Coverage for New IPS Evasion Techniques

cancel
Showing results for 
Search instead for 
Did you mean: 

Coverage for New IPS Evasion Techniques

L0 Member

Stonesoft recently reported multiple IPS evasion techniques that can be used to evade detection by IPS/IDS devices. We will be releasing signatures to detect most of the evasions in our content release tomorrow. More details will be posted on this thread.

Stonesoft Press Release:

http://www.stonesoft.com/en/press_and_media/releases/en/2010/18102010-2.html

Report from CERT-FI: (CERT-FI is the Finnish Computer Emergency Response Team)

http://www.cert.fi/en/reports/2010/vulnerability385726.html

Thanks,
Sandeep

Threat Prevention Product Manager, Palo Alto Networks

3 REPLIES 3

L1 Bithead

Hi,  the link below there is a video demostration that show how paloalto doesn't cover ADVANCED EVASION TECHNIQUES

http://www.antievasion.com/

Please can you tell me how we can answer to this?

Regards

We have coverage for known evasion techniques or any combination thereof. I don't have full details on the test that was conducted in the demo e.g., what were the evasions used, what was the content release version on our device etc. as such I cannot comment specifically on the test. However, we did identify some new evasions, coverage for which are being added in today's content release.

Let me know if you have any further questions,

Thanks,

Sandeep

Addendum to my earlier reply...

The test conducted by Stonesoft used some evasions for which we did not have coverage for (which is obvious otherwise we would have triggered on the attack. Mea Culpa.) Coverage for those evasions was added in a couple of days in content release 212. Having said that, I would like to reiterate that we have coverage for both standard evasions and a combination of evasions (being called as AETs or advanced evasion techniques). I would also like to make it clear that AETs are not something new, in fact these are old techniques packaged with a new terminology e.g., it is common to see HTTP-based exploits using small TCP byte segments (TCP stream segmentation evasion) along with fragmented IP packets (IP Fragmentation evasion).

NSS Labs, an independent testing lab, tested our product a few months back for security effectiveness and found that we had 100% coverage for evasions. Note that NSS Labs conducted a similar test last year when they tested IPS products from several vendors (including Stonesoft) and Stonesoft failed on 3 evasion tests (TCP Stream Segmentation, RPC Fragmentation and URL Obfuscation). Full disclosure in that they did pass 2 evasion tests (IP Fragmentation and FTP Evasion). From an overall security effectiveness, we blocked 93.4% attacks that were thrown at our device. Stonesoft in a similar test blocked only 62.9% attacks. Also, new evasions and vulnerabilities are discovered regularly e.g., yesterday Adobe released a security advisory for a critical zero-day vulnerability in Adobe Flash Player. We released a signature to cover that attack earlier today which will drop any malicious traffic.

Ultimately, it is the timeliness and overall quality of signatures that matters.

If there are questions, please feel free to ask.

Thanks,
Sandeep

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!