Out of the box intrusion prevention systems. Test Drive
Hello, Khabrovchans! 
Today we want to talk about how intrusion detection / prevention systems cope with their task right after you get them out of the box, initialize them and put them on your network. The following hardware platforms will participate in today's test drive:
• Cisco IPS 4240;
• IBM Proventia GX4004;
• StoneGate IPS 1060.
Based on our experience, approximately 80% of IPS organizations are not configured properly. This is due to the fact that there is simply no one to configure them or the system was installed only “for show” to meet one or another of the requirements of regulators. Therefore, we decided to compare the intrusion detection systems on the default settings.
In the article we want to share the results of our test drive with respected Harazhitelami.
All interested are invited to cat.
Here, in fact, our experimental subjects:
First, we give a few dry numbers characterizing the performance characteristics of hardware platforms, taken from open sources of information:
We will compare the work of three IPS under the same conditions: work in IDS mode (comparison was carried out in a real network), work in IPS mode and “very conditional” load testing (comparison was carried out in the laboratory). As a result, we get a summary table with data on the number of vulnerabilities found and blocked.
I would immediately like to stipulate that the comparison took place on the latest available version of the software and with the latest signatures at the time of testing, the default policies were used to detect and block threats .
Testing of the hardware platforms of intrusion detection systems in IDS mode (network activity monitoring) was carried out according to the scheme shown in the figure below, by connecting all the glands to the span ports of the Cisco Catalyst 3750 switch, which mirrored traffic from the organization’s real network.
After three days of working in the network monitoring mode, IPS found the following number of vulnerabilities / attacks (we took into account only High, Medium and Low vulnerabilities, Info vulnerabilities were not taken into account):
• Cisco IPS 4240 - 17 vulnerabilities / attacks;
• IBM Proventia GX4004 - 32 vulnerabilities / attacks;
• StoneGate IPS 1060 - 103 vulnerabilities / attacks.
There are not so many common vulnerabilities / attacks that all pieces of iron could detect:
• ICMP Network Sweep w / Address Mask;
• ICMP Network Sweep w / Timestamp;
• TCP_Port_Scan;
• UDP_Port_Scan;
• ICMP_Subnet_Mask_Request;
• ICMP_Timestamp_Request.
A summary table with a list of all found vulnerabilities / attacks and a breakdown by pieces of iron can be viewed under the spoiler.
It is worth noting that IPS in monitoring mode can not only detect attacks, but also find vulnerable services and applications on the network, for example, use the default settings of the SNMP community, use empty passwords, and non-updated software.
Testing of the hardware platforms of the intrusion detection systems in IPS mode (monitoring network activity and blocking malicious traffic) was carried out according to the scheme shown in the figure below, by switching on all the hardware platforms in Inline mode (in the gap) between the Attacking Workstation and the Victims (servers). Microsoft Windows 2003 R2 OS and the following application software were installed on the Victims:
• Oracle express 10g;
• MySQL 5.2;
• Apache 2.2.26;
• WEB IIS 6 / FTP ISS 6;
• Filezilla FTP Server 0.9.41 beta;
• TFTPD 32 4.0;
• MSSQL Express 2005.
From the attacker's workstation, Nessus scanned the victims using the Nessus security scanner and determined the list of vulnerable services running on them. After scanning, attempts were made to exploit vulnerabilities (launch exploits) on the Victims using the Metasploit Framework exploit pack.
The following is a summary table of the IPS response to attacks:
It can be seen that IPS with default settings are not able to block all attacks, even those using not the latest vulnerabilities. Therefore, it is strongly recommended to configure the piece of iron specifically for your needs and services.
This testing was carried out using the hping3 utility (you can read about the utility here ) from the Backtrack 5 R3 distribution kit. The purpose of the testing was to check the IPS "resistance" to flood attacks, i.e. we did not try to compare the performance of devices, but only examined their response to overload.
Description of the stand:
IPS was installed in the gap between the attacking node (Backtrack 5 R3 OS) and the victim node (Windows Server 2003 R2 OS). The hping3 utility was launched within 5 minutes with the “--flood” parameter, this key allows you to use the maximum possible packet generation speed.
Command example:
Below is a summary table with the results:
As we can see, none of the IPS systems (at the default settings) was able to protect the node from a flood attack. Cisco and IBM in the logs issued alerts and did not try to block the attack, StoneGate began to block connections, but went to reboot, and the attack on the victim successfully continued. This is due to the fact that the default mode of operation of inline interfaces is set to fail-open, i.e. all traffic flows freely between interfaces without inspection in the event of a hardware platform failure.
If you decide to install IPS in order to really protect your users or some important services from external threats and be aware of what is happening on your network, then we recommend fine-tuning the hardware. A properly tuned IPS can close a very large number of security holes, even if it is already old and weak. And on the default settings, none of the manufacturers showed results that could be called "impressive".
Thank you all for your attention!
Glebov Maxim, Selishchev Ivan
Today we want to talk about how intrusion detection / prevention systems cope with their task right after you get them out of the box, initialize them and put them on your network. The following hardware platforms will participate in today's test drive:
• Cisco IPS 4240;
• IBM Proventia GX4004;
• StoneGate IPS 1060.
Based on our experience, approximately 80% of IPS organizations are not configured properly. This is due to the fact that there is simply no one to configure them or the system was installed only “for show” to meet one or another of the requirements of regulators. Therefore, we decided to compare the intrusion detection systems on the default settings.
In the article we want to share the results of our test drive with respected Harazhitelami.
All interested are invited to cat.
A few words about IPS
Система предотвращения вторжений (Intrusion Prevention System) — программная или аппаратная система сетевой и компьютерной безопасности, обнаруживающая вторжения или нарушения безопасности и автоматически защищающая от них.
Системы IPS можно рассматривать как расширение систем обнаружения вторжений (IDS), так как задача отслеживания атак остается одинаковой. Однако они отличаются тем, что IPS должна отслеживать активность в реальном времени и быстро реализовывать действия по предотвращению атак. Возможные меры — блокировка потоков трафика в сети, сброс соединений, выдача сигналов оператору. Также IPS могут выполнять дефрагментацию пакетов, переупорядочивание пакетов TCP для защиты от пакетов с измененными SEQ и ACK номерами и т.п.
Системы IPS можно рассматривать как расширение систем обнаружения вторжений (IDS), так как задача отслеживания атак остается одинаковой. Однако они отличаются тем, что IPS должна отслеживать активность в реальном времени и быстро реализовывать действия по предотвращению атак. Возможные меры — блокировка потоков трафика в сети, сброс соединений, выдача сигналов оператору. Также IPS могут выполнять дефрагментацию пакетов, переупорядочивание пакетов TCP для защиты от пакетов с измененными SEQ и ACK номерами и т.п.
Technical Description of Compared IPS
Here, in fact, our experimental subjects:
First, we give a few dry numbers characterizing the performance characteristics of hardware platforms, taken from open sources of information:
Test drive program
We will compare the work of three IPS under the same conditions: work in IDS mode (comparison was carried out in a real network), work in IPS mode and “very conditional” load testing (comparison was carried out in the laboratory). As a result, we get a summary table with data on the number of vulnerabilities found and blocked.
I would immediately like to stipulate that the comparison took place on the latest available version of the software and with the latest signatures at the time of testing, the default policies were used to detect and block threats .
Our "racing track"
Work in IDS mode
Testing of the hardware platforms of intrusion detection systems in IDS mode (network activity monitoring) was carried out according to the scheme shown in the figure below, by connecting all the glands to the span ports of the Cisco Catalyst 3750 switch, which mirrored traffic from the organization’s real network.
After three days of working in the network monitoring mode, IPS found the following number of vulnerabilities / attacks (we took into account only High, Medium and Low vulnerabilities, Info vulnerabilities were not taken into account):
• Cisco IPS 4240 - 17 vulnerabilities / attacks;
• IBM Proventia GX4004 - 32 vulnerabilities / attacks;
• StoneGate IPS 1060 - 103 vulnerabilities / attacks.
There are not so many common vulnerabilities / attacks that all pieces of iron could detect:
• ICMP Network Sweep w / Address Mask;
• ICMP Network Sweep w / Timestamp;
• TCP_Port_Scan;
• UDP_Port_Scan;
• ICMP_Subnet_Mask_Request;
• ICMP_Timestamp_Request.
A summary table with a list of all found vulnerabilities / attacks and a breakdown by pieces of iron can be viewed under the spoiler.
Vulnerabilities Found
| Сигнатуры | Cisco IPS 4240 | IBM Proventia GX4004 | Stonegate IPS 1060 |
| ICMP Network Sweep w/Address Mask | + | + | + |
| ICMP Network Sweep w/Timestamp | + | + | + |
| Microsoft Windows CIFS Clientside Buffer Overflow (CVE-2011-0654) | + | - | - |
| SNMP Protocol Violation (CVE-2002-0012, CVE-2002-0013) | + | - | - |
| UPnP LOCATION Overflow | + | - | - |
| Invalid DHCP Packet (CVE-2004-1111) | + | - | - |
| TCP Segment Overwrite | + | - | - |
| DHCP Client DoS (CVE-2008-0084) | + | - | - |
| TCP MSS exceeds maximum | + | - | - |
| SQL Query in HTTP Request (CVE-2005-4643, CVE-2006-0581) | + | - | - |
| Email_Calendar_Code_Exec (CVE-2007-0039) | - | + | - |
| Email_Mime_Filename_Overflow (CVE-1999-0004) | - | + | - |
| Email_Mime_Name_Overflow | - | + | - |
| HTML_UTF8_Overflow (CVE-2006-2382) | - | + | - |
| HTTP_CheckPoint_FW1_FormatString (CVE-2004-0039) | - | + | - |
| Image_JPEG_IE_Component_Overflow (CVE-2005-2308) | - | + | - |
| OTF_Windows_Cmap_Table_Corruption (CVE-2010-3959) | - | + | - |
| PsExec_Service_Accessed | - | + | - |
| PsExec_Installed | - | + | - |
| Script_IE_Improper_Ref_Counting (CVE-2012-4787) | - | + | - |
| SMB_Empty_Password | - | + | - |
| BackOrifice_Ping (CVE-1999-0660) | - | + | - |
| Email_Executable_Extension | - | + | - |
| Flash_NavigateToURL_XSS (CVE-2007-6244) | - | + | - |
| HTTP_Connect_Proxy_Bypass_SMTP | - | + | - |
| HTTP_Field_With_Binary | - | + | - |
| HTTP_Proxy_Cache_Poisoning (CVE-2005-1215) | - | + | - |
| HTTP_URL_repeated_char | - | + | - |
| HTTPS_Proxy_Info_Disclosure (CVE-2005-2830) | - | + | - |
| ICMP_Flood | - | + | - |
| Ping_Sweep | - | + | - |
| Smurf_Attack (CVE-1999-0513) | - | + | - |
| SNMP_Default_Backdoor (CVE-2000-0147) | - | + | - |
| TCP_Port_Scan | + | + | + |
| UDP_Port_Scan | + | + | + |
| DNS_Version_Request | - | + | - |
| HTTP_Authentication | - | + | - |
| HTTP_Microsoft_Error_Report | - | + | - |
| ICMP_Subnet_Mask_Request | + | + | + |
| ICMP_Timestamp_Request | + | + | + |
| ASN.1_Oversize-Block | - | - | + |
| HTTP_CRL-Excessively-Long-Options-Request-Argument (CVE-2010-0361) | - | - | + |
| SMTP_CS-Novell-Groupwise-Client-Img-Tag-Src-Parameter-Buffer-Overflow (CVE-2007-6435) | - | - | + |
| MSRPC-TCP_CPS-Samba-Spoolss-RPC-SmbIoNotifyOptionTypeData-Request-Handling-BOF (CVE-2007-2446) | - | - | + |
| SMB-TCP_Negotiate-Protocol-Smb2-Remote-Code-Execution (CVE-2009-3103) | - | - | + |
| File-OLE_Microsoft-Excel-File-Handling-Code-Execution-Vulnerability (CVE-2008-0081) | - | - | + |
| File-OLE_Microsoft-VBA6-Stack-Memory-Corruption (CVE-2010-0815) | - | - | + |
| File-OLE_Microsoft-WordPad-Text-Converter-CVE-2010-2563 | - | - | + |
| File-OLE_Microsoft-WordPad-Text-Converter-Buffer-Overflow (CVE-2010-1900) | - | - | + |
| File-OLE_Microsoft-Excel-Graphic-Object-Deref-Vulnerability-CVE-2011-0977 | - | - | + |
| File-OLE_Microsoft-Office-Word-Sprmcmajority-Record-Buffer-Overflow | - | - | + |
| File-OLE_Microsoft-Excel-Heap-Overflow-Vulnerability-CVE-2011-0098 | - | - | + |
| File-OLE_Microsoft-Excel-Style-Record-Data-Handling-Code-Execution (CVE-2008-0114) | - | - | + |
| File-OLE_Microsoft-Excel-Merge-Cell-Record-Pointer-CVE-2010-3237 | - | - | + |
| File-OLE_Microsoft-Office-Art-Property-Table-Memory-Corruption (CVE-2008-0114) | - | - | + |
| File-OLE_Microsoft-Office-Drawing-Exception-Handling-CVE-2010-3335 | - | - | + |
| File-OLE_Microsoft-Office-Excel-Table-Record-Parsing-Code-Execution (CVE-2010-3232) | - | - | + |
| File-OLE_Microsoft-Graphics-Rendering-Engine-Thumbnail-Stack-Buffer-Overflow (CVE-2010-3970) | - | - | + |
| File-OLE_Microsoft-Office-Excel-Malformed-Records-Stack-Buffer-Overflow (CVE-2009-0559) | - | - | + |
| File-OLE_Microsoft-Office-Excel-Unexpected-Field-Value-Memory-Corruption (CVE-2009-0560) | - | - | + |
| File-OLE_Microsoft-Excel-Version-Information-Handling-Code-Execution (CVE-2010-0262) | - | - | + |
| File-OLE_Microsoft-Word-File-Information-Memory-Corruption-MS09-068 (CVE-2009-2135) | - | - | + |
| File-OLE_Microsoft-Excel-Conditional-Formatting-Values-Handling-Code-Execution (CVE-2008-0117) | - | - | + |
| File-OLE_Autonomy-Keyview-Excel-File-Sst-Parsing-Integer-Overflow | - | - | + |
| File-OLE_Microsoft-Excel-Frtwrapper-Record-Buffer-Overflow (CVE-2008-3471) | - | - | + |
| File-OLE_Microsoft-Excel-Named-Graph-Record-Parsing-Stack-Overflow (CVE-2007-0215) | - | - | + |
| File-OLE_Microsoft-Office-Excel-Remote-Code-Execution-CVE-2009-3134 | - | - | + |
| File-OLE_Microsoft-Excel-Use-After-Free-WriteAV-Vulnerability (CVE-2011-1986) | - | - | + |
| File-OLE_Microsoft-Excel-Array-Indexing-Vulnerability-CVE-2011-1990 | - | - | + |
| File-OLE_Microsoft-Excel-Conditional-Expression-Parsing-Vulnerability (CVE-2011-1989) | - | - | + |
| File-OLE_Microsoft-Excel-Malformed-Fngroupcount-Value-Code-Execution (CVE-2006-1308) | - | - | + |
| File-OLE_Microsoft-Excel-Sst-Invalid-Length-Use-After-Free (CVE-2012-1887) | - | - | + |
| File-OLE_Microsoft-Excel-Memory-Corruption-CVE-2012-1886 | - | - | + |
| File-Binary_Oracle-Java-Runtime-CMM-Readmabcurvedata-Buffer-Overflow (CVE-2010-0838) | - | - | + |
| File-MPEG_Microsoft-DirectShow-QuickTime-Movie-Parsing-Code-Execution (CVE-2009-1537) | - | - | + |
| File-Binary_IBM-Lotus-Notes-1-2-3-Work-Sheet-File-Viewer-Buffer-Overflow | - | - | + |
| File-Text_Mozilla-Firefox-Multiple-URI-Handlers-Command-Execution (CVE-2007-4041, CVE-2007-3896) | - | - | + |
| File-Binary_Adobe-Reader-Security-Bypass-CVE-2013-0624 | - | - | + |
| File-Text_Microsoft-Internet-Explorer-Object-Reference-Count-Memory-Corruption (CVE-2007-3902) | - | - | + |
| File-Text_Microsoft-Internet-Explorer-Virtual-Function-Table-Memory-Corruption (CVE-2011-2001) | - | - | + |
| File-Text_Microsoft-Internet-Explorer-HTML-Layout-CVE-2012-0011 | - | - | + |
| HTTP_Reply-Chunked-Encoded-Chunk-Unparseable | - | - | + |
| TCP_Segment-Content-Conflict | - | - | + |
| TCP_Window-Shrinked | - | - | + |
| Shared_CS-x86-X41nop-Shellcode | - | - | + |
| Shared_SS-x86-X41nop-Shellcode | - | - | + |
| HTTP_CSU-Potential-Dot-Dot-Slash-Directory-Traversal | - | - | + |
| HTTP_CRL-Microsoft-ASP.NET-ViewState-Denial-Of-Service | - | - | + |
| HTTP_CRL-Php-Quot-Print-Encode-Heap-Buffer-Overflow | - | - | + |
| SMB-TCP_Samba-Authentication-Bypass | - | - | + |
| SMB-TCP_MS-Windows-Print-Spooler-Service-Format-String-Vulnerability (CVE-2010-2563) | - | - | + |
| SNMP-UDP_Default-Community-String-Accepted | - | - | + |
| MSRPC_SS-Sourcefire-Snort-Rule20275eval-Buffer-Overflow | - | - | + |
| File-OLE_Microsoft-Excel-Linked-List-Corruption-Vulnerability-CVE-2011-0979 | - | - | + |
| File-OLE_Microsoft-Excel-Memory-Heap-Overwrite-Vulnerability-CVE-2011-1275 | - | - | + |
| File-OLE_Microsoft-Office-PowerPoint-FB1h-Parsing-BOF-CVE-2010-2572 | - | - | + |
| File-OLE_Microsoft-Office-Excel-SxView-SXStreamID-CVE-2010-1245 | - | - | + |
| File-OLE_Microsoft-Office-Excel-Malformed-Object-Record-Parsing-Code-Execution (CVE-2009-0557) | - | - | + |
| File-OLE_Microsoft-Office-Excel-Malformed-LBL-Record-Memory-Corruption (CVE-2009-0558) | - | - | + |
| File-OLE_Microsoft-Excel-Colinfo-Record-Buffer-Overflow (CVE-2006-3875) | - | - | + |
| File-OLE_OpenOffice-OLE-File-Stream-Buffer-Overflow (CVE-2008-0320) | - | - | + |
| File-OLE_Microsoft-Excel-Malformed-Selection-Record-Code-Execution (CVE-2006-1301) | - | - | + |
| File-OLE_Microsoft-Office-Excel-File-Obj-Record-Memory-Corruption (CVE-2008-4264) | - | - | + |
| File-OLE_Microsoft-PowerPoint-OfficeArt-Shape-RCE-Vulnerability (CVE-2011-3413) | - | - | + |
| File-OLE_Microsoft-Excel-MergeCells-Record-Heap-Overflow-Vulnerability (CVE-2012-0185) | - | - | + |
| File-OLE_Microsoft-Office-Excel-Publisher-Record-Memory-Corruption (CVE-2010-1250) | - | - | + |
| File-Text_x86-X41nop-Shellcode | - | - | + |
| HTTP_Reply-Content-Type-Missing | - | - | + |
| UDP_Checksum-Mismatch | - | - | + |
| E-Mail_IMF-Multipart-Delimiter-Use-Invalid | - | - | + |
| E-Mail_IMF-Base64-Length-Inconsistency | - | - | + |
| IP_Checksum-Mismatch | - | - | + |
| DNS_Client-Name-Bad-Label-Type | - | - | + |
| DNS_Client-Class-Unknown | - | - | + |
| TCP_Segment-SYN-Unexpected | - | - | + |
| TCP_Segment-SYN-ACK-Unexpected | - | - | + |
| E-Mail_IMF-Too-Long-Header | - | - | + |
| E-Mail_IMF-Too-Long-Header-Field | - | - | + |
| POP3_Server-Syntax-Error | - | - | + |
| E-Mail_Message-Syntax-Error | - | - | + |
| E-Mail_Content-Transfer-Encoding-Duplicate | - | - | + |
| SMTP_Unknown-Command | - | - | + |
| HTTP_IIS-Unicode-Encoding | - | - | + |
| HTTP_Version-Varies | - | - | + |
| HTTP_Request-Extra-Data | - | - | + |
| TCP_Segment-SYN-ISN-Mismatch | - | - | + |
| DNS-UDP_Nameserver-Version-Query | - | - | + |
| HTTP_CS-Long-HTTP-Authorization-Negotiate-Token | - | - | + |
| HTTP_CSU-Windows-Style-Absolute-Path-In-URI | - | - | + |
| MSRPC-TCP_CPS-Windows-Local-Security-Authority-Username-Disclosure | - | - | + |
| SNMP-UDP_Linux-Kernel-SNMP-NAT-Helper-SNMP-Decode-DoS-2 | - | - | + |
| SNMP-UDP_Default-Community-String-Rejected | - | - | + |
| File-Binary_Windows-LNK-File-Transfer | - | - | + |
| HTTP_SHS-HTTP-0.9-Response-After-HTTP-1.0-Request | - | - | + |
| HTTP_SHS-Content-After-Zero-Content-Length | - | - | + |
| File-PNG_Conflicting-Content-Type-Text | - | - | + |
| File-PNG_Conflicting-Content-Type-Text-Plain | - | - | + |
It is worth noting that IPS in monitoring mode can not only detect attacks, but also find vulnerable services and applications on the network, for example, use the default settings of the SNMP community, use empty passwords, and non-updated software.
IPS Operation
Testing of the hardware platforms of the intrusion detection systems in IPS mode (monitoring network activity and blocking malicious traffic) was carried out according to the scheme shown in the figure below, by switching on all the hardware platforms in Inline mode (in the gap) between the Attacking Workstation and the Victims (servers). Microsoft Windows 2003 R2 OS and the following application software were installed on the Victims:
• Oracle express 10g;
• MySQL 5.2;
• Apache 2.2.26;
• WEB IIS 6 / FTP ISS 6;
• Filezilla FTP Server 0.9.41 beta;
• TFTPD 32 4.0;
• MSSQL Express 2005.
From the attacker's workstation, Nessus scanned the victims using the Nessus security scanner and determined the list of vulnerable services running on them. After scanning, attempts were made to exploit vulnerabilities (launch exploits) on the Victims using the Metasploit Framework exploit pack.
The following is a summary table of the IPS response to attacks:
It can be seen that IPS with default settings are not able to block all attacks, even those using not the latest vulnerabilities. Therefore, it is strongly recommended to configure the piece of iron specifically for your needs and services.
"Very conditional" load testing
This testing was carried out using the hping3 utility (you can read about the utility here ) from the Backtrack 5 R3 distribution kit. The purpose of the testing was to check the IPS "resistance" to flood attacks, i.e. we did not try to compare the performance of devices, but only examined their response to overload.
Description of the stand:
IPS was installed in the gap between the attacking node (Backtrack 5 R3 OS) and the victim node (Windows Server 2003 R2 OS). The hping3 utility was launched within 5 minutes with the “--flood” parameter, this key allows you to use the maximum possible packet generation speed.
Command example:
hping3 ip_address --floodBelow is a summary table with the results:
As we can see, none of the IPS systems (at the default settings) was able to protect the node from a flood attack. Cisco and IBM in the logs issued alerts and did not try to block the attack, StoneGate began to block connections, but went to reboot, and the attack on the victim successfully continued. This is due to the fact that the default mode of operation of inline interfaces is set to fail-open, i.e. all traffic flows freely between interfaces without inspection in the event of a hardware platform failure.
Conclusion
If you decide to install IPS in order to really protect your users or some important services from external threats and be aware of what is happening on your network, then we recommend fine-tuning the hardware. A properly tuned IPS can close a very large number of security holes, even if it is already old and weak. And on the default settings, none of the manufacturers showed results that could be called "impressive".
Thank you all for your attention!
Glebov Maxim, Selishchev Ivan