Wednesday, January 31, 2007

IPS algorithms...

Comments on "Outer limits on IPS article at Dark Reading"

http://www.darkreading.com/blog.asp?blog_sectionid=403&WT.svl=blogger1_3

The author makes some good points about the limitations of IPSes. However, IPSes are not as useless as he claims. IPSes today use a variety of methods to prevent attacks. Signatures are used to block known "bad stuff". It is true that the attacker can change his "bad stuff" to evade existing signatures, but eventually the signatures get updated and the attack is limited, if not completely stopped. Meanwhile, anomaly detection is used to counter new attacks that don't have signatures yet.

There are two types of anomaly detection (actually three if you include host behavioral anomaly detection): protocol anomaly detection and network behavioral anomaly detection. The first works quite well in blocking worms, because most worms spread via buffer overflows: checking network traffic for "too long" protocol fields and for other things like "executable code" in data fields will block most current worms. The second technique, behavioral anomaly detection, is useful for detecting port scans (too many failed connections), password-guessing attempts (too many failed login attempts) and so on, but many vendors are using it to detect things like high bandwidth usage, which will produce too many false positives, as the author correctly points out.
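To make the two detection techniques concrete, here is an added example (not code from the original post or from any IPS vendor) that runs both checks over a constructed stream of traffic events. The protocol anomaly check flags a field that is longer than its expected maximum or that contains executable-looking bytes; the behavioral check counts failed connections and failed logins per source host inside a sliding time window. The field limits, the byte markers, the thresholds and the sample events are all assumptions chosen for illustration.

```python
"""Added example: protocol and behavioral anomaly detection over sample events.

The field-length limits, executable markers, thresholds and the traffic events
below are constructed for this illustration, not taken from any real product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed maximum lengths for a few protocol fields (illustrative values).
FIELD_LIMITS = {"http.uri": 2048, "smb.path": 260, "ftp.user": 64}

# Assumed byte patterns that look like executable content in a data field:
# a NOP sled, a PE header, an ELF header.
EXEC_MARKERS = (b"\x90" * 16, b"MZ", b"\x7fELF")


@dataclass
class Event:
    ts: float            # seconds since start of capture
    src: str             # source host
    dst: str             # destination host
    kind: str            # "field" (a parsed protocol field), "conn" or "login"
    field: str = ""      # protocol field name, for kind == "field"
    value: bytes = b""   # field contents, for kind == "field"
    ok: bool = True      # for "conn"/"login": did the attempt succeed?


def protocol_anomaly(ev):
    """Return an alert string if a protocol field is too long or looks executable."""
    if ev.kind != "field":
        return None
    limit = FIELD_LIMITS.get(ev.field)
    if limit is not None and len(ev.value) > limit:
        return f"{ev.src}: {ev.field} length {len(ev.value)} exceeds {limit}"
    if any(marker in ev.value for marker in EXEC_MARKERS):
        return f"{ev.src}: executable-looking bytes in {ev.field}"
    return None


class BehaviourDetector:
    """Count failed connections / logins per source host in a sliding window."""

    def __init__(self, window=10.0, max_failed_conn=20, max_failed_login=5):
        self.window = window
        self.limits = {"conn": max_failed_conn, "login": max_failed_login}
        self.failed = defaultdict(deque)  # (src, kind) -> timestamps of failures

    def observe(self, ev):
        """Return an alert string the moment a host crosses a failure threshold."""
        if ev.kind not in self.limits or ev.ok:
            return None
        q = self.failed[(ev.src, ev.kind)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) == self.limits[ev.kind]:         # fire once, when the threshold is reached
            label = "port scan" if ev.kind == "conn" else "password guessing"
            return f"{ev.src}: {len(q)} failed {ev.kind}s in {self.window:.0f}s ({label} suspected)"
        return None


def run(events):
    """Apply both checks to a list of events; return the alerts in time order."""
    det = BehaviourDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for alert in (protocol_anomaly(ev), det.observe(ev)):
            if alert:
                alerts.append(alert)
    return alerts


def sample_events():
    """Constructed sample traffic: one benign request plus four anomalies."""
    evs = [
        Event(0.0, "10.0.0.5", "10.0.0.80", "field", "http.uri", b"/index.html"),      # normal
        Event(1.0, "10.0.0.9", "10.0.0.80", "field", "http.uri", b"/" + b"A" * 3000),  # oversized URI
        Event(2.0, "10.0.0.9", "10.0.0.21", "field", "ftp.user", b"\x90" * 16 + b"x"), # NOP sled in a username
    ]
    # 25 failed connections from one host within 5 seconds: port-scan pattern
    for i in range(25):
        evs.append(Event(3.0 + i * 0.2, "10.0.0.7", f"10.0.0.{i + 1}", "conn", ok=False))
    # 6 failed logins in 6 seconds from one host: password-guessing pattern
    for i in range(6):
        evs.append(Event(10.0 + i, "10.0.0.12", "10.0.0.22", "login", ok=False))
    # a single failed login from another host stays below the threshold
    evs.append(Event(20.0, "10.0.0.3", "10.0.0.22", "login", ok=False))
    return evs


if __name__ == "__main__":
    for line in run(sample_events()):
        print(line)
```

The thresholds are the tuning point the post is really about: a limit on failed connections or failed logins has a clear meaning and a low false-positive rate, whereas a threshold on something like aggregate bandwidth has no such anchor and will fire on legitimate bursts.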





Friday, January 26, 2007

Social security numbers as authenticators...

It troubles me that, in spite of all the noise about identity theft, nothing is being done to fix the basic broken element in the system: the use of social security numbers and other personal information like a mother's maiden name to authenticate people. SSNs may have served a purpose as an interim solution for authentication until a "real" solution was found, but they don't scale well.

They are like "pre-shared key" based authentication (actually much worse). It is well understood that pre-shared keys are fine for small-scale use like your home wireless network, and even then it is recommended that they be changed periodically. The case with SSNs is much worse: the same key is used as an authenticator over a person's whole lifetime and everywhere the person needs to authenticate himself: banks, rental leases, loans, employers... And it cannot be changed!



Wednesday, January 24, 2007

On Internal LAN security, switches and IPSes

I have heard some security researchers claim that since anti-virus (and anti-spyware and other anti-X) software exists on hosts, the network just needs to make sure that it is working properly. That is indeed a core idea behind NAC (or NAP if you prefer), but as the more pragmatic security professionals will observe, security needs a layered approach. This is because no individual layer of security is foolproof; there is always a chance that it will fail. Consider, for example, rootkit-based spyware that can avoid detection by anti-X software on a host, but that a network-based monitor (a specialty appliance, or one embedded in a switch, router, firewall or IPS) can detect by looking at the network traffic to and from that host. Indeed, rootkit-based spyware and anti-X software evasion are expected to be dominant problems this year [ http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1238948,00.html?track=NL-494&ad=577800&Offer=SEbpd124&asrc=EM_UTC_938379&uid=5726676 ].

Multiple layers reduce the chances of security failure because the probability that all of them will fail at the same time is low. Of course, adding layers increases cost and complexity and makes management difficult, so we cannot have hundreds of them. But it is fairly easy to see that we need at least two layers: one in the network and one on the host. It would be a mistake, however, to assume that these two layers will have completely complementary, non-overlapping functionality. Both will tend to use similar algorithmic techniques: pattern matching (aka signatures) for known malware, and protocol anomaly detection and behavioral anomaly detection for unknown malware. They may differ in their sets of patterns, protocols or behavior models and in platform-specific implementation optimizations, but for the engineers building them they are essentially the same techniques. They may also differ in their input sources, e.g. host-based systems scan memory and files whereas network-based systems scan network traffic.

So my point is that we will see the role of the network in NAC get augmented with more IPS-like features. Firewall and IPS vendors will start getting traction in the internal network (they are mostly deployed at the perimeter today) but will face new challenges unique to the internal network: higher performance requirements, the need for integration with other intranet infrastructure (switches, directory servers etc.) and a different application landscape (CIFS, CVS, J2EE etc., which are mostly not seen as much at the perimeter). On the other hand, switch vendors will start adding firewall and IPS-like features to their switches, but will face challenges developing switch architectures that allow the "programmability" and "deep processing" needed.


Welcome to my blog !

Hello Readers,
I am an engineer who has been developing security products for about 7 years. In this blog I will write about information security from the point of view of an engineer who builds security products. I would love to hear your comments and opinions (especially from those who use these products) on my small essays.

Cheers,
Mohit