<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Coverage for New IPS Evasion Techniques in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14747#M10828</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&amp;nbsp; at the link below there is a video demonstration that shows how Palo Alto doesn't cover ADVANCED EVASION TECHNIQUES&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.antievasion.com/"&gt;http://www.antievasion.com/&lt;/A&gt;&lt;SPAN&gt; &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please can you tell me how we can answer this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 19 Oct 2010 10:08:33 GMT</pubDate>
    <dc:creator>helpdesk</dc:creator>
    <dc:date>2010-10-19T10:08:33Z</dc:date>
    <item>
      <title>Coverage for New IPS Evasion Techniques</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14746#M10827</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="p1"&gt;Stonesoft recently reported multiple IPS evasion techniques that can be used to evade detection by IPS/IDS devices. We will be releasing signatures to detect most of the evasions in our content release tomorrow. More details will be posted on this thread.&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p2"&gt;Stonesoft Press Release:&lt;/P&gt;&lt;P class="p3"&gt;&lt;SPAN class="s1"&gt;&lt;A href="http://www.stonesoft.com/en/press_and_media/releases/en/2010/18102010-2.html"&gt;http://www.stonesoft.com/en/press_and_media/releases/en/2010/18102010-2.html&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p2"&gt;Report from CERT-FI: (CERT-FI is the Finnish Computer Emergency Response Team)&lt;/P&gt;&lt;P class="p3"&gt;&lt;SPAN class="s1"&gt;&lt;A class="active_link" href="http://www.cert.fi/en/reports/2010/vulnerability385726.html"&gt;http://www.cert.fi/en/reports/2010/vulnerability385726.html&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p3"&gt;&lt;/P&gt;&lt;P class="p3"&gt;Thanks,&lt;BR /&gt;Sandeep&lt;/P&gt;&lt;P class="p3"&gt;&lt;/P&gt;&lt;P class="p3"&gt;Threat Prevention Product Manager, Palo Alto Networks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Oct 2010 18:53:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14746#M10827</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-10-18T18:53:06Z</dc:date>
    </item>
    <item>
      <title>Re: Coverage for New IPS Evasion Techniques</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14747#M10828</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&amp;nbsp; at the link below there is a video demonstration that shows how Palo Alto doesn't cover ADVANCED EVASION TECHNIQUES&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.antievasion.com/"&gt;http://www.antievasion.com/&lt;/A&gt;&lt;SPAN&gt; &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please can you tell me how we can answer this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Oct 2010 10:08:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14747#M10828</guid>
      <dc:creator>helpdesk</dc:creator>
      <dc:date>2010-10-19T10:08:33Z</dc:date>
    </item>
    <item>
      <title>Re: Coverage for New IPS Evasion Techniques</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14748#M10829</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="p2"&gt;We have coverage for known evasion techniques or any combination thereof. I don't have full details on the test that was conducted in the demo, e.g., what evasions were used, what the content release version on our device was, etc.; as such, I cannot comment specifically on the test. However, we did identify some new evasions, coverage for which is being added in today's content release.&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p2"&gt;Let me know if you have any further questions,&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p2"&gt;Thanks,&lt;/P&gt;&lt;P class="p2"&gt;Sandeep&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Oct 2010 17:21:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14748#M10829</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-10-19T17:21:18Z</dc:date>
    </item>
    <item>
      <title>Re: Coverage for New IPS Evasion Techniques</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14749#M10830</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="p1"&gt;Addendum to my earlier reply...&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p1"&gt;The test conducted by Stonesoft used some evasions for which we did not have coverage (which is obvious; otherwise we would have triggered on the attack. Mea Culpa.) Coverage for those evasions was added in a couple of days in content release 212. Having said that, I would like to reiterate that we have coverage for both standard evasions and a combination of evasions (being called AETs, or advanced evasion techniques). I would also like to make it clear that AETs are not something new; in fact, these are old techniques packaged with a new terminology, e.g., it is common to see HTTP-based exploits using small TCP byte segments (TCP stream segmentation evasion) along with fragmented IP packets (IP Fragmentation evasion).&lt;/P&gt;&lt;P class="p2"&gt;&lt;/P&gt;&lt;P class="p1"&gt;NSS Labs, an independent testing lab, tested our product a few months back for security effectiveness and found that we had 100% coverage for evasions. Note that NSS Labs conducted a similar test last year when they tested IPS products from several vendors (including Stonesoft) and Stonesoft failed on 3 evasion tests (TCP Stream Segmentation, RPC Fragmentation and URL Obfuscation). In full disclosure, they did pass 2 evasion tests (IP Fragmentation and FTP Evasion). From an overall security effectiveness standpoint, we blocked 93.4% of the attacks that were thrown at our device. Stonesoft in a similar test blocked only 62.9% of the attacks. Also, new evasions and vulnerabilities are discovered regularly, e.g., yesterday Adobe released a security advisory for a critical zero-day vulnerability in Adobe Flash Player. We released a signature to cover that attack earlier today which will drop any malicious traffic.&lt;/P&gt;&lt;P class="p2"&gt;&lt;/P&gt;&lt;P class="p1"&gt;Ultimately, it is the timeliness and overall quality of signatures that matters.&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p1"&gt;If there are questions, please feel free to ask.&lt;/P&gt;&lt;P class="p1"&gt;&lt;/P&gt;&lt;P class="p1"&gt;Thanks,&lt;BR /&gt;Sandeep&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 30 Oct 2010 01:28:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/coverage-for-new-ips-evasion-techniques/m-p/14749#M10830</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-10-30T01:28:31Z</dc:date>
    </item>
  </channel>
</rss>

