In association with heise online

21 October 2010, 16:31

Alarms for online networks largely useless

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Stonesoft, a vendor of intrusion detection and prevention systems (IDS / IPS), has been making headlines recently with claims about a new danger allegedly stemming from "Advanced Evasion Techniques" (AETs), which the firm says are a threat to nearly all corporate, bank and military data. Yet Stonesoft is merely reiterating what critics of these products have been saying for some time now: they are nearly worthless because they are fairly easy to get around.

Apparently, a number of technicians at Stonesoft sat down and systematically tested ways to get past these alarm systems for online networks, such as through using exotic options in the TCP / IP stack. In general, attackers can craft packets so that the IDS / IPS completely ignores, or at least does not recognise, the malicious content. One classic evasion technique is to fragment and distribute the exploit over several of packets, each of which seems harmless. The IDS only sees individual bytes, which exploit signatures cannot detect, but the recipient puts the fragments back together again, essentially activating the attack. These days, all IDS products detect this simple trick.

However, Stonesoft experts found that their own products and those from the competition can all be gotten around by similar means, especially if individual evasion techniques are cleverly combined. The firm quickly responded by making a virtue of necessity – it claimed that advanced evasion techniques are a new threat, and it, of course, has the solution: Æntievasion, which will soon be available exclusively from Stonesoft. All StoneGate appliances are already reportedy "anti-evasion ready."

Yet, it's hardly news to experts that IPS / IDS systems are not completely fail-safe. Admittedly, the firm's systematic analysis of the TCP / IP stack may have revealed a number of previously undocumented evasion tricks and the possibility of combining them with an easy-to-use tool, all of which will step up research on the issue considerably. On the other hand, comparable evasion techniques have been talked about and demonstrated for more than 10 years. Those who wish to protect themselves from exploits of security holes therefore have only one option: patch them. Indeed, some critics joke that no one has bothered to come up with more complex evasion techniques because the simple ones work so well. Whatever the case, the danger is certainly nothing new.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit