Subject: RE: Checkpoint SmartDefense - msg#00058
List: security.ids
Hi Fergus,
SmartDefense is a very limited application in terms of real-world
protection, with a limited feature set and minimal protection against
volume-based attacks.
As far as intelligence goes, Check Point do keep it up to date, but its
limitations on Intel-based platforms can quickly be seen in a test lab.
AFAIK, Interspect is a streamlined version of SmartDefense with no FW-1
component. It has fared quite badly in customer deployments, not because of
the code, but because you cannot run high-speed IPS on PCI-based hardware.
A SYN flood of several megabytes will bring an Interspect box to its knees.
I'm not vendor bashing (I'm a CCSE in 4.1 and NG and advocate Check Point's
ease of use as a perimeter firewall and VPN solution), but as an IPS and
part of core infrastructure, the hardware simply isn't up to scratch.
Its only pro point is that it's easy to use. Tick a box, and away you
go...
These facts are refutable - I would happily set up a test environment to
prove this (as I have done several times before!).
Regards,
Tim
-----Original Message-----
From: Fergus Brooks [ mailto:fergwa@xxxxxxxxx]
Sent: 18 May 2005 12:10
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Checkpoint SmartDefense
Hi all,
I am getting some mixed messages regarding this feature.
1) Does it detect zero day attacks in real time and
recommend/implement remediation
2) How intelligent is it?
3) Is it difficult to configure & maintain?
4) Is this feature different on the Interspect and standard FW-1 boxes
Any comments and real world examples greatly appreciated!
Thanks & regards.
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Thread at a glance:
Previous Message by Date:
Re: Vulnerability vs. Exploit signatures and IPS??
By looking for the characteristics of a vulnerability it is possible to
detect all possible exploits that might try to utilize that
vulnerability. Whereas looking for the signature of an exploit
leaves you vulnerable to new exploits utilizing the same vulnerability.
A simple analogy to this is say you want to find a particular person in
a crowd of people. You can either walk around with a picture of that
person and hold it up next to everyone in the crowd (signature based
detection) or you can find the person based on unique attributes about
them (rule based detection, as I like to call it). Signature based
detection is vulnerable to say the person wearing a hat, or glasses, or
a beard. Rule based detection isn't, as it uses a set of unchangeable
unique attributes that must exist for it to match on that person (I like
to call these triggering conditions). Like the distance to the corner
of each eye from their nose, or the shape and curve of the cheek bones.
To better understand this difference, let's take a real-world example.
Here is the bleedingsnort rule for the IIS PCT vulnerability (MS04-011):
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE
THCIISLame IIS SSL Exploit Attempt";
reference:url,www.thc.org/exploits/THCIISSLame.c;
reference:url,isc.sans.org/diary.php?date=2004-07-17;
content:"THCOWNZIIS!"; flow:to_server,established;
classtype:web-application-attack; sid:2000559; rev:6;)
If you're not familiar with Snort, this signature essentially looks for
the content "THCOWNZIIS!" in any packet heading to port 443 on the
network defined by $HOME_NET. The public exploit for this vulnerability
contains "THCOWNZIIS!", which is probably why the bleedingsnort guys
wrote this signature. Unfortunately this string isn't necessary for
this exploit to work, so it could just as easily be "MATTOWNIIS", and
the exploit would still function correctly. This means that the
signature above is exploit-specific and can be easily avoided (unless
all you want to catch is this particular exploit).
I think most people want to catch all exploits that attempt to exploit a
particular vulnerability, which is why you need rules that catch the
triggering conditions of the vulnerability (detect the vulnerability not
the exploit). In my opinion, writing exploit-specific signatures brings
very little value to the table, and also gives people a false sense of
security, as any intelligent attacker will remove these types of strings
from public exploits if they need to use them.
Since I'm a vendor I'm not going to simply tout the Sourcefire solution;
however, I will say the Sourcefire VRT strives to detect the
vulnerability and not the exploit with every rule that we release. OK,
so I touted a little.
Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
Jacob Winston wrote:
Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes
a claim that their IPS is better because they write signatures based on
Vulnerabilities and not exploits. I don't quite understand this.
Thank you,
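To make the exploit-versus-vulnerability distinction from Matthew's post concrete, here is an added example (written for this page; it is not code from the thread, from Bleeding Snort or from Sourcefire). The exploit-side check mirrors the content match in the rule quoted above: the literal "THCOWNZIIS!" towards port 443. The vulnerability-side check is a hypothetical stand-in, since the thread does not describe the real PCT triggering condition: it assumes a made-up handshake record (1-byte type, 2-byte length, body) in which a declared length larger than a 64-byte server buffer is what triggers the bug. The record format, buffer size and sample payloads are all constructed for illustration.

```python
"""Exploit-specific signature vs. triggering-condition rule (added example).

Assumptions (not from the thread): a hypothetical handshake record with a
1-byte message type, a 2-byte big-endian length and a body; the vulnerable
server copies `length` bytes into a 64-byte buffer. This is NOT the real
MS04-011 PCT condition, only a stand-in to show why the two rule styles differ.
"""
import struct

EXPLOIT_MARKER = b"THCOWNZIIS!"   # string the public exploit happens to carry
SERVER_BUF = 64                   # assumed size of the vulnerable buffer
RECORD_HELLO = 0x01               # assumed message type that reaches that buffer


def build_record(msg_type: int, body: bytes) -> bytes:
    """Assumed wire format: type (1 byte) | length (2 bytes, big-endian) | body."""
    return struct.pack(">BH", msg_type, len(body)) + body


def exploit_signature(dst_port: int, payload: bytes) -> bool:
    """Exploit-specific check, as in the quoted Snort rule: a literal marker to port 443."""
    return dst_port == 443 and EXPLOIT_MARKER in payload


def vulnerability_rule(dst_port: int, payload: bytes) -> bool:
    """Triggering-condition check: a hello record whose declared length exceeds the buffer."""
    if dst_port != 443 or len(payload) < 3:
        return False
    msg_type, length = struct.unpack(">BH", payload[:3])
    return msg_type == RECORD_HELLO and length > SERVER_BUF


def make_exploit(marker: bytes) -> bytes:
    """Constructed oversized hello: marker plus padding to 200 bytes, well past SERVER_BUF."""
    body = marker + b"A" * (200 - len(marker))
    return build_record(RECORD_HELLO, body)


def evaluate() -> dict:
    """Run both detectors over constructed traffic to port 443.

    Returns {sample_name: (exploit_signature_hit, vulnerability_rule_hit)}.
    """
    samples = {
        "benign_hello": build_record(RECORD_HELLO, b"client-hello-v1"),
        "public_exploit": make_exploit(EXPLOIT_MARKER),
        # Same overflow, marker renamed as Matthew suggests an attacker would.
        "renamed_exploit": make_exploit(b"MATTOWNIIS!"),
    }
    return {name: (exploit_signature(443, p), vulnerability_rule(443, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (sig, rule) in evaluate().items():
        print(f"{name:16s} exploit-signature={sig!s:5s} vulnerability-rule={rule!s}")
```

The renamed exploit slips past the content match but still trips the length check, because the rule keys on the condition the server cannot tolerate rather than on a string the attacker is free to change.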
Next Message by Date:
RE: Checkpoint SmartDefense
Hi Fergus,
Regarding your SmartDefense questions, my experience with this CP feature
suggests that:
1) in practice, it supplements the Application Intelligence FW-1 already has.
For zero-day attacks, you can never be sure that a
"skinny" IPS/IDS solution like SmartDefense will be enough. So far, it has
performed pretty well considering the amount of money you
spend for a single gateway (which makes SmartDefense a MUST in FW-1 gateways).
Spend some time and look at Web Intelligence though,
a CP feature that does behavioral-based analysis - not single pattern matching.
2) SmartDefense is just what its name indicates: smart (not intelligent). The
intelligence lies in the FW-1 itself. The combination
though performs great (and fast!). You can be sure that Check Point will
provide you with important updates in time. There are lots
of people in CP HQ who deal with maintaining SmartDefense and publishing
updates.
3) As with every CP product or service, it is not that difficult to configure and
maintain, provided that you know the IT environment
very well (so that you do not have to mess with false positives). Spend some
time on fine tuning as well.
4) SmartDefense comes as an annual service, so I do not see a reason why it
should be different in Interspect. Never tested
SmartDefense in Interspect myself.
Regards,
Dimitrios G. Patsos
IT Security Consultant
===================
SPACE HELLAS S.A.
===================
Email dpat@xxxxxxxx
-----Original Message-----
From: Fergus Brooks [mailto:fergwa@xxxxxxxxx]
Sent: Wednesday, May 18, 2005 2:10 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Checkpoint SmartDefense
Previous Message by Thread:
RE: Checkpoint SmartDefense
> From: Fergus Brooks [mailto:fergwa@xxxxxxxxx]
> Sent: Wednesday, May 18, 2005 2:10 PM
>
....
>
> I am getting some mixed messages regarding this feature.
>
> 1) Does it detect zero day attacks in real time and
> recommend/implement remediation
As my expertise is web application security, I can comment only on the
web (port 80/443) functionality of SmartDefense (as well as
Web Intelligence, its younger sibling). SmartDefense may provide better
value for other protocols.
Zero-day attack detection is a tricky business. Behind the marketing
brochures, SmartDefense and Web Intelligence are mostly misuse-based (i.e.
signature-based) and therefore are not well adjusted to zero-day
protection.
I personally feel that the signatures are also on the weak side for
attacks such as SQL injection or XSS, especially since tighter security
(that is, more signatures) is usually not practical, as discussed below.
>
> 2) How intelligent is it?
>
The one feature that seems to be more intelligent is the detection of binary
code in input. It also seems like the one that has the potential to detect
zero-day attacks for buffer overflows. I don't have personal experience
with this one (always off). Any input is welcome.
> 3) Is it difficult to configure & maintain?
>
It is actually too easy to maintain. It has a very "buzzword"-centric
configuration (block "XSS", block "SQL injection" - no finer
configuration).
As the configuration is on the rough side, I think that in real-world
situations many of the protections have to be either off or on low
(options are usually: off, low, medium and high). For example, medium
security for SQL injection includes detecting words such as select or
join - both impractical in the real world.
Lack of fine-grained configuration is not limited to signatures; it is
also true for applications - the security level for each category is
determined at site level, so if you have a free text field that is
prone to include the word "select" you cannot exclude it but rather have
to lower security for the entire site.
> 4) Is this feature different on the Interspect and standard FW-1 boxes
>
>
> Any comments and real world examples greatly appreciated!
>
> Thanks & regards.
>
Bottom line - if web security is your concern, this is hardly the way to
protect your site. It may be better for other protocols. I would go for
mod_security, which provides much better configurability for a much
lower price, or a full-blown application firewall, which provides much
more security.
~ Ofer
Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers@xxxxxxxxxx
http://www.breach.com
Next Message by Thread:
RE: Checkpoint SmartDefense
Another option that can be used instead of the default SQL injection
protection is the "worm catcher" - you can write pretty good regular
expressions here that are much more granular than the SQL injection
checks. Just keep in mind - I would never *ever* enable the worm
catcher for "all traffic" - I would apply it to defined servers -
otherwise, in large environments that serve a lot of HTTP traffic, it
can and will bring your firewall to its knees.
Chuck "Spence" Fasching
Senior Systems Engineer
952.767.5111 - Office
612.616.5080 - Mobile
Milestone Systems
charles.fasching@xxxxxxxxxxxxxxxxxxxx
-----Original Message-----
From: Ofer.Shezaf [mailto:Ofer.Shezaf@xxxxxxxxxx]
Sent: Thursday, May 19, 2005 6:13 PM
To: ferg; focus-ids
Subject: RE: Checkpoint SmartDefense