Opinion: Why application-layer defenses belong in the applications

NIDSs are largely ineffective against a determined attacker using techniques like SQL injection attacks

I know that chances are no one rushed to remove all SQL injection vulnerabilities from their Web applications after I warned in my column last month how serious they can be. I know that most people, even if they recognized the importance of the vulnerability, would consider how much work was involved and conclude that there must be an easier way. Perhaps they'd think that their network intrusion-detection system (NIDS) could handle the job.

Well, I'm back this month to puncture that balloon.

NIDSs are largely ineffective against a determined attacker using techniques like SQL injection attacks.

As I said last month, attackers love targeting SQL services because that's where some of the most interesting stuff resides in many applications. Now imagine a high-value target coupled with security tools that largely fail to detect attacks. How is this possible? Think back to my description of the dreaded "or 1=1" attack.

It's trivially easy to tell our NIDSs to look out for the "or 1=1" string. But don't be fooled, since "2=2" and "3=3" work equally well. For that matter, so do "foo=foo" and "xyzzy=xyzzy." See where this is going?

That's right, using static signature definitions - like the ones used by many popular NIDS products today - will fail every time, since you'd need to write an infinite number of signature strings to recognize every attack. And those "n=n" attacks are the most trivial of SQL injection attacks at that.

The core of the problem is that all network-based intrusion-detection tools lack the context to be able to effectively determine whether or not an HTTP request contains malicious inputs.

And let's not stop there - there's another dark truth of the IDS world lurking about. You know how we security folks have been telling the software folks to use SSL encryption to secure sensitive data as it traverses the network? Well, encrypting the network traffic - which is a good practice - effectively puts a lens cap on our surveillance cameras. NIDS products cannot see inside an SSL-encrypted packet any more than our adversaries can.

By SSL-encrypting our sensitive data, we're robbing our NIDS sensors of the ability to look into the data for signs of malicious payloads. Even if they were capable of detecting SQL injection (and other attacks) all the time, SSL would prevent that from working.

So does that mean we should toss in the towel and stop using NIDS and SSL? Of course not. It does mean, though, that we need to be keenly aware of the strengths and the limitations of the technologies we're using.

There remain many things that NIDS tools are extremely effective at detecting. Outbreaks of (known) viruses, worms, malware, etc., can stand out like a sore thumb on a network that is being monitored using NIDS tools.

Even many novel attacks can be detected using NIDS tools. For example, botnet and other malware often installs network services on infected computers. When attackers connect to these services, a desktop computer behaves - at a network level - much like a "server." Most modern NIDS tools will notice that sort of network activity even when it's caused by previously unknown malware.

But don't be fooled for a moment that NIDS products are effective at detecting all Web application-level attacks. The only place to put real application security measures is inside the applications themselves. That kind of security cannot be bought and bolted on post facto.

Similarly, we mustn't give up on SSL either. It remains the most ubiquitous and accepted network encryption technology available today. We really must use it to protect sensitive data in transit.

Does that mean our NIDS products are doomed to never be able to pierce the SSL veil? In many or most cases, yes it does. Now, in enterprise-class architectures, we can offload the SSL processing to front-end processors and place our NIDS sensors behind those processors, but that may well be beyond the reach of many smaller companies.

We can also consider host-based intrusion detection systems (HIDS) on our application processors, but be warned that many HIDS products are woefully inadequate at detecting application-layer attacks. Again, there is no substitute for placing application-layer defenses - including intrusion detection - inside an application.

And let's not also neglect another hugely beneficial aspect of using SSL - authentication. In most applications, only the server authenticates to the client, but even that is a value-added service. And in cases where client certificates are used in addition to server certificates, SSL provides us with seriously strong mutual authentication.

Nonetheless, no technology is perfect. That statement shouldn't surprise any of us, right? Intrusion-detection technologies found today are useful tools, but we cannot rely on them for everything. Application attacks are one of their weaknesses. Let's accept that and turn our attention to building more secure applications in the first place.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitysql injectionSSL-encryptingNDIS

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Kenneth van Wyk

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?