Friday, July 17, 2009

Is StillSecure Really Secure?!

Just done a simple test on IPS from StillSecure - Strata Guard. I downloaded Strata Guard Lite - the freeware offer from StillSecure. I installed it on my virtualised testbed.

The test setup is simple. I made an attacker VM running BackTrack 3 with latest updated Metaspolit. This VM is connected to the Bridged (VMnet0) virtual switch. I also made a victim VM running Windows XP SP3 (without post-SP3 patches) with an antivirus package. The victim VM is connected to Host Only (VMnet8). Finally, SG Lite is installed as the 3rd VM with 3 interfaces - eth0 and eth1 are connected to VMnet0 and eth2 is connected to VMnet8. eth0 is for management interface while eth1 and eth2 are for a bridge deployment.

After installing SG Lite, I immediately update the rules. After updating, SG Lite has over 6 thousand rules. I also configured SG Lite to "Block" all attacks on all rules. This should made all traffic being inspected, and if any traffic match with any rules should be blocked.

Afterwards, I use Metasploit to start attack the victim. I choose my favorite MS08-067 with Add User to see if SG Lite can stop the attack. The result made me supprise - the attack success and SG Lite did not notice the attack!