June 14, 2002
In This Issue
Tech Talk

The Art of Protecting from the Unknown

There have been discussions within the security community lately about the concept of protecting an information asset against unknown attacks. Recently, there have been numerous products springing up making this claim. I would like to discuss three of the techniques promoted by various vendors that make this concept both possible and workable -- though often in a limited manner.

"I Can See the Future"

Wouldn't we all love to make this claim? The ability to adequately know what is around the next corner is high on my desired super power list. Unfortunately, this is the real world, and nobody can see the future. Adequate estimates made from current data are possible and sometimes very helpful. Analyzing current and past trends allows us a degree of success in forecasting the future. This concept is used to try to pick investments, gamble on horses, and predict tomorrow's weather. This technique is also used by "Early Warning Systems" that offer advanced notification of threats based on whatever process they deem to be accurate.

Using this type of "crystal ball" technique, we have been able to notice and respond to some events as they are happening, or shortly before they are anticipated to happen. This offers a limited degree of awareness, but often requires a precise view of very specific data. General predictions often fall short, and typically, the further you attempt to forecast into the future, the more "hazy" things can seem.

In more technical terms, this concept relies on a large number of distributed IDS sensors spread across a large network topology in an attempt to get a gestalt view of attacks. Analyzing the historical data those sensors collect can yield predictions about new attacks, or about the rate of spread of an attack, within that network topology.

Just as with stocks, horses, and the weather, actually making an accurate prediction based on historical and analytical data can be just as probable as leaving Vegas with a positive cash flow. From a systems security standpoint, relying on this methodology to guard against the unknown is extremely dangerous.


"The Fall Guy"

This approach utilizes the fact that having a stand-in take the fall for you is often preferable to taking the fall yourself. This concept shows up in the real world in the use of stunt men in the entertainment industry and of bodyguards in the physical security realm. The basis of this technique is having someone act as a proxy or decoy for you, with the understanding that they will be hit by an attack and not you. The piece in front gets hit (and potentially damaged) while allowing your infrastructure to continue to operate, sometimes at reduced capacity. This is the model used by many of the proxy-type software products available to protect your assets.

By acting as an intermediary between the asset you are protecting and a potential attacker, you can add complexity and more points of failure to the equation. In some ways you may be lowering your attack profile, but you are also opening yourself up to other, different types of attacks. Sadly, due to the cost of these types of solutions, the defensive proxy is often called upon to protect numerous assets like web servers. As a result, a directed attack against the defensive proxy will result in a much larger loss than if the solution wasn't there at all!

In technical terms, this approach is usually an application that sits as a proxy in front of a web farm. There are several products in this vein, but the concept boils down to a decoy system, where the protector appears to any attacker to be the system it is protecting. The core problem here is that after the decoy takes the attack and potentially fails, your information is no longer available. Network topology decisions place these solutions at "choke points" on your network to funnel all traffic through them. When that choke point fails, the network is basically cut off.


"You Should Know Better"

The final technique is the one we developed for use within our SecureIIS product. It revolves around the concept of forcing an application to think more about the type of information that it will consider legitimate. By residing within the application as an ISAPI filter, SecureIIS wraps around IIS and provides protection at the most crucial layer: it monitors all incoming and outgoing traffic as it passes between the network and the kernel layer, enabling the application (IIS) to change the way it "thinks" about its input data and avoid being compromised.

What we have termed the "You Should Know Better" approach is the process of "teaching" an application how to protect itself. This technique is the cornerstone of a true application firewall. This method, unlike any other we have found, is the most thorough in its testing and the most painless to implement. All input must be considered hostile and must not be passed on to the host application until it has passed stringent checks for sanity and safety.

SecureIIS advances the "You Should Know Better" approach by looking for unique classes of attacks. It uses multiple security filters to inspect web server traffic for such issues as buffer overflows, parser evasions, directory traversal and other attacks. Because it looks for the class rather than for an individual attack, SecureIIS is able to block attacks that have not yet been discovered. In fact, several major vulnerabilities found within Microsoft's IIS throughout the past year were discovered by eEye while our engineering team was developing advanced class recognition technology and product enhancements for SecureIIS.
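To make the "classes of attacks" idea concrete, here is an added example (written for this newsletter, not SecureIIS code) of a request filter that treats every request as hostile and checks it against the three classes named above: buffer overflows (oversized URL or header values), parser evasions (NUL bytes and multi-layer percent-encoding) and directory traversal. The length limits and the sample requests in the comments are constructed for the example.

```python
from urllib.parse import unquote

# Constructed limits for the example; the real thresholds used by SecureIIS
# are not given in the newsletter.
MAX_URL_LEN = 1024
MAX_HEADER_LEN = 2048

def fully_decode(s: str) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    sequence such as %252e%252e is seen as the '..' it becomes."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s

def check_request(path: str, headers: dict) -> list:
    """Return the attack classes matched by one request; empty means pass.
    Everything is treated as hostile until each class check is clean."""
    findings = []
    # Class 1: buffer overflow - oversized URL or header values
    if len(path) > MAX_URL_LEN:
        findings.append("overflow:url")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append("overflow:header:" + name.lower())
    # Class 2: parser evasion - NUL bytes and multi-layer encoding, which
    # make the filter and the application disagree about what was requested
    once, decoded = unquote(path), fully_decode(path)
    if "\x00" in decoded:
        findings.append("evasion:null-byte")
    if once != decoded:
        findings.append("evasion:double-encoding")
    # Class 3: directory traversal - a '..' segment after decoding and after
    # treating backslashes as path separators (as Windows/IIS does)
    if ".." in decoded.replace("\\", "/").split("/"):
        findings.append("traversal")
    return findings
```

Note that the checks run on the decoded form of the request, so a request like `/%252e%252e/secret.txt` (constructed) is reported as both an encoding evasion and a traversal even though no literal `..` appears on the wire.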

The first two approaches listed, "I Can See the Future" and "The Fall Guy", can be largely inaccurate and may be irresponsible marketing hype. Making a claim that the future, otherwise unpredictable, can be foretold is as inaccurate as pinpointing the next big earthquake. The true application firewall will actually protect from unknown attacks. This is due to the sophistication in searching for entire "classes of attacks". It is the only way to proactively protect your web server from vulnerabilities. Unless, of course, predicting the future was in fact possible and we just haven't received that memo yet.

By Ryan Permeh

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

ComputerWorld - Recent Breaches Raise Specter of Liability Risks
"Organizations that fail to show due diligence in protecting their data assets face a real risk of legal problems in the not-too-distant future, analysts said." Full Article

Sans Institute - The Twenty Most Critical Internet Security Vulnerabilities
"A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. This new list, released on October 1, 2001, updates and expands the Top Ten list." Full Article

Information Security - Bridging the Gap
"If practitioners can't agree what a security professional is supposed to be, how can they expect others to accord them the respect they think they deserve?" Full Article

Reader Q&A

Q: I am seeing "Failed in VerifyRFC" errors in my SecureIIS logs. What is RFC checking, and how does SecureIIS use it to protect my server?

A: RFC checking was introduced in SecureIIS 1.2.6. Basically, SecureIIS is verifying that web clients are abiding by the "rules of the road" for web traffic. In some cases an attacker can manipulate the HTTP protocol to exploit a certain class of IIS vulnerability. HTTP manipulation can also be used to bypass certain security systems (like IDSs), so SecureIIS will catch these incoming attacks even if they are not directly exploiting a hole in the web server. If you are seeing an abnormal number of VerifyRFC errors in your SecureIIS logs, chances are you are running a web-based application that is violating an RFC rule, and you can contact eEye for assistance in tracking down the problem.
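As an added illustration of what "abiding by the rules of the road" means (example code written for this newsletter, not the SecureIIS VerifyRFC implementation), the function below checks the head of a raw HTTP request against a handful of RFC 2616 rules: CRLF line endings, a three-part request line with a token method and a well-formed HTTP-Version, header names that are tokens with no space before the colon, a numeric Content-Length, and no message carrying both Content-Length and a non-identity Transfer-Encoding. The sample requests in the test are constructed.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators (space, ':', '/', ...)
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(r"^HTTP/\d+\.\d+$")

def verify_rfc(raw: bytes) -> list:
    """Return the RFC 2616 violations found in a request head (request line
    and headers); an empty list means the client followed the rules."""
    errors = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        errors.append("header block not terminated by an empty CRLF line")
    if b"\n" in head.replace(b"\r\n", b""):
        errors.append("bare LF used as a line terminator")
    lines = [l for l in head.replace(b"\r\n", b"\n").split(b"\n") if l]
    parts = lines[0].split(b" ") if lines else []
    if len(parts) != 3:
        errors.append("request line is not 'Method SP Request-URI SP HTTP-Version'")
    else:
        method, uri, version = (p.decode("latin-1") for p in parts)
        if not TOKEN.match(method):
            errors.append("method is not a token")
        if not (uri == "*" or uri.startswith("/") or "://" in uri):
            errors.append("Request-URI is not abs_path, absoluteURI or '*'")
        if not VERSION.match(version):
            errors.append("malformed HTTP-Version")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last:        # LWS continuation line
            headers[last][-1] += " " + line.strip().decode("latin-1")
            continue
        name, colon, value = line.partition(b":")
        name = name.decode("latin-1")
        if not colon or not TOKEN.match(name):         # e.g. "Host : x", no colon
            errors.append("malformed header field: %r" % line[:40])
            continue
        last = name.lower()
        headers.setdefault(last, []).append(value.strip().decode("latin-1"))
    for length in headers.get("content-length", []):
        if not length.isdigit():
            errors.append("Content-Length is not a decimal number")
    # RFC 2616 section 4.4: a message MUST NOT carry both Content-Length and a
    # non-identity Transfer-Encoding; with both, the body length is ambiguous.
    codings = [v.lower() for v in headers.get("transfer-encoding", [])]
    if "content-length" in headers and any(c != "identity" for c in codings):
        errors.append("both Content-Length and Transfer-Encoding present")
    return errors
```

A legitimate application that sends bare LF line endings or a space before the header colon will trip these checks in exactly the way the answer describes, which is why an unexpected volume of such errors usually points at a non-compliant client rather than an attack.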

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

Release: SecureIIS™ 2.0 Web Server Protection -- Proactive Intrusion Prevention
We are pleased to announce the release of version 2.0. Several new enterprise-ready features include:

  • Central Policy Management
  • Central Event Management
  • Real-Time Statistic Charts
  • Logging of all Blocked Requests
Please visit the eEye website for more information on SecureIIS. Full Article

Advisory: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow
A vulnerability in transfer chunking, in combination with the processing of HTR request sessions, can be exploited to remotely execute code of an attacker's choice on the vulnerable machine.

Systems Affected:
Microsoft Windows NT 4.0 Internet Information Services 4.0
Microsoft Windows 2000 Internet Information Services 5.0

This is a very serious vulnerability and eEye suggests that administrators install the Microsoft supplied patch as soon as possible. Clients deploying SecureIIS Web Server Protection are 100% protected from this vulnerability. Full Article

Release: Retina® 4.8 Network Security Scanner
New features include:

  • Scan ranges can be saved / loaded to a host file. (*.rti)
  • Scan range files (*.rti) can be used in command line mode (see the Retina FAQ for details).
  • Added ability to scan non-sequential IP addresses.
  • Added NetBIOS OS detection.
  • If set to "Check Without Asking", the Auto-Updater will now launch when using Retina command line mode.
  • Improved search functionality.
Please visit the eEye website for more information on Retina. Full Article

Self-Running Product Demos
We are pleased to announce the availability of recorded tours of eEye's products. They highlight the features and benefits of the products and walk the user through a quick tutorial. Full Article

Etcetera

Dollar Diddling and the Billion-Dollar Viruses
How journalists tap "experts" to reach absurd conclusions about the cost of computer viruses. More

The Worst Software Bugs Ever
You thought your bugs were bad! View some of the worst software bugs to ever strike, for example: AT&T long distance service fails for nine hours (Wrong BREAK statement in C-Code, 1990) More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.