The discovery of AETs was first reported in October 2010. Since that time, Stonesoft has continued extensive research in the area, which has led to the discovery of 124 new threats. Stonesoft continues to research AETs found in its R&D laboratories and in the wild.
Many vendors claimed to have “fixed” the product vulnerabilities disclosed in CERT-FI’s initial advisories on the 23 AETs discovered last fall. However, real-life testing in Stonesoft’s research lab confirms that AETs are still able to penetrate many of these systems without detection. In other cases, small changes to an AET, such as altering the segment size or the segmentation offset, are enough to bypass the product’s detection capabilities. This demonstrates that most vendors are only providing temporary and inflexible fixes to the growing AET concern, rather than researching and solving the fundamental architecture issues that give rise to these vulnerabilities.
“It seems that those who claim to have 100 percent protection against advanced evasion techniques do not really understand the magnitude of the problem nor have they done enough research around the issue. The discoveries made so far are only the tip of the iceberg,” says Joona Airamo, chief information security officer at Stonesoft.
Traditional and advanced evasion techniques have become of increasing concern to the network security community. In its Network IPS Group Test Q4 2010, independent testing lab NSS Labs described IP fragmentation and TCP segmentation evasions as a grave threat stating “if an attacker can avoid detection by fragmenting packets or segmenting TCP streams, an Intrusion Prevention System will be completely blind to ALL attacks.”
“Missing an evasion means a hacker can use an entire class of exploits to circumvent a security product, rendering it virtually useless,” said Rick Moy, president, NSS Labs. “Combining certain evasions further increases the likelihood of success for attackers, and elevates the risk to enterprises.”
While there is no single solution to eliminating the threat of AETs, organisations can mitigate the risks and lessen their vulnerability. One such way is making sure the security devices they use perform proper multilayer normalisation, reassembling and decoding traffic on all relevant protocol layers (IP fragments, TCP segments and the application-layer encodings above them) for each connection, so that detection runs on the data the target host will actually see rather than on individual packets as they arrive on the wire. Centralised management is also critical as it enables constant updates and upgrades to be made deep within a network’s security architecture. Unfortunately, fingerprinting and signature-based matching, the typical security responses for the actual exploits, do not work against the dynamic, combinatory and constantly evolving nature of AETs, because a single exploit can be delivered in a practically unbounded number of fragmentations and encodings.
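To make the normalisation point concrete, here is an added example that is not Stonesoft's code and not part of the original release. It models one layer only, TCP segmentation: a signature engine that inspects each segment in isolation misses a pattern split across two segments, while an engine that first reassembles the stream finds it. It also goes one step beyond the text to show why a fixed overlap policy is not enough: an attacker can retransmit the same sequence range with different bytes, and the IPS only sees what the target sees if its overlap policy matches the host's. The signature, the payload, the segment numbering and the two policies are constructed for illustration.

```python
"""Constructed example: per-packet signature matching vs. stream normalisation.

Nothing here is taken from a real IPS; the signature, payload, sequence
numbers and overlap policies are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List

# Constructed pattern a signature engine would look for.
SIGNATURE = b"GET /cgi-bin/evil.sh"


@dataclass
class Segment:
    seq: int      # relative TCP sequence number of the first byte
    data: bytes


def naive_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Per-packet matching: each segment is inspected on its own."""
    return any(signature in s.data for s in segments)


def normalise_stream(segments: List[Segment], policy: str = "first") -> bytes:
    """Reassemble a TCP stream from out-of-order, overlapping segments.

    `policy` decides whose bytes win when two segments cover the same
    sequence range: "first" keeps the copy that arrived first, "last" the
    most recent. Only the contiguous prefix (no holes) is returned, since
    that is all the receiving application could have consumed so far.
    """
    if not segments:
        return b""
    base = min(s.seq for s in segments)
    end = max(s.seq + len(s.data) for s in segments)
    buf = bytearray(end - base)
    filled = [False] * (end - base)
    for s in segments:                  # list order == arrival order
        for i, byte in enumerate(s.data):
            off = s.seq - base + i
            if policy == "first" and filled[off]:
                continue                # keep the earlier copy
            buf[off] = byte             # "last": overwrite
            filled[off] = True
    contiguous = 0
    while contiguous < len(filled) and filled[contiguous]:
        contiguous += 1
    return bytes(buf[:contiguous])


def normalised_match(segments: List[Segment], signature: bytes = SIGNATURE,
                     policy: str = "first") -> bool:
    """Match against the reassembled stream instead of individual packets."""
    return signature in normalise_stream(segments, policy)


def segment_payload(payload: bytes, cut: int, seq0: int = 1000) -> List[Segment]:
    """Segmentation evasion: split the payload at `cut` (inside the
    signature) and deliver the second half before the first."""
    return [Segment(seq0 + cut, payload[cut:]), Segment(seq0, payload[:cut])]


def overlap_evasion(seq0: int = 1000) -> List[Segment]:
    """Overlap evasion: the middle of the signature is sent twice for the
    same sequence range, first as junk, then as the real bytes. An IPS that
    honours the first copy sees junk; a host that honours the last copy
    runs the exploit."""
    junk = b"X" * 8
    real = SIGNATURE[4:12]                      # b"/cgi-bin"
    return [
        Segment(seq0, SIGNATURE[:4]),           # b"GET "
        Segment(seq0 + 4, junk),                # junk for bytes 4..11
        Segment(seq0 + 4, real),                # real bytes for 4..11
        Segment(seq0 + 12, SIGNATURE[12:]),     # b"/evil.sh"
    ]


if __name__ == "__main__":
    split = segment_payload(SIGNATURE, cut=10)
    print("split, per-packet  :", naive_match(split))
    print("split, normalised  :", normalised_match(split))
    ov = overlap_evasion()
    print("overlap, per-packet:", naive_match(ov))
    print("overlap, policy=first:", normalised_match(ov, policy="first"))
    print("overlap, policy=last :", normalised_match(ov, policy="last"))
```

The second case is the one that matters for the "changing the segmentation offset" observation above: the reassembled bytes differ depending on which copy of an overlapping range the engine believes, so a normaliser has to apply the same policy as the protected host (or be told what that host is), and it has to do this at every layer where overlap or fragmentation is possible, not just TCP.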
Bob Walder, research director at Gartner, Inc., who discussed AETs at length in his November 2010 report entitled Advanced Evasion Techniques (AET): Weapon of Mass Destruction or Absolute Dud, comments: “Evasion techniques are not new, yet still present a credible threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Recent research has, thankfully, forced this issue once again into the spotlight, and network security vendors need to devote the research and resources to finding a solution.”
Stonesoft has also released packet capture descriptions for several of the AETs originally disclosed to CERT-FI in 2010, which can be viewed here. For information on how to protect against AETs, please visit www.antievasion.com or www.stonesoft.com.