An example of a simple evasion technique is IP fragmentation, Boltz says. Attackers fragment packets containing malware in hopes that IPSs won’t reassemble the packets, miss the malware they contain and pass them through. Today, most IPSs have engines that reassemble fragmented packets and screen them.
URL obfuscation is another example of a simple evasion in which a URL is altered slightly so it passes through an IPS but not so altered that the target machine can't use it, Boltz says. Many IPSs today can handle this as well, he says.
But in combination, some of these simple evasions can bypass IPSs, he says. And Stonesoft has come up with some new simple evasions that can be added to the mix. For instance, using a TCP/IP stack of their own design, Stonesoft researchers take advantage of TCP time-weight state, notification to receiving machines how long to leave open TCP ports in anticipation of further communication.
By connecting to a target machine and immediately shutting down the session, the TCP/IP stack can then start up a new session through the still-open ports and use it to transmit malware. Because the IPS has already checked the initial connection for proper handshake and state information, it allows subsequent traffic through. "This is a shortcut to make the IPS run faster," he says.
Stonesoft has been keeping its AET tool confidential, not allowing it to be copied to CERTS or even to ICSA for purposes of testing.
CERT-FI is going through the process of alerting vendors whose products might be affected by AETs in hopes they will take measures to defend against them, says Eeronen. As is usual with such notifications, CERT-FI is giving vendors time to act on its warning. Eventually, even if all the vendors have not upgraded to fight AETs, CERT-FI will make a formal advisory about them, he says.
"We talk to the vendors until we feel that delaying the case further won’t give us any more benefit," he says.
Stonesoft's announcement of AETs today is out of sync with CERT-FIs formally advisory, but he says that is because Stonesoft happens to be a vendor, not just a researcher. "This issue is a bit exceptional and they are a commercial entity with their own business interests," he says.
He says he hopes vendors can get fixes out by the end of the year. "Vendors have their own schedules," he says.Businesses that rely on IPSs should query their vendors about whether they are vulnerable to AEPs, Boltz says. In general, businesses should make sure their IPS software is kept updated and to be aware of what certifications the products have and what those certifications mean, says Walsh. A device may have ICSA certification, for example, but customers should check what test set the devices were tested agains, he says.
Read more about wide area networks in Network World's Wide Area Network section.