Cisco IPS 4255 Sensor White Paper
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 6
simple encoding variations can defeat an exploit-focused detection system, which never sees the exact byte sequence its signature was written for. The only option left to an exploit-focused system is to cover a set of known exploits plus the variants produced by specific test tools. At best this gives some protection against unsophisticated attackers and acceptable results in test-tool-based evaluations; in practice it creates a false sense of security and leaves the network at high risk from anyone who re-encodes a public exploit.
Exploit-focused detection also needs frequent updates. Because a new signature must be written for every newly discovered exploit (and for each variant of it), updates have to be frequent just to keep protection current, which adds overhead and disruption for users. The growing signature count also consumes more memory and processing capacity on the IPS itself.
Vulnerability-Focused Detection: The New Generation of IPS Technology
Rather than chasing the unbounded problem of discovering, cataloging and writing signatures for new exploits, vulnerability-focused detection systems protect the vulnerabilities that criminals are trying to exploit (see the definitions sidebar). This approach is more complex: it requires detection techniques that look for indications that a transaction is attempting to trigger a known (or potentially unknown) vulnerability, rather than for the bytes of one particular exploit.
Although the vulnerability-focused approach is harder to implement, it provides much better protection than exploit-based methods. The greatest advantage is that, because a vulnerability-focused signature is written to recognize exploitation of a specific vulnerability rather than one exploit's byte pattern, any exploit that actually triggers that vulnerability will fire the signature, whether it comes from a test tool, is a known attack, an obfuscated variant, or an entirely new (zero-day) attack.
Vulnerability-focused signatures not only detect zero-day attacks but, in some cases, also catch exploitation of zero-day vulnerabilities, when the signature keys on a technique the exploit must use (such as building a heap payload) rather than on the vulnerability itself. An example is Cisco IPS signature 5477-2, Possible Heap Payload Construction: this single signature detects 38 different exploits and vulnerabilities reachable through Microsoft Internet Explorer, including a large number of ActiveX vulnerabilities and their exploits. As another example, signature 5813, for the Microsoft Internet Explorer VML vulnerability, protects against 19 different verified exploits.
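To make the contrast concrete, here is an added example in Python (not Cisco code, and not the actual logic of signature 5477-2): an exploit-focused check that matches literal strings lifted from one known exploit, beside a technique-focused check that looks for the way a heap payload is constructed (repeated %uXXXX sled units, string doubling, a large allocation loop). It illustrates both the encoding-variation problem described at the top of this page and the heap payload construction that signature 5477-2 is named for. The three page bodies, the fingerprint strings, the regular expressions and the MIN_BLOCKS threshold are all constructed assumptions for this example.

```python
"""Exploit-focused vs. technique-focused detection over JavaScript bodies.

Added example (not Cisco code): an exact-string "exploit signature" and a
heuristic "heap payload construction" detector run over three constructed
page bodies. Patterns and thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample bodies. None is a working exploit: they contain only the
# heap-spray scaffolding an inline sensor would see in an HTTP response body.
SAMPLE_KNOWN = """<script>
var nop = unescape("%u0c0c%u0c0c");
var sc  = unescape("%ucccc%ucccc%u9090%u9090");
while (nop.length < 0x100000) nop += nop;
var blocks = new Array();
for (var i = 0; i < 256; i++) blocks[i] = nop + sc;
</script>"""

# The same construction after trivial edits an attacker makes for free:
# renamed identifiers, different sled bytes, single quotes, a decimal loop
# bound and the string doubling written as "a = a + a".
SAMPLE_VARIANT = """<script>
var a1 = unescape('%u0d0d%u0d0d');
var z9 = unescape('%ueb06%u9090%ucccc%ucccc');
while (a1.length < 1048576) { a1 = a1 + a1; }
var m = [];
for (var k = 0; k < 300; k++) { m[k] = a1 + z9; }
</script>"""

# Benign page: unescape() of two distinct characters and a ten-iteration loop.
SAMPLE_BENIGN = """<script>
var title = unescape('%u00e9%u00e8');
var rows = [];
for (var i = 0; i < 10; i++) { rows[i] = title + i; }
</script>"""

# --- Exploit-focused: literal strings lifted from one known exploit. ---
EXPLOIT_FINGERPRINTS = (
    'unescape("%u0c0c%u0c0c")',
    'blocks[i] = nop + sc',
)


def exploit_signature_hits(body: str) -> bool:
    """Fire if any literal fingerprint of the known exploit is present."""
    return any(fp in body for fp in EXPLOIT_FINGERPRINTS)


# --- Technique-focused: recognise how a heap payload is built, not whose. ---
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%u[0-9a-fA-F]{4})+)["']\s*\)""")
UNIT_RE = re.compile(r"%u[0-9a-fA-F]{4}")
# "x += x" or "x = x + x": the string-doubling idiom used to grow a sled.
DOUBLING_RE = re.compile(r"\b(\w+)\s*(?:\+=\s*\1\b|=\s*\1\s*\+\s*\1\b)")
# for (i = 0; i < N; ...): N is the number of spray blocks allocated.
LOOP_RE = re.compile(r"for\s*\(\s*(?:var\s+)?\w+\s*=\s*\d+\s*;\s*\w+\s*<\s*(0x[0-9a-fA-F]+|\d+)")
MIN_BLOCKS = 64  # assumed threshold: benign loops rarely allocate this many


@dataclass
class HeapSprayVerdict:
    repeated_sled: bool    # unescape() of the same %uXXXX unit repeated
    string_doubling: bool  # x += x / x = x + x growth
    large_alloc_loop: bool
    fires: bool


def _parse_bound(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def heap_payload_construction(body: str) -> HeapSprayVerdict:
    """Heuristic analogue of a 'possible heap payload construction' check."""
    sled = any(len(set(UNIT_RE.findall(m))) < len(UNIT_RE.findall(m))
               for m in UNESCAPE_RE.findall(body))
    doubling = DOUBLING_RE.search(body) is not None
    loop = any(_parse_bound(b) >= MIN_BLOCKS for b in LOOP_RE.findall(body))
    # Doubling alone is common in benign code; require corroboration.
    fires = doubling and (sled or loop)
    return HeapSprayVerdict(sled, doubling, loop, fires)


if __name__ == "__main__":
    samples = (("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT),
               ("benign", SAMPLE_BENIGN))
    for name, body in samples:
        print(f"{name:8s} exploit-sig={exploit_signature_hits(body)!s:5s} "
              f"heap-construction={heap_payload_construction(body).fires}")
```

Run it and the exploit signature fires only on the unmodified sample, while the construction check fires on both the original and the re-encoded variant and stays silent on the benign page. The caveat a practitioner should keep in mind is that "any variant will trigger the signature" holds only as far as the variant still exhibits the condition the signature keys on: a spray assembled by code that is itself eval()'d from a decoded string leaves none of these patterns in the response body, which is why such checks are normally paired with protocol decoding and, where the engine supports it, script normalization before matching.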
Table 1 shows the exploits and vulnerabilities that a single vulnerability-focused signature can
cover.
Table 1. Single Vulnerability-Focused Signature Covers 38 Verified Exploits and Vulnerabilities
Cisco IPS Signature 5477-2: Possible Heap Payload Construction

Vulnerabilities | Public Exploits | Non-Public Exploits and Tools
Microsoft Internet Explorer window Arbitrary Code Execution Vulnerability | [Metasploit] mozilla_compareto v1.3 | [Non-Public] IE MS06-42 Patch Exploit
CVE-2006-1359 (MS April Cumulative Security Update for Internet Explorer) | [Metasploit 2.5] mozilla_compareto 1.3 | [Non-Public] MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 3
MS06-071: Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability | [Metasploit] Mozilla Firefox Memory corruption via QueryInterface on Location, Navigator objects | [Non-Public] IE XML HTTP Exploit
CVE-2007-0024 [MS07-004]: Vulnerability in Vector Markup Language Could Allow Remote Code Execution | [Metasploit] ie_createtextrange v1.4 | [Non-Public] Firefox and Mozilla compareTo