
Recently one of my friends performed a penetration test on one of our clients' networks. Most of the time the penetration test is done using the "white box" technique, and yes, sometimes the client of course requests the "black box" technique as well, and sometimes we perform both. During the "black box" session he mentioned that this particular client seemed to have some sort of content filtering device or mechanism that managed to block most of his attack techniques. I assume this client has an IPS installed on their network. No, this is not an IPS-bashing post from me, OK?

http://www.thetechherald.com/article.php/200817/811/

OK. So after a few more failed attempts at manipulating the user queries, my friend decided (based on what he told me) to try the old IDS evasion techniques like fragmentation overlap and fragmentation overwrite, with little expectation, but voilà, he managed to bypass the client's IPS or content filtering device. Of course he happily carried on with his next tasks, and I think he was a little astonished that these filtering devices can still be deceived by such old techniques.

http://archive.networknewz.com/networknewz-10-20021016NetworkDenialofServiceAttacksCanyouhackit.html

Actually it is quite difficult for me to comment on this because it is based on my friend's story and I was not there to see the actual technique he used to bypass the IPS (that it was an IPS is my assumption; my friend told me the client did mention their content filtering device). Maybe he used the fragmentation techniques alone to evade the IPS, and maybe he combined them with others as well.
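To make the evasion my friend described concrete, here is a small model of fragment reassembly. It is added to this post for illustration and is not code from the test itself; the fragments, offsets and signature are constructed for the example, and "first" and "last" are two simplified overlap policies, not the exact rules of any particular operating system.

```python
"""Added example: why fragmentation overlap/overwrite still fools inline sensors.

An IP datagram split into fragments is put back together by whichever policy
the receiving stack implements. When two fragments claim the same byte range,
one stack may keep the bytes it saw FIRST, another the bytes it saw LAST.
A sensor that reassembles with a policy different from the target host's
inspects a different payload than the one the target actually processes.
The fragments and the signature below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this chunk inside the original datagram
    payload: bytes
    more: bool     # True unless this is the final chunk (the IP "MF" flag)


def reassemble(fragments: List[Fragment], policy: str) -> Optional[bytes]:
    """Rebuild the datagram under the given overlap policy.

    policy="first": bytes already held win over later overlapping fragments.
    policy="last":  later overlapping fragments overwrite bytes already held.
    Returns None if no final fragment arrived or the byte range has a hole.
    (Real stacks use finer-grained rules than these two; the two extremes
    are enough to show the ambiguity.)
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    held: Dict[int, int] = {}          # absolute byte offset -> byte value
    total: Optional[int] = None
    for frag in fragments:             # processed in arrival order
        for i, value in enumerate(frag.payload):
            pos = frag.offset + i
            if policy == "last" or pos not in held:
                held[pos] = value
        if not frag.more:
            total = frag.offset + len(frag.payload)
    if total is None or any(pos not in held for pos in range(total)):
        return None                    # incomplete: keep waiting (or time out)
    return bytes(held[pos] for pos in range(total))


def evades(fragments: List[Fragment], signature: bytes,
           sensor_policy: str, target_policy: str) -> bool:
    """True when the target sees the signature but the sensor does not."""
    at_sensor = reassemble(fragments, sensor_policy)
    at_target = reassemble(fragments, target_policy)
    hit_target = at_target is not None and signature in at_target
    hit_sensor = at_sensor is not None and signature in at_sensor
    return hit_target and not hit_sensor


# Constructed fragments: a benign-looking request whose tail is overwritten
# by a later fragment carrying the same offsets.
EVASIVE_FRAGMENTS = [
    Fragment(0, b"GET /", more=True),
    Fragment(5, b"index.html", more=False),   # benign final chunk, arrives first
    Fragment(5, b"etc/passwd", more=False),   # same offsets, arrives later
]
SIGNATURE = b"etc/passwd"   # what a content rule would look for


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(EVASIVE_FRAGMENTS, policy))
    print("sensor=first, target=last evaded:",
          evades(EVASIVE_FRAGMENTS, SIGNATURE, "first", "last"))
    print("sensor=last, target=last evaded:",
          evades(EVASIVE_FRAGMENTS, SIGNATURE, "last", "last"))
```

With a "first" policy the sensor reassembles `GET /index.html` and sees nothing to alert on, while a "last" policy target reassembles `GET /etc/passwd`. This is why current sensors let you declare the reassembly policy per target host (Snort's frag3 preprocessor and Suricata's defrag configuration both do); a sensor that simply picks one policy for everything behind it leaves exactly the gap shown here.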

Anyhow here is my view on this matter.

http://www.markhoustonrecovery.com/relapse_prevention_.php

This condition does prove a few things. First of all, it shows that prevention eventually fails. To be honest with you, I really do love that phrase. I do not know about you, but I am constantly asked about the necessity of having an IDS, since an IPS does whatever an IDS is meant to do and, on top of that, instead of only detecting, it can also perform active responses like reject or deny. Some of the students in my training classes also express their intention to remove their IDS since they have acquired the latest content filtering appliance.

OK. Maybe they are right. Why would you still want to keep the "old" technology when the "latest" one is available, and the "latest" is the enhancement or evolution of the "old" one? Hmm, but perhaps most of us forget that the "holy grail" of IDS is to achieve the minimum, or better still zero, false positives (which in practice is impossible). I believe this "enhanced" technology inherits the same "holy grail" as the old one. The difference is what a false positive costs: an IDS that misfires raises a bogus alert, while an inline IPS that misfires drops legitimate traffic.

To make things more difficult, there is the positioning of these two systems in the network. In order to provide active responses to malicious packets, a network-based IPS, content filter or layer 7 firewall usually has to be placed in line with the network flow, so any latency, failure or false positive it introduces is felt by every connection passing through it. For a firewall (either network-based or personal/host-based), the best practice is a "default deny" policy that allows only selected traffic/transactions and denies the rest. Can an IPS or any content filtering mechanism/device be implemented according to that kind of policy? Be my guest to answer this..

http://www.linuxfocus.org/English/May2003/article292.shtml

An IDS, on the other hand, only provides detection, so it is usually placed at the network access points where it can monitor the network or network segments it is supposed to monitor, passively, without interrupting the network flow. Even though the IDS collects every single bit of data and inspects that traffic right up to the application layer, it will not cause any problems or interruptions to the network.

So does this mean we should start throwing our IPS out of our networks? Does this mean that IPS is bad and IDS is good? No. It just means that substituting one for the other does not improve your security posture at all. I also believe that these two must be seen as complementary to each other.

The best thing is to identify your monitoring zones, have your firewall admit only the allowed traffic into the network, have your IPS filter that traffic, have your IDS then scrutinize the traffic that passed the IPS, and have this traffic filtered once more by the personal/host-based/application-level firewalls.

Anyway, that's my view only and, as usual, I welcome any other opinions as well.

2 Responses to “Good Doors but still you need CCTV”

  1. on 09 Jul 2009 at 6:16 pm Access Control System Chennai

    CCTV is a good security product... by using this we can provide more security...

    roshid

  2. on 11 Jul 2009 at 5:59 pm PenatLelah

    Wazzap,

    They said :
    “We have good Biometric DoorS
    We have Spy TV some more[dunno working or not?]”

    Funny thing is… why would u wanna see the “Punch Card” itemized :o

    Shouldn’t we take the “tools” for granted..

    ps: U late U pay – IDS Trilogy
