
Thread: TippingPoint

  1. #11
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Currently I DO have an IDS that CAN control and shut down ports being attacked on vendor specific routers and firewalls. But I don't trust it to stop attacks against ports that are already open, at least in real time.
    You should really really really really avoid making your IDS active. There are two main ways that an IDS will 'stop' 'bad' activity. 1) It will send a spoofed RST in both directions to cause the connection between the attacker and the victim to drop and 2) Some IDS and firewalls use the OPSEC standard for communication between them. An IDS event can trigger a block being added to the firewall.

    Now, on to why, at least IMHO, both are BAD.

    1.1) Amplification of heavy traffic. This actually happened to us. When Unicode directory traversal was first announced as a vulnerability on IIS web servers, a quick solution to stopping someone from performing the attack was to have it send the resets to drop the connection. This worked fine....until Nimda hit. We were getting well over 1 million hits a day for Nimda and while our network would have dragged along with the initial traffic, the throwing out of resets in both directions provided an amplification factor for each packet of 3 (one packet in generates 2 packets out), and this ground our network to a halt until we could get the RST feature turned off.

    1.2) Sending RESETs will only work with a stateful protocol like TCP. It won't work for UDP.

    1.3) Sending RESETs may not stop a quick attack. I.e., if you can get the attack into one packet, by the time it is processed by the IDS and the RST makes it to both sides, the attack may have already run and completed and been successful.

    2.1) False Positives. One of the biggest problems with both major types of IDS software (anomaly based and signature based) are false positives (events that are triggered but shouldn't have been). If you have your IDS set up to push blocks to your firewall, you could start blocking things that weren't really attacks...

    2.2) Spoofing. If I know you are doing this and I don't like you, all I have to do is start sending your IDS spoofed packets claiming to originate with, say, microsoft.com. I don't care if the session is established, the attack successful or anything else, that wasn't the goal. The goal was to trick your IDS into DoSing you...

    IMHO, an IDS should always remain strictly passive. If you are interested in doing content filtering, you should be using devices that were meant to do such things, like firewalls (Checkpoint can do this some), routers (through QoS), or through proxy/caching servers (many proxy servers can also filter on content).

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    RoadClosed: Don't misunderstand me from this point on......

    Speaking as one who works in a non-profit, (read: no frigging cash.....), industry I am a cheap B@stard when it comes to stuff as you picked up in the thread you mentioned I'm sure....<LOL>

    $30k is a **** load of cash and, IME, it won't stop there..... Look at the recurring cost.... I'll bet it exceeds $5k and probably $10k. So your TCO for the first 5 years, (by which time it will be obsolete), is in the vicinity of $50-$80k.... Ouch.....

    Now, no-one is saying that it won't take time to learn the "less expensive" stuff but it sure will take less time than 5 years. Take PureSecure for example. To you, (a commercial shop by the sound of it), IIRC, it would cost you $1500 for the main sensor and $100 for each additional. But there's a real bonus in that alone: It runs Snort which you can tweak really easily to meet your needs, it contains both NIDS and HIDS that are centrally monitored and can alert the sysadmin immediately things look funny, it can be set to update the Snort rules nightly.... Using Snort 2.0 they have fixed the Flexresp.... I still haven't played with it yet but you can react to incoming packets with that so technically it is somewhat defensive too......

    I dunno..... I don't see the benefit of this system over and above what anything else will provide with some work on your part especially bearing in mind the adage I live by: "It isn't a matter of if I get hacked.... It's when...." I believe it is our job to secure what we can but be more careful about recognizing the signs of a compromise, confirming it has taken place by having voluminous logs files and then mitigating the damage. It strikes me that this system's overwhelming feature is that of making you lazy..... "No time to scan the logs today.... no Prob.... that box is protecting me......... Ooops..... who changed the web site!!!!!"

    And finally here is your _real_ kicker..... There you are fat dumb and happy a year after installing this box..... Everything has gone swimmingly..... No compromises..... and less work.... But, as you gleefully noted, "this box is in-line"..... OK.... The box just failed....... You have no inbound or outbound connectivity..... Your whole system is down unless you remove the box.... But you have nothing to replace it with and you have no time to learn how to use all the free stuff until they come up with a new box...... Now there's my opportunity to make entry.... and you'll never even know.....

    Just my thoughts and I do understand if this is a "must secure it now" and management says "we don't have time for you to learn and test".......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Ditto to you all. Not really looking for a replacement, but a supplement. Another layer. It is way too expensive, I agree. I am indeed a commercial shop but I didn't get where I am today, in the big driver seat, by WASTING money. I am with you. I am part of the Linux collective, I am no expert but I run 2 flavors of firewalls and I am downloading Red Hat 9 now, just to play. I also run it on a laptop for various amusement tools. One is cracking the local wireless network one of my buddies implemented. I argued against it over beers one night and I am out to prove him wrong. In fun and good sport. But back to the topic at hand...

    Anything that you let sit and never check is going to cause a problem. I constantly tweak my IDS and Firewall. In fact the firewall is a point of failure as well. I am taking care of that with Radware, some DNS tricks, additional Firewalls and DSL connections (I should start another thread on that, www.radware.com). That's been on my radar for a while as well, it's to the point where I am buying it. So eventually when a "layer" fails I can still feel safe and go home and not get paged. That's a nice goal, put it up on your work plan, work out a way to minimize pages and maximize sleep. Sleep is good, how many times have I woken up at my computer desk at 2am?? I choose to block packets vs. letting them through. I operate a different type of business and that is my preferred way to handle a possible attack. I set the thresholds pretty high but when it hits a level = Shut it off, buy some down time and make sure. That's only really happened twice in 2 years, all for a total of one hour and they were false alarms but, I felt good about it. If I operated a web site, I would have a different tune.

    I am always looking for a little more of an "Edge" with technology. It's fun. Besides. I am in charge of making sure financial records are secure and complex systems remain operational. It's not a web site, just a business with a bunch of B2B stuff. I wear too many hats and can't do anything about it but get some good technology to help me. It's a juggle. I wish I had one hat. Oh and speaking of hats, don't flame me for Red Hat. It's just a personal thing. I downloaded the very first release in the beginning and I am emotionally attached to it. Even though they are going sort of a commercial route with it.

    The TippingPoint box is a toy at this point, a toy I can't justify unless it is so utterly incredible the world explodes with people saying, this is the best of everything. (yeah right).

    Security is an intricate science and a melting pot of technologies.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #14
    Junior Member
    Join Date
    Jun 2003
    The TippingPoint solution has the following going for it:
    1) Blocks attacks instead of TCP RST or Firewall Shun
    2) Eliminates false positives by writing Attack Filters to the Vulnerability not the exploit using specialized software and hardware.
       - Uses Agere Payload Plus OC-48c Network Processor (2.4 Gbps)
       - ASICs and Xilinx Virtex-II FPGAs
       - 2 GHz+ Pentium 4 Management processor
       This allows the box to look for uppercase, lowercase, hexcode, and Unicode variants within the packet stream. The hardware can do anchored and unanchored searches, regular expression pattern matching, Layer 7 application protocol decoders, IP fragmentation, and TCP reassembly. It can also perform statistics gathering and anomaly algorithms. All of this is instantiated in silicon, providing high accuracy at load while under attack.
    3) High performance and low latency achieved due to purpose-built hardware. This type of performance (up to 2+ Gbps full duplex) and low latency (<215 microseconds) can NOT be achieved with a general purpose CPU running Linux, BSD, etc...
    4) Consistent performance regardless of packet size (64 byte to jumbo frame) and packet type (ICMP, UDP, TCP, broadcast, multicast, etc...). Many solutions based on CPU/software have issues with latency and bursty UDP traffic. Since UDP is used for VoIP and streaming video this is NOT good.
    5) High Availability modes of "Non-stop Networking" and "Non-stop Security" are configurable on a per segment (port pair) basis for failover.
    6) No IP or MAC address on segments provides complete transparency on the network, ensuring that the box can't be attacked on segments, and is impervious to IDS evasion techniques and tools (snot, stick, fragrouter, whisker, etc...)
    7) Ability to block Peer to Peer protocols bi-directionally or just stop outbound hosting from your IP address space.
    8) Bandwidth shaping/rate limiting and Quality of Service based on layer 3-7 criteria.

    So, there is a reason for the cost. If you only have a T1 to the internet and only want to protect at the perimeter then you could take the time and expense (Linux is not free when you include the time spent) to use open source tools. I use Linux at home and work, but the hardware has its limitations. If I am only detecting then no worries, I can sit off a span and buffer packets until the processor can get to them. If I process a packet 1 second after it is seen on the wire, the alert is 1 second late (no big deal). However, if I am inline I need to process packets at network rates in real time. Routing and performing layer 3/4 filtering (Firewall) don't require as much processing as layer 7 deep packet inspection. I know about layer 7 filtering in Linux: http://l7-filter.sourceforge.net/, but keep in mind that blocking inline (IPS) at wire rate requires much different hardware than just detecting (IDS) off of a span/mirror port or tap.

    Lastly, IPS does not replace IDS, it augments it. By blocking known attacks it eliminates many of the alerts on the IDS, allowing the IDS to focus on statistical anomaly and behavioral detection instead of just signatures. By reducing the load on the IDS and alert logs you will also more easily be able to interpret the IDS logs and the IDS will be more accurate.

    Security is a process not a product and there is no magic pill, but given that you already have a Firewall, IDS, and Anti-virus in place, the next logical step would be to add Network Based Intrusion Prevention.

    Hope this helps.
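The point about writing filters to the vulnerability rather than the exploit, and the uppercase, lowercase, hex and Unicode variants such a filter has to cover (the same IIS Unicode directory traversal nebulus200 describes in #11), as an added Python example that is not part of this thread or of any vendor's product: a literal exploit-string signature beside a check that canonicalises the request path and asks whether it climbs above the web root. The lenient decoder rules mimic the forgiving IIS behaviour described in the posts, and the sample URIs and the "restricted.txt" target are constructed placeholders.

```python
import re

# Exploit-style filter: the traversal token exactly as first published (case-sensitive).
EXPLOIT_SIG = re.compile(r"\.\.%c0%af")

def percent_decode(path: str) -> bytes:
    """One pass of %XX decoding, working on raw bytes so overlong UTF-8 survives."""
    return re.sub(rb"%([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), path.encode("utf-8"))

def lenient_utf8(data: bytes) -> str:
    """Decode like the forgiving IIS decoder: overlong C0 AF ('/') and C1 9C ('\\') are accepted."""
    chars, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b) if b < 0x80 else "\ufffd")  # longer sequences not needed here
            i += 1
    return "".join(chars)

def canonical_path(uri: str) -> str:
    """Drop the query, decode twice (the server's second pass is what %25 double-encoding abused), unify separators and case."""
    path = uri.split("?", 1)[0]
    for _ in range(2):
        path = lenient_utf8(percent_decode(path))
    return path.replace("\\", "/").lower()

def escapes_webroot(uri: str) -> bool:
    """Vulnerability-level check: does the canonical path ever climb above the web root?"""
    depth = 0
    for seg in canonical_path(uri).split("/"):
        depth += -1 if seg == ".." else int(seg not in ("", "."))
        if depth < 0:
            return True
    return False

# Constructed sample requests; "restricted.txt" is a placeholder, not a real target.
SAMPLES = ["/scripts/..%c0%af../restricted.txt",    # as first published
           "/scripts/..%C0%AF../restricted.txt",    # uppercase hex
           "/scripts/..%c1%9c../restricted.txt",    # overlong backslash
           "/scripts/..%255c../restricted.txt",     # double-encoded backslash
           "/images/../index.html"]                 # legitimate: stays inside the root

def compare() -> dict:
    """Per sample: (exploit-signature hit, vulnerability-check hit)."""
    return {u: (bool(EXPLOIT_SIG.search(u)), escapes_webroot(u)) for u in SAMPLES}
```

Only the first sample trips the literal signature, while every traversal variant trips the canonicalising check and the legitimate request trips neither.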

  5. #15
    Senior Member RoadClosed
    Join Date
    Jun 2003
    I see that the subject of this thread has made the News link on AO's main page today. It links to this article for further reading.

    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
