Cisco Adaptive Security Appliance goes beyond blocking ports. Is that a Microsoft-only defense?

Discussion in 'Cisco' started by Ramon F Herrera, Mar 2, 2007.

  1. I recently installed my first Cisco ASA-5500 security box. It is a
    very impressive piece of equipment, with a bewildering array of
    capabilities. The feature that I find most intriguing is that it goes
    above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    inspecting whether a message or packet contains a virus or other
    malware.

    What I would like to clarify, because it is a matter of dispute among
    some colleagues, is exactly what applications and operating systems
    are being inspected. My buddies claim (more like a wild or hopeful
    guess) that not only is port 1521 of an Oracle server blocked but the
    ASA knows about Oracle exploits, and similarly it can check for
    weaknesses on behalf of Linux or other Unixes. I find that very hard
    to believe, and my counterclaim is that only Windows or other
    Microsoft products have reached a level of disseminated infections to
    grant the depth of attention by the security software.

    Comments?

    -Ramon F Herrera
    Ramon F Herrera, Mar 2, 2007
    #1

  2. joel garry (Guest)

    On Mar 2, 12:20 pm, "Ramon F Herrera" <> wrote:
    > I recently installed my first Cisco ASA-5500 security box. It is a
    > very impressive piece of equipment, with a bewildering array of
    > capabilities. The feature that I find most intriguing is that it goes
    > above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    > inspecting whether a message or packet contains a virus or other
    > malware.
    >
    > What I would like to clarify, because it is a matter of dispute among
    > some colleagues, is exactly what applications and operating systems
    > are being inspected. My buddies claim (more like a wild or hopeful
    > guess) that not only is port 1521 of an Oracle server blocked but the
    > ASA knows about Oracle exploits, and similarly it can check for
    > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > to believe, and my counterclaim is that only Windows or other
    > Microsoft products have reached a level of disseminated infections to
    > grant the depth of attention by the security software.
    >
    > Comments?
    >
    > -Ramon F Herrera


    Looking at the data sheets, it just looks like it uses typical trend
    micro stuff to look for malware. If they can point to something that
    specifically mentions Oracle, let us know.

    Most of us don't even use port 1521 anymore.

    Be afraid:
    http://www.securiteam.com/securitynews/6N00D1FEKE.html
    http://www.cisco.com/en/US/products/products_security_advisory09186a00806e9b6f.shtml

    Hey, maybe that means they do know what to look for!

    jg
    --
    @home.com is bogus.
    Burn me once, shame on you. Burn me twice, shame on me. Burn me
    enough times you have to reformat the output for number of times
    burnt, shame on Microsoft!
    joel garry, Mar 2, 2007
    #2

  3. hpuxrac (Guest)

    On Mar 2, 3:20 pm, "Ramon F Herrera" <> wrote:
    > I recently installed my first Cisco ASA-5500 security box. It is a
    > very impressive piece of equipment, with a bewildering array of
    > capabilities. The feature that I find most intriguing is that it goes
    > above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    > inspecting whether a message or packet contains a virus or other
    > malware.
    >
    > What I would like to clarify, because it is a matter of dispute among
    > some colleagues, is exactly what applications and operating systems
    > are being inspected. My buddies claim (more like a wild or hopeful
    > guess) that not only is port 1521 of an Oracle server blocked but the
    > ASA knows about Oracle exploits, and similarly it can check for
    > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > to believe, and my counterclaim is that only Windows or other
    > Microsoft products have reached a level of disseminated infections to
    > grant the depth of attention by the security software.
    >
    > Comments?
    >
    > -Ramon F Herrera


    Why don't you test it out?

    That starts by constructing a test case and determining how this device
    allows/prevents/alerts ...
    hpuxrac, Mar 3, 2007
    #3
  4. On Mar 2, 5:29 pm, "joel garry" <> wrote:
    > On Mar 2, 12:20 pm, "Ramon F Herrera" <> wrote:
    >
    >
    >
    > > I recently installed my first Cisco ASA-5500 security box. It is a
    > > very impressive piece of equipment, with a bewildering array of
    > > capabilities. The feature that I find most intriguing is that it goes
    > > above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    > > inspecting whether a message or packet contains a virus or other
    > > malware.

    >
    > > What I would like to clarify, because it is a matter of dispute among
    > > some colleagues, is exactly what applications and operating systems
    > > are being inspected. My buddies claim (more like a wild or hopeful
    > > guess) that not only is port 1521 of an Oracle server blocked but the
    > > ASA knows about Oracle exploits, and similarly it can check for
    > > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > > to believe, and my counterclaim is that only Windows or other
    > > Microsoft products have reached a level of disseminated infections to
    > > grant the depth of attention by the security software.

    >
    > > Comments?

    >
    > > -Ramon F Herrera

    >
    > Looking at the data sheets, it just looks like it uses typical trend
    > micro stuff to look for malware. If they can point to something that
    > specifically mentions Oracle, let us know.
    >
    > Most of us don't even use port 1521 anymore.
    >


    Please clarify. Are you claiming that most folks are simply using
    another port different from 1521 in hopes of confusing the attackers
    (due respect, but that would be a rather poor defense) or are they
    using a non-TCP mechanism to communicate with the server?

    -Ramon
    Ramon F Herrera, Mar 3, 2007
    #4
  5. On Mar 2, 6:42 pm, "hpuxrac" <> wrote:
    > On Mar 2, 3:20 pm, "Ramon F Herrera" <> wrote:
    >
    >
    >
    > > I recently installed my first Cisco ASA-5500 security box. It is a
    > > very impressive piece of equipment, with a bewildering array of
    > > capabilities. The feature that find most intriguing is that it goes
    > > above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    > > inspecting whether a message or packet contains a virus or other
    > > malware.

    >
    > > What I would like to clarify, because it is a matter of dispute among
    > > some colleagues, is exactly what applications and operating systems
    > > are being inspected. My buddies claim (more like a wild or hopeful
    > > guess) that not only is port 1521 of an Oracle server blocked but the
    > > ASA knows about Oracle exploits, and similarly it can check for
    > > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > > to believe, and my counterclaim is that only Windows or other
    > > Microsoft products have reached a level of disseminated infections to
    > > grant the depth of attention by the security software.

    >
    > > Comments?

    >
    > > -Ramon F Herrera

    >
    > Why don't you test it out?
    >
    > That starts by constructing a test case and determining how this device
    > allows/prevents/alerts ...


    I would have to open port 1521 in my firewall to see if I can
    compromise it remotely. Then try to break into my Linux machines, and
    similarly for the Macs. I simply don't have the resources. It would be
    so much simpler if Cisco published it explicitly: "all the anti-malware
    tools we have are for Microsoft products".

    -Ramon
    Ramon F Herrera, Mar 3, 2007
    #5
  6. joel garry (Guest)

    On Mar 2, 4:49 pm, "Ramon F Herrera" <> wrote:
    > On Mar 2, 5:29 pm, "joel garry" <> wrote:
    >
    >
    >
    >
    >
    > > On Mar 2, 12:20 pm, "Ramon F Herrera" <> wrote:

    >
    > > > I recently installed my first Cisco ASA-5500 security box. It is a
    > > > very impressive piece of equipment, with a bewildering array of
    > > > capabilities. The feature that I find most intriguing is that it goes
    > > > above (in the ISO/OSI sense) the IP, TCP and UDP layers, presumably
    > > > inspecting whether a message or packet contains a virus or other
    > > > malware.

    >
    > > > What I would like to clarify, because it is a matter of dispute among
    > > > some colleagues, is exactly what applications and operating systems
    > > > are being inspected. My buddies claim (more like a wild or hopeful
    > > > guess) that not only is port 1521 of an Oracle server blocked but the
    > > > ASA knows about Oracle exploits, and similarly it can check for
    > > > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > > > to believe, and my counterclaim is that only Windows or other
    > > > Microsoft products have reached a level of disseminated infections to
    > > > grant the depth of attention by the security software.

    >
    > > > Comments?

    >
    > > > -Ramon F Herrera

    >
    > > Looking at the data sheets, it just looks like it uses typical trend
    > > micro stuff to look for malware. If they can point to something that
    > > specifically mentions Oracle, let us know.

    >
    > > Most of us don't even use port 1521 anymore.

    >
    > Please clarify. Are you claiming that most folks are simply using
    > another port different from 1521 in hopes of confusing the attackers
    > (due respect, but that would be a rather poor defense) or are they
    > using a non-TCP mechanism to communicate with the server?
    >
    > -Ramon


    Search metalink and Oracle security related sites for the minimum
    necessary hardening. The proof of concept worm that was floating
    about not long ago got everyone in a tizzy about changing 1521. See
    http://www.dizwell.com/prod/node/374

    petefinnegan.com pointed to this: http://www.sans.org/score/oraclechecklist.php

    jg
    --
    @home.com is bogus.
    http://www.cockeyed.com/magic/bad_4.php
    joel garry, Mar 3, 2007
    #6
  7. JJ (Guest)

    I believe ASA is extremely limited right now and also requires a firmware
    update to improve its detection. I seem to recall it has about 30
    application layer checks versus Juniper's 100 application layer checks and
    versus Check Point's 1,700 application layer checks. I'm more familiar with
    CP and it definitely knows about different exploits for many vendors
    products.

    Ray


    > What I would like to clarify, because it is a matter of dispute among
    > some colleagues, is exactly what applications and operating systems
    > are being inspected. My buddies claim (more like a wild or hopeful
    > guess) that not only is port 1521 of an Oracle server blocked but the
    > ASA knows about Oracle exploits, and similarly it can check for
    > weaknesses on behalf of Linux or other Unixes. I find that very hard
    > to believe, and my counterclaim is that only Windows or other
    > Microsoft products have reached a level of disseminated infections to
    > grant the depth of attention by the security software.
    >
    > Comments?
    >
    > -Ramon F Herrera
    >
    JJ, Mar 3, 2007
    #7
  8. DA Morgan (Guest)

    Re: Cisco Adaptive Security Appliance goes beyond blocking ports. Is that a Microsoft-only defense?

    Ramon F Herrera wrote:

    > I would have to open port 1521 in my firewall to see if I can
    > compromise it remotely. Then try to break into my Linux machines, and
    > similarly for the Macs. I simply don't have the resources. It would be
    > so much simpler if Cisco published it explicitly: "all the anti-malware
    > tools we have are for Microsoft products".
    >
    > -Ramon


    Perhaps instead of talking to Cisco you should talk to F5 Networks.
    --
    Daniel A. Morgan
    University of Washington

    (replace x with u to respond)
    Puget Sound Oracle Users Group
    www.psoug.org
    DA Morgan, Mar 3, 2007
    #8
