Q: Is there a difference between an IDS/IPS and a Web Application Firewall (WAF)?
A: Yes, there are definite differences between the two. IDS/IPS systems are typically either signature-based or behavior-based. Sometimes the functionality is built into devices such as firewalls and routers; other times it is built into blades that fit into a larger chassis. They can act as network- or host-based protection controls. Sometimes they are deployed as separate appliances with one or multiple network interfaces. While IDS/IPS systems are designed to provide a higher layer of security over a basic firewall, they do not typically understand or protect against application layer attacks such as SQL Injection, XSS, etc. This is why the PCI standard requires a WAF to protect Internet-facing web servers instead of just a firewall with IDS/IPS capabilities.
Q: What is SQL Injection?
A: SQL Injection is an attack on databases with a web server front-end. The issue involves the application not properly 'sanitizing' input data. By submitting a carefully crafted response the attacker is able to gain unauthorized access to the database. This access can take various forms including read access, the ability to change data and can also be used in some cases to completely compromise the entire database server.
A: You must ensure that ALL input data is properly verified and only the specific data requested is passed to the web application. For example, if the user is asked for a ZIP code only accept the digits 0-9 and perhaps a dash to be input. Check for the proper length and format of each data input field. Don't forget input areas such as search fields, "Contact Us" forms, etc.
Q: What is Blind SQL Injection?
A: Blind SQL Injection is a variation on the standard SQL Injection attack. Blind SQL Injection attacks occur when a web application is vulnerable to SQL Injection but does not display results to the attacker. This type of attack usually takes longer and requires different tools to perform. The use of parameterized statements can help prevent this type of attack.
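The three answers above recommend two controls: strict input validation (accept only the digits and optional dash a ZIP code can contain) and parameterized statements. The following is an added example, not code from the original FAQ, that shows both side by side against a constructed in-memory SQLite table named `users` (an assumption for the demonstration): a query built by string concatenation, the same query with the value bound as a parameter, and a version that validates the ZIP code first and then binds it.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; the "users" table and its
# rows are assumptions, not anything from the original page.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO users (name, zip) VALUES (?, ?)",
        [("alice", "12345"), ("bob", "90210-1234")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, zip_code):
    # Vulnerable: the untrusted value is spliced into the SQL text, so a quote
    # in the input changes the structure of the statement.
    sql = "SELECT name FROM users WHERE zip = '%s'" % zip_code
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, zip_code):
    # Parameterized statement: the value is bound separately from the SQL text
    # and is never interpreted as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE zip = ?", (zip_code,))
    return [row[0] for row in rows]

# Allowlist for a US ZIP code: five digits, optionally "-" and four more digits.
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")

def validate_zip(zip_code):
    # Reject anything that is not exactly the format the field asks for;
    # checking length and format here also catches junk in search fields,
    # contact forms and other inputs before they reach the database.
    if not ZIP_RE.match(zip_code):
        raise ValueError("invalid ZIP code")
    return zip_code

def lookup_safe(conn, zip_code):
    # Defence in depth: validate the input, then bind it as a parameter.
    return lookup_parameterized(conn, validate_zip(zip_code))

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))    # returns every user
    print(lookup_parameterized(db, "' OR '1'='1")) # returns nothing
    print(lookup_safe(db, "90210-1234"))           # ['bob']
```

The parameterized query alone stops the injection; the validation step is what keeps malformed data out of the application in the first place and gives you a clear place to log rejected input.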
A: Whether or not XSS attacks can be completely eliminated might be open for debate. However, just like SQL Injection, XSS vulnerabilities can be greatly reduced by properly sanitizing input data. Only allow the specific input data requested. Sometimes this is not enough to prevent XSS attacks. Proper cookie security is another issue that needs to be addressed.
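The answer above names two measures beyond input allowlisting: encoding untrusted data when it is written into a page, and setting the cookie attributes that limit what injected script can reach. The following is an added example, not code from the original FAQ, that renders a constructed comment both unescaped and HTML-escaped with Python's standard `html` module, and builds a session `Set-Cookie` header with the `HttpOnly`, `Secure` and `SameSite` attributes using `http.cookies`; the field names and session value are assumptions for the demonstration.

```python
import html
from http.cookies import SimpleCookie

def render_comment_vulnerable(name, comment):
    # Vulnerable: untrusted values are dropped straight into the HTML, so any
    # markup in them becomes part of the page.
    return "<p><b>%s</b>: %s</p>" % (name, comment)

def render_comment_safe(name, comment):
    # Output encoding: every untrusted value is escaped for the HTML text
    # context it lands in (quote=True also covers attribute values).
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(name, quote=True),
        html.escape(comment, quote=True),
    )

def session_cookie_header(session_id):
    # Cookie hardening: HttpOnly keeps the value out of document.cookie,
    # Secure restricts it to HTTPS, SameSite=Strict stops cross-site sends.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")

if __name__ == "__main__":
    # Constructed sample input containing a script tag.
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable("guest", payload))
    print(render_comment_safe("guest", payload))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output is what closes the gap the answer refers to when input validation alone is "not enough": a field such as a name legitimately contains characters like `<` or `'`, so the safe place to neutralise them is where they are written into the page.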
A: Yes. Any method of accessing corporate resources from external sources should be tested. This could include just the known dial-in phone numbers or perhaps the entire DID block of phone numbers allotted to the client. Don't forget about the phone lines connected to your PBX!
Q: What is 'wardialing'?
A: Wardialing is a common term for testing connections to various computing devices over normal phone lines. Many organizations still have phone lines connected to routers, servers, PBXs, etc. for diagnostic and troubleshooting activities. If these connections are not secured they can represent a great threat to your organization.
A: Usually, one of two ways. The first method is to dial only the specific numbers that you know are connected to some form of computing device (typically excluding fax machines). The second method involves dialing a block of phone numbers. The goal of the second method is to find "hidden" dial-in access of which IT might not be aware. Blocks of phone numbers can range from several to several thousand.