Dark Reading
Products and Releases

Stonesoft Reveals Details Of IPS Evasion Attack Techniques

Security vendors have had up to six months to provide security updates against 23 new evasion methods

ATLANTA – December 16, 2010 – Stonesoft, an innovative provider of integrated network security and business continuity solutions, today announced the availability of detailed technical descriptions of the first set of advanced evasion techniques (AETs). The first samples, comprising 23 evasion methods and their descriptions, were delivered to CERT-FI in May, September and October 2010. Within the CERT-FI vulnerability coordination process, security vendors have had up to six months to update their systems against these newly found threats. The technical descriptions of the 23 AETs are available at http://www.antievasion.com/principles/principles/part-3.

On December 15, 2010, CERT-FI released their advisory after giving network security vendors ample time to research AETs, find remediation and give their statement about the threat. According to the advisory, the vendors have provided few statements to identify fixed versions.

“We, like everyone else, were expecting the vendor community to respect the process and state whether they are vulnerable to these advanced evasion techniques or not. Moreover, if they are vulnerable, they should state when and how they will update their systems to provide protection against these AETs,” said Juha Kivikoski, chief operating officer at Stonesoft.

“It seems that in many cases the fixes that have been provided by vendors address the evasions only by terminating suspicious connections based on the specific parameters used in the samples. In effect, this causes traffic disruptions and fails to protect against the evasions when they are even trivially modified,” explains Mika Jalava, chief technology officer at Stonesoft. “The correct way would be to understand the protocol and normalize it before inspection. It is not enough to fingerprint for evasions themselves, as they are easily modified to thwart simple matching. This kind of detection is also prone to false positives. Many of the evasion methods are basically protocol features that are allowed by today’s standards. Simply detecting and preventing any traffic that might be utilizing evasions to hide attacks does not tell the administrator anything about the actual exploits.”

StoneGate Protection

Inspection-based network security systems must understand the different protocol layers the same way end hosts decode them. As new evasion techniques evolve, the functionality responsible for this task, the normalization engine, must evolve with them. Stonesoft’s StoneGate IPS solutions, as well as firewalls with deep inspection capabilities, are fully and remotely upgradable, including all levels of network traffic normalization. Furthermore, they are not bound to specific hardware implementations.
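To make the distinction in the two preceding paragraphs concrete, here is an added Python sketch; it is not code from Stonesoft's release or from any StoneGate product, and everything in it is constructed for illustration: the signature string, the hostname, the three sample requests, and the "first-seen byte wins" overlap policy in the reassembler. It contrasts three inspectors over the same traffic: a naive matcher that looks for a signature in each TCP segment as it arrives, a fingerprinting rule that simply flags any percent-encoded request (the "detect the evasion itself" approach the release criticises), and a normalizing inspector that reassembles the stream and decodes the request target the way an end host would before matching.

```python
"""
Normalization-before-inspection versus raw signature matching.
All traffic samples, the signature and the hostname are constructed
for this example; they do not come from the Stonesoft/CERT-FI material.
"""
from urllib.parse import unquote_to_bytes

# Constructed signature for a hypothetical exploit path (placeholder).
SIGNATURE = b"/cgi-bin/evil_script"

# Each sample is a list of (tcp_sequence_offset, payload_bytes) in the
# order the segments reached the sensor.
BENIGN = [(0, b"GET /search?q=caf%C3%A9 HTTP/1.1\r\nHost: example.test\r\n\r\n")]

# Evasion A: the same path, but one character is percent-encoded (%5F is '_').
EVASION_A = [(0, b"GET /cgi-bin/evil%5Fscript HTTP/1.1\r\nHost: example.test\r\n\r\n")]

# Evasion B: plain path, but the request is split mid-signature across two
# segments that arrive out of order.
_head = b"GET /cgi-bin/ev"
_tail = b"il_script HTTP/1.1\r\nHost: example.test\r\n\r\n"
EVASION_B = [(len(_head), _tail), (0, _head)]


def match_raw_segments(segments):
    """Naive inspector: each segment is checked in isolation, with no
    reassembly and no decoding."""
    return any(SIGNATURE in payload for _, payload in segments)


def flag_evasion_fingerprint(segments):
    """'Fingerprint the evasion' inspector: flags any request that uses
    percent-encoding at all, regardless of what the request does."""
    return any(b"%" in payload for _, payload in segments)


def reassemble(segments):
    """Rebuild the byte stream from out-of-order segments.
    Overlapping bytes keep the first-seen value (an assumed policy; real
    host stacks differ, which is exactly the ambiguity a normalizer has to
    resolve the same way the protected host does)."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        already_have = len(stream) - seq
        if already_have < 0:
            raise ValueError("gap in stream; retransmission handling out of scope")
        stream.extend(payload[already_have:])
    return bytes(stream)


def normalize_request_line(stream):
    """Decode the HTTP request-target the way a server would: percent-decode
    it and collapse empty, '.' and '..' path segments."""
    first_line = stream.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        return first_line
    method, target = parts[0], unquote_to_bytes(parts[1])
    segs = []
    for seg in target.split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return method + b" /" + b"/".join(segs)


def match_normalized(segments):
    """Normalizing inspector: reassemble, decode, then match."""
    return SIGNATURE in normalize_request_line(reassemble(segments))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("evasion A", EVASION_A), ("evasion B", EVASION_B)):
        print(f"{name:10} raw={match_raw_segments(sample)!s:5} "
              f"fingerprint={flag_evasion_fingerprint(sample)!s:5} "
              f"normalized={match_normalized(sample)}")
```

Run stand-alone, the table shows the point of the release: the raw matcher misses both evasions, the fingerprinting rule raises a false positive on the benign search request and still misses the segmentation case, and only the normalizing inspector matches exactly the two requests that actually carry the signature. Both evasions use nothing beyond standard protocol behaviour (percent-encoding, TCP segmentation), so they cannot be "patched out" without understanding the protocol.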

In the long term, Stonesoft recommends that programmers, designers and Internet standardization authorities take a stricter position against ambiguity in network protocols. Today’s networking problems are more often related to security than to compatibility with obsolete systems. Security issues – especially those related to evasions – are often caused by protocol implementations that try to accommodate several different encoding techniques. Security should be an inherent part of protocol design and standardization, not an afterthought.

New AETs Discovered

Stonesoft R&D continues to work with CERT-FI to disclose more AETs. Compared to the first 23, the new set of recordings will include more advanced and combined AETs working across multiple protocols and layers simultaneously. Because of this, Stonesoft expects the coordination process for the next set of AETs to take more time than the previous set.

The updated CERT-FI advisory is available at http://www.cert.fi/en/reports/2010/vulnerability385726.html. For more information on advanced evasion techniques, please visit www.antievasion.com.
