Hello Pieter-Jan!
Fair enough, I think the next thing I would want is a packet
capture of an HCP:// conversation to look inside the packets and see if
the application engines for ZBFW and CBAC would be able to process them.
Studying some IOS-XR right now, but I may try later to get some....
Thanks!
Dave
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
Pieter-Jan Nefkens
Sent: Wednesday, June 16, 2010 12:39 PM
To: OSL Security
Subject: Re: [OSL | CCIE_Security] Security related, but not completely CCIE
Hi David,
I agree, an IPS is the most preferred way to go, but what would you do
when you don't have an IPS at hand, for example a remote site with
an ASA 5505 or an IOS ISR router that does all the jobs?
Then FPM would be an option, but how would that go performance-wise?
What about NBAR or ZBFW?
Pieter-Jan
On 16 jun 2010, at 18:21, Mack, David A (Dave) wrote:
> Hmm,
> I think that IPS would be my first choice since that is what the IPS
> is made to do and there is a signature for it already... But for fun I
> took a swag at a FPM config:
>
> ! Protocol header definition files: give FPM the IP and TCP field names
> load protocol system:fpm/phdf/ip.phdf
> load protocol system:fpm/phdf/tcp.phdf
> !
> ip tcp synwait-time 5
> !
> ! Stack class: IP packets carrying TCP, so the TCP fields can be referenced
> class-map type stack match-all CM:IP:TCP
>  match field IP protocol eq 0x6 next TCP
> !
> ! One access-control class per direction and web port: look for "hcp://"
> ! in the first 256 bytes after the start of the TCP payload
> class-map type access-control match-all CM:TCP:HCP:8080:SRC
>  match field TCP source-port eq 8080
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:8080:DST
>  match field TCP dest-port eq 8080
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:80:SRC
>  match field TCP source-port eq 80
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:80:DST
>  match field TCP dest-port eq 80
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:443:DST
>  match field TCP dest-port eq 443
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> class-map type access-control match-all CM:TCP:HCP:443:SRC
>  match field TCP source-port eq 443
>  match start TCP payload-start offset 0 size 256 regex "hcp://"
> !
> ! Drop any packet that hits one of the HCP classes
> policy-map type access-control PM:TCP:HCP
>  class CM:TCP:HCP:80:SRC
>   drop
>  class CM:TCP:HCP:80:DST
>   drop
>  class CM:TCP:HCP:8080:SRC
>   drop
>  class CM:TCP:HCP:8080:DST
>   drop
>  class CM:TCP:HCP:443:SRC
>   drop
>  class CM:TCP:HCP:443:DST
>   drop
> !
> ! Outer policy: run the TCP/HCP policy on everything the stack class selects
> policy-map type access-control PM:HCP
>  class CM:IP:TCP
>   service-policy PM:TCP:HCP
> !
>
> You could apply this policy inbound or outbound where you need it.
>
> FWIW,
> Dave
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Pieter-Jan Nefkens
> Sent: Wednesday, June 16, 2010 11:56 AM
> To: OSL Security
> Subject: [OSL | CCIE_Security] Security related, but not completely
> CCIE
>
> Hello List,
>
> Perhaps you're already aware of it, but perhaps not, if you've been too
> much in the workbooks lately ;-)
>
> Recently, a day-zero vulnerability has been found in the help &
> support system of both Windows XP and Windows 2003.
> Sophos has found that an exploit has been active on an open source
> project, but it has been removed from that site.
> However, it is expected that the exploit will be on other websites as
> well.
>
> So, this appears to be a genuine day-zero attack / exploit.
> You can find information at the following sites:
>
> Sophos blog entry: http://www.sophos.com/blogs/sophoslabs/?p=10045
> Cisco Security alert:
> http://tools.cisco.com/security/center/viewAlert.x?alertId=20691
> CVE Reference:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
> Microsoft article:
> http://www.microsoft.com/technet/security/advisory/2219475.mspx
>
> So, that is the information sharing.
> Now, let's get down to the mitigation of this vulnerability and get a
> discussion (perhaps?) going on alternative solutions. According to the
> technical details, the vulnerability exists in the parsing of a
> malformed hcp URL, so the obvious workaround is basically:
> disable the hcp protocol (which is what Microsoft recommends).
> The disadvantage is that local help systems that use hcp:// won't work
> either, until Microsoft releases a patch.
>
> Now, that's a good thing to start with, but how could we solve this
> at the network edge, so that our users can still access the help?
> Cisco has already released a signature definition file S495, which
> contains signature 26599.
> If you look at the signature definition, it scans the web service
> ports for an hcp:// URL regex.
>
> So, how could we use that information to prevent the exploit from
> occurring, and do it at the edge (preventing network attacks)?
> Since it's a regex, my guess would be that, on an ASA, you create a regex
> matching the hcp:// prefix (either the complete regex, or just the
> hcp:// prefix), apply that to the HTTP inspection engine and drop
> any matches. That should give you a bit more security. It still won't
> inspect encrypted traffic (like SSL traffic), but that's
> something the IPS doesn't do either.
>
> Now, how would one do that on the IOS side? There are too many options
> to name: ZBFW, CBAC perhaps, control plane protection on the transit
> plane, NBAR, FPM? What would be your guess, also with
> real-life performance in the back of your mind?
>
> I know, it's different from the workbooks, but it is real life, and the
> things we learn in the workbooks and prepping at CCIE level should
> give you the edge to think about these attacks and might get you started
> thinking about how to prevent them.
>
> Kind regards
> Pieter-Jan
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
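As an added illustration of what the FPM config in the thread inspects (this is not code from the thread, from Cisco, or from the IPS signature), the Python below models the posted class-maps: a port filter on 80/8080/443 in either direction, then a regex over only the first 256 bytes after TCP payload-start of each segment, with no stream reassembly. It runs that against a reassembled-stream check over the same constructed HTTP response, which is closer to what a stream-aware inspection engine would see. The response, the link text and the segment sizes are constructed here and are not from a real capture; a plain case-insensitive `hcp://` is an assumed stand-in for the signature 26599 pattern, whose text is not on the page.

```python
"""
Model of what the FPM class-maps posted in the thread actually look at,
compared with a reassembled-stream check.  Added example, not code from
the thread or from Cisco; the HTTP response, link text and segment sizes
are constructed here and are not from a real capture.
"""
import re
from typing import Dict, List, Tuple

# Ports covered by the posted class-maps (source or destination).
FPM_PORTS = {80, 8080, 443}
# "match start TCP payload-start offset 0 size 256": only this many bytes
# of each segment's payload are searched, and each segment is searched alone.
FPM_WINDOW = 256
# Assumption: a plain, case-insensitive "hcp://" stands in for the real
# signature 26599 pattern, whose text is not on the page.
HCP_RE = re.compile(rb"hcp://", re.IGNORECASE)

Segment = Tuple[int, int, bytes]  # (src_port, dst_port, tcp_payload)


def fpm_matches(seg: Segment) -> bool:
    """Per-packet decision modelled on PM:TCP:HCP: port filter, then the
    regex over the first FPM_WINDOW bytes of this segment's payload."""
    sport, dport, payload = seg
    if sport not in FPM_PORTS and dport not in FPM_PORTS:
        return False
    return HCP_RE.search(payload[:FPM_WINDOW]) is not None


def stream_matches(segments: List[Segment]) -> bool:
    """Stateful alternative: reassemble the server-to-client byte stream
    and search all of it, the way a stream-aware inspection engine would."""
    stream = b"".join(payload for _, _, payload in segments)
    return HCP_RE.search(stream) is not None


def http_response(body: bytes) -> bytes:
    """Minimal constructed HTTP/1.1 response carrying an HTML body."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


def segmentize(data: bytes, mss: int, sport: int, dport: int) -> List[Segment]:
    """Split the response into TCP segments of at most `mss` payload bytes."""
    return [(sport, dport, data[i:i + mss]) for i in range(0, len(data), mss)]


def evaluate(body: bytes, mss: int = 1460, sport: int = 80) -> Dict[str, object]:
    """Run both checks over one server-to-client response (the client side
    is an arbitrary ephemeral port) and report what each would have caught."""
    segs = segmentize(http_response(body), mss, sport, 49152)
    per_segment = [fpm_matches(s) for s in segs]
    return {
        "segments": len(segs),
        "fpm_per_segment": per_segment,
        "fpm_any": any(per_segment),
        "stream": stream_matches(segs),
    }


# The exploit page delivers the link to the client inside the HTML, so it
# travels server -> client with source port 80; that is why the posted
# class-maps match source ports as well as destination ports.
LINK = b'<a href="hcp://services/search?query=help">Help and Support</a>'


def case_early() -> Dict[str, object]:
    """Link inside the first 256 payload bytes: both checks see it."""
    return evaluate(b"<html><body>" + LINK + b"</body></html>")


def case_deep() -> Dict[str, object]:
    """Link after ~1 KB of filler: still in the first segment, but past the
    256-byte window, so the per-packet check misses it."""
    body = b"<html><body>" + b"<p>filler text</p>" * 60 + LINK + b"</body></html>"
    return evaluate(body)


def case_split() -> Dict[str, object]:
    """Segment boundary placed between "hc" and "p://": neither segment
    contains the whole string, so only the reassembled check fires."""
    body = b"<html><body>" + LINK + b"</body></html>"
    cut = http_response(body).index(b"hcp://") + 2
    return evaluate(body, mss=cut)


def case_other_port() -> Dict[str, object]:
    """Same page served on TCP/8000: outside the port list, so FPM never
    looks at the payload at all."""
    return evaluate(b"<html><body>" + LINK + b"</body></html>", sport=8000)


if __name__ == "__main__":
    for name, fn in [("early", case_early), ("deep", case_deep),
                     ("split", case_split), ("port 8000", case_other_port)]:
        r = fn()
        print(f"{name:>9}: segments={r['segments']} "
              f"fpm={r['fpm_any']} stream={r['stream']}")
```

The point of the four cases is the one a packet capture of a real HCP:// conversation would settle: a per-packet match with a 256-byte window only fires when the string lands early in a segment, so where the link sits in the server's HTML response, how the response is segmented, and which port serves it decide whether the FPM policy drops anything. The reassembled check is what a stateful engine on the ASA or IPS side has to work with instead, and it still sees nothing once the session is inside SSL.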