IPS needs to become more aware of advanced evasion techniques

Now, to prove its point, Stonesoft has made available a paper produced by the University of South Wales on the Effectiveness of blocking evasions in Intrusion Prevention Systems. It concludes, “In this experiment we have shown that some of the IPS installed and available offer limited protection against attacks using advanced evasion techniques.”

The experiment included appliances from Sourcefire, IBM, PaloAlto, Fortigate, McAfee, Checkpoint, Juniper, Cisco and Stonesoft, and used two ‘old’ vulnerabilities (CVE-2008-4250 and CVE-2004-1315) that should be stopped by any fully patched IPS appliance. Indeed, all of the devices were effective at stopping simple attacks against these vulnerabilities; but it was a different result when Stonesoft’s Evader (a tool specifically developed to employ basic evasion techniques) was used.

The paper describes an evasion technique. IPS appliances, it explains, are designed to take action when they detect an intrusion – but “they may not be able to recognize attacks when a payload, the part of the virus performing the malicious action, has been broken down into multiple packets.” In these circumstances, it becomes ‘invisible’ until it is through the IPS and “the receiving host has correctly amassed the payloads and reconstructed the information.” The report points out that “An undetectable evasion creates the perfect opportunity for a successful intrusion which can then be used at a later stage, either to exfiltrate data or to use as a resource in a botnet.”
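As an added illustration of the fragmentation point above (example code written for this page, not from the University of South Wales paper or any vendor’s product): a naive per-packet signature check misses a pattern that has been cut across packets, while reassembling the stream the way the receiving host does, including out-of-order and overlapping delivery, recovers it. The signature and traffic below are constructed for the example.

```python
from typing import Iterable, List, Tuple

# Constructed signature: an invented marker string, not a real exploit pattern.
SIGNATURE = b"MARKER-PATTERN"
Segment = Tuple[int, bytes]  # (stream offset, payload bytes)


def per_packet_match(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Naive IPS behaviour: inspect each packet in isolation."""
    return any(sig in data for _, data in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream the receiving host will deliver.

    Segments may arrive out of order or overlap; bytes already buffered win
    (one common host policy). Reassembly stops at the first gap, so nothing is
    matched across data the host could not have delivered either.
    """
    buf = bytearray()
    for off, data in sorted(segments, key=lambda s: s[0]):
        if off > len(buf):
            break  # gap in the stream
        buf.extend(data[len(buf) - off:])  # drop the overlapping prefix
    return bytes(buf)


def stream_match(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Reassembly-aware inspection: match against the rebuilt stream."""
    return sig in reassemble(segments)


def split_into_segments(stream: bytes, sizes: List[int]) -> List[Segment]:
    """Cut a constructed stream into (offset, data) segments of the given sizes."""
    segs, off = [], 0
    for n in sizes:
        segs.append((off, stream[off:off + n]))
        off += n
    if off < len(stream):
        segs.append((off, stream[off:]))
    return segs


# Constructed traffic: the marker is cut across three segments, delivered out of order.
STREAM = b"GET /index.html " + SIGNATURE + b" HTTP/1.0\r\n"
FRAGMENTS = split_into_segments(STREAM, [20, 7, 5])
OUT_OF_ORDER = [FRAGMENTS[2], FRAGMENTS[0], FRAGMENTS[3], FRAGMENTS[1]]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(OUT_OF_ORDER))  # False
    print("stream match:", stream_match(OUT_OF_ORDER))  # True
```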

The test itself showed that out of 2759 attack attempts against vulnerability CVE-2008-4250, the majority of devices stopped 98.6% or more. Only Sourcefire was lower, at 93.33%. The top two devices were Cisco (99.9% success) and Stonesoft (99.6%).

However, the appliances were less successful when evasion techniques were used against vulnerability CVE-2004-1315. This time the top two appliances were Stonesoft (stopping 99.7% of 2638 attack attempts) and Fortigate (stopping 99.2%). None of the remaining seven appliances stopped more than 66% of the attacks, with McAfee faring worst at 50.1%.

“Evasion techniques are a recognized problem in network security,” concludes the University of South Wales paper. “Advanced Evasion Techniques, on the other hand, are overlooked by many in the IPS industry, which is leading to attacks that are hard to detect.” It warns, “even the success of one single evasion is enough to allow an active payload through, placing a network and the information it contains at risk.” The report, it says, “should be a wider call to the network security community that IPS systems need to become more aware and reactive in relation to the use of possible evasion techniques, exploiting both previous and current vulnerabilities, during an attack.”
