Home > Information Security Magazine > Features > On the Line
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

On the Line
by Ed Skoudis & Mike Poor
Issue: Nov 2005
printer-friendly
licensing & reprints
< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >

Detecting and Blocking Attacks
We tested how these IPSes handled some of the most common attacks of the last few years. If a tool missed common attacks that are a year old or older, there's concern about the vendor's underlying approach to defining signatures.

Why IDS is still in the game
In 2003, Gartner declared, "IDS is dead," thus predicting its eclipse by IPS by 2005. On the surface, it seemed logical: Why stop at just detecting attacks when you can block them? But the IDS vs. IPS question is far more complex.

Does IPS eclipse IDS? We think not, given the very nature of what IPS is trying to do. The philosophy of IDS and IPS collide around the mantra, "To block is ideal, to detect is a must." If you think in terms of a pyramid, policy is on the bottom and governs the overall strategies we employ to secure our networks. Enforcement rides above policy, and at the top of the pyramid, we place audit, where we monitor the network for deviations from policy. In this scheme, IPS clearly falls under policy enforcement, IDS under audit. No matter how strict your policies are and how good your IPS is, we still want to know what gets through, leaving an important role for IDS.

IDS signatures tend to be more comprehensive than IPS signatures because they can be applied without fear of dropping legitimate traffic. Because most IPS tools focus on blocking attack patterns, they have to be configured carefully so that they don't inadvertently block legitimate traffic when a false positive occurs. That's likely why many of the IPS tools we tested didn't detect even some of the most common attacks.

Furthermore, when we discussed some of the attacks that various vendors allowed through, they noted that unambiguously detecting a given complex attack (particularly recent variants of the RPC-DCOM attack) would seriously lower the performance an inline appliance requires. Thus, some vendors choose to err on the side of merely alerting or even missing more complex attacks rather than slowing traffic.

Nonetheless, IPS tools can augment security. Rather than asking if IPS should replace IDS, think about it as an extension of our firewalls, which allow traffic for certain services, blocking all other services, with a default policy of, "Deny all except that which is explicitly allowed." IPS operates on the premise, "Allow everything except traffic that matches a set of attack signatures." Thus, for those specific services that are required to pass through a firewall, the IPS tool can block attack patterns.

IPS is not a category killer. IDS provides value for detecting malicious behavior, firewalls allow traffic for required services while blocking all others, and IPS tools help to police this required traffic, blocking many possible attack attempts.

-- Ed Skoudis & Mike Poor

We chose to attempt the following four attacks:

  • The IIS Unicode exploit, which was originally published in October 2000, launched by hand from our Web browser.
  • The Windows RPC-DCOM buffer-overflow attack, which was originally published in July 2003 and later included in the Blaster worm, launched from several versions of Metasploit and Core IMPACT.
  • The Windows LSASS buffer-overflow attack, which was originally published in April 2004 and included in the Sasser worm, launched from Metasploit and Core IMPACT.
  • The Windows SSL PCT buffer-overflow attack, which was originally published in April 2004, launched from Metasploit.
One of the biggest issues with signature-based detection is the ability to detect signs that a given vulnerability is actually being exploited, rather than merely detecting individual specimens of exploit code, which an attacker can simply modify to evade detection. The not-yet-complete transition from detecting individual exploits to detecting vulnerability exploitation is likely the primary reason we see variations of the same exploit evading these devices.

ISS performed best on these tests, blocking all of our common attacks except a somewhat subtle variation of the Unicode exploit.

Top Layer also did well, blocking all attacks except the RPC-DCOM exploit from both Metasploit 2.0 and Core IMPACT. Ironically, Top Layer blocked this exploit from newer versions of Metasploit, but Core IMPACT and the older tactics of Metasploit version 2.0 slipped by its detection mechanisms. This raises an important point: Many security experts try to ensure that their devices block the latest and greatest attacks, and often forget to test earlier versions. IDS and IPS tools may break or delete a previous rule in favor of the newest signatures.

Sourcefire detected everything except the RPC-DCOM exploit from Metasploit 1.0, but blocked only three attacks, reflecting its conservative approach for initial configuration prioritizing alerting. The IPS tool snagged all of the RPC-DCOM attempts from more modern exploits, but the original RPC-DCOM exploit flew under its radar screen.

Cisco blocked only the older variations of RPC-DCOM, while admitting some based on newer Metasploit versions and Core IMPACT. Radware scored lowest, allowing some variations of RPC-DCOM and LSASS attack through the device, without any alert.

Handling Evasion Tactics
Beyond altering the contents of the exploits themselves, other evasion tactics tweak the exploits' appearance on the network in an effort to confuse an IPS or IDS tool.

Fragrouter, a tool originally released in 1999, provides more than two-dozen methods for altering attack packets at the network layer. Many of these mechanisms slice and dice attack packets into smaller and sometimes overlapping fragments. Other mechanisms manipulate TCP connections, such as faking a connection drop with a TCP FIN/RESET packet with a bad checksum. Checking embedded protocol checksums for all packets can be problematic for IPS tools, because the processing can slow performance.

< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >





TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts