what is really happening on their networks. This is somewhat by design because what you do not know you do not have to address.
Forrester did a good job of grouping the type of technologies and providing a ranking on their business value. I agree in general with their assessments.
Business Value
Firewall Auditing
Network Encryption
Network Threat Modeling
Network Access Control
Email Security Gateway
Network Firewall
Vulnerability Scanners
Web Proxy
Application Firewalls
Wireless IDS/IPS
Forrester states that NBAD is declining and will be replaced with and NBA. Further they predict NBA will likely be added to other security appliances. I agree with this assessment and vendors are working hard to integrate NBA into their Intrusion Prevention systems. Mcafee will be doing this soon as well as IBM/ISS and Cisco already does this.
One item I noticed and this is likely a mistake on the part of the authors is that they listed Snort/Sourcefire in the IDS only category.  While I agree with the general categorization of Snort as an IDS only I do not agree with Sourcefire being in this category and I doubt Martin Roesch would either.
Forester rates Network Intrusion Prevention as a High business value and I would of course tend to agree but I may be a little biased.  They see their clients replacing older IDS based systems with IPS and relying on this technology as a key control in their network.  Many vendors are beginning to add other features to their IPS devices. Companies like IBM/ISS have limited DLP functionality in their network intrusion prevention devices and IBM/ISS recently released  web application firewall functionality.
Network Intrusion Prevention continues to be a key control used by businesses and is only going to continue to grow. I believe we will see IPS become a platform for more services like DLP and NBA similar to how firewalls have integrated IPS, content filtering and other technologies.

September Microsoft Bulletins

IBM/ISS Coverage

MS Bulletin Coverage Coverage Date
MS09-049 Scanner Only 1.59 September, 8 th 2009
MS09-048 XPU’s 20.90, 1.71, 1.72, 28.010,28.150,29.130,


Multiple dates of coverage. 2006, 2008, 2009
MS09-047 XPU 20.90 September, 8 th 2009
MS09-046 XPU 20.90 September, 8 th 2009
MS09-045 XPU 20.90 September, 8 th 2009


MS Bulletin Coverage Coverage Date
MS09-049 NA
MS09-048 S430, S248, S431, S242 Multiple dates of coverage
MS09-047 S431 September, 8 th 2009
MS09-046 S431 September, 8 th 2009
MS09-045 S431 September, 8 th 2009


MS Bulletin Signature ID Coverage Date
MS09-049 Foundstone 7110
MS09-048 0x9E00, 7106 September, 8 th 2009, September 9 th, 2009
MS09-047 7108, 7109, 0x40265D00,0x40265E00 September, 8 th 2009, September 9 th, 2009
MS09-046 0x40266900 September, 8 th 2009
MS09-045 7098, 0x40266800 September, 8 th 2009, September 9 th, 2009

Detecting bot-nets

We here a lot about the rise of organized crime and the sophistication of the attackers. While this is true, in many cases I still see amateurish type attacks.

While reviewing an IPS I found the following messages. IPS still provides a great way to detect bot-nets and while there is an obvious problem on this network these IRC connections are being blocked by the IPS.

An interesting article related to this can be found here.

IRC Messages

:nick :msg
#usb Infected usb drive: E:

Interesting Nicknames to an IRC channel




This is the first post on the Intrusion Detection and Prevention blog. I plan to post information relating to these technologies, the vendors, etc. I hope you find it useful and interesting.