Forrester Network Mitigation Report
September 26, 2009 by theipsguy · Leave a Comment
I recently read the TechRadar for Security & Risk Professionals: Network Threat Mitigation, Q3 2009 by Forrester. This report reviewed 14 different threat mitigation categories. These included encryption, wireless IDS/IPS, UTM, Intrusion Prevention, network access control, Web-content filtering and a few others.
It is obvious that the bad guys are highly organized and very skilled. The number and sophistication of attacks do not seem to be going down but instead increasing. Forrester identified three areas they see in their client companies:
- The current controls are either not able to prevent the type of threats we see today, or the solutions and how they are used need to be re-thought.
- Companies fear inline protection. Even though many companies have successfully deployed Intrusion Prevention, there is a general fear that the IPS will block legitimate traffic.
- Companies lack visibility into what is really happening on their networks. This is somewhat by design, because what you do not know you do not have to address.
Forrester did a good job of grouping the type of technologies and providing a ranking on their business value. I agree in general with their assessments.
| Technology | Business Value |
| Firewall Auditing | Low |
| Network Encryption | Negative |
| Network Threat Modeling | Negative |
| Network Access Control | Low |
| UTM | Low |
| Email Security Gateway | High |
| Network Firewall | High |
| Vulnerability Scanners | Medium |
| NBAD | Negative |
| IDS | Negative |
| IPS | High |
| Web Proxy | Medium |
| Application Firewalls | Low |
| Wireless IDS/IPS | Medium |
Forrester states that NBAD is declining and will be replaced with NBA. Further, they predict NBA will likely be added to other security appliances. I agree with this assessment, and vendors are working hard to integrate NBA into their Intrusion Prevention systems. McAfee will be doing this soon, as will IBM/ISS, and Cisco already does this.
One item I noticed, and this is likely a mistake on the part of the authors, is that they listed Snort/Sourcefire in the IDS-only category. While I agree with the general categorization of Snort as IDS only, I do not agree with Sourcefire being in this category, and I doubt Martin Roesch would either.
Forrester rates Network Intrusion Prevention as a High business value, and I would of course tend to agree, though I may be a little biased. They see their clients replacing older IDS-based systems with IPS and relying on this technology as a key control in their network. Many vendors are beginning to add other features to their IPS devices. Companies like IBM/ISS have limited DLP functionality in their network intrusion prevention devices, and IBM/ISS recently released web application firewall functionality.
Network Intrusion Prevention continues to be a key control used by businesses and is only going to continue to grow. I believe we will see IPS become a platform for more services like DLP and NBA similar to how firewalls have integrated IPS, content filtering and other technologies.
September Microsoft Bulletins
September 9, 2009 by theipsguy · Leave a Comment
IBM/ISS Coverage
| MS Bulletin | Coverage | Coverage Date |
| MS09-049 | Scanner Only 1.59 | September 8th, 2009 |
| MS09-048 | XPUs 20.90, 1.71, 1.72, 28.010, 28.150, 29.130, 29.030, 29.070, 29.080 | Multiple dates of coverage: 2006, 2008, 2009 |
| MS09-047 | XPU 20.90 | September 8th, 2009 |
| MS09-046 | XPU 20.90 | September 8th, 2009 |
| MS09-045 | XPU 20.90 | September 8th, 2009 |
Cisco
| MS Bulletin | Coverage | Coverage Date |
| MS09-049 | NA | |
| MS09-048 | S430, S248, S431, S242 | Multiple dates of coverage |
| MS09-047 | S431 | September 8th, 2009 |
| MS09-046 | S431 | September 8th, 2009 |
| MS09-045 | S431 | September 8th, 2009 |
McAfee
| MS Bulletin | Signature ID | Coverage Date |
| MS09-049 | Foundstone 7110 | |
| MS09-048 | 0x9E00, 7106 | September 8th, 2009; September 9th, 2009 |
| MS09-047 | 7108, 7109, 0x40265D00, 0x40265E00 | September 8th, 2009; September 9th, 2009 |
| MS09-046 | 0x40266900 | September 8th, 2009 |
| MS09-045 | 7098, 0x40266800 | September 8th, 2009; September 9th, 2009 |
Microsoft Security Advisory (975191)
September 3, 2009 by theipsguy · Leave a Comment
Microsoft has announced a vulnerability in the IIS FTP service. The vulnerability is a stack-based buffer overflow caused by improper bounds checking in the FTPd service. By sending an overly long NLST command, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges, or cause the application to crash.
| IPS Vendor | Protection | Date | Link |
| IBM/ISS | yes | Jun 6, 2002; Sept 3, 2003 | http://bit.ly/2loiYU |
| Cisco | yes | Sept 2, 2009 | http://bit.ly/YJ97S |
| McAfee | yes | Aug 31, 2009 | No link |
It is nice to see IBM/ISS with coverage dating back 6-7 years! The primary signature, FTP_Mkd_Overflow, was originally developed for a vulnerability in WS_FTP Server and will provide protection for this vulnerability as well; this signature is enabled by default.
Exploit code has been placed on Milw0rm and has been added to MetaSploit.
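The detection idea behind the vendor coverage above is a length check on the FTP control channel: a path argument far longer than any real directory name is the tell for the overlong NLST (or MKD) the advisory and the FTP_Mkd_Overflow signature describe. The following Python is an added example, not the post's or any vendor's code; it generalizes the check to every path-taking FTP command, and the 256-byte limit, the command set and the sample session are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Assumed limit for a benign path argument (illustrative, not a vendor value);
# a real signature tunes this to the target implementation.
MAX_PATH_ARG = 256

# Commands that take a path. NLST is the one named in Microsoft Advisory 975191;
# MKD is the one the IBM/ISS FTP_Mkd_Overflow signature was written for.
PATH_COMMANDS = {b"NLST", b"LIST", b"CWD", b"MKD", b"RMD", b"RETR", b"STOR", b"DELE"}

@dataclass
class Alert:
    line_no: int   # 1-based command line within the control stream
    command: str
    arg_len: int

def split_ftp_lines(stream: bytes) -> List[bytes]:
    """Split a reassembled client->server control stream into command lines.
    FTP lines end in CRLF, but a bare LF is accepted too so a sloppy client
    cannot slip past the check. A trailing partial line (no terminator yet)
    is still returned so an overlong command still in flight is not missed.
    """
    lines = stream.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # stream ended cleanly on a terminator
    return lines

def detect_overlong_path_commands(stream: bytes, limit: int = MAX_PATH_ARG) -> List[Alert]:
    """Return one Alert per path-taking command whose argument exceeds `limit` bytes."""
    alerts = []
    for n, line in enumerate(split_ftp_lines(stream), start=1):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()  # FTP verbs are case-insensitive
        if verb in PATH_COMMANDS and len(arg) > limit:
            alerts.append(Alert(n, verb.decode("ascii", "replace"), len(arg)))
    return alerts

# Constructed sample session: a normal login and listing, then an NLST with a
# 600-byte argument of the kind the advisory describes.
SAMPLE_SESSION = (
    b"USER anonymous\r\nPASS guest@\r\nCWD /pub\r\nNLST *.txt\r\n"
    + b"NLST " + b"A" * 600 + b"\r\n"
    + b"QUIT\r\n"
)

if __name__ == "__main__":
    for a in detect_overlong_path_commands(SAMPLE_SESSION):
        print(f"line {a.line_no}: {a.command} argument is {a.arg_len} bytes, limit {MAX_PATH_ARG}")
```

The check only works on the reassembled TCP stream; a sensor that inspects individual segments would see the long argument split across packets and miss it.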