DISCLAIMER - I work for an IPS vendor... ;)
Hi guys,
It's not very efficient to use an application signature to scan network
traffic for spyware. There is also the risk of false positives - i.e. the
signature will trip with regards to good traffic, and block it.
By far the best, and most fundamental, way to block spyware with a network
based solution is to use a firewall policy to block access to Spyware
servers, so that a) clients can't download Spyware from these sites, and b)
already infected clients can't phone home and send back information.
Any Spyware that doesn't fit this bill (i.e. uses a large pool of server IP
addresses - e.g. something like Skype) would need a signature for detection,
but only use signatures when your basic form of protection at lower layers
cannot do the job.
TopLayer's IPS 5500, for example, maintains an up to date list of IP
addresses of the most common Spyware servers. Use this with the built in
firewall policy, and you've solved 99% of the problem that Spyware causes on
a network connection.
There's absolutely no point chewing up valuable content-checking resources
(even if you have the fastest ASIC/FPGA on the market!), if you can solve
the problem at a lower level. This is a problem all IDS based IPS vendors
face, as they only properly deal with malicious content, rather than
addressing IPS from a practical network level that encompasses firewalling,
rate-based checks, and content-checks to do the job in the fastest, most
efficient way possible.
Regards,
Tim
----- Original Message -----
From: "Jay Archibald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[email protected]>
Sent: Wednesday, October 12, 2005 2:52 AM
Subject: Re: IDS and Spywares
Could anyone in the group name a few IDS which detect spywares? In my
view spywares are to be detected by an antivirus system and not by a
network device.
Your view is correct in the regard that antivirus software should DETECT
and REMOVE spyware, but if you want to protect every device in a network
from the effects of spyware a good defense is still through an IDP or
firewall. Can you guarantee every network host in your network has an
anti-virus client running with the latest definition updates? Even if you
can, spyware/malware creators still have tricky ways of evading
anti-virus/anti-spyware scanners. In my opinion, perimeter security is
still an effective way to secure a network.
Juniper/Netscreen's IDP systems detect and block spyware. The nice thing
about their product is they categorize the spyware into several different
categories: CRITICAL, HIGH, MEDIUM, LOW and INFO. This makes it easier to
build IDS policies for blocking the critical alerts while only alerting on
the low. They currently have over 300 spyware signatures.
They have a good IDP product, but I will say that it is expensive when it
comes to the support contract costs. One other thing I think they could
improve is providing details or references on spyware signatures like they
do with other categories like HTTP or SMTP.
Jay Archibald
Student - Norwich University
Master of Science in Information Assurance
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, October 07, 2005 12:12 AM
Subject: IDS and Spywares
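The layered policy the two replies describe, a cheap firewall address check first and content signatures with severity-tiered actions only for the traffic the firewall cannot decide, as an added Python illustration. This is not code from either poster, nor from the TopLayer or Juniper products they mention; the blocklist networks (RFC 5737 documentation ranges), the signature patterns, the severity tiers and the sample flows are all constructed here for the example.

```python
"""Layered spyware policy: address blocklist first, signatures second, tiered by severity.

Added illustration. Blocklist entries, signatures and flows below are constructed
sample data, not a vendor feed or real spyware infrastructure.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed connection and whatever payload the sensor has so far."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW / INFO (hypothetical tiers)
    pattern: re.Pattern


# Hypothetical spyware server netblocks (RFC 5737 documentation space, not real).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.17/32")]

# Hypothetical content signatures; the patterns are placeholders, not vendor rules.
SIGNATURES = [
    Signature("spyware-phone-home-beacon", "CRITICAL",
              re.compile(rb"^POST /beacon\.php ", re.M)),
    Signature("adware-tracking-cookie", "LOW",
              re.compile(rb"^Cookie: .*\btrk_id=", re.M)),
]

# Severity-tiered policy: block these tiers, only alert on any other match.
BLOCK_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def lookup_blocklist(ip_str, blocklist=BLOCKLIST):
    """Return the blocklist network containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in blocklist:
        if ip in net:
            return net
    return None


def evaluate(flow, blocklist=BLOCKLIST, signatures=SIGNATURES,
             block_severities=BLOCK_SEVERITIES):
    """Return (action, reason, layer) for one flow.

    Layer 1 (firewall) is an address lookup that never reads the payload. It is
    checked in both directions so that a client fetching from a listed server
    (download) and an infected client contacting one (phone-home) are both
    stopped. Layer 2 (signatures) only runs on traffic layer 1 could not decide.
    """
    for ip in (flow.dst, flow.src):
        net = lookup_blocklist(ip, blocklist)
        if net is not None:
            return ("block", f"address matches blocklist entry {net}", "firewall")
    for sig in signatures:
        if sig.pattern.search(flow.payload):
            action = "block" if sig.severity in block_severities else "alert"
            return (action, f"{sig.name} [{sig.severity}]", "signature")
    return ("allow", "", "none")


def run(flows, **policy):
    """Evaluate a batch and tally how many payloads reached the content layer."""
    summary = {"blocked_by_firewall": 0, "blocked_by_signature": 0,
               "alerted": 0, "allowed": 0, "payloads_inspected": 0}
    for flow in flows:
        action, _reason, layer = evaluate(flow, **policy)
        if layer != "firewall":
            summary["payloads_inspected"] += 1  # firewall hits never reach the scanner
        if action == "block":
            summary["blocked_by_" + layer] += 1
        elif action == "alert":
            summary["alerted"] += 1
        else:
            summary["allowed"] += 1
    return summary


# Constructed sample traffic: internal clients in 10.0.0.0/8, external hosts in RFC 5737 space.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.44", 80, b"GET /install.exe HTTP/1.1\r\nHost: dl.example\r\n\r\n"),
    Flow("198.51.100.17", "10.0.0.6", 4444, b""),
    Flow("10.0.0.7", "203.0.113.9", 80, b"POST /beacon.php HTTP/1.1\r\nHost: c2.example\r\n\r\nid=7"),
    Flow("10.0.0.8", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nCookie: sess=1; trk_id=42\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.11", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}", evaluate(f))
    print(run(SAMPLE_FLOWS))
```

Two of the five sample flows are decided by the address lookup alone, so only three payloads ever reach the pattern matcher; that ratio is the resource argument in the first reply. Passing a wider `block_severities` set to `run` turns the LOW cookie match from an alert into a block, which is the policy tiering the second reply describes. The caveat a practitioner should keep in mind is that a blocklist is only as good as its freshness: an address that has since been reassigned to a legitimate host is a false positive just as surely as a loose signature is, so the list needs the same maintenance discipline as the signature set, and services that hop across large address pools still need the signature layer.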
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------