Re: Deep Inspection Firewall / IPS

[Adriel Desautels <adriel () netragard com>]

Tony,
        ModSecurity reverse proxy or Bluecoat.


On Oct 29, 2008, at 9:15 AM, Tony Raboza wrote:

> Hi,
>
> I'm trying to get my company to buy a firewall with deep-inspection
> capabilities or IPS.  From my research what is really needed is a deep
> inspection firewall/IPS - because a stateful packet inspection will
> not do.
>
> For example for a web server - you close off all the ports except port
> 80 /443 (http/https).  But threats/malware can come in through port 80
> disguising itself as normal http traffic, so we need a firewall which
> would inspect this - hence the need for deep packet inspection/IPS.
>
> But what if we also do NAT?  Can malware still come in through port  
> 80?
>
> I've been reading this - "Red Hat 8 Compromise" -
> http://honeyblog.org/junkyard/reports/redhat-compromise.pdf , but my
> thought on this one is that if the honeypot RH8 was NATted could the
> attacker have opened up a shell which might either be port 22 (ssh) or
> 23 (telnet)?  What if only port 80/443 was port-forwarded?  Can the
> attacker open up a shell?
>
> Questions:
> 1.  Am I correct in my statements above?
> 2.  If I am correct - can you give me real-world examples of exploits
> that come in through port 80/port 443 which can compromise a
> Unix/Linux webserver as well as a Windows web server?
>
>
> Thanks,
> Tony

--

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

------------------------------------------------
Netragard, LLC - "The Specialist in Anti-Hacking"

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn