March 25, 2003
In This Issue
Tech Talk

Another Look at the Application Firewall

Recently, a "zero day" vulnerability appeared in Microsoft's premier server operating system. The term "zero day" describes a problem that is already being actively exploited by attackers in the wild before either the security community or the software vendor knows about it. It is the threat vendors fear most: a hole that is harmful and in active use, with no patch to keep the attacker out.

The vulnerability existed in an ANSI to Unicode string conversion routine within the core of the Microsoft operating system. The unknown discoverer of this vulnerability found that the WebDAV portion of Microsoft's IIS server uses this routine, offering this person a quick and dirty way to attack Windows servers.

These instances of "unknown" vulnerabilities, for which no patch is immediately available, were the impetus for our decision to design and implement the world's first and most advanced application firewall for Microsoft's IIS software - SecureIIS™. We spent many long nights discussing how specific portions of IIS could be vulnerable, and how a piece of purpose-built security software could stop not just specific known attacks, but entire classes of vulnerability.

The WebDAV vulnerability is what is known as a buffer overflow, unfortunately not an uncommon term in connection with Microsoft's IIS servers. When developing SecureIIS, we realized that these types of vulnerabilities could be stopped by correctly analyzing the input fed to the server on many levels, passing it through many layers of examination and validation. Buffer overflows tend to fit a specific modus operandi: they shove large amounts of data into places where the program expected less, causing the data to "overflow the buffer". This results in a variety of ill effects, most notably the execution of code in the attacked process.
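As an added example (not SecureIIS's code and not from the original column), the following C shows the kind of length-bounding check an application-layer filter can apply before request data reaches a handler: every request line and header is measured against a limit, and a copy into a fixed-size buffer is refused outright rather than allowed to run past the end. The limits, verdict names, and sample requests are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for illustration; not SecureIIS's real configuration. */
#define MAX_REQUEST_LINE 2048
#define MAX_HEADER_LINE  1024
#define MAX_HEADERS      64

enum verdict {
    ACCEPT = 0,
    REJECT_REQUEST_LINE,   /* method/URI/version line too long (or empty) */
    REJECT_HEADER_LINE,    /* a single header line too long */
    REJECT_HEADER_COUNT,   /* too many headers */
    REJECT_MALFORMED       /* header block never terminated by a blank line */
};

/* Measure every line of the request head against its limit before any of it
   is handed to application code. Nothing here is copied into a fixed buffer;
   the input is only scanned, so an oversized line cannot overflow anything. */
enum verdict check_request(const char *req, size_t len)
{
    size_t line_start = 0, line_no = 0, headers = 0;
    for (size_t i = 0; i < len; i++) {
        if (req[i] != '\n')
            continue;
        size_t line_len = i - line_start;
        if (line_len > 0 && req[i - 1] == '\r')
            line_len--;                          /* ignore the CR of CRLF */
        if (line_no == 0) {
            if (line_len == 0 || line_len > MAX_REQUEST_LINE)
                return REJECT_REQUEST_LINE;
        } else {
            if (line_len == 0)
                return ACCEPT;                   /* blank line ends the headers */
            if (line_len > MAX_HEADER_LINE)
                return REJECT_HEADER_LINE;
            if (++headers > MAX_HEADERS)
                return REJECT_HEADER_COUNT;
        }
        line_no++;
        line_start = i + 1;
    }
    return REJECT_MALFORMED;
}

/* Handler-side counterpart: copy into a fixed-size buffer only when the data
   fits with room for the terminator; otherwise refuse. This is the bounded
   form of the unchecked copy that a buffer overflow relies on. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed sample requests. */
enum verdict demo_normal_request(void)
{
    const char *req = "GET /index.html HTTP/1.1\r\n"
                      "Host: www.example.com\r\n"
                      "User-Agent: demo\r\n"
                      "\r\n";
    return check_request(req, strlen(req));
}

enum verdict demo_oversized_header(void)
{
    static char req[8192];
    size_t n = (size_t)snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: ");
    memset(req + n, 'A', 4000);               /* 4000-byte header value */
    n += 4000;
    memcpy(req + n, "\r\n\r\n", 4);
    n += 4;
    return check_request(req, n);
}

enum verdict demo_truncated_request(void)
{
    const char *req = "GET / HTTP/1.1\r\nHost: www.example.com\r\n";
    return check_request(req, strlen(req));   /* no blank line: incomplete */
}

/* Try to fit n bytes of 'A' into a 64-byte field: 0 if accepted, -1 if refused. */
int demo_bounded_copy(size_t n)
{
    char field[64];
    char src[256];
    if (n > sizeof src)
        return -1;
    memset(src, 'A', n);
    return copy_bounded(field, sizeof field, src, n);
}

int main(void)
{
    printf("normal=%d oversized=%d truncated=%d copy63=%d copy64=%d\n",
           demo_normal_request(), demo_oversized_header(),
           demo_truncated_request(), demo_bounded_copy(63), demo_bounded_copy(64));
    return 0;
}
```

The point of the two halves is that the filter never needs to trust the handler's buffer sizes: it rejects on length alone, and the handler independently refuses anything that would not fit, so an oversized field is dropped at whichever layer sees it first.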

Why an application firewall? Why not just a network firewall or IDS?

While traditional firewalls and intrusion detection systems are important parts of your overall security architecture, they tend to fall short of completely protecting your web servers from unknown vulnerabilities. As an analogy, you can liken your web server to a bank vault: firewalls act as the thick doors, IDS are the burglar alarms, and the application firewall is the sentry sitting inside of the vault itself.

Firewalls are designed to limit exposure and reduce the risk of someone just wandering into your network; however, they need to be flexible enough to allow "normal" network traffic to pass through. IDS tend to watch for specific attacks for which signatures have been developed. Even when IDS cross the line into "anomaly detection" systems, they often do not know enough about the many software applications they are protecting to provide complete protection for all of them.

Application firewalls are designed with a specific software application in mind. Knowing everything there is to know about how the software can be attacked and compromised, as well as being able to inspect and verify data at the same time that the software is processing it, allows application firewalls to provide the ultimate in protection.

Although zero-day vulnerabilities can take everyone by surprise, fortunately, thanks to the innovations of SecureIIS and the other application firewalls and tools that followed, not all software has to be vulnerable.

Ryan Permeh,
Software Engineer

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

VNUNET: Mutant CodeRed II Worm on the Loose
"A mutant version of the infamous CodeRed worm has emerged in the wild, security experts have warned. CodeRed.F differs in only two bytes of code from the original CodeRed II." Full Article

CNET: Microsoft Patch Freezes Some Systems
"A patch for a security flaw that affects Microsoft's Web server software running on Windows 2000 has caused system freezes for some customers, the company said Thursday." Full Article

InfoSec: Serious Sun Advisory Released Ahead of Schedule
"Sun Microsystems yesterday released a patch for a serious vulnerability that affects a number of vendors' applications and could allow denial of service, execution of arbitrary code or the disclosure of sensitive information, depending on the affected application. A leaked Computer Emergency Response Team (CERT) advisory detailing the flaw was posted to the Full Disclosure security mailing list Sunday." Full Article

SecurityFocus: Homeland Cybersecurity Efforts Doubted
"As the new Department of Homeland Security swallows nearly every cybersecurity office in the U.S. government, high-profile leaders are jumping ship, and analysts worry that only meager funding and muddled goals remain." Full Article

Reader Q&A

Q: Is there a way to overcome problems associated with data capture on switched networks? Why does this happen and what options are available when using a network traffic analyzer?

A: The efficiency of switched networks makes capturing network traffic difficult. Similarly, switched networks complicate the effective deployment of IDS sensors. A switch delivers to each machine only the traffic destined for that machine, plus broadcast traffic (i.e. frames addressed to the MAC address FF:FF:FF:FF:FF:FF). Because of this, users of a network traffic analyzer sometimes only see data to and from the adapter in the machine the analyzer is installed on.

To overcome these barriers, options exist at the hardware level to allow effective monitoring of network traffic. For instance, you may plug a machine with a network traffic analyzer such as eEye's Iris® installed into the monitor port of your switch (if one is present), or enable 'port mirroring' (also called 'port spanning') to replicate traffic to the port the analyzing machine is plugged into. Also, if you want to target Internet-specific traffic, you could place a regular, non-switched hub between your primary switch and your Internet connection, and plug the analyzing machine into the hub as well. Using these methods, you will be able to "sniff" the traffic across the hub.
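To check whether a monitor port, port mirroring, or an inline hub is actually delivering other hosts' traffic to the analyzer, the following C (an added example, not part of the original Q&A and not code from Iris or any eEye tool) reads a libpcap-format capture from memory and classifies each frame by destination MAC: addressed to the sniffer's own adapter, broadcast (FF:FF:FF:FF:FF:FF), multicast, or unicast between two other hosts. On a switched port, a capture with no frames in that last class is one where mirroring is not in effect. The MAC addresses and the sample capture are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counts of captured frames by destination address class. */
struct visibility { unsigned to_self, broadcast, multicast, other_unicast, total; };

static const unsigned char BROADCAST[6] = {0xff,0xff,0xff,0xff,0xff,0xff};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify one Ethernet frame by its destination MAC (the first 6 bytes). */
static int classify_frame(const unsigned char *frame, size_t len,
                          const unsigned char local_mac[6], struct visibility *v)
{
    if (len < 14)
        return -1;                          /* shorter than an Ethernet header */
    v->total++;
    if (memcmp(frame, local_mac, 6) == 0)
        v->to_self++;
    else if (memcmp(frame, BROADCAST, 6) == 0)
        v->broadcast++;
    else if (frame[0] & 0x01)
        v->multicast++;                     /* group bit set in first octet */
    else
        v->other_unicast++;                 /* unicast between two other hosts */
    return 0;
}

/* Walk a libpcap file image held in memory: 24-byte global header, then
   16-byte record headers (ts_sec, ts_usec, incl_len, orig_len), each followed
   by incl_len bytes of frame. Little-endian magic and link type 1 (Ethernet)
   only. Returns 0 on success, -1 on a malformed or truncated file. */
int analyze_pcap(const unsigned char *buf, size_t len,
                 const unsigned char local_mac[6], struct visibility *v)
{
    memset(v, 0, sizeof *v);
    if (len < 24 || le32(buf) != 0xa1b2c3d4u || le32(buf + 20) != 1)
        return -1;
    size_t off = 24;
    while (off + 16 <= len) {
        uint32_t incl_len = le32(buf + off + 8);
        off += 16;
        if (incl_len > len - off)
            return -1;                      /* truncated record */
        if (classify_frame(buf + off, incl_len, local_mac, v) != 0)
            return -1;
        off += incl_len;
    }
    return off == len ? 0 : -1;
}

/* ---- constructed sample capture (no real network data) ---- */
static const unsigned char LOCAL_MAC[6] = {0x00,0x11,0x22,0x33,0x44,0x55};

/* Append one record holding a minimal 14-byte frame; returns bytes written. */
static size_t put_frame(unsigned char *out, const unsigned char dst[6])
{
    static const unsigned char src[6] = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};
    memset(out, 0, 16);
    out[8] = 14;                            /* incl_len */
    out[12] = 14;                           /* orig_len */
    memcpy(out + 16, dst, 6);
    memcpy(out + 22, src, 6);
    out[28] = 0x08; out[29] = 0x00;         /* EtherType IPv4 */
    return 30;
}

/* with_mirror adds frames that only a mirror/SPAN port or hub would deliver. */
static size_t build_capture(unsigned char *out, int with_mirror)
{
    static const unsigned char hdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0,
                                          0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
    static const unsigned char other[6] = {0x00,0x99,0x88,0x77,0x66,0x55};
    static const unsigned char mcast[6] = {0x01,0x00,0x5e,0x00,0x00,0x01};
    memcpy(out, hdr, 24);
    size_t n = 24;
    n += put_frame(out + n, LOCAL_MAC);
    n += put_frame(out + n, BROADCAST);
    if (with_mirror) {
        n += put_frame(out + n, other);
        n += put_frame(out + n, mcast);
    }
    return n;
}

/* Number of unicast frames addressed to other hosts, or -1 on parse error. */
int demo_foreign_unicast(int with_mirror)
{
    unsigned char buf[256];
    struct visibility v;
    size_t n = build_capture(buf, with_mirror);
    return analyze_pcap(buf, n, LOCAL_MAC, &v) == 0 ? (int)v.other_unicast : -1;
}

/* 1 if the capture shows traffic a plain switched port would never deliver. */
int demo_verdict(int with_mirror)
{
    int foreign = demo_foreign_unicast(with_mirror);
    return foreign < 0 ? -1 : foreign > 0;
}

int main(void)
{
    printf("mirrored: foreign unicast=%d; unmirrored: foreign unicast=%d\n",
           demo_foreign_unicast(1), demo_foreign_unicast(0));
    return 0;
}
```

For a real capture, replace the constructed buffer with the bytes of a file saved by the analyzer and pass the adapter's own MAC as local_mac; a steady stream of foreign unicast frames confirms the monitor port, mirror, or hub is working, while only to_self and broadcast counts means the switch is still isolating the port.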

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

New Product - Retina® Remote Manager
Retina Remote Manager provides users with an intuitive web-based interface designed to augment the remote management of single or distributed deployments of Retina Network Security Scanners within an organization. Retina Remote Manager enables administrators to remotely create, schedule, and view the results of various Retina scans. Full Article

Security Advisory - XDR Integer Overflow
On March 19th eEye, in coordination with CERT, released an advisory regarding vulnerabilities discovered in various libraries used to incorporate XDR into applications, including the Sun Microsystems Network Services Library and BSD-derived libraries with XDR/RPC routines. The vulnerabilities allow for remote code execution on unpatched systems. Full Article

Retina Wins Information Security Excellence Award
Retina Network Security Scanner was voted the industry's top rated vulnerability assessment and security monitoring tool by Information Security Magazine readers. Information Security Magazine presented the Excellence Award at the InfoSec World conference in Orlando, FL this past week. Full Article

InfoWorld Reviews eEye's Enterprise Vulnerability Assessment Solution
From the review: "eEye Digital Security's popular Retina Network Security Scanner is quite capable of keeping an administrator apprised of vulnerabilities on a single network. But there was never a way to extend Retina's capabilities to the enterprise until now. eEye's Enterprise Vulnerability Assessment solution ties individual Retina scanners together, allowing all of them to be managed from a single station." Full Article

Etcetera

CERT Warns of 'Zombie' Networks
The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time, according to security officials. More

Google: Net Hacker Tool du Jour
Why bother pounding at a website in search of obscure holes when you can simply waltz in through the front door? Hackers have recently done just that, turning to Google to help simplify the task of homing in on their targets. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.