Stonesoft Discloses First Details of Advanced Evasion Techniques

Security vendors have had up to six months to provide security updates against 23 new evasion methods

Stonesoft Press Release, Helsinki, Finland — December 16, 2010 — Stonesoft, an innovative provider of integrated network security and business continuity solutions, today announced the availability of detailed technical descriptions of the first set of Advanced Evasion Techniques (AETs). The first samples, comprising 23 evasion methods and their descriptions, were delivered to CERT-FI in May, September and October 2010. Within the CERT-FI vulnerability coordination process, security vendors have had up to six months to find a way to update their systems against these newly found threats. The technical descriptions of the 23 AETs are available at www.antievasion.com.

Yesterday, 15 December, CERT-FI released its advisory after giving network security vendors up to six months to research AETs, find remediation and give their statement about the threat. According to the advisory, the vendors have provided few statements identifying fixed versions.

“We, like everyone else, were expecting the vendor community to respect the process and state whether they are vulnerable to these Advanced Evasion Techniques or not. Moreover, if they are vulnerable, they should state when and how they will update their systems to provide protection against these AETs,” said Juha Kivikoski, Chief Operating Officer at Stonesoft.

“It seems that in many cases the fixes provided address the evasions only by terminating suspicious connections based on the specific parameters used in the samples, thereby causing traffic disruptions and failing to protect against the evasions when they are trivially modified by changing the values used,” explains Mika Jalava, Chief Technology Officer at Stonesoft. “The correct way, of course, would be to understand the protocol and normalize it before inspection. It is not enough to fingerprint for evasions themselves, as they are easily modified to thwart simple matching. This kind of detection is also prone to false positives. Many of the evasion methods are basically protocol features that are allowed by today’s standards. Moreover, simply detecting and preventing any traffic that might be utilizing evasions to hide attacks does not tell the administrator anything about the actual exploits.”

StoneGate solution and protection
Inspection-based network security systems must understand the different protocol layers the same way end hosts decode them. As new evasion techniques evolve, the functionality responsible for this task, the normalization engine, must evolve with them. Stonesoft’s StoneGate IPS solutions, as well as firewalls with deep inspection capabilities, are fully remotely upgradable, including all levels of network traffic normalization, and are not bound to specific hardware implementations.
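The following is an added illustration, not code from Stonesoft, StoneGate or CERT-FI, of the point made both in the CTO's statement above and in this paragraph: an inspection engine that matches raw bytes, or that fingerprints the parameters of a known evasion sample, behaves differently from one that first reassembles and decodes the traffic the way the end host does. The HTTP requests, the TCP segment layout, the pattern being searched for and all function names are constructed for this example; the segment reassembly deliberately rejects gaps and overlaps rather than inventing a policy, since a real engine must resolve those the same way the destination host does.

```python
"""Added example (not Stonesoft's or CERT-FI's code): three ways an inspection
engine can look for one pattern in HTTP traffic, showing why normalizing the
protocol first (as the end host would) catches legal re-encodings and avoids
the false positives of fingerprinting the evasion itself.
All requests, segments and the pattern below are constructed for this example."""
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Constructed pattern the inspector wants to find in the request target.
PATTERN = b"../"

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream the end host will see from segments that may
    arrive out of order.  Gaps and overlaps raise: a real normalizer must
    resolve them with the destination host's own policy, not guess one."""
    stream = b""
    expected = None
    for seq, payload in sorted(segments):
        if expected is not None and seq != expected:
            raise ValueError(f"gap or overlap at seq {seq}, expected {expected}")
        stream += payload
        expected = seq + len(payload)
    return stream


def request_target(stream: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    first_line = stream.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def normalize_target(target: bytes) -> bytes:
    """Percent-decode exactly once, mirroring what a typical web server does
    before routing.  Decoding 'until stable' would produce a view of the
    request that the host itself never sees."""
    return unquote_to_bytes(target)


def raw_per_segment_match(segments: List[Segment]) -> bool:
    """Approach 1: byte matching on each segment as it arrives."""
    return any(PATTERN in payload for _, payload in segments)


def fingerprint_evasion(segments: List[Segment]) -> bool:
    """Approach 2, the kind of 'fix' the release criticises: flag the specific
    parameters of the sample (here, percent-encoded dots) rather than the
    pattern itself.  Any other legal encoding passes, and legitimate traffic
    that happens to use this encoding is blocked."""
    return b"%2e%2e" in reassemble(segments).lower()


def normalize_then_inspect(segments: List[Segment]) -> bool:
    """Approach 3: reassemble, decode like the host, then match."""
    return PATTERN in normalize_target(request_target(reassemble(segments)))


# Constructed traffic samples: name -> list of (seq, payload).
SAMPLES: Dict[str, List[Segment]] = {
    "plain": [(1, b"GET /../secret.txt HTTP/1.1\r\nHost: example\r\n\r\n")],
    # Same request with percent-encoded dots, a legal encoding per the standard.
    "encoded": [(1, b"GET /%2e%2e/secret.txt HTTP/1.1\r\nHost: example\r\n\r\n")],
    # Legitimate query containing encoded dots but no traversal at all.
    "benign_encoded": [(1, b"GET /search?q=%2e%2e%20dots HTTP/1.1\r\nHost: example\r\n\r\n")],
    # The plain request split across two segments delivered out of order.
    "split": [(7, b"./secret.txt HTTP/1.1\r\nHost: example\r\n\r\n"), (1, b"GET /.")],
}


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """Return {sample: (raw match, fingerprint match, normalized match)}."""
    return {
        name: (raw_per_segment_match(segs), fingerprint_evasion(segs), normalize_then_inspect(segs))
        for name, segs in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (raw, fp, norm) in evaluate().items():
        print(f"{name:15s} raw={str(raw):5s} fingerprint={str(fp):5s} normalized={norm}")
```

Running the block prints one line per sample: only the normalize-then-inspect column is true for the plain, encoded and split requests and false for the benign encoded query, while the raw matcher misses two of the three variants and the fingerprint approach both misses the split request and flags the benign one.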

In the long term, Stonesoft recommends that programmers, designers and Internet standardization authorities take a stricter position against ambiguity in network protocols. Today’s networking problems are more often related to security than to compatibility with obsolete systems. Security issues, especially those related to evasions, are often caused by protocol implementations that try to accept several different encoding techniques. Security should be an inherent part of protocol design and standardization, not an afterthought.

New AETs discovered
Stonesoft R&D continues to work with CERT-FI to disclose more AETs. Compared to the first 23, the new set of recordings will include more advanced and combined AETs working across multiple protocols and layers simultaneously.

Stonesoft expects the coordination process to take longer this time, because the next set of AETs will be more challenging than the previous ones and have not yet been implemented in any publicly available testing tools or included in any certification or testing criteria.

“In the meanwhile, we will continue our research to be able to keep ahead of the cyber criminals and to help organizations protect their digital assets against AETs,” says Kivikoski. “AETs have proven to pose new challenges to intrusion prevention systems, and the security community cannot continue to ignore this threat any longer.”

The updated CERT-FI advisory is available at http://www.cert.fi/en/reports/2010/vulnerability385726.html.

The technical details of the 23 AETs are available at http://www.antievasion.com/principles/principles/part-3.