Message-Id: <8D478647-1181-4678-B7FB-EE872BF627E9@sekure.org>
Date: Wed, 2 Jun 2010 11:07:40 -0300
From: Nelson Brito <nbrito@...ure.org>
To: Cor Rosielle <cor@...post24.com>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>,
	Srinivas Naik <naik.srinu@...il.com>
Subject: Re: Full-disclosure] Why the IPS product designers

It always depends on decisions and always follows a 1:1 basis.

When someone tries to sell you a single solution, it means:
1. He/She doesn't have a complete understanding of your problem;
2. He/She doesn't care what kind of threat you have or will have in the
future;
3. He/She only has one single solution to protect you.

But, IMHO, this is a "blind" discussion: trying to figure out the reason
someone drives you to a single or multiple solution... And... You know
what? Whatever the reason is, it doesn't matter at all!!! What really
matters is the misunderstanding people have about how to protect
themselves!!!

I don't think that's the point here. The point here is to understand the
approaches to protect a real world environment, and I keep saying:
you MUST deploy something in your host when you deploy something in
your network. And here is the reason:
- If you protect your network with CLIENT-SIDE threats in mind you
MUST deploy a CLIENT-SIDE protection layer, otherwise you will fail.
That's a logical decision. Because, as I said before, it is not 1990
anymore, and there are no borders either... So if you think you are
protecting your users by adopting a network solution only, what is
gonna happen when they travel out of your "Borders"?

For those who believe Host vs. Network is all about budget... Well, it
shouldn't be, because threats don't care about this, because they want
to get you!

That's my personal feeling, and, BTW, it is based on my experience...

Anyone that says you COULD deploy a host solution with a network
solution doesn't really know the problems you have... Or he/she just
ignores the actual threats.

I'm not selling anything here, except for the educational discussion.
And I should warn people that there is no miracle solution for all the
problems... So, IMHO, you MUST deploy host and network together (I
love to say this 8)...

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an iPhone wireless device. Please, forgive any potential
misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor@...post24.com> wrote:

> I would say: a host IPS could be considered, even if there is a network
> IPS. If it is a wise decision to spend your money or use your hardware for
> this, depends from case to case. And I might even add: if someone tells you
> different, he must be selling something.
>
> Regards,
> Cor
>
>
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk
>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Srinivas Naik
>> Sent: Tuesday 1 June 2010 21:14
>> To: full-disclosure@...ts.grok.org.uk
>> Subject: [Full-disclosure] Full-disclosure] Why the IPS product designers
>>
>> Mr. Nelson has brought a good point, Host IPS should also be running
>> even if there is Network IPS.
>>
>> There are client-end attacks which have got many evasion techniques,
>> and almost all the recent research presents us the proof of such attacks.
>> Apart from these there exist other exploits/malware which cannot be
>> detected over the network.
>>
>> Regards,
>> Srinivas Naik (Certified Hacker and Forensic Investigator)
>> IPS Evaluator
>> http://groups.google.com/group/nforceit
>>
>> On Tue, Jun 1, 2010 at 9:16 PM,
>> <full-disclosure-request@...ts.grok.org.uk>wrote:
>>
>>> Send Full-Disclosure mailing list submissions to
>>>     full-disclosure@...ts.grok.org.uk
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>     https://lists.grok.org.uk/mailman/listinfo/full-disclosure
>>> or, via email, send a message with subject or body 'help' to
>>>     full-disclosure-request@...ts.grok.org.uk
>>>
>>> You can reach the person managing the list at
>>>     full-disclosure-owner@...ts.grok.org.uk
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Full-Disclosure digest..."
>>>
>>>
>>> Note to digest recipients - when replying to digest posts, please trim your
>>> post appropriately. Thank you.
>>>
>>>
>>> Today's Topics:
>>>
>>> 1. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Nelson Brito)
>>> 2. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection
>>>    (Valdis.Kletnieks@...edu)
>>> 3. DoS vulnerability in Internet Explorer (MustLive)
>>> 4. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (rajendra prasad)
>>> 5. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Cor Rosielle)
>>> 6. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Nelson Brito)
>>> 7. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Nelson Brito)
>>> 8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 10. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Cor Rosielle)
>>> 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
>>> 12. Re: Why the IPS product designers concentrate on server side
>>>    protection? why they are missing client protection (Nelson Brito)
>>> 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
>>>    Penetration Testing framework (Onapsis Research Labs)
>>> 14. Re: The_UT is repenting (T Biehn)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Tue, 1 Jun 2010 08:50:05 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>>     <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B@...ure.org>
>>> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>>>
>>> You're missing one point: Host IPS MUST be deployed with any Network
>>> Security (Firewalls or NIPSs).
>>>
>>> No security solution/technology is the miracle protection alone, so
>>> that's the reason everybody is talking about defense in depth.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 4:38 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing a small
>>>> amount of data is better than processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plain text. Embedding all
>>>> the client encryption/decryption process on the fly is not possible,
>>>> even though the IPS gathered key values of clients. Most of the client
>>>> protection is done by anti-virus. So, concentrating on client attacks
>>>> at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Tue, 01 Jun 2010 08:34:22 -0400
>>> From: Valdis.Kletnieks@...edu
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <14206.1275395662@...alhost>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
>>>
>>>> Request length is less than the response length. So, processing a small
>>>> amount of data is better than processing bulk data. Response may have
>>>> encrypted data. Buffering all the client-server transactions and validating
>>>> signatures on them is difficult.
>>>
>>> All of that is total wanking.  The *real* reason why IPS product designers
>>> concentrate on servers is because hopefully the server end is run by some
>>> experienced people with a clue, and maybe even hardened to last more than
>>> 35 seconds when a hacker attacks.  Meanwhile, if anybody designed an IPS for
>>> the client end, it would just get installed on an end-user PC running Windows,
>>> where it will have all the issues and work just as well as any other
>>> anti-malware software on an end-user PC.
>>>
>>> Oh - and there's also the little detail that a site is more likely to buy
>>> *one* software license to run on their web server (or whatever), rather than
>>> the hassle of buying and administering 10,000 end-user licenses. Especially
>>> when an IPS on the client end doesn't actually tell you much about attacks
>>> against the valuable target (the server) from machines you haven't installed
>>> the end-user IPS on (like the entire rest of the Internet).
>>> -------------- next part --------------
>>> A non-text attachment was scrubbed...
>>> Name: not available
>>> Type: application/pgp-signature
>>> Size: 227 bytes
>>> Desc: not available
>>> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100601/0896c76b/attachment-0001.bin
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 1 Jun 2010 15:42:58 +0300
>>> From: "MustLive" <mustlive@...security.com.ua>
>>> Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
>>> To: <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <005e01cb0188$162059b0$010000c0@ml>
>>> Content-Type: text/plain; format=flowed; charset="windows-1251";
>>>     reply-type=response
>>>
>>> Hello Full-Disclosure!
>>>
>>> I want to warn you about a Denial of Service vulnerability in Internet
>>> Explorer, which I already disclosed at my site in 2008 (on 29.09.2008). But
>>> recently I made new tests concerning this vulnerability, so I decided to
>>> remind you about it.
>>>
>>> I have known this vulnerability for a long time - it's a well-known DoS in IE.
>>> It works in IE6, and after the release of IE7 I hoped that Microsoft had fixed
>>> this hole in the seventh version of the browser. But as I tested on 29.09.2008,
>>> IE7 was also vulnerable to this attack. And as I tested recently, IE8 is also
>>> vulnerable to this attack.
>>>
>>> Also I informed Microsoft on 01.10.2008 about it, but they ignored it and
>>> didn't fix it. They didn't fix the hole in IE6, nor in IE7, nor in IE8.
>>>
>>> At that time I published about this vulnerability at SecurityVulns
>>> (http://securityvulns.com/Udocument636.html).
>>>
>>> DoS:
>>>
>>> The vulnerability concerns the browser's handling of expression in styles,
>>> which leads to IE becoming blocked.
>>>
>>> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>>>
>>> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
>>> Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and
>>> previous versions.
>>>
>>> To Susan Bradley from Bugtraq:
>>>
>>> This is one of those cases, which I told you about before, when browser
>>> vendors ignore fixing DoS holes in their browsers for many years.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Tue, 1 Jun 2010 18:28:03 +0530
>>> From: rajendra prasad <rajendra.palnaty@...il.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: full-disclosure@...ts.grok.org.uk
>>> Message-ID:
>>>     <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp@...l.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi List,
>>>
>>> I have started this discussion with respect to Network IPS.
>>>
>>> Thanks
>>> Rajendra
>>>
>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>> <rajendra.palnaty@...il.com>wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>>
>>>> Request length is less than the response length. So, processing a small amount
>>>> of data is better than processing bulk data. Response may have encrypted
>>>> data. Buffering all the client-server transactions and validating signatures
>>>> on them is difficult. Even though buffered, client data may not be in the
>>>> plain text. Embedding all the client encryption/decryption process on the
>>>> fly is not possible, even though the IPS gathered key values of clients. Most of
>>>> the client protection is done by anti-virus. So, concentrating on client
>>>> attacks at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100601/0cb18940/attachment-0001.html
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Tue, 1 Jun 2010 14:52:51 +0200
>>> From: "Cor Rosielle" <cor@...post24.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: "'Nelson Brito'" <nbrito@...ure.org>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <003001cb0189$5962ddf0$0c2899d0$@com>
>>> Content-Type: text/plain;       charset="UTF-8"
>>>
>>> Nelson,
>>>
>>>> You're missing one point: Host IPS MUST be deployed with any Network
>>>> Security (Firewalls or NIPSs).
>>> Please be aware this is a risk decision and not a fact. I don't use a host
>>> IPS and no anti-virus either. Still I'm sure my laptop is perfectly safe.
>>> This is because I do critical thinking about security measures and don't
>>> copy the behavior of others (who often don't think for themselves and just
>>> copy other people's behavior). Please note I'm not saying you're not
>>> thinking. If you did some critical thinking and a host IPS is a good
>>> solution for you, then that's OK. It just doesn't mean it is a good solution
>>> for everybody else and everybody MUST deploy a host IPS.
>>>
>>>> No security solution/technology is the miracle protection alone,
>>> That's true.
>>>
>>>> so that's the reason everybody is talking about defense in depth.
>>> Defense in depth is often used for another line of a defense mechanism
>>> similar to the previous one. Different layers of defense work best if the
>>> defense mechanisms differ. So if you're using anti-virus software (which
>>> gives you an authentication control and an alarm control according to the
>>> OSSTMM), then a host IDS is not the best additional security measure
>>> (because this also gives you an authentication and an alarm control).
>>> This would also be a risk decision, but based on facts and the rules
>>> defined in the OSSTMM and not based on some marketing material. You should
>>> give it a try.
>>>
>>> Regards,
>>> Cor Rosielle
>>>
>>> w: www.lab106.com
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Tue, 1 Jun 2010 10:27:48 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>>     <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4@...ure.org>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Okay, but why did you mention AV as a client-side protection?
>>>
>>> It leads to a discussion about client-side protection, anyways.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 9:58 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I have started this discussion with respect to Network IPS.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>>> <rajendra.palnaty@...il.com> wrote:
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing a small
>>>> amount of data is better than processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
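As an added illustration, not code from any poster, product or the list itself, here is a constructed Python demo of the point Rajendra, Srinivas and Nelson argue over above: once a response is compressed or encrypted in transit, the bytes a network IPS sees are not the bytes the browser executes, so a signature that matches on the host after decoding can still fire where the network sensor sees nothing. The signature, the sample HTML pages, the session key and the toy SHA-256 counter-mode "cipher" standing in for TLS are all assumptions made up for the demo.

```python
"""Constructed demo of network-side vs host-side signature visibility.

Added example, not code from any poster or product. The signature, the sample
HTML, and the toy cipher standing in for TLS are all made up for this demo.
"""
import gzip
import hashlib
import re
import zlib
from typing import Dict, List

# Hypothetical signature for a client-side exploit marker (constructed string,
# not a real IDS rule). The NIPS and the HIPS below use the very same rule.
SIGNATURES: Dict[str, bytes] = {
    "demo-clientside-exploit": rb"<script>run_demo_exploit\(",
}

# Constructed sample responses a web server might return to a browser.
MALICIOUS_BODY = (
    b"<html><body>" + b"<!-- padding -->" * 8
    + b"<script>run_demo_exploit('x')</script></body></html>"
)
BENIGN_BODY = b"<html><body><p>hello</p></body></html>"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stand-in for TLS record encryption: SHA-256 in counter mode.
    Demo only; it is NOT a secure cipher and must not be reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def server_send(body: bytes, compress: bool, tls_key: bytes) -> bytes:
    """Bytes as they cross the wire: optional gzip Content-Encoding, then
    optional encryption under a session key only the two endpoints hold."""
    wire = gzip.compress(body) if compress else body
    return _xor(wire, tls_key) if tls_key else wire


def client_receive(wire: bytes, compress: bool, tls_key: bytes) -> bytes:
    """What the browser actually hands to its HTML/JS engine."""
    plain = _xor(wire, tls_key) if tls_key else wire
    return gzip.decompress(plain) if compress else plain


def match_signatures(data: bytes) -> List[str]:
    return [name for name, pat in SIGNATURES.items() if re.search(pat, data)]


def network_ips(wire: bytes, gzip_aware: bool) -> List[str]:
    """A NIPS sees only wire bytes. A gzip-aware one can inflate, but without
    the session key it cannot decrypt, so ciphertext stays opaque to it."""
    hits = match_signatures(wire)
    if gzip_aware:
        try:
            hits += match_signatures(gzip.decompress(wire))
        except (OSError, EOFError, zlib.error):
            pass  # not valid gzip (plain or encrypted): nothing more to inspect
    return sorted(set(hits))


def host_ips(wire: bytes, compress: bool, tls_key: bytes) -> List[str]:
    """A host-side hook runs after the client has decrypted and decompressed,
    so it inspects exactly the content the rendering engine will execute."""
    return match_signatures(client_receive(wire, compress, tls_key))


def run_scenarios() -> Dict[str, Dict[str, List[str]]]:
    key = b"session-key-demo"  # constructed; in reality negotiated per session
    cases = {
        "plaintext": (MALICIOUS_BODY, False, b""),
        "gzip": (MALICIOUS_BODY, True, b""),
        "tls": (MALICIOUS_BODY, False, key),
        "tls+gzip": (MALICIOUS_BODY, True, key),
        "benign-tls": (BENIGN_BODY, False, key),
    }
    results: Dict[str, Dict[str, List[str]]] = {}
    for name, (body, compress, tls_key) in cases.items():
        wire = server_send(body, compress, tls_key)
        results[name] = {
            "nips_naive": network_ips(wire, gzip_aware=False),
            "nips_gzip_aware": network_ips(wire, gzip_aware=True),
            "hips": host_ips(wire, compress, tls_key),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:11s} naive={r['nips_naive']} "
              f"gzip-aware={r['nips_gzip_aware']} host={r['hips']}")
```

Running it prints one line per scenario: a gzip-aware network sensor recovers the compressed case, neither network variant matches once the session key is involved, and the host-side check matches in every malicious case while staying silent on the benign one. That is the visibility gap behind "exploits/malware which cannot be detected over the network"; the demo says nothing about signature quality or evasion inside the decoded content, which is a separate problem on either side.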
