Potential Countermeasures
Marcus Ranum, founder of NFR, Inc., delivered
a talk at the Blackhat Briefings 1999 on building "burglar alarms"
and "booby traps." He mentioned that the best defense is to build
proper perimeter security and to lock down each system individually. However,
to ensure that the perimeter or system security isn't breached, a burglar alarm
or a booby trap can be installed in the network or on systems. A burglar alarm
would be a sniffer loaded with packet sniffing rules that are the exact inverse
of the rules applied by the firewall. That is, ideally, if the firewall is
working perfectly, no packets would be picked up by the sniffer. But, if a
packet is picked up by the sniffer, the firewall has been circumvented somehow.
Many difficulties arise in using IDSs
effectively to detect Web attacks, largely because of the nature of HTTP
requests and of interaction with Web applications. Because there are many ways of doing
the same thing, the overall mechanism of an IDS can't cope with all of them; it
is best suited to detecting singular events. Building or configuring an IDS for
detecting Web attacks should therefore be based on the following concepts.
SSL Decryption
With regard to intrusion detection for Web
traffic, SSL is the greatest hurdle. Network IDSs operate in a
man-in-the-middle manner, picking up network traffic before it reaches the
endpoint and analyzing it for attack signatures. SSL was designed specifically
to render any man-in-the-middle eavesdropping ineffective. Designing an IDS to
work with SSL is an exercise that somewhat defeats the very purpose of SSL
itself.
However, as mentioned previously, we could
either populate the IDS with the server-side SSL certificates and private keys so that it can
perform SSL decryption, or have a reverse HTTP proxy that decrypts the SSL
traffic and then passes it to back-end Web servers. In the latter situation,
the IDS can be positioned between the reverse HTTP proxy and the back-end Web
servers.
URL Decoding
The most common technique for evading detection
by an IDS is to alter the URL string so that it isn't picked up by the
signature matching mechanism. For an IDS to identify attacks successfully, even
when URLs are altered, a URL decoding mechanism should be inserted before the
signature matching mechanism. Such a system would eliminate both false
positives and false negatives, as described earlier in this chapter.
URL decoding has certain drawbacks. Performing URL decoding
for Web traffic would be a resource-intensive task if the volume of network
packets is quite high. Also, the IDS would need to separate the application
layer data from the packets before performing URL decoding.
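The following is an added example, not code from the original text: a small Python canonicalizer placed in front of a plain substring signature matcher, run once on the raw URL and once on the decoded form so the difference is visible. The signature list, the decode-round bound (the resource limit hinted at above) and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature list: substrings the matcher looks for in the
# canonical form of a request URL. Hypothetical, for illustration only.
SIGNATURES = ("../", "/etc/passwd", "<script")

# Bound on repeated decoding so a hostile input cannot make the decoder
# loop; decoding is the resource-intensive step the text warns about.
MAX_DECODE_ROUNDS = 3


def canonicalize_url(raw: str) -> str:
    """Return the canonical form of a URL as the signature matcher should see it.

    Percent-decode until the string stops changing (handles double encoding),
    treat backslashes as slashes, collapse runs of slashes and fold case so
    that '%2E%2e/' and '../' compare equal.
    """
    url = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    url = url.replace("\\", "/")
    url = re.sub(r"/{2,}", "/", url)
    return url.lower()


def match_signatures(url: str) -> list[str]:
    """Plain substring matcher standing in for the IDS signature engine."""
    return [sig for sig in SIGNATURES if sig in url]


def inspect_request(raw: str) -> dict:
    """Run the matcher on the raw URL (no decoder) and on the canonical form
    (decoder inserted before the matcher) and report both hit lists."""
    return {
        "raw_hits": match_signatures(raw.lower()),
        "decoded_hits": match_signatures(canonicalize_url(raw)),
    }


if __name__ == "__main__":
    # Constructed sample requests: single-encoded, double-encoded and benign.
    for req in ("/cgi-bin/%2e%2e/%2e%2e/etc/%70asswd",
                "/scripts/%252e%252e%252fboot.ini",
                "/index.html?q=hello%20world"):
        print(req, "->", inspect_request(req))
```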
Until an IDS built with artificial intelligence proves to be
successful and effective, Web server security administrators should rely more
on locking down the Web server and Web application and on inspecting Web server logs
for malicious activity, rather than relying entirely on IDSs to detect attacks.