IPS Evasion

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPS Evasion

Not applicable

So are the techniques used in the following article realistic?

http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137

Palo Alto's PAN-OS 5.0 made it a bit harder, compared to the others at least.

7 REPLIES 7

L6 Presenter

PA has already today a farily high hitrate (according to NSS Labs) of various obfuscation techniques and other methods to bypass IPS functionality - however new applications and protocols will continue to develop and so will the techniques to bypass IPSes.

And as long as PA continue to fix and update their software PA will continue to be among the TOP 5 or so in both NGFW and IPS field.

However as with all configuration some of the bypass possibilities is due to how the firewall is actually being setup.

For example if you want to allow your clients to visit http sites which isnt categorized yet?

First thing to remember is that application identification (which is somewhat the main reason most chooses to PA I would assume) isnt foolproof and will on its own, depending on application, let one or more packets through before the appid is sucessfully identified. Thats why you should use "application-default" as service unless you can specifiy the port or portrange to use.

Along with fighting to identify bad stuff on the network and identify the good stuff there is also a fight of not having falsepositives.

One example is if you transfer a file using ftp containing a http-header. In this case this transmission should be identified as ftp and not suddently a http request. However if you are in control of the ftp server you can probably make some cleartext tunneling this way, until PA finds out about this and are able to create an IPS signature for this (or even better an appid signature, either by text or by behaviour/heuristic (similar to how bittorrent, skype etc is identified)).

But to sum it up of historical cases:

2.1 Obfuscation:

Look at the appid cache pollution case from last xmas, or similar stuff last autumn (www.what2code.net has a description that affected not only PA but also Checkpoint and Fortigate).

The xmas thing was fixed in:

5.0.2 15 Jan 13

4.1.11 06 Feb 13

4.0.14 12 Feb 13

2.2 Encryption and tunneling

The tunneling part I would say is similar to 2.1. The encryption stuff depends on the configuration of your PA box - if you have ssl decryption enabled or not (and for that matter which url categories do you choose to not decrypt and also if you will allow traffic that cannot be decrypted or not). If we take Sourcefire as example you need to invest into additional hardware to be able to perform SSL-decryption, this is built in and included with the PA box.

2.3 Fragmentation

NSS Labs found in 2011 a split TCP-handshake method to bypass the IPS in PA. Was fixed in 4.0.2 and 3.1.9 (5.0 didnt exist at that time):

https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011....

2.4 Protocol violations

Again similar to 2.1. One example is how *nix vs windows interprets various packets. If im not mistaken *nix identifies the first packets while windows chooses to go by what the last packets says (or if it was the other way around :smileysilly:).

I think this is also highly dependent on which appid's you chooses to allow which I also think is a major component when using PA as IPS because the IPS can interact with the AppID (compared to the workflow in lets say Checkpoint and other products).

Again, AppID isnt foolproof but that doesnt mean you should ignore it. Properly setup a PA (with all its features enabled) will be able to better allow the good stuff and block the bad stuff compared to other vendors in my experience.

There is also other features that in some way could be involved in the IPS work (or more as a IDS) and that is Wildfire. This will become more interresting when the appliance boxes will be released along with capabilities of not only scan and run PE-files (.exe, .dll and .scr) but also Java, Flash, PDF and Office-documents.

Another aspect to this except risk of falsepositives is also performance. Its not fun if you have 10Gbit/s boxes and they can only let through 400Mbit/s or so (or even worser than that) as with some vendors. This doesnt mean that a 10Gbit/s box from PA always has a throughput of 10Gbit/s but generally speaking it seems that the PA hardware design has a higher throughput than many competitors specially when enabling most of the features (most vendors can match their numbers in the datasheets when you have only one "any, any allow" rule at top of your ruleset and all other features, such as IPS, disabled - but when you start to enable stuff like IPS, SSL-termination, AppID etc the performances often drops way below the numbers mentioned in the datasheets).

Notes regarding the report:

According to page 26 they use "default" profile for the IPS in PA. More correct would be to set it up as:

Critical: Block

High: Block

Medium: Block

Low: Default

Informational: Default

This is what NSS Labs did when they went from 56.4% hitrate (default) to 93.4% hitrate (as above "tuned").

They also only had a "any, any allow" rule (and only blocked by "default" in the IPS setting) - meaning no interaction with appid in this case (which probably could block one or more of the evasion techniques on its own).

Apart from the above I do hope some PA people will read the report and implement fixes to handle the evasion techniques described in this report. But also, as the report states, using IPS isnt foolproof. What you need to do is to have as narrow hole for the good traffic as possible and as broad detection of the bad traffic. But also take into account, what if bad stuff will hit the client?

Sometimes corporations chooses to use two webbrowsers (like google chrome for internet and internet explorer or something else for internal use) but since no matter which technique you use to protect yourself approx 5% bad stuff will still be able to bypass and hit the browser I think you should decide that if you do have sensitive data on your internal networks - perhaps those clients shouldnt be able to browse the internet at all? Or at least use a terminalserver solution so if the bad stuff hits the browser then its the terminalserver that gets infected and not the client itself.

And dont forget other attackvectors such as email (both incoming but also outgoing as method of communication for malwares) and the (by now) infamous usb-drives (stuxnet anyone? Smiley Wink). Regarding email one solution can be to allow incoming email but not outgoing. In order to send an you email you must connect to a terminalserver setup from where you can send your emails. This way the bad stuff can get into your network - but hopefully never leave...

I found this presentation on Youtube the other day which is somewhat related to this topic:

http://www.youtube.com/watch?v=XJ0iwnu-sjE

"

Vulnerability Threat Trends

Published on Mar 27, 2013

Dr. Stefan Frei, Research Director at NSS Labs, presents key findings from an analysis of publicly-available vulnerability data found in the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE), identifying industry-wide threats and trends covering the last ten years.

"

What does the test which is shown near the end of that video mean ? there is Paloalto product also on that test.

You mean close to the 09:35 mark?

That shows number of vulnerabilities (exploits) able to bypass the IPS.

The point here is as I described in my comment regarding page 26 from the report that you need to "tune" the defaultprofile from default everything into:

Critical: Block

High: Block

Medium: Block

Low: Default

Informational: Default

If its not possible for you to enable blocking even for Low and Informational aswell (with higher probability of false positives).

So PaloAlto is not very good at this test ? bypass number is higher than many brands.

PaloAlto perhaps isnt best in class (but among TOP5 or so) when you only look at the IPS itself but its not far behind from the one who currently is.

On the other hand a PA is mainly a NGFW with IPS capabilities and not IPS-only (but thanks to VWire or L2-mode it can still be used as IPS-only). However these testresults can show you if you need an additional IPS or not if you already have a PA in place which is (hopefully) properly configured. Another thing to take into account is that SSL-termination capabilities is included with PA where with, for example, Sourcefire you need to buy another expensive box to be able to handle SSL-based threats.

The test also shows that no matter which IPS you use (or combinations) - there will always be threats that can bypass which boils down to that you need a proper design of how, for example, webbrowsing should be allowed or not from the same hardware that at the same time is handling sensitive information related to your company/organisation.

I didnt manage to find a copy of the 2012 report from NSS Labs (anyone who knows if PA perhaps licensed it to publish it in public?) but I do have the 2010 year testresults of PA-4020 in the IPS-testing (which was/is publish in PA public site).

Back in 2010 the result for PA (in IPS test made by NSS Labs, 1179 exploits tested) was:

Default configuration block rate: 56.4%

Tuned configuration block rate: 93.4%

and split up by attack vector:

Attacker initiated

Default configuration block rate: 49%

Tuned configuration block rate: 89%

Target initiated

Default configuration block rate: 64%

Tuned configuration block rate: 97%

So if you use the above attacks through a SSL-connection the PA box would find 97% of target initiated threats where Sourcefire would find 0% unless you buy that additional box to perform SSL-termination.

Another thing to take into account is the performance when you use various IPS settings.

For example on a Checkpoint (with their builtin IPS) you are basically forced to use "Recommended" setting which wont find that many threats. If you want to block all known IPS signature (as with PA if you set all severity levels into Block) then the performance drops dramatically.

I have also read a testreport where Sourcefire IPS was involved and that stated a throughput of approx 400Mbit/s (using 10Gbit/s links) for HTTP-traffic - I have no idea if that box is badly configured or not but if it isnt it probably means that using IPS for "critical" high bandwidth applications would result in that the IPS would be bypassed for performance reasons and then you are down to 0% hitrate again.

And, as you most likely already know, how many IPSes are actually put in block mode? When you use IPS internally (like for the datacenter) there is a chicken race between finding and stopping malware vs. availability of the applications. Which is not uncommon that this IPS you bought suddently only is configured as a IDS. And for an IDS to be effective (that is IPS runned as IDS) you need to have someone looking at the logs and take action as soon as possible when a threat is detected unless you use it only for reporting purposes.

Thanks for detailed explanation.

  • 3626 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!