Startup touts the Terminator of security appliances

zdnet ^ | September 5, 2003 | David Berlind

[HuntsvilleTxVeteran]

Startup touts the Terminator of security appliances By David Berlind, Tech Update September 5, 2003 3:57 PM PT

Here's something you don't see too often. A product--in fact, an entire company--launching two months ahead of schedule. Although it was originally scheduled to emerge from the startup shadows on November 15, Milpitas, CA-based Protego Networks will officially open its doors earlier than planned after a bit of word-of-mouth advertising sparked some unexpected demand for its MARS line of security appliances.

"Without naming names, we have several government organizations telling us that they need the product now," Chris Blask, Protego's business development vice president, told me. "So we moved the company launch and the FCS (first customer ship) date up to September 15."

MARS stands for Mitigation and Response System. If the product works as Blask describes, it could use a name that more accurately communicates its function--real-time threat detection and quarantining. The tool appears to be the sort of "Terminator" that network managers were looking for as they wrangled with MSBlaster and Sobig.F during the last few weeks.

Like other security information management (SIM) offerings from companies such as NetForensics and Network Intelligence, MARS understands both proprietary and open management protocols and can aggregate data from a multitude of network sources, including routers, switches, bridges, intrusion detection systems (IDS), and firewalls -, and assimilate that information into a snapshot of the havoc that an intrusion is wreaking. "This sort of functionality, where a system says 'your network was torn to pieces and I can tell you why' is rather commonplace these days," says Blask. "Anybody can do that, so we had to go beyond diagnosis, with something that takes action."

[HuntsvilleTxVeteran]

Sounds good

[sigSEGV]

So how secure is this device that has full control over my network? Sounds like a bunch of BS.

[adam_az]

Products that aim to do this much are total BS.

Smoke, mirrors.

Security companies sell products based on how much they can scare their customers.

I work in the IT security industry, and can tell you first hand that most "experts" are complete imbeciles.

Example from this article:

"MARS correlates the data into a visualization of the attack, identifies where action can be taken to cut the attack off before it spreads, and, via protocols like SNMP and Telnet, will even issue the necessary management or reconfiguration commands to automate those actions."

SNMP and Telnet are both plaintext protocols, which means that they are not encrypted and can be easily intercepted on the wire.

If you use Telnet to control a device, an attacker would only have to monitor both the MARS master node and telnet controlled devices local network segments, and then capture the authentication information on the wire. Game over, intruder can login to the device and it will look for all intents and purposes like a normal user login.

Similarly, SNMP is a plaintext protocol whose "community string" is it's password. Later versions use MD5 hash, but that can be captured and replayed. SNMP is ok for retreiving performance statistics from devices with the correct controls in place, but using SNMP in "private" mode to control devices is very dangerous, which whould be necessary to accomplish what the article suggests.

Also, many of these automated "intrusion prevention systems" which are becoming en vogue are easily defeated. If the attacker can determine how the system works, they can issue attack commands that will have the victim purposefully make their own internet connection or particular hosts unavailable in response to an attack that wasn't designed to penetrate, just to force the system to disable or limit access to key nodes from valid users. One old such system is a program which monitors for port scans, and upon detecting one, can blackhole the source of the scan from the hosts routing table, protecting it from further attacks. Of course, if an attacker can determine that their target is using this program, they could "spoof" the source address of the port scan attack, making the host then ignore it's dns server, outgoing internet gateway, or other important hosts, thus Denial of Service attacking it's self using the rules configured by the administrator.

"Self learn mode..." Ha ha ha ha. Intrusion testers eat this stuff for lunch, as do miscreant hackers.