+ Post New Thread
Results 1 to 3 of 3
Internet Related/Filtering/Firewall Thread, Stonesoft's "Advanced Evasion Techniques" in Technical; I have been sent some marketing material by a firewall manufacturer called Stonesoft. They make a big deal of blocking ...
  1. #1

    Join Date
    Nov 2011
    Posts
    219
    Thank Post
    262
    Thanked 23 Times in 19 Posts
    Rep Power
    11

    Stonesoft's "Advanced Evasion Techniques"

    I have been sent some marketing material by a firewall manufacturer called Stonesoft. They make a big deal of blocking what they call "advanced evasion techniques" - they say these are a set of different methods to evade the protection against external attacks provided by a modern firewall. They do not seem to provide many details of the methods - they cite the the need for responsible disclosure - what I have found talks about techniques like sending packets deliberately out of order to confuse the IPS. The provide a free test suite to test whether your existing firewall is vulnerable to these technique. I have not tried this yet, has anyone else?

    I am currently looking at new firewalls for my school, and I am not sure whether I should be giving any weight to StoneSoft's claims. There seems some plausibility to what they are saying, but I have found a lack of 3rd party discussion of the issue. Closest I have seen is this stack exchange post from 2010.

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,820
    Thank Post
    110
    Thanked 590 Times in 511 Posts
    Blog Entries
    1
    Rep Power
    226
    The only use I've see for deliberately sending out of order packets is that some firewalls will keel over trying to reassemble the data stream for Deep Packet Inspection. So you can consider it as a DoS technique. As a result most stateful firewalls will throw away out of order packets by default. This will manifest in tcp session timeouts and retrys and will result in poor throughput at the application layer.

    So no, without more information from Stonesoft it just looks like marketing hype to me.

  3. Thanks to Geoff from:

    Jollity (16th December 2012)

  4. #3

    Join Date
    Dec 2012
    Location
    New Jersey
    Posts
    1
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    After reading your post, I wanted to reply to help you understand what Stonesoft is doing and why AETs (Advanced Evasion Techniques) should be a concern to you. Before I start, in the interest of full disclosure I should state that I am a Stonesoft engineer. That said, my aim is only to help you and other readers of your posting understand the true nature of what an AET is and what needs to be done to protect against them.
    An evasion is, as you noted, a deliberate attempt to confuse a security protection system. More precisely, it is the modification of a packet stream so as to prevent a given firewall or IPS from correctly re-constructing the actual data stream being conveyed so that when compared against signatures of malware, no match is found. Simple enough. And an “Advanced Evasion” is the purposeful attempt to do this using multiple evasions at once.
    You mentioned one such evasion – the sending of packets out of order – as being commonly cited. The Evader tool (at Evader | Stonesoft Evader) offers several dozen common evasions that can be tried, as well as a few recommendations for combinations to try to effectively disguise traffic and slip it past current security engines. For example, simply setting the TCP receive window size to 7, which is a perfectly legal parameter to negotiate during session setup, will cause a Cisco engine to completely miss common malware payloads. Some engines do flag small segment size as a potential attack, but all it takes is a few small segments shipped in reverse order to cause a SourceFire system to fail to correctly apply its signatures. Of the 300-plus currently known evasions, which can be combined in approximately 800 million combinations (so I am told by development), it’s not too difficult to find multiple combinations that will work with each common FW and IPS. For a handful of these evasions that is what the Evader utility does… allows you to explore this for yourself. There’s no cost other than your time.
    To be sure, some of the evasions are, strictly speaking, making use of illegal, undefined, or obsolete configuration parameters within the various protocols that might be used. But what is surprising is the number of perfectly legal protocol options – like the use of priority data within TCP or filename obfuscation within SMB (something like …/abc/../xyz) that can cause the software and ASICs in so many security engines real heartburn.
    The solution to the problem is that before any malware signature is compared against a data stream, that data stream must be fully normalized. That is, all the obfuscations must be removed. And it has to be done at all protocol layers together, not sequentially. This can and does increase processor and memory requirements for security engines, as there is no escaping the necessity to fully unwind and completely extract the actual message content, no matter how many packets it is sent in, or their order, or chaff that is injected, or overlapped, or means used to skip data ahead of adjacent bytes in that stream.
    If you like, I reach out to me and I can show you this using real hardware. The company has a rack of current FW and IPS systems pre-configured with their latest updates, and against which we can try various evasion combinations.

    As for the real world risks that evasions present we can only infer. This is because by definition a successful evasion will permit a payload to pass through a security engine without detection. Verizon’s Data Breach report for 2012 provides hints of what is happening, including that the number of attacks has been rising while the number of those incidents detected by targeted firms has been falling. This is not a contradiction but indicative of a world where we all too often find out about breaches after the infection, not during the attempt.

    HTH –
    Darren Suprina

  5. Thanks to dsuprina from:

    Jollity (16th December 2012)

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 20th February 2011, 09:17 PM
  2. Replies: 5
    Last Post: 13th August 2009, 12:56 PM
  3. Good quote...
    By tom_newton in forum General Chat
    Replies: 0
    Last Post: 16th October 2006, 11:38 AM
  4. IC Technology - sign an NDA for a quote?!
    By sahmeepee in forum Bad Experiences
    Replies: 7
    Last Post: 4th July 2006, 10:43 AM
  5. Quote of the day
    By NetworkGeezer in forum *nix
    Replies: 3
    Last Post: 5th May 2006, 09:49 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •