Friday, July 17, 2009

Is StillSecure Really Secure?!

Just done a simple test on IPS from StillSecure - Strata Guard. I downloaded Strata Guard Lite - the freeware offer from StillSecure. I installed it on my virtualised testbed.



The test setup is simple. I made an attacker VM running BackTrack 3 with latest updated Metaspolit. This VM is connected to the Bridged (VMnet0) virtual switch. I also made a victim VM running Windows XP SP3 (without post-SP3 patches) with an antivirus package. The victim VM is connected to Host Only (VMnet8). Finally, SG Lite is installed as the 3rd VM with 3 interfaces - eth0 and eth1 are connected to VMnet0 and eth2 is connected to VMnet8. eth0 is for management interface while eth1 and eth2 are for a bridge deployment.

After installing SG Lite, I immediately update the rules. After updating, SG Lite has over 6 thousand rules. I also configured SG Lite to "Block" all attacks on all rules. This should made all traffic being inspected, and if any traffic match with any rules should be blocked.

Afterwards, I use Metasploit to start attack the victim. I choose my favorite MS08-067 with Add User to see if SG Lite can stop the attack. The result made me supprise - the attack success and SG Lite did not notice the attack!


1 comment:

Anonymous said...

William - I think the problem is in your VM set up. Our engineers have checked and no doubt we can handle this exploit. Recheck to see if SG is seeing any traffic the way you have it configured.
I have answered your post on my blog here: http://www.stillsecureafteralltheseyears.com/ashimmy/2009/07/is-stillsecure-really-secure-you-betcha.html