On December 15, 2010, CERT-FI released its advisory after giving network security vendors ample time to research AETs, find remediations and issue statements about the threat. According to the advisory, only a few vendors have provided statements identifying fixed versions.
“We, like everyone else, were expecting the vendor community to respect the process and state whether they are vulnerable to these advanced evasion techniques or not. Moreover, if they are vulnerable, they should state when and how they will update their systems to provide protection against these AETs,” said Juha Kivikoski, chief operating officer at Stonesoft.
“It seems that in many cases the fixes that have been provided by vendors address the evasions only by terminating suspicious connections based on the specific parameters used in the samples. In effect, this causes traffic disruptions and fails to protect against the evasions when they are even trivially modified,” explains Mika Jalava, chief technology officer at Stonesoft. “The correct way would be to understand the protocol and normalize it before inspection. It is not enough to fingerprint for evasions themselves, as they are easily modified to thwart simple matching. This kind of detection is also prone to false positives. Many of the evasion methods are basically protocol features that are allowed by today’s standards. Simply detecting and preventing any traffic that might be utilizing evasions to hide attacks does not tell the administrator anything about the actual exploits.”
StoneGate Protection
Inspection-based network security systems must understand the different protocol layers the same way end hosts decode them. As new evasion techniques evolve, the functionality responsible for this task, the normalization engine, must evolve with them. Stonesoft's StoneGate IPS solutions, as well as firewalls with deep inspection capabilities, are fully and remotely upgradable, including all levels of network traffic normalization. Furthermore, they are not bound to specific hardware implementations.
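The contrast drawn above between fingerprinting evasions and normalizing the protocol before inspection, shown as an added example (this is illustrative code written for this page, not Stonesoft's or StoneGate's normalization engine). It models one constructed HTTP request whose telltale string is percent-encoded and split across out-of-order, overlapping TCP segments, all of which are legitimate protocol behaviour. The request, the content signature "/etc/passwd", and the assumption that the protected host keeps the most recently received copy of overlapping TCP data are all constructed for the example.

```python
"""Normalize-then-inspect versus raw matching versus evasion fingerprinting.

Constructed scenario (not from any real capture): a request carrying
"/etc/passwd" is percent-encoded and delivered as out-of-order TCP
segments, with one offset sent twice (junk first, real bytes second).
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_to_bytes

SIGNATURE = b"/etc/passwd"  # constructed content signature, not a real IPS rule
REQUEST = b"GET /cgi-bin/view?f=%2Fetc%2Fpasswd HTTP/1.0\r\n\r\n"  # constructed


@dataclass(frozen=True)
class Segment:
    seq: int     # byte offset of this segment within the TCP stream
    data: bytes


def evasive_stream() -> List[Segment]:
    """REQUEST split and reordered, with an overlapping junk segment.

    Assumption for this example: the target host keeps the most recently
    received copy of a twice-sent byte range, so the junk copy is discarded
    by the host but kept by any inspector that favours the first copy.
    """
    return [
        Segment(13, REQUEST[13:24]),   # "view?f=%2Fe"
        Segment(24, b"X" * 7),         # junk copy of offsets 24..30, arrives first
        Segment(31, REQUEST[31:]),     # "sswd HTTP/1.0\r\n\r\n"
        Segment(0, REQUEST[0:13]),     # "GET /cgi-bin/" arrives late
        Segment(24, REQUEST[24:31]),   # "tc%2Fpa" overwrites the junk on the host
    ]


def benign_stream() -> List[Segment]:
    """A harmless request that also uses percent-encoding (constructed)."""
    return [Segment(0, b"GET /docs/hello%20world.html HTTP/1.0\r\n\r\n")]


def match_segments_raw(segments: List[Segment]) -> bool:
    """Per-segment pattern matching on the wire bytes: never sees the string."""
    return any(SIGNATURE in s.data for s in segments)


def flag_evasion_features(segments: List[Segment]) -> bool:
    """'Fingerprint the evasion': flag overlaps or percent-encoding.

    Says nothing about which exploit is carried, and fires on harmless
    traffic that uses the same standards-compliant protocol features.
    """
    seen: Dict[int, bool] = {}
    overlap = False
    for s in segments:
        for off in range(s.seq, s.seq + len(s.data)):
            if off in seen:
                overlap = True
            seen[off] = True
    encoded = any(b"%" in s.data for s in segments)
    return overlap or encoded


def reassemble(segments: List[Segment], overlap_policy: str = "last") -> bytes:
    """Host-style TCP reassembly in arrival order.

    overlap_policy selects which copy of a twice-sent byte survives
    ("last" or "first"); to be useful it must match the protected host.
    Reassembly stops at the first hole in the sequence space.
    """
    stream: Dict[int, int] = {}
    for s in segments:
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if overlap_policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def normalize_request_target(stream: bytes) -> bytes:
    """Percent-decode the request-target as an HTTP server would before inspection."""
    request_line, sep, rest = stream.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) >= 2:
        parts[1] = unquote_to_bytes(parts[1])
    return b" ".join(parts) + sep + rest


def inspect_normalized(segments: List[Segment], overlap_policy: str = "last") -> bool:
    """Reassemble like the host, decode like the server, then match."""
    return SIGNATURE in normalize_request_target(reassemble(segments, overlap_policy))


if __name__ == "__main__":
    evasive = evasive_stream()
    print("raw per-segment match:        ", match_segments_raw(evasive))
    print("evasion fingerprint (attack): ", flag_evasion_features(evasive))
    print("evasion fingerprint (benign): ", flag_evasion_features(benign_stream()))
    print("normalized, host policy:      ", inspect_normalized(evasive, "last"))
    print("normalized, wrong policy:     ", inspect_normalized(evasive, "first"))
```

Run stand-alone, the raw matcher misses the attack, the evasion fingerprint blocks both the attack and the harmless request without naming any exploit, and the normalizing inspector catches the attack only when its overlap policy agrees with the host's; with the wrong policy it reassembles the junk copy and misses, which is the point of decoding protocols "the same way end hosts decode them".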
In the long term, Stonesoft recommends programmers, designers and Internet standardization authorities take a more strict position against ambiguity in network protocols. Today’s networking problems are more often related to security than compatibility with obsolete systems. Often security issues – especially those related to evasions – are caused by protocol implementations that try to conform to different encoding techniques. Security should be an inherent part of protocol design and standardization, not an afterthought.
New AETs Discovered
Stonesoft R&D continues to work with CERT-FI to disclose more AETs. Compared to the first 23, the new set of recordings will include more advanced and combined AETs working across multiple protocols and layers simultaneously. Because of this, Stonesoft expects the coordination process for the next set of AETs to take more time than the previous set.
The updated CERT-FI advisory is available at http://www.cert.fi/en/reports/2010/vulnerability385726.html. For more information on advanced evasion techniques, please visit www.antievasion.com.