And again, I completely agree that it has network security has its use, it’s just that that use is becoming easier and easier to circumvent as more and more things get tunneled over port 80 and as more applications become HTTP enabled. I had a buddy who was contracted to port TCP/IP over HTTP. What’s the point in a firewall at that point? It’s completely circumvented the entire security model. What a pain! Anyway, that was my point, sorry if I wasn’t articulate. It’s been a rough last few weeks at work.

Thanks for the comments! You are correct in that I am sure there are attacks that would be next to impossible to catch with regex, unless you wanted to block everything or incur a tsunami of false positives. No bet

I agree with you that the model is broken…no question. Secure coding practices and change control / management would go a long way in neutering these problems. I guess my position is that this type of technology is still useful as part of a larger strategy. As with anything it’s not the be-all end-all of security, despite what the vendors tell you.

Thanks again for the comments.

–Chris

True, it’s one signature, but I challenge someone to write a rule in regex that could accurately identify all variations of that attack against that tool. I’ll bet you a buck you can’t do it. And no cheating by disallowing everything. It gets exponentially more complex with variations.

When I was saying 1998, I meant only that it was twice in a day that I mentioned Rain Forrest Puppy on my blog, nothing more.

Stateful packet inspection is irrelevant to this conversation though. Sure it’s nice to know that they have a three way connection, but it has no basis in understanding the path of a user on a system. If I turn off my connection and connect through a different IP address the IPS, IDS and firewall are all useless, they have no idea it’s the same user.

IP based packet inspection is a nice tool, but against almost all the attacks I go into on my site, it’s next to useless. I think where it’s useful is where you have a signature that’s (more) difficult to modify, like a buffer overflow. Against a simply http request, how can you tell if it’s benign or not? That’s the real question.

I used to be a network security guy, but the more I reasearched it the more I felt like it was only tackling one problem. And as such it was hindering technology. And then the developers coded around it. That caused more holes (like the ones we are seeing today). In the end it’s almost completely broken. Yes, there are mitigating factors, but I’ve seen exactly 2 companies who’ve ever come close to protecting itself from the XSS JavaScript port scanner, and one of them has complete physical seperation of networks.

How can a IDS detect that? What about over SSL? You going to decrypt the traffic in real time (not of your website traffic, but of your own personal inbound outbound user’s HTTP traffic)? At a small company that’s doable, in huge companies, not so much, and it’s hard to justify costs. It’s possible, but it doesn’t tell you anything about authentication state (leading to possible CSRF) of users.

In the end we could debate it all day. It’s useful, but it’s certainly not going to do much against any of the attacks we are working on.