To: HuntsvilleTxVeteran
So how secure is this device that has full control over my network? Sounds like a bunch of BS.
2 posted on 09/08/2003 6:25:50 AM PDT by sigSEGV
To: sigSEGV
Products that aim to do this much are total BS.
Smoke, mirrors.
Security companies sell products based on how much they can scare their customers.
I work in the IT security industry, and can tell you first hand that most "experts" are complete imbeciles.
Example from this article:
"MARS correlates the data into a visualization of the attack, identifies where action can be taken to cut the attack off before it spreads, and, via protocols like SNMP and Telnet, will even issue the necessary management or reconfiguration commands to automate those actions."
SNMP and Telnet are both plaintext protocols, which means that they are not encrypted and can be easily intercepted on the wire.
If you use Telnet to control a device, an attacker would only have to monitor both the MARS master node and telnet-controlled devices' local network segments, and then capture the authentication information on the wire. Game over, intruder can log in to the device and it will look for all intents and purposes like a normal user login.
Similarly, SNMP is a plaintext protocol whose "community string" is its password. Later versions use MD5 hash, but that can be captured and replayed. SNMP is ok for retrieving performance statistics from devices with the correct controls in place, but using SNMP in "private" mode to control devices is very dangerous, which would be necessary to accomplish what the article suggests.
Also, many of these automated "intrusion prevention systems" which are becoming in vogue are easily defeated. If the attacker can determine how the system works, they can issue attack commands that will have the victim purposefully make their own internet connection or particular hosts unavailable in response to an attack that wasn't designed to penetrate, just to force the system to disable or limit access to key nodes from valid users. One old such system is a program which monitors for port scans, and upon detecting one, can blackhole the source of the scan from the host's routing table, protecting it from further attacks. Of course, if an attacker can determine that their target is using this program, they could "spoof" the source address of the port scan attack, making the host then ignore its DNS server, outgoing internet gateway, or other important hosts, thus Denial of Service attacking itself using the rules configured by the administrator.
"Self learn mode..." Ha ha ha ha. Intrusion testers eat this stuff for lunch, as do miscreant hackers.
3 posted on 09/08/2003 9:05:12 AM PDT by adam_az
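The self-inflicted denial of service that post 3 describes (an auto-blackholing port-scan responder tricked by a forged source address into blocking the host's own DNS server or gateway) can be modelled in a few dozen lines. The following is an added illustration, not code from MARS or from any product named in the thread; the alert records, the addresses, and the `ScanAlert`, `naive_responder`, `hardened_responder` and `active_blocks` names are all constructed for this example. It places the naive responder next to a contained one that refuses to block protected infrastructure, demands evidence a spoofer cannot forge (a completed TCP handshake), and makes every block expire.

```python
"""Toy model of an automatic port-scan blackholer: the naive form the post warns
about, and a contained form. Added illustration with constructed sample data; not
code from any product discussed in the thread."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ScanAlert:
    """One port-scan detection: claimed source address, ports probed, and whether
    any probe completed a TCP handshake (a forged source address cannot)."""
    src: str
    ports: list
    handshake_completed: bool = False


# Constructed sample alerts. Two come from plausible external scanners; two carry
# a forged source equal to the victim's own DNS server and default gateway.
SAMPLE_ALERTS = [
    ScanAlert("203.0.113.7", [22, 23, 80, 443, 3389], handshake_completed=True),
    ScanAlert("10.0.0.53", [1, 2, 3, 4, 5]),      # spoofed as the internal DNS server
    ScanAlert("10.0.0.1", [21, 22, 23, 25]),      # spoofed as the default gateway
    ScanAlert("198.51.100.9", [135, 139, 445], handshake_completed=True),
]

# Hosts and networks the responder must never blackhole on its own authority
# (constructed values; a real deployment lists its own DNS, gateway, monitoring).
PROTECTED_HOSTS = {ip_address("10.0.0.53"), ip_address("10.0.0.1")}
PROTECTED_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def naive_responder(alerts):
    """The behaviour the post warns about: every alert source is blackholed, so a
    forged source address turns the defence into a self-inflicted DoS."""
    return {a.src for a in alerts}


@dataclass
class Decision:
    blocked: dict = field(default_factory=dict)   # src -> time the block expires
    refused: list = field(default_factory=list)   # (src, reason) escalated to a human


def hardened_responder(alerts, now=0, block_ttl=600, min_ports=3):
    """Same input, contained response:
    - never block a protected host or anything inside a protected network;
    - require a completed handshake, which a spoofed source cannot produce;
    - ignore probes of fewer than min_ports ports;
    - make every block temporary so a mistaken block heals by itself."""
    decision = Decision()
    for a in alerts:
        src = ip_address(a.src)
        if len(a.ports) < min_ports:
            continue
        if src in PROTECTED_HOSTS or any(src in net for net in PROTECTED_NETS):
            decision.refused.append((a.src, "protected address; escalate, do not block"))
            continue
        if not a.handshake_completed:
            decision.refused.append((a.src, "no completed handshake; source may be spoofed"))
            continue
        decision.blocked[a.src] = now + block_ttl
    return decision


def active_blocks(decision, now):
    """Blocks still in force at time `now`; expired entries drop out on their own."""
    return {src for src, expiry in decision.blocked.items() if expiry > now}


if __name__ == "__main__":
    print("naive blackholes:", sorted(naive_responder(SAMPLE_ALERTS)))
    d = hardened_responder(SAMPLE_ALERTS)
    print("hardened blocks:", sorted(d.blocked))
    for src, why in d.refused:
        print("refused", src, "->", why)
    print("still blocked after one hour:", active_blocks(d, now=3600))
```

With the sample alerts, the naive responder blackholes all four sources, including the DNS server and gateway, which is exactly the outcome the post describes. The contained responder blocks only the two external scanners, escalates the two protected addresses to an operator instead of acting, and releases both blocks after the ten-minute TTL. The allowlist alone is not enough: a forged source matching any other legitimate remote host would still trigger a block, which is why the handshake requirement and the expiry matter more than the list.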
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson