Wednesday, October 27, 2010

AET Update

Stonesoft held a joint publicity exercise with ICSA Labs last night in the form of a live Q&A session via conference call.

It was fairly embarrassing, given that there was a total of three questions (two from the same person which seemed to confuse evasion techniques with actual exploits), and the whole thing was wrapped up after 25 minutes with most of it being taken up by Stonesoft execs repeatedly denying that this was just a publicity stunt (and still no real details).

So, why was it a bust? Lack of interest or lack of understanding?

Well, given the confusion mentioned above, I suspect a lack of understanding, which is worrying. It is also one reason why I am inclined to forgive Stonesoft this blatant hijacking of the evasion issue: if it continues at least to raise awareness and to force other vendors to take evasion more seriously in their own testing, then it will have been A Good Thing.

So let me clear up the confusion. Evasion techniques are not, in and of themselves, exploits. Any attacker would need a functioning exploit which is already proven to work against the target host. If the host is unpatched and the in-line defences (IPS/NGFW) have no appropriate signature, the exploit will be successful - game over. If the IPS/NGFW has a signature covering the exploit, then it will be blocked - score one for The Good Guys.

This is where evasions come into play, however. Having noted that his exploit has been blocked, the attacker will then begin to use the same exploit coupled with one or more evasion techniques to disguise the exploit and render it invisible to the IPS/NGFW inspection engine. Chances are, right now, it will then work, since so many IPS engines fare so badly against even the most basic evasion techniques.

Note that if the target host has been patched against the exploit, then no amount of evasion will help. This is the key differentiator here - evasion techniques are only good for "cloaking" and delivering an exploit unmolested past an NGFW or IPS. Once your host system is patched against a particular vulnerability, it is safe (until the next one is discovered!).
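To make the distinction concrete, here is an added illustration that is not part of the original post: a constructed marker string stands in for an exploit signature (it is a placeholder, not exploit content), and three toy inspection engines are compared on the same two-segment stream. It goes slightly beyond the text by applying two basic techniques (splitting a match across segments, out-of-order delivery) alone and in combination, which is the sort of combining the post describes; the engine and traffic names are my own.

```python
from dataclasses import dataclass
from typing import List

# Constructed placeholder standing in for an IPS signature; no real exploit content.
SIGNATURE = b"EXAMPLE-EXPLOIT-MARKER"

@dataclass
class Segment:
    seq: int     # TCP-style sequence number: byte offset of this segment in the stream
    data: bytes

def inspect_per_packet(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Weak engine: pattern-matches each segment in isolation."""
    return any(signature in s.data for s in segments)

def inspect_arrival_order(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Slightly better engine: concatenates segments, but in arrival order, ignoring seq."""
    return signature in b"".join(s.data for s in segments)

def inspect_reassembled(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Hardened engine: reorders by seq and reassembles the stream as the target host
    will, then matches on the reassembled bytes (the host's view, not the wire's)."""
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > len(stream):
            raise ValueError("gap in stream; hold data until the missing segment arrives")
        stream += s.data[len(stream) - s.seq:]   # drop bytes overlapping data already held
    return signature in bytes(stream)

def constructed_stream(split_inside_signature: bool, out_of_order: bool) -> List[Segment]:
    """Constructed sample traffic: a harmless request carrying the marker, sent as two
    segments. The flags apply two basic evasion techniques, alone or combined."""
    payload = b"GET /index.html HTTP/1.0\r\nX-Data: " + SIGNATURE + b"\r\n\r\n"
    cut = payload.index(SIGNATURE) + (len(SIGNATURE) // 2 if split_inside_signature else 0)
    segments = [Segment(0, payload[:cut]), Segment(cut, payload[cut:])]
    return segments[::-1] if out_of_order else segments

def compare_engines(split_inside_signature: bool, out_of_order: bool) -> dict:
    """Return which engines still see the signature for a given evasion combination."""
    segs = constructed_stream(split_inside_signature, out_of_order)
    return {"per_packet": inspect_per_packet(segs),
            "arrival_order": inspect_arrival_order(segs),
            "reassembled": inspect_reassembled(segs)}

if __name__ == "__main__":
    for split, ooo in [(False, False), (True, False), (True, True)]:
        print(f"split={split} out_of_order={ooo}: {compare_engines(split, ooo)}")
```

Only the engine that reassembles the stream the way the host does keeps matching once the techniques are combined, which is the test to put to a vendor: the host still gets the same bytes, so a patched host is unaffected either way.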

Take a look at the most recent NSS Labs IPS Group Test Report to get some idea of which IPS products do well against evasions and which do not. Now this is where Stonesoft is to be commended. Because in trying to fix its own problems it went beyond those tools which are freely available to testers and wondered what would happen if it extended a few of the techniques and combined them. The result was the Predator tool and this latest slew of publicity.

It bears repeating that the criticism levelled at Stonesoft to this point is due to a lack of originality, not a lack of seriousness of the problem. In the conference call last night ICSA voiced a very significant qualification - that 9 of the 14 PCAPs Stonesoft provided them to validate the claims had not been seen before in tools which were freely available. In other words, Stonesoft has not invented or discovered a whole new type of evasion technique (as I have already pointed out, I was personally using several of their so-called "new" evasion techniques in public testing over seven years ago) - it has, instead, extended and combined existing known techniques to create a new set of problems for NGFW/IPS vendors to solve.

In other words, we are no worse off now than we were before Stonesoft made its claims - but there is still a significant problem which needs addressing. And it is time the IPS industry woke up and addressed this issue. There are products on the market today which have had issues with evasion techniques since the day V1.0 was launched, despite being pulled up time and time again in independent tests.

Which vendors are you considering for your next NGFW/IPS product? Ask them about evasions. Ask them about the Stonesoft AETs. And then make them PROVE they have an answer. In your own network, under your control. Or in an independent test lab under the control of a trusted third party. But NOT in their own labs.

Because the thing is, some vendors don't seem to understand the problem any more than the public at large. If they did, I wouldn't have had to fail the same products, year after year, for the same problem when I was testing these things myself.

As I mentioned previously, I have a research note in the works covering evasion techniques and how they can (and can't) be used against your perimeter defences. Given the level of interest in this subject, I might try to push up the delivery date.

Follow me on Twitter (@bwalder) to be kept informed.
