Security Bugs Sent to the Sandbox
A researcher at the upcoming Black Hat conference will suggest a new whitelisting method that creates a 'sandbox' for uninvited traffic
July 24, 2006
What if your network security tools just denied all incoming traffic up front, rather than attempting to filter out known threats?
That's essentially what the Statue of Liberty security project does. The project's "whitelisting" approach sends everything initially to a honeypot, or sandbox system, and sorts it by what's allowed, instead of what's not. Philip Trainor, the researcher who wrote the code, will demonstrate it during his presentation at next week's Black Hat conference in Las Vegas.
"There is no such thing as a secure system," Trainor says. "And most organizations have no plan for when a breach takes place."
Statue of Liberty's whitelisting approach differs from the blacklisting tactic used by most of today's antivirus and intrusion detection/prevention systems. "Instead of worrying about tens of thousands of exploits, it's allowing only things we've accepted into it," says Trainor, a network security engineer for Imperfect Networks. He built this model independently as part of his own research.
Trainor says he'll release his code as open source and hopes to expand on the project with input from other researchers. "I plan to release all code and configuration files associated with this project in the spirit of open source," Trainor says. "An open source project can only benefit from the large pool of contributions from the community."
It doesn't replace blacklisting, however. Trainor ultimately envisions the technology as an enhancement to today's IPS systems, which can be easily bypassed by a new or stealthy attack in a security architecture. (See IDS/IPS: Too Many Holes?) "This could be a potential addition to IPS systems, but not a replacement," he says. "IPS is a very necessary piece of network security today, but it has a lot of room to grow. It's really a developing technology."
There are two ways to deploy the Statue of Liberty technology, Trainor says. "One solution is to incorporate active honeypots into a public network to host potentially malicious events," he says, as well as within an internal IPS system that by default denies traffic and temporarily places it in a trusted zone.
In Trainor's new environment, a Statue of Liberty box (a Linux-based server) sits behind the in-line IPS and firewall and adds another layer of scrutiny. It works a bit like a load balancer to direct traffic. An HTTP "get" request, for instance, would be classified as a "white request" and get pushed to the HTTP server. But an HTTP "post" or "delete" request on a page that wasn't expecting these types of actions would be labeled as a "black request" and would go to the virtual server (a closed sandbox) for analysis. The idea is to also learn about these potential attacks to improve security, Trainor says.
Trainor hopes to demo three attack scenarios within the Statue of Liberty project: Non-malicious but never-seen-before traffic, which goes to the honeypot; an attack the IPS did not stop; and a malicious attack that's never been seen before, which then crashes the honeypot when it's quarantined there. He'll run VMWare along with the HoneyNet Project's honeypot technology, he says.
Statue of Liberty is a way to keep up with, or even get ahead of, new attack modes, which today's IPS systems don't do well. "An IPS has signature sets that are days/weeks/months old," Trainor says.
Trainor's main message: Be prepared. "I'm suggesting that companies have a risk management plan for being breached."
— Kelly Jackson Higgins, Senior Editor, Dark Reading
About the Author
You May Also Like