[<prev] [next>] [day] [month] [year] [list]
Message-Id: <8D478647-1181-4678-B7FB-EE872BF627E9@sekure.org>
Date: Wed, 2 Jun 2010 11:07:40 -0300
From: Nelson Brito <nbrito@...ure.org>
To: Cor Rosielle <cor@...post24.com>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>,
Srinivas Naik <naik.srinu@...il.com>
Subject: Re: Full-disclosure] Why the IPS product designers
It always depends on decisions and always follows an 1:1 basis.
Whether someone tries to sell you a single solution, it means:
1. He/She doesn't have a complete understanding of your problem;
2. He/She doesn't care what kind of threat you have or will have in a
future;
3. He/She only has one single solution to ptotect you.
But, IMHO, this a "blind" discussion: trying to figure out the reason
someone drives you a single or multiple solution... And... You know
what? Whatever the reason is, it doesn't matter at all!!! What really
matters is the misunderstood peolpe have about how to protect
themselves!!!
I don't think that's the point here. The point here is understand the
approaches to protect a real world envinronment, and I keep saying:
you MUST deploy something in your host when you deploy something in
your network. And here is the reason:
- If you protect your network with CLIENT-SIDE threats in mind you
MUST deploy a CLIENT-SIDE protection layer, otherwise you will fail.
That's logical decision. Because, as I said before, it is not 1990
anymore, and there are no borders either... So if you think you are
protecting you users by adopting a network solution only, what is
gonna happen when they travel out of you "Borders"?
For those who believe Host vs. Network is all about budget... Well, It
shouldn't be, because threats don't care about this, because they want
to get you!
That's is my personal feeling, and, BTW, it is based on my experience...
Anyone that says you COULD deploy a host solution with a network
solution doesn't really know the problems you have... Or he/she just
ignore the actual threats.
I'm not selling anything here, except for the educational discussion.
And I should warn people that there is no miracle solution for all the
problems... So, IMHO, you MUST deploy host and network together (I
love to say this 8)...
Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/
Please, help me to develop the ENG® SQL Fingerprint™ downloading it
from Google Code (http://code.google.com/p/mssqlfp/) or from
Sourceforge (https://sourceforge.net/projects/mssqlfp/).
Sent on an iPhone wireless device. Please, forgive any potential
misspellings!
On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor@...post24.com> wrote:
> I would say: an host IPS could be considered, even if there is a
> network
> IPS. If it is a wise decision to spent your money or use your
> hardware for
> this, depends from case to case. And I might even add: if someone
> tells you
> different, he must be selling something.
>
> Regards,
> Cor
>
>
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Srinivas Naik
>> Sent: dinsdag 1 juni 2010 21:14
>> To: full-disclosure@...ts.grok.org.uk
>> Subject: [Full-disclosure] Full-disclosure] Why the IPS product
>> designers
>>
>> Mr. Nelson has brought a good point, Host IPS should also be running
>> even if
>> there is Nework IPS.
>>
>> There are Client end Attacks which has got many Evasion techniques
>> and
>> almost the recent research presents us the proof of such Attacks.
>> Apart these there exist other exploits/malware which cannot be
>> detected
>> over
>> the network.
>>
>> Regards,
>> Srinivas Naik (Certified Hacker and Forensic Investigator)
>> IPS Evaluator
>> http://groups.google.com/group/nforceit
>>
>> On Tue, Jun 1, 2010 at 9:16 PM,
>> <full-disclosure-request@...ts.grok.org.uk>wrote:
>>
>>> Send Full-Disclosure mailing list submissions to
>>> full-disclosure@...ts.grok.org.uk
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>> https://lists.grok.org.uk/mailman/listinfo/full-disclosure
>>> or, via email, send a message with subject or body 'help' to
>>> full-disclosure-request@...ts.grok.org.uk
>>>
>>> You can reach the person managing the list at
>>> full-disclosure-owner@...ts.grok.org.uk
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Full-Disclosure digest..."
>>>
>>>
>>> Note to digest recipients - when replying to digest posts, please
>> trim your
>>> post appropriately. Thank you.
>>>
>>>
>>> Today's Topics:
>>>
>>> 1. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (Nelson
>> Brito)
>>> 2. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection
>>> (Valdis.Kletnieks@...edu)
>>> 3. DoS vulnerability in Internet Explorer (MustLive)
>>> 4. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (rajendra
>> prasad)
>>> 5. Re: Why the IPS product designers concentrate on server
>> side
>>> protection? why they are missing client protection (Cor
>> Rosielle)
>>> 6. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (Nelson
>> Brito)
>>> 7. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (Nelson
>> Brito)
>>> 8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 10. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (Cor
>> Rosielle)
>>> 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
>>> 12. Re: Why the IPS product designers concentrate on server side
>>> protection? why they are missing client protection (Nelson
>> Brito)
>>> 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
>>> Penetration Testing framework (Onapsis Research Labs)
>>> 14. Re: The_UT is repenting (T Biehn)
>>>
>>>
>>> ---
>>> ------------------------------------------------------------------
>> -
>>>
>>> Message: 1
>>> Date: Tue, 1 Jun 2010 08:50:05 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>> concentrate on server side protection? why they are missing
>> client
>>> protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>> <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B@...ure.org>
>>> Content-Type: text/plain; charset=utf-8; format=flowed;
>> delsp=yes
>>>
>>> You're missing one point: Host IPS MUST be deployed with any Network
>>> Security (Firewalls os NIPSs).
>>>
>>> No security solution/technology is the miracle protection alone, so
>>> that's the reason everybody is talking about defense in depth.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG? SQL Fingerprint? downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an ? iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 4:38 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length.So, processing
>> small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plain text. Embedding all
>>>> the client encryption/decryption process on the fly is not
>> possible,
>>>> even though ips gathered key values of clients.Most of the client
>>>> protection is done by anti-virus. So, concentrating client attacks
>>>> at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Tue, 01 Jun 2010 08:34:22 -0400
>>> From: Valdis.Kletnieks@...edu
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>> concentrate on server side protection? why they are missing
>> client
>>> protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <14206.1275395662@...alhost>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
>>>
>>>> Request length is less than the response length.So, processing
>> small
>>> amount
>>>> of data is better than of processing bulk data. Response may have
>>> encrypted
>>>> data. Buffering all the client-server transactions and validating
>>> signatures
>>>> on them is difficult.
>>>
>>> All of that is total wanking. The *real* reason why IPS product
>> designers
>>> concentrate on servers is because hopefully the server end is run by
>> some
>>> experienced people with a clue, and maybe even hardened to last more
>> than
>>> 35 seconds when a hacker attacks. Meanwhile, if anybody designed an
>> IPS
>>> for
>>> the client end, it would just get installed on an end-user PC
>>> running
>>> Windows,
>>> where it will have all the issues and work just as well as any other
>>> anti-malware software on an end-user PC.
>>>
>>> Oh - and there's also the little detail that a site is more likely
>>> to
>> buy
>>> *one* software license to run on their web server (or whatever),
>> rather
>>> than
>>> the hassle of buying and administering 10,000 end-user licenses.
>>> Especially
>>> when an IPS on the client end doesn't actually tell you much about
>> attacks
>>> against the valuable target (the server) from machines you haven't
>>> installed
>>> the end-user IPS on (like the entire rest of the Internet).
>>> -------------- next part --------------
>>> A non-text attachment was scrubbed...
>>> Name: not available
>>> Type: application/pgp-signature
>>> Size: 227 bytes
>>> Desc: not available
>>> Url :
>>> http://lists.grok.org.uk/pipermail/full-
>> disclosure/attachments/20100601/0896c76b/attachment-0001.bin
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 1 Jun 2010 15:42:58 +0300
>>> From: "MustLive" <mustlive@...security.com.ua>
>>> Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
>>> To: <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <005e01cb0188$162059b0$010000c0@ml>
>>> Content-Type: text/plain; format=flowed; charset="windows-1251";
>>> reply-type=response
>>>
>>> Hello Full-Disclosure!
>>>
>>> I want to warn you about Denial of Service vulnerability in Internet
>>> Explorer. Which I already disclosed at my site in 2008 (at
>> 29.09.2008). But
>>> recently I made new tests concerning this vulnerability, so I
>>> decided
>> to
>>> remind you about it.
>>>
>>> I know this vulnerability for a long time - it's well-known DoS in
>> IE. It
>>> works in IE6 and after release of IE7 I hoped that Microsoft fixed
>> this
>>> hole
>>> in seventh version of the browser. But as I tested at 29.09.2008,
>>> IE7
>> was
>>> also vulnerable to this attack. And as I tested recently, IE8 is
>>> also
>>> vulnerable to this attack.
>>>
>>> Also I informed Microsoft at 01.10.2008 about it, but they ignored
>> and
>>> didn't fix it. They didn't fix the hole not in IE6, nor in IE7, nor
>> in IE8.
>>>
>>> That time I published about this vulnerability at SecurityVulns
>>> (http://securityvulns.com/Udocument636.html).
>>>
>>> DoS:
>>>
>>> Vulnerability concerned with handling by browser of expression in
>> styles,
>>> which leads to blocking of work of IE.
>>>
>>> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>>>
>>> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180),
>>> Internet
>>> Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385)
>>> and
>>> previous versions.
>>>
>>> To Susan Bradley from Bugtraq:
>>>
>>> This is one of those cases, which I told you before, when browser
>> vendors
>>> ignore to fix DoS holes in their browsers for many years.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Tue, 1 Jun 2010 18:28:03 +0530
>>> From: rajendra prasad <rajendra.palnaty@...il.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>> concentrate on server side protection? why they are missing
>> client
>>> protection
>>> To: full-disclosure@...ts.grok.org.uk
>>> Message-ID:
>>> <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp@...l.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi List,
>>>
>>> I have started this discussion with respect to Network IPS.
>>>
>>> Thanks
>>> Rajendra
>>>
>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>> <rajendra.palnaty@...il.com>wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>> comments.
>>>>
>>>> Request length is less than the response length.So, processing
>> small
>>> amount
>>>> of data is better than of processing bulk data. Response may have
>>> encrypted
>>>> data. Buffering all the client-server transactions and validating
>>> signatures
>>>> on them is difficult. Even though buffered, client data may not be
>> in the
>>>> plain text. Embedding all the client encryption/decryption process
>> on the
>>>> fly is not possible, even though ips gathered key values of
>> clients.Most
>>> of
>>>> the client protection is done by anti-virus. So, concentrating
>> client
>>>> attacks at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL:
>>> http://lists.grok.org.uk/pipermail/full-
>> disclosure/attachments/20100601/0cb18940/attachment-0001.html
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Tue, 1 Jun 2010 14:52:51 +0200
>>> From: "Cor Rosielle" <cor@...post24.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>> concentrate on server side protection? why they are
>> missing
>>> client
>>> protection
>>> To: "'Nelson Brito'" <nbrito@...ure.org>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <003001cb0189$5962ddf0$0c2899d0$@com>
>>> Content-Type: text/plain; charset="UTF-8"
>>>
>>> Nelson,
>>>
>>>> You're missing one point: Host IPS MUST be deployed with any
>> Network
>>>> Security (Firewalls os NIPSs).
>>> Please be aware this is a risk decision and not a fact. I don't use
>> an host
>>> IPS and no anti Virus either. Still I'm sure my laptop is perfectly
>> safe.
>>> This is because I do critical thinking about security measures and
>> don't
>>> copy behavior of others (who often don't think for themselves and
>> just
>>> copies other peoples behavior). Please note I'm not saying you're
>>> not
>>> thinking. If you did some critical thinking and an host IPS is a
>>> good
>>> solution for you, then that's OK> It just doesn't mean it is a good
>> solution
>>> for everybody else and everybody MUST deploy an host IPS.
>>>
>>>> No security solution/technology is the miracle protection alone,
>>> That's true.
>>>
>>>> so that's the reason everybody is talking about defense in depth.
>>> Defense in depth is often used for another line of a similar defense
>>> mechanism as the previous already was. Different layers of defense
>> works
>>> best if the defense mechanism differ. So if you're using anti virus
>> software
>>> (which gives you an authentication control and an alarm control
>> according to
>>> the OSSTMM), then an host IDS is not the best additional security
>> measure
>>> (because this also gives you an authentication and an alarm
>>> control).
>>> This would also be a risk decision, but based on facts and the rules
>>> defined in the OSSTMM and not based on some marketing material. You
>> should
>>> give it a try.
>>>
>>> Regards,
>>> Cor Rosielle
>>>
>>> w: www.lab106.com
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Tue, 1 Jun 2010 10:27:48 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>> concentrate on server side protection? why they are missing
>> client
>>> protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>> <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4@...ure.org>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Okay, but why did you mention AV as a client-side protection?
>>>
>>> It leads to a discussion about client-side protection, anyways.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG? SQL Fingerprint? downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an ? iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 9:58 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I have started this discussion with respect to Network IPS.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <
>>> rajendra.palnaty@...il.com
>>>>> wrote:
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length.So, processing
>> small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plai
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists