Friday, July 23, 2004

A Different Take on Intrusion Prevention Systems

Today while perusing the SANS Incident Handler's Diary, I noticed the "Handler On Duty" was Tom Liston, and his Web site was listed as LaBrea Technologies. I remembered Tom from his July 2001 post to the intrusions@incidents.org mailing list. There he theorized on the idea for his LaBrea "tarpit," code to trap malware visiting non-existent local IPs using various TCP tricks. Fearing DMCA, Tom no longer hosts LaBrea at his site, but it's available in the FreeBSD ports tree as security/labrea, and elsewhere.

A visit to LaBrea Technologies shows Tom is working on the "LaBrea Sentry IPS - Next Generation Intrusion Prevention System." From Tom's description:

"LaBrea Sentry connects to the local network and monitors attempts to access unused IP addresses. Once such attempts are detected, the LaBrea Sentry creates virtual machines to emulate an active server on the unused IP address, executes countermeasures defined by the user, logs the activity, and coordinates with LaBrea Central to proactively block known scanners.

LaBrea Central compiles and analyzes data from all LaBrea units, generating a global 'Bad Guy List,' providing proactive protection from known hostile sources."

A check at archive.org shows references to this product from at least April 2003, so Tom's been working on it for a while. This product reminds me of a passive-aggressive honeyd. I'd be interested in seeing what comes out of this work.

Keep in mind that an "intrusion prevention system" as currently implemented by vendors is simply an access control device with visibility of layer 7 traffic. Vendors like TippingPoint, Intruvert (now part of NAI), and others knew they would be crushed by the firewall giants of the early 2000s if these start-ups competed as "improved firewalls." Instead, TippingPoint and others followed MBA strategy 101 and defined a "new market" for "Intrusion Prevention Systems." The firewall market took a while to catch on to the layer 7 inspection and denial routine, but by late 2002 vendors like Netscreen and Checkpoint were waking up. Marty Roesch participated in threads on focus-ids and snort-users that validate my viewpoint.

LaBrea is different in that it doesn't operate at layer 7, inspecting and then dropping traffic presumed to be malicious. Rather, it watches unused IP addresses and then interacts with malware attempting to connect to services which could be offered by those nonexistent hosts. An intrusion is "prevented" because the malware gets "stuck" in the tarpit prior to exploiting a live host -- maybe. It depends a lot on luck, because the real target might get hit before the tarpit.
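To make the tarpit mechanism and the luck caveat concrete, here is an added Python model (my illustration, not LaBrea's code) of a tarpit answering for unused addresses while a connect sweep walks a subnet; it assumes the classic zero-window persist trick and uses constructed 10.0.0.x addresses.

```python
"""LaBrea-style tarpit model (added illustration, not LaBrea's code).
Trick modelled: zero-window persist capture, i.e. finish the handshake,
then advertise window 0 so the peer's stack keeps probing instead of
moving on.  Addresses and sweep order are constructed values."""
from dataclasses import dataclass


@dataclass
class Seg:
    src: str
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0
    win: int = 0
    data: int = 0  # payload length in bytes


class Tarpit:
    def __init__(self, unused_ips):
        self.unused = set(unused_ips)
        self.state = {}  # (peer, trap ip) -> "handshake" | "persist"

    def handle(self, seg):
        """Reply on behalf of an unused address, or None if seg is not ours."""
        if seg.dst not in self.unused:
            return None  # packets for real hosts are never touched
        key = (seg.src, seg.dst)
        if seg.flags == frozenset({"SYN"}):
            # Complete the handshake with a tiny window so the peer commits.
            self.state[key] = "handshake"
            return Seg(seg.dst, seg.src, frozenset({"SYN", "ACK"}), ack=seg.seq + 1, win=10)
        if key in self.state and seg.data > 0:
            # Acknowledge the data but advertise window 0: peer enters persist.
            self.state[key] = "persist"
            return Seg(seg.dst, seg.src, frozenset({"ACK"}), ack=seg.seq + seg.data, win=0)
        if self.state.get(key) == "persist":
            # Window probe: answer with window 0 again, holding the peer.
            return Seg(seg.dst, seg.src, frozenset({"ACK"}), ack=seg.seq, win=0)


def sweep(scanner, targets, live, unused, probes=3):
    """Connect to targets in order; count held connections and whether a live host was reached before any trap."""
    pit, trapped, trap_seen, live_first = Tarpit(unused), 0, False, False
    for ip in targets:
        if pit.handle(Seg(scanner, ip, frozenset({"SYN"}), seq=100)) is None:
            live_first = live_first or (ip in live and not trap_seen)
            continue
        trap_seen = True
        pit.handle(Seg(scanner, ip, frozenset({"ACK"}), seq=101, ack=1, data=40))
        held = [pit.handle(Seg(scanner, ip, frozenset({"ACK"}), seq=141, ack=1)) for _ in range(probes)]
        trapped += all(r is not None and r.win == 0 for r in held)
    return {"trapped": trapped, "live_hit_before_trap": live_first}
```

Running `sweep` with the live host first in the target order shows the caveat: the real host is contacted before any trap springs, however many connections the tarpit later holds.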
