Potential Countermeasures

Marcus Ranum, founder of NFR, Inc., delivered a talk at the Black Hat Briefings 1999 on building "burglar alarms" and "booby traps." His point was that the best defense is proper perimeter security combined with locking down each system individually; a burglar alarm or booby trap is then added to the network or to individual systems to detect the cases where that perimeter or host security has nevertheless been breached. A burglar alarm in this sense is a sniffer loaded with packet-matching rules that are the exact inverse of the rules enforced by the firewall: if the firewall is working perfectly, the sniffer picks up nothing, so any packet the sniffer does pick up is evidence that the firewall has been circumvented somehow.
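The inverse-rule idea can be made concrete. The following is an added example in Python, not code from the book or from NFR; the allow-list, the address ranges (RFC 5737 documentation ranges) and the sample packets are all constructed for illustration. It states the firewall's allow-list once, derives the sniffer's rule as its negation, and emits the same negation as a BPF filter that could be handed to tcpdump on a tap just inside the firewall.

```python
"""Burglar-alarm sniffer rules as the exact inverse of a firewall policy.

Added example, not code from the book or from NFR. The allow-list, the
address ranges (RFC 5737 documentation ranges) and the sample packets are
all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Assumed perimeter policy: only these (destination network, protocol, port)
# combinations are permitted inbound; the firewall drops everything else.
ALLOW = [
    (ip_network("192.0.2.0/24"), "tcp", 80),    # web DMZ, HTTP
    (ip_network("192.0.2.0/24"), "tcp", 443),   # web DMZ, HTTPS
    (ip_network("192.0.2.53/32"), "udp", 53),   # public DNS
]


def firewall_permits(pkt: Packet) -> bool:
    """The firewall rule: what the perimeter is supposed to let through."""
    dst = ip_address(pkt.dst)
    return any(
        dst in net and pkt.proto == proto and pkt.dport == port
        for net, proto, port in ALLOW
    )


def alarm_filter(pkt: Packet) -> bool:
    """The sniffer rule: the inverse of the firewall rule. A sniffer sitting
    just inside the firewall should never see a packet for which this is
    true; if it does, the firewall has been bypassed or its policy differs
    from the one the sniffer was built from."""
    return not firewall_permits(pkt)


def alarm_bpf() -> str:
    """The same inverse policy as a BPF capture filter for tcpdump or a
    BPF-based sniffer. TCP is restricted to SYN segments so that replies to
    connections legitimately opened from inside do not trip the alarm; UDP
    has no handshake and is checked unconditionally."""
    allowed = [
        f"(dst net {net} and {proto} dst port {port})"
        for net, proto, port in ALLOW
    ]
    return ("(udp or tcp[tcpflags] & tcp-syn != 0) and not ("
            + " or ".join(allowed) + ")")


def tripped(packets):
    """Return the packets that set off the alarm."""
    return [p for p in packets if alarm_filter(p)]


if __name__ == "__main__":
    sample = [  # constructed traffic as seen just inside the firewall
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # ordinary web hit
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
        Packet("198.51.100.9", "192.0.2.10", "tcp", 23),   # telnet to the DMZ: alarm
        Packet("198.51.100.9", "192.0.2.53", "udp", 53),
        Packet("198.51.100.9", "192.0.2.53", "udp", 161),  # SNMP to the DMZ: alarm
    ]
    for p in tripped(sample):
        print("ALARM:", p)
    print("tcpdump filter:", alarm_bpf())
```

The in-memory matcher models inbound connection attempts only; the BPF form adds the SYN restriction because a stateful firewall legitimately passes the replies to connections opened from inside, and those would otherwise set the alarm off constantly. The other practical caveat is policy drift: the sniffer's rule has to be regenerated from the firewall's rule set every time that rule set changes, or each drift shows up as a false alarm.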

Using an IDS effectively to detect Web attacks is difficult, largely because of the nature of HTTP requests and of the interaction with Web applications. The same request can be expressed in many ways, and an IDS that matches fixed signatures cannot cope with all of them; it is best suited to detecting singular, well-defined events. Building or configuring an IDS to detect Web attacks should therefore be based on the following concepts.

SSL Decryption

With regard to intrusion detection for Web traffic, SSL is the greatest hurdle. A network IDS works as a passive eavesdropper: it copies traffic off the wire before it reaches the endpoint and analyzes it for attack signatures. SSL was designed specifically to render exactly that kind of eavesdropping ineffective. Designing an IDS to see inside SSL is therefore an exercise that somewhat defeats the purpose of SSL itself.

However, as mentioned previously, there are two ways around this. The first is to load the IDS with the Web server's SSL certificates and private keys so that it can decrypt the sessions itself; this works only for cipher suites in which the session key is carried under the server's RSA key, because when the session key is negotiated with ephemeral Diffie-Hellman the server's long-term private key never enters the key derivation and passive decryption is impossible. The second is to terminate SSL on a reverse HTTP proxy that decrypts the traffic and passes it on in the clear to the back-end Web servers. In the latter case the IDS is positioned between the reverse proxy and the back-end Web servers, where it sees plaintext HTTP.

URL Decoding

The most common technique for evading IDS detection is to alter the URL string so that it no longer matches the signature. For an IDS to identify attacks even when URLs are altered, a URL decoding stage should be inserted before the signature matching stage, so that signatures are applied to the canonical form of the request rather than to whatever encoding the attacker chose. Such a system reduces both false negatives (encoded attacks that slip past signatures written for the plain form) and false positives, as described earlier in this chapter.

URL decoding has certain drawbacks. Decoding every Web request is resource intensive when the volume of network packets is high. The IDS also has to reassemble the TCP stream and separate the application-layer data from the packets before it can decode anything, and it must decode the same number of times, and in the same order, as the Web server does; if the two disagree about what a request means, that disagreement is itself an evasion opportunity.

Until an IDS built on artificial intelligence proves successful and effective, Web server security administrators should rely more on locking down the Web server and Web application and on inspecting Web server logs for malicious activity, and not rely entirely on IDSs to detect attacks.
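The decode-then-match stage described under URL Decoding, applied to the Web server logs this paragraph recommends inspecting, as an added example in Python (not the book's code). The log lines are constructed in Apache combined format with documentation addresses, and the three signatures are illustrative rather than a real rule set. Each request is matched once against the raw URL and once against the decoded, canonicalized URL, so the false negatives that decoding removes are visible directly.

```python
"""Decode-then-match over Web server log entries.

Added example, not code from the book. The log lines below are constructed
(Apache combined format, documentation addresses) and the signatures are
illustrative only.
"""
import re
from urllib.parse import unquote

# Apache combined log format; only the request line is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<ver>[^"]+)" (?P<status>\d{3})'
)

# Signatures are written against the decoded, canonical URL (illustrative).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "cmd.exe invocation": re.compile(r"/cmd\.exe", re.I),
    "shell metachar in query": re.compile(r"[;|`]"),
}

MAX_DECODE_ROUNDS = 3  # assumption: how deep we are willing to decode


def normalize_url(url):
    """Percent-decode until the string stops changing (bounded), then
    canonicalize the path. Returns (decoded_url, rounds); rounds > 1 means
    the request was multiply encoded, which is itself worth reporting.
    '..' segments are deliberately kept, not resolved, so that the traversal
    signature still has something to match."""
    decoded, rounds = url, 0
    while rounds < MAX_DECODE_ROUNDS:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    path, sep, query = decoded.partition("?")
    path = path.replace("\\", "/")              # IIS accepts backslashes
    path = re.sub(r"/\.(?=/|$)", "/", path)    # drop "/./" segments
    path = re.sub(r"/{2,}", "/", path)         # collapse "//"
    return path + sep + query, rounds


def inspect_line(line):
    """Match the signatures against both the raw and the decoded URL of one
    log entry; returns None for lines that are not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("url")
    decoded, rounds = normalize_url(raw)
    hits_raw = [n for n, sig in SIGNATURES.items() if sig.search(raw)]
    hits_decoded = [n for n, sig in SIGNATURES.items() if sig.search(decoded)]
    if rounds > 1:
        hits_decoded.append(f"multiple encoding ({rounds} rounds)")
    return {"ip": m.group("ip"), "raw": raw, "decoded": decoded,
            "hits_raw": hits_raw, "hits_decoded": hits_decoded}


def scan(log_text):
    """Inspect every non-empty line; unparseable lines are skipped."""
    results = [inspect_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in results if r is not None]


# Constructed sample log: one benign request and three encoded attacks.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
198.51.100.24 - - [10/Oct/2000:13:55:37 -0700] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404 207 "-" "Mozilla/4.0"
198.51.100.25 - - [10/Oct/2000:13:55:38 -0700] "GET /scripts/..%252f..%252fwinnt/system32/cmd%2Eexe?/c+dir HTTP/1.0" 200 412 "-" "Mozilla/4.0"
198.51.100.26 - - [10/Oct/2000:13:55:39 -0700] "GET /cgi-bin/finger?user%3Droot%3Bcat+/etc/passwd HTTP/1.0" 200 1201 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ip"]} raw={r["hits_raw"]} decoded={r["hits_decoded"]}')
```

None of the three attack lines matches a signature in its raw form; all three match after decoding. MAX_DECODE_ROUNDS is a policy choice: the example decodes up to three rounds but records how many rounds changed the string, so a multiply-encoded request is reported as such instead of being silently treated as its innermost form. A sensor that decodes more deeply than the Web server does, and then alerts on the result without saying so, will flag requests the server never interprets that way, which is the false positive side the text refers to.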

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156
