topic IPS Detects SQL Injection over HTTPS in Network Security

IPS Detects SQL Injection over HTTPS

learnsec — Sun, 10 Mar 2019 12:20:03 GMT

hello

Do you think Cisco IPS is able to detect SQL Injection over HTTPS?

Re: IPS Detects SQL Inhection over HTTPS

gaurash2 — Thu, 21 Apr 2011 05:52:12 GMT

My answer would be NO as cisco does not have the SSL decryption capability yet.

Re: IPS Detects SQL Inhection over HTTPS

learnsec — Thu, 21 Apr 2011 08:36:22 GMT

then if Cisco IPS is not enough to

inspect SSL Traffic, what is the suitable way to amelliorate the security for a large

size company ?

Re: IPS Detects SQL Inhection over HTTPS

learnsec — Fri, 20 May 2011 08:35:55 GMT

any help

Re: IPS Detects SQL Injection over HTTPS

Dustin Ralich — Tue, 24 May 2011 13:35:42 GMT

"In certain situations, it may be possible to detect and prevent SQL injection attacks using an Intrusion Prevention System (IPS). For an IPS to be effective, it must have visibility into the traffic of the application. For applications that use end-to-end encryption with HTTPS (for example, applications that use HTTPS without termination or acceleration at an intermediate network device), an IPS cannot identify traffic with characteristics of a SQL injection attack." per:

Understanding SQL Injection

Re: IPS Detects SQL Injection over HTTPS

learnsec — Tue, 21 Jun 2011 06:32:00 GMT

Thanks, but this lead me to ask you:

an IPS itself is configured and installed in the network, normally, as a layer 2 device.

but it is know that IPS can detect malicous traffic, attacks, vulnerabilities,.. up to layer 4 right?

but what i am not understanding is that when we find the IPS is detecting SQL injection over http, or vulnerabilities of IIS, or Internet Explorer, or microsoft power point, or ... doesn't all that a layer 7 traffic detected? so why IPS is known to be as layer 4 device only?

i hope you can explicitly explain this issue,

regards,

Re: IPS Detects SQL Injection over HTTPS

Dustin Ralich — Tue, 21 Jun 2011 13:50:44 GMT

"A Cisco IPS solution protects the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic at Layers 2 through 7."

"At the core of Cisco IPS solutions are numerous methods for the inspection and analysis of traffic in Layers 2 through 7."

Both quotes per Cisco Intrusion Prevention System Solutions.

Re: IPS Detects SQL Injection over HTTPS

learnsec — Tue, 28 Jun 2011 07:05:13 GMT

Thanks again Dustin,

Can you explain then why if you surf through out the internet comapring between an IPS and a Web Application Firewall (WAF) you do not stop hearing that WAF is for layer 7 Attacks that IPS Cant detect.

So WAF has at least two known advantages compared to IPS, wich are:

- WAF can Detect Attacks hidden behind a HTTPS traffic (through SSL offloading i guess)

- Attacks layer 7 will be detected, IPS can detect only up to layer 4 attacks only.

Regards,

Re: IPS Detects SQL Injection over HTTPS

Dustin Ralich — Thu, 30 Jun 2011 16:56:50 GMT

Thanks again Dustin

You're welcome.

Can you explain then why if you surf through out the internet comapring between an IPS and a Web Application Firewall (WAF) you do not stop hearing that WAF is for layer 7 Attacks that IPS Cant detect.

I personally do not work with dedicated Web Application Firewalls so I cannot speak to their effectiveness, etc. My understanding is that they control input, output, and/or access from, to, or by an application or service by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the WAF. As such, I assume they can be used for enforcing policy compliance and for additional control for specific applications (example: controlling what script can be accessed or what content-type can be transferred, etc.). An IPS device is not designed to provide that type of application-specific control; it is designed to detect/block specific threats [applicable to the application in this comparison].

WAF Example: Detecting and blocking attempts to access script.php on your Apache web server (due to the WAF policy configuration).

IPS Example: Detecting and blocking attempts to exploit a known vulnerability with the version of Apache software running on your web server (due to an enabled IPS signature definition for that threat).

There is probably some overlap between the two (2) types of devices (example: you could possibly configure a WAF to detect/block a particular threat given time and technical expertise; likewise, you could probably create a custom signature on an IPS device to provide some form of limited control such as blocking attempts to access a specific script). But doing so is probably a lot less efficient, more difficult, etc. and is probably subject to limitations for each type of device.

So WAF has at least two known advantages compared to IPS, wich are:

- WAF can Detect Attacks hidden behind a HTTPS traffic (through SSL offloading i guess)

So can an IPS device (if the HTTPS is terminated or accelerated at an intermediate network device and the IPS device is inspecting the unencrypted traffic between the backend HTTP server and the frontend HTTPS accelarator/server), per my original reply.

- IPS can detect only up to layer 4 attacks only.

This is simply incorrect, per my last reply.

Re: IPS Detects SQL Injection over HTTPS

learnsec — Tue, 05 Jul 2011 07:15:33 GMT

thanks for the explanation,