cipherdyne.org

26 March, 2007

Yesterday at ShmooCon I gave a talk (slides) about my vision for endowing iptables firewalls with true intrusion detection capabilities and how it can be used as a supplement to existing IDS infrastructure. This hinges upon using the iptables string match extension to inspect application layer data for malicious characteristics that are pointed out by the Snort signature set. The process of translating Snort signatures into equivalent iptables commands is automated by fwsnort.

(Update: 12/09/2007): A video of my talk is available here.

One thing I tried to emphasize in this talk is that there are real cases for automatically responding to network attacks - for example, consider the following scenario:

• A remotely exploitable vulnerability is found within some server software X that you have deployed in your network. Suppose this server is a critical corporate application, and taking it down so that it can be upgraded or patched requires an scheduling outage window.
• Some blackhat writes a worm that exploits this new vulnerability, and the worm begins spreading.
• The Snort community develops a signature for the worm and suppose this signature does not require fancy Snort rule options such as pcre or asn1, and so this signature can be translated by fwsnort.
• Because the server software cannot just be taken down to be fixed immediately, there is a window of time in which the worm may successfully compromise systems that are running this server software.

In the above scenario, the best way to protect the vulnerable server application from attack would be to deploy a piece of inline code that has the capability of intercepting and stopping the malicious data before it can reach the application. In some cases, fwsnort along with iptables can provide this functionality.