Hi David,

I agree, an IPS is the most preferred way to go, but what would you do when you don't have an IPS at hand, for example a remote site with an ASA 5505 or an IOS ISR router that does all the jobs?
Then FPM would be an option, but how would that go performance-wise? What about NBAR or ZBFW?

Pieter-Jan

On 16 jun 2010, at 18:21, Mack, David A (Dave) wrote:

> Hmm,
> I think that IPS would be my first choice since that is what the
> IPS is made to do and there is a signature for it already... But for fun
> I took a swag at a FPM config:
>
> load protocol system:fpm/phdf/ip.phdf
> load protocol system:fpm/phdf/tcp.phdf
> !
> ip tcp synwait-time 5
> !
> class-map type stack match-all CM:IP:TCP
>  match field IP protocol eq 0x6 next TCP
> class-map type access-control match-all CM:TCP:HCP:8080:SRC
>  match field TCP source-port eq 8080
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:8080:DST
>  match field TCP dest-port eq 8080
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:80:SRC
>  match field TCP source-port eq 80
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:80:DST
>  match field TCP dest-port eq 80
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:443:DST
>  match field TCP dest-port eq 443
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:443:SRC
>  match field TCP source-port eq 443
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> !
> !
> policy-map type access-control PM:TCP:HCP
>  class CM:TCP:HCP:80:SRC
>   drop
>  class CM:TCP:HCP:80:DST
>   drop
>  class CM:TCP:HCP:8080:SRC
>   drop
>  class CM:TCP:HCP:8080:DST
>   drop
>  class CM:TCP:HCP:443:SRC
>   drop
>  class CM:TCP:HCP:443:DST
>   drop
> policy-map type access-control PM:HCP
>  class CM:IP:TCP
>   service-policy PM:TCP:HCP
> !
>
> You could apply this policy inbound or outbound where you need it.
>
> FWIW,
> Dave
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Pieter-Jan Nefkens
> Sent: Wednesday, June 16, 2010 11:56 AM
> To: OSL Security
> Subject: [OSL | CCIE_Security] Security related, but not completely CCIE
>
> Hello List,
>
> Perhaps you're already aware of it, but perhaps not, if you've been too
> much in the workbooks lately ;-)
>
> Recently, a day-zero vulnerability has been found in the help & support
> system of both Windows XP and Windows 2003.
> Sophos has found that an exploit has been active on an open source
> project, but it has been removed from that site.
> However, it is expected that the exploit will be on other websites as
> well.
>
> So, this appears to be a genuine day-zero attack / exploit.
> You can find information at the following sites:
>
> Sophos blog entry: http://www.sophos.com/blogs/sophoslabs/?p=10045
> Cisco Security alert:
> http://tools.cisco.com/security/center/viewAlert.x?alertId=20691
> CVE Reference:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
> Microsoft article:
> http://www.microsoft.com/technet/security/advisory/2219475.mspx
>
> So, that is the information sharing.
> Now, let's get down to the mitigation of this vulnerability and get a
> discussion (perhaps?) on alternative solutions. According to the
> technical details, the vulnerability exists in the parsing of a
> malformed hcp URL, so the obvious workaround is basically:
> disable the hcp protocol (which is what Microsoft recommends).
> The disadvantage is that local help systems that use hcp:// won't work
> as well, until Microsoft releases a patch.
>
> Now, that's a good thing to start with, but how could we solve this on
> the network edge level, so that our users can still access the help?
> Cisco has already released a signature definition file S495, which
> contains signature 26599.
> If you look at the signature definition, it scans the web service ports
> for an hcp:// URL regex.
>
> So, how could we use that information to prevent the exploit from
> occurring, and do it at the edge (preventing network attacks)?
> Since it's a regex, my guess would be that on an ASA, you create a regex
> matching the hcp:// prefix (either the complete regex, or just the
> hcp:// prefix) and apply that to the http inspection engine and drop any
> matches. That should give you a bit more security. It still won't do the
> encrypted inspection traffic (like SSL traffic), but that's something
> the IPS doesn't do as well.
>
> Now, how would one do that on the IOS side? There are too many options
> to name: ZBFW, CBAC perhaps, control plane protection on the transit
> plane, NBAR, FPM? What would be your guess, also with
> real-life performance in the back of your mind?
>
> I know, it's different from the workbooks, but it is real life, and the
> things we learn in the workbooks and prepping at CCIE level should give
> you the edge to think about these attacks and might get you to start
> thinking about how to prevent it.
>
> Kind regards
> Pieter-Jan
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
> ---

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
---
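The thread discusses matching the "hcp://" string on the web ports with a regex, either in ASA http inspection or with Dave's FPM policy. The following Python model is an added example, not code from the thread and not Cisco code; it reproduces what the posted FPM policy-map decides for a single TCP segment (ports 80, 443 and 8080 in either direction; the regex "hcp://" evaluated over the first 256 payload bytes) and runs it over a handful of constructed segments. Two assumptions are labelled in the code: FPM inspects each packet on its own, with no TCP stream reassembly, and its regex match is case-sensitive. The sample payloads are constructed for the example and are not taken from any real exploit page.

```python
"""Model of the FPM policy from the thread: per-segment, first-256-bytes
regex match of "hcp://" on TCP ports 80, 443 and 8080 (either direction).
Added example; the port list, offset and size come from the posted config."""
import re
from dataclasses import dataclass

# Ports covered by the CM:TCP:HCP:<port>:{SRC,DST} class-maps in the thread.
WEB_PORTS = {80, 443, 8080}
# "match start TCP payload-start offset 0 size 256" -> bytes [0, 256).
PAYLOAD_OFFSET, PAYLOAD_SIZE = 0, 256
# Assumption: the FPM regex "hcp://" is matched case-sensitively.
HCP_RE = re.compile(rb"hcp://")


@dataclass
class Segment:
    """One TCP segment as FPM sees it: no stream reassembly (assumption)."""
    src_port: int
    dst_port: int
    payload: bytes


def fpm_verdict(seg: Segment) -> str:
    """Return "drop" or "pass" the way policy-map PM:TCP:HCP would decide."""
    # Only the six port/direction class-maps are present, so other ports pass.
    if seg.src_port not in WEB_PORTS and seg.dst_port not in WEB_PORTS:
        return "pass"
    # The regex is applied to a fixed window of this segment's payload only.
    window = seg.payload[PAYLOAD_OFFSET:PAYLOAD_OFFSET + PAYLOAD_SIZE]
    return "drop" if HCP_RE.search(window) else "pass"


# Constructed samples (label -> segment). They exist only to exercise the model.
SAMPLES = {
    # Client request carrying the scheme in the query string: inside window.
    "request_hcp_in_uri": Segment(
        50123, 80,
        b"GET /?u=hcp://services/search?query=x HTTP/1.1\r\n"
        b"Host: www.example.test\r\n\r\n"),
    # Server response with an hcp:// link early in the body (src-port 80 case).
    "response_hcp_early": Segment(
        80, 50123,
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<a href="hcp://system/help.htm">help</a>'),
    # Same link, but placed past byte 256 of the segment: outside the window.
    "response_hcp_beyond_window": Segment(
        8080, 50124,
        b"HTTP/1.1 200 OK\r\n\r\n" + b"<p>filler</p>" * 30
        + b'<a href="hcp://system/help.htm">help</a>'),
    # Upper-case scheme: not matched by the case-sensitive regex (assumption).
    "response_hcp_uppercase": Segment(
        80, 50125,
        b"HTTP/1.1 200 OK\r\n\r\n" b'<a href="HCP://system/help.htm">help</a>'),
    # A port the posted class-maps do not cover.
    "non_web_port": Segment(50126, 8443, b'<a href="hcp://x">x</a>'),
    # TLS on 443: the regex sees ciphertext, as the thread notes (constructed bytes).
    "tls_record_on_443": Segment(443, 50127, b"\x17\x03\x01\x00\x20" + bytes(32)),
}


def run_samples() -> dict:
    """Classify every constructed sample and return label -> verdict."""
    return {label: fpm_verdict(seg) for label, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:30s} {verdict}")
```

Reading the results side by side shows what the policy does and does not give you at the edge: it catches the scheme in both the request and the response direction on the listed ports, but only within the first 256 bytes of each individual segment, only with the exact lower-case spelling, and not at all once the session is TLS on 443; those are the limits to keep in mind when comparing it against an IPS signature or an ASA http inspection regex.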