10-02-2014 10:23 AM
Could someone elaborate on the section which says:
All PAN-OS devices require a configuration change to detect even the most basic TCP stream segmentation evasions. The “Mismatched overlapping TCP segment” protection in the Zone Protection profile is not enabled by default, which allows attackers to bypass the device completely using TCP stream segmentation with overlapping data evasion techniques. NSS strongly recommends that this protection is always enabled – any PAN customer that has not checked this box is at extreme risk.
I've not come across this and would like to know if it's suggested to enable it?
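To make the quoted NSS finding concrete, here is an added example that is not from this thread and not Palo Alto Networks code: a toy TCP stream reassembler in Python. It shows why overlapping segments whose bytes disagree are a problem for any inline inspection device: depending on whether the reassembler keeps the first or the last copy of an overlapped byte (the policy names "first" and "last" are this example's own labels, not PAN-OS settings), the same segments produce two different streams, so a device that picks one policy while the endpoint picks the other inspects a stream the endpoint never sees. It also shows the check a defender actually wants: flag only overlaps where the data differs, since identical overlaps are ordinary retransmissions and blocking those would break legitimate traffic. The segments below are constructed sample data.

```python
"""Toy TCP reassembly with a mismatched-overlap check (added example).

Assumptions: relative sequence numbers, one direction of one connection,
no wraparound handling. This illustrates the inspection problem; it does
not reproduce how PAN-OS implements the Zone Protection check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # stream offset of the first payload byte
    data: bytes  # payload carried by this segment


def find_mismatched_overlaps(segments):
    """Return (offset, first_byte, later_byte) for every stream offset
    that two segments cover with DIFFERENT data.

    Overlaps carrying identical bytes (plain retransmissions) are not
    reported, which is what keeps this check from breaking normal traffic.
    """
    seen = {}
    conflicts = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                conflicts.append((off, seen[off], b))
            seen.setdefault(off, b)
    return conflicts


def reassemble(segments, policy="first"):
    """Rebuild the byte stream under one overlap policy.

    policy="first": the byte that arrived first wins for an overlapped offset.
    policy="last":  a later segment overwrites the earlier byte.
    Offsets no segment covered are filled with b'?' so the gap stays visible.
    """
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first":
                stream.setdefault(off, b)
            elif policy == "last":
                stream[off] = b
            else:
                raise ValueError(f"unknown policy {policy!r}")
    if not stream:
        return b""
    return bytes(stream.get(o, ord("?")) for o in range(max(stream) + 1))


def inspect_session(segments, drop_mismatched=True):
    """Defender-side decision: if any overlapped bytes disagree, refuse to
    guess which copy the endpoint will use and drop the session instead.
    Returns (stream_or_None, conflicts)."""
    conflicts = find_mismatched_overlaps(segments)
    if conflicts and drop_mismatched:
        return None, conflicts
    return reassemble(segments, "first"), conflicts


# Constructed sample 1: a benign retransmission, overlap bytes are identical.
BENIGN = [Segment(0, b"GET /index"), Segment(4, b"/index.html")]

# Constructed sample 2: overlapping segments that disagree on offsets 2 and 3.
CONFLICTING = [Segment(0, b"AAAA"), Segment(2, b"BBBB")]

if __name__ == "__main__":
    print("benign conflicts:", find_mismatched_overlaps(BENIGN))
    print("benign stream:  ", reassemble(BENIGN))
    print("first-wins:     ", reassemble(CONFLICTING, "first"))
    print("last-wins:      ", reassemble(CONFLICTING, "last"))
    print("inspect:        ", inspect_session(CONFLICTING))
```

Running it prints two different streams for the same conflicting segments (first-wins `b"AAAABB"`, last-wins `b"AABBBB"`), which is exactly the ambiguity the NSS text refers to, while the benign retransmission reassembles cleanly with no conflicts reported. Enabling a mismatched-overlap protection corresponds to the `drop_mismatched=True` branch: the device drops what it cannot interpret unambiguously rather than picking a policy and hoping it matches the receiving host.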
10-02-2014 10:32 AM
Hi NetworkAdmin,
You can find the following document to answer some of your questions:
Thank you.
10-03-2014 05:56 AM
I had thought about posting that same report in hopes of seeing / hearing other thoughts.
This video was also ... interesting to say the least.
Note: I understand this appears to be a CheckPoint smear channel, it's still interesting to see the vulnerability.
10-03-2014 06:15 AM
Nothing new (2010):
Advanced evasion techniques - Laboratory demonstration - YouTube
10-06-2014 06:51 AM
Hello,
I have tried the attack which is shown in the previously mentioned video (Palo Alto Networks IPS evasion DEMO - NSS Labs - YouTube) and it was not successful over PA. It looks like PA (6.0.5, app&threat 459-2387) is blocking all segmented SMB traffic.
10-07-2014 06:54 AM
I have to add that all I tried was the Conficker attack using the single "smb_seg" evasion as shown in the video, which was stopped using a signature, not normalization. I haven't run Evader in Automatic Evasions mode for 12 hours as shown in the video.
Strangely some messages from hshah and one from me disappeared in this thread.
Hi Lios,
Thanks for the inputs. As I said, PANW first gathers all fragments; if any fragment is missing or overlapping then it simply drops all fragments.
Regards,
Hardik Shah
Then I wrote that it looks like PA is blocking ANY fragmented SMB traffic not just with missing or overlapping fragments.
Hi Lion,
That might be true.
Regards,
Hardik Shah
Interesting, why would it block genuine fragments?
My response (ask PA) is still here.
10-07-2014 06:55 AM
By the way, new video:
PAN Evasion Bypass take 2 - With PAN Best Practices implemented - YouTube
10-29-2014 10:46 AM
So, the fixes are not enough?