Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.




IPS Discovery and Passive Reconnaissance

The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk.

The technical content of this advisory was correct at the time of publication but may be amended or changed from time to time.

Overview

A number of Snort security rules attempt to identify a threat by looking for a single plain-text string of characters across a broad range of IP protocols. That string is the only condition required to trigger the rule and generate an alert. The strings sought by these rules are trivial to create and can be introduced into a network by various legitimate means, including HTTP GET requests, Telnet sessions and email messages. If a security device using these rules identifies one of the strings within crafted traffic, a false positive alert is generated; more importantly, if the device blocks that traffic, the block itself inadvertently reveals information such as the presence of a particular security system. Using these passive reconnaissance techniques to determine the vendor or type of security system in use could make further attacks against the network easier to accomplish.

Traffic IQ Professional: security rule false positive assessment

How we can help

Traffic IQ Professional, with its extensive traffic library and advanced traffic transmission capabilities, is ideally suited to auditing and proving your security's ability to identify and mitigate threats, and to validating the capabilities and configuration of packet filtering devices on your network, including application layer firewalls, routers and intrusion prevention systems. Used as part of your on-going network security assessment and enhancement procedures, Traffic IQ Professional will audit and validate your defensive capabilities and enhance them by providing high quality security rules to maximise threat recognition and significantly lower the probability of attack penetration. Applying high quality security rules, developed specifically to identify an attack against a vulnerability rather than a single instance of an attack, improves performance and decreases the number of rules that security devices need to load. Understanding the configuration and capabilities of your defences will enable you to enhance and accelerate their performance and extend the life of your existing network security devices. The on-going assessment and enhancement of security defences is essential to limiting inappropriate packet ingress, maintaining the highest levels of network security and lowering risk to your organisation.

Threat Description

Take a closer look at the current Snort security rule with SID:1390. This rule simply looks for any IP traffic sent from external to internal that contains 24 consecutive uppercase C characters. (It is a shellcode signature: 0x43, the ASCII code for C, is the x86 instruction inc ebx, and a run of them is a common NOP sled.) By requesting a web page from a remote web server and passing a fake parameter on the URL, it will usually be possible to determine whether a Snort-based IPS is running on the network:

http://www.server.net/index?CCCCCCCCCCCCCCCCCCCCCCCC

If your connection is reset or the web page is not displayed, yet it is displayed when you change the uppercase Cs to lower case, then it is likely that an IPS running Snort rules is deployed on the network. Always compare against the lowercase control request: a failed test on its own proves nothing, since the web server, a proxy or a web application firewall may also reject an unusual URL. Whether this particular rule fires also depends on how the deployment defines $EXTERNAL_NET, $HOME_NET and $SHELLCODE_PORTS (the stock snort.conf sets them to any, any and !80) and on which rules the loaded policy enables, so an absence of blocking does not prove an absence of Snort.

The same type of passive reconnaissance can be performed using Telnet, FTP and even email messages. Correspond with someone via plain text email to confirm that your email reaches the recipient, then email again, or reply to a previous message, placing 24 uppercase Cs somewhere in the body of the message. Not receiving a reply, or receiving a delivery failure notice, is another indication that a Snort IPS (or variant) is running on the target network. Many such passive reconnaissance tests can be devised using simple text strings that can be legitimately introduced into a network by means of standard clear text protocols. Permitting your security defences to be fingerprinted in this way is likely to lead to further directed attacks, specifically tailored to evade your intrusion prevention systems.

Threat

A simple test with a web browser or email client could inadvertently disclose to a hacker the vendor or type of security system deployed to protect your network.
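The HTTP test above, written up as an added example (this is not idappcom's code and does not involve Traffic IQ Professional; it assumes only the Python standard library). It sends a lowercase control request and the uppercase test request and interprets the pair, so that a test that fails alongside its control is reported as inconclusive rather than as a hit. Because the page cannot ship with a real IPS, the block also starts a local HTTP server, constructed for the example, that imitates an in-line device by dropping any session carrying the pattern; to probe a real network, pass fingerprint() the URL of a host you are authorised to test.

```python
"""Fingerprint probe for a string-matching inline IPS, modelled on the advisory's
HTTP test. Added example, not idappcom's code; only the standard library is used.

Two otherwise identical GET requests are sent: a control whose query string is
24 lowercase c's, and a test whose query string is the 24 uppercase C's that
Snort SID:1390 matches. Only a *difference* in outcome is evidence.

The local server below is constructed for the example: it imitates an inline
device that drops any session carrying the pattern, so the block runs offline.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

NOOP_SLED = "C" * 24          # pattern sought by Snort SID:1390 (0x43 = x86 inc ebx)
CONTROL = NOOP_SLED.lower()   # same length and shape, not matched by the rule


def probe(base_url, payload, timeout=3.0):
    """GET base_url?payload and classify what happened:
    'served', 'reset', 'timeout' or 'error'."""
    parts = urlsplit(base_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", f"{parts.path or '/'}?{payload}")
        resp = conn.getresponse()
        resp.read()
        return "served"
    except (ConnectionResetError, http.client.BadStatusLine):
        # RemoteDisconnected (EOF before any status line) is a subclass of both
        return "reset"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        conn.close()


def classify(control_result, test_result):
    """Interpret a (control, test) pair. A test that fails alongside its
    control says nothing about an IPS; only the difference is evidence."""
    if control_result != "served":
        return f"inconclusive: control request failed ({control_result})"
    if test_result == "served":
        return "no blocking observed for this pattern"
    return f"likely string-matching inline IPS (test request: {test_result})"


def fingerprint(base_url):
    """Run the control first, then the test, and interpret the pair."""
    return classify(probe(base_url, CONTROL), probe(base_url, NOOP_SLED))


# --- simulated inline IPS: constructed for this example, not a real device ---
class _BlockingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if NOOP_SLED in self.path:
            # drop the session without answering, as an inline drop/reset would
            self.close_connection = True
            self.connection.shutdown(socket.SHUT_RDWR)
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_simulated_ips():
    """Serve on a random loopback port in a daemon thread; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _BlockingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/index", srv


if __name__ == "__main__":
    url, srv = start_simulated_ips()
    print(fingerprint(url))   # likely string-matching inline IPS (test request: reset)
    srv.shutdown()
```

The control is sent first so that a host that is simply down is reported as inconclusive. The same structure carries over to the Telnet, FTP and email variants the advisory mentions: send the harmless control, send the 24-character test, and draw a conclusion only from the difference.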

Remediation

idappcom recommends regular network security assessments, applying and validating high quality security rules written to identify any attack against a vulnerability rather than just a specific attack instance or variant. It is also recommended that poor quality plain-text string rules are removed or enhanced, to increase threat detection performance, lower false positive alerts and limit the possibility of IPS fingerprinting or passive reconnaissance techniques being effective.

References and Further Reading

Product examined: Snort 2.9.1, rule set 2910
Download: http://www.snort.org/snort-downloads

Some example Snort rules prone to false positives and remote triggering via legitimate means: SID:17340, SID:17325, SID:17338, SID:17339, SID:19286, SID:19287, SID:1390, SID:1394

Security Assessment and Enhancement

Traffic IQ Professional, as part of your continual network security assessment and enhancement procedures, will ensure that your network security devices maintain the highest levels of threat identification and mitigation. Our high quality security rules will help you enhance the capabilities, accelerate the performance and extend the life of your existing network security devices.
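One way to find the poor quality plain-text string rules the remediation refers to, as an added example rather than idappcom's or Snort's own tooling: a small linter that parses Snort rule lines and flags any rule whose detection consists of exactly one content match with no option that anchors it (flow, depth/offset/distance/within, pcre, byte tests, dsize, isdataat, or an HTTP buffer modifier). The sample rules are constructed for the example; the first is modelled on SID:1390 as the advisory describes it (its option set is simplified) and the other two use invented SIDs from the local 9000000 range.

```python
"""Lint Snort rules for single, unconstrained plain-text content matches.

Added example; not idappcom's or Snort's tooling. A rule whose whole detection
is one content: literal, with nothing that anchors it (flow direction, depth/
offset, a pcre, byte tests, a payload size check or an HTTP buffer modifier),
fires on that literal wherever it appears, which is what the advisory's
fingerprint test exploits.
"""
import re

# Constructed sample rule set. The first line is modelled on SID:1390 as the
# advisory describes it (option set simplified); the other two use invented
# SIDs from the local 9000000 range.
SAMPLE_RULES = r"""
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP overlong USER"; flow:to_server,established; content:"USER "; depth:5; nocase; isdataat:256,relative; pcre:"/^USER\s[^\n]{256}/smi"; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE bare string on port 80"; content:"cmd.exe"; nocase; sid:9000002; rev:1;)
"""

# Options that tie a content match to a position, direction or structure.
ANCHORS = {"flow", "depth", "offset", "distance", "within", "pcre", "byte_test",
           "byte_jump", "byte_extract", "dsize", "isdataat", "urilen",
           "http_uri", "http_header", "http_client_body", "http_method"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def split_options(opts):
    """Split the option body on ';' outside double quotes (backslash escapes honoured)."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out


def parse_rule(line):
    """Parse one rule line into its header fields plus an ordered (key, value)
    option list; returns None for anything that is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = [(k.strip(), v.strip())
                       for k, _, v in (o.partition(":") for o in split_options(m.group("opts")))]
    return rule


def lint_rule(rule):
    """Return a list of findings (empty when the rule looks well constrained)."""
    keys = {k for k, _ in rule["options"]}
    contents = [v.strip('"') for k, v in rule["options"] if k == "content"]
    findings = []
    if len(contents) == 1 and not (keys & ANCHORS):
        findings.append("single unconstrained content match")
        # no |hex| escapes and all printable: reproducible over any clear-text protocol
        if "|" not in contents[0] and contents[0].isprintable():
            findings.append(f"pattern {contents[0]!r} is printable text")
    if rule["proto"] == "ip":
        findings.append("protocol 'ip' applies to every IP packet regardless of transport")
    return findings


def sid_of(rule):
    for k, v in rule["options"]:
        if k == "sid":
            return int(v)
    return None


def lint(rules_text):
    """Map each rule's SID to its findings, skipping blank and comment lines."""
    report = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is not None:
            report[sid_of(rule)] = lint_rule(rule)
    return report


if __name__ == "__main__":
    for sid, findings in lint(SAMPLE_RULES).items():
        print(sid, findings or "ok")
```

Run against a real rules directory (concatenate the .rules files into rules_text), the flagged SIDs are the candidates for removal or for enhancement with flow, positional and service constraints; the rule modelled on SID:1390 is flagged on both counts, while the FTP rule with flow, depth, isdataat and pcre passes.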

Detailed white papers are available from our web site www.idappcom.com or by email request to client.services@idappcom.com

idappcom limited, Barham Court, Teston, Kent ME18 5BZ, UK
t: +44 (0)203 355 6804
Toll Free USA: 1 888 433 8835
Freephone UK: 0800 680 0791
Worldwide: +1 321 985 1511 or +44 203 355 6804
e: client.services@idappcom.com
www.idappcom.com

SECADV 2012-005 (rev 2). ID1344