IPS Detects SQL Injection over HTTPS

learnsec
Level 1

hello

Do you think Cisco IPS is able to detect SQL Injection over HTTPS?


9 Replies

gaurash2
Cisco Employee

My answer would be NO, as Cisco does not have the SSL decryption capability yet.

Then, if Cisco IPS is not enough to inspect SSL traffic, what is the suitable way to ameliorate the security for a large-size company?

Any help?

Dustin Ralich
Cisco Employee

"In certain situations, it may be possible to detect and prevent SQL injection attacks using an Intrusion Prevention System (IPS). For an IPS to be effective, it must have visibility into the traffic of the application. For applications that use end-to-end encryption with HTTPS (for example, applications that use HTTPS without termination or acceleration at an intermediate network device), an IPS cannot identify traffic with characteristics of a SQL injection attack." per:

Understanding SQL Injection

Thanks, but this leads me to ask you:

An IPS itself is normally configured and installed in the network as a layer 2 device.

But it is known that an IPS can detect malicious traffic, attacks, vulnerabilities, ... up to layer 4, right?

But what I am not understanding is this: when we find the IPS detecting SQL injection over HTTP, or vulnerabilities of IIS, or Internet Explorer, or Microsoft PowerPoint, or ... isn't all of that layer 7 traffic being detected? So why is the IPS known as a layer 4 device only?

I hope you can explicitly explain this issue.

Regards,

"A Cisco IPS solution protects the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic at Layers 2 through 7."

"At the core of Cisco IPS solutions are numerous methods for the inspection and analysis of traffic in Layers 2 through 7."

Both quotes per Cisco Intrusion Prevention System Solutions.

Thanks again Dustin,

Can you explain then why, if you surf throughout the internet comparing an IPS and a Web Application Firewall (WAF), you do not stop hearing that a WAF is for layer 7 attacks that an IPS can't detect?

So a WAF has at least two known advantages compared to an IPS, which are:

- A WAF can detect attacks hidden behind HTTPS traffic (through SSL offloading, I guess).

- Layer 7 attacks will be detected; an IPS can detect only up to layer 4 attacks.

Regards,

Thanks again Dustin

You're welcome.

Can you explain then why, if you surf throughout the internet comparing an IPS and a Web Application Firewall (WAF), you do not stop hearing that a WAF is for layer 7 attacks that an IPS can't detect?

I personally do not work with dedicated Web Application Firewalls so I cannot speak to their effectiveness, etc. My understanding is that they control input, output, and/or access from, to, or by an application or service by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the WAF. As such, I assume they can be used for enforcing policy compliance and for additional control for specific applications (example: controlling what script can be accessed or what content-type can be transferred, etc.). An IPS device is not designed to provide that type of application-specific control; it is designed to detect/block specific threats [applicable to the application in this comparison].

  • WAF Example: Detecting and blocking attempts to access script.php on your Apache web server (due to the WAF policy configuration).

  • IPS Example: Detecting and blocking attempts to exploit a known vulnerability with the version of Apache software running on your web server (due to an enabled IPS signature definition for that threat).

There is probably some overlap between the two (2) types of devices (example: you could possibly configure a WAF to detect/block a particular threat given time and technical expertise; likewise, you could probably create a custom signature on an IPS device to provide some form of limited control such as blocking attempts to access a specific script). But doing so is probably a lot less efficient, more difficult, etc. and is probably subject to limitations for each type of device.

So a WAF has at least two known advantages compared to an IPS, which are:

- A WAF can detect attacks hidden behind HTTPS traffic (through SSL offloading, I guess).

So can an IPS device (if the HTTPS is terminated or accelerated at an intermediate network device and the IPS device is inspecting the unencrypted traffic between the backend HTTP server and the frontend HTTPS accelerator/server), per my original reply.

- An IPS can detect only up to layer 4 attacks.

This is simply incorrect, per my last reply.
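The visibility point made in this reply, together with the WAF-policy versus IPS-signature examples above, as an added illustration that is not part of the thread or of any Cisco product: a toy signature matcher is run over the same HTTP request on the two segments described, the ciphertext an IPS sees when HTTPS is end-to-end, and the plaintext it sees when TLS is terminated upstream and the IPS sits between the offloader and the backend. The signature patterns, the denied path, the sample request and the stream cipher standing in for TLS are all constructed for this example.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for IPS signature definitions (not real Cisco signatures).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli-union-select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
}
# WAF-style policy from the reply above: deny access to a specific script by path.
DENIED_PATHS = {"/script.php"}
# Constructed session key for the toy cipher below (not a TLS key).
KEY = b"constructed-session-key-not-tls!"


def ips_signatures(segment: bytes) -> list[str]:
    """Signature matching over whatever bytes the IPS actually sees on its segment."""
    text = unquote(segment.decode("latin-1"))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def waf_policy_block(request: bytes) -> bool:
    """Policy enforcement; needs a parseable (plaintext) HTTP request line."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = request_line.split(" ", 2)
    return urlsplit(target).path in DENIED_PATHS


def toy_tls_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR. Models only that an IPS on the
    encrypted client<->server segment sees ciphertext; this is not TLS."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    return bytes(out)


def inspect_deployments(request: bytes) -> dict[str, list[str]]:
    """What the IPS reports in the two topologies discussed in the thread."""
    return {
        # End-to-end HTTPS: the IPS sits on the encrypted client<->server segment.
        "end_to_end_https": ips_signatures(toy_tls_encrypt(KEY, request)),
        # HTTPS terminated upstream: the IPS sits between offloader and backend.
        "after_ssl_offload": ips_signatures(request),
    }


# Constructed sample request with a classic tautology in the query string.
SAMPLE = (b"GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1\r\n"
          b"Host: shop.example.test\r\n\r\n")
```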

thanks for the explanation,
