Network Security Focus-IDS

Re: IPS Vendor Evasion

Subject: Re: IPS Vendor Evasion
Date: 3 Jan 2007 22:39:02 -0000
All IDS and IPS are vulnerable.  

Moore et al. listed dozens of different known IDS/IPS evasion attacks, at 
different OSI layers and network protocols.  These attacks can be mounted in 
many different ways to evade different solutions.  Some of the attacks they 
discuss in the presentation (insertion, fragmentation) are almost a decade old 
and still work (with the caveat that some attacks may require knowledge of the 
OS and configuration of the IPS and target host to guarantee successful 
evasion).  

For example, most IDS / IPS have a choice of reassembling packets and decoding 
packet payload in one or a few ways, but cannot inspect using every possible 
way.  The Moore presentation gives at least five different ways overlapping 
packet fragments can be reassembled by different OSes.  Mount the attack in one 
way to evade some IDS/IPSes, or mount it in another way to evade most of the 
others.

Moore also reminds us that most solutions don't detect attacks within traffic 
encrypted by SSL / SSH, etc.  All IPS solutions can be fooled by a flood of 
spoofed attacks that fill up the logs with attacks, hiding the real attack.  
And most all solutions have hardware limitations such as memory and CPU limits 
that both put it at risk to a flood-type of attack, and prevent it from being 
able to inspect all traffic in all possible ways.

An IPS that tried to inspect packets with all possible methods, in order to 
have decreased chance of missing attacks, would then be at increased risk of a 
denial of service attack, at which point an IDS would miss attacks or an IPS 
would cause degraded network performance.  No IDS vendor wants their product to 
cause network latency.  So most all IDS / IPS solutions strike a trade off 
between risk of false negatives and risk of IDS denial of service.  Just what 
kind of balance you actually get depends only somewhat on whose product you 
buy... depending as much or more on how you configure your IDS / IPS once you 
get it.

Like almost every other security countermeasure out there, IDS and IPS are best 
effort solutions that MANAGE and REDUCE risk, not eliminate it.  If you're 
looking for information to help you choose the most secure IPS, know that all 
of them are vulnerable to evasion.  There is no one single magic bullet you can 
buy that is universally the "best" solution for everyone.  I think success with 
IDS and IPS involves being aware of this and managing expectations.

I don't know if they verbally described some new vendor-specific evasion 
technique that I didn't see in the posted presentation, but I don't see how 
that could matter very much for your purposes, given how successful all of the 
old evasion techniques continue to be.

The good news for you is that most attacks still don't bother all that much 
with evasion techniques, because in so many cases, attacks can go on 
unconcealed and not be noticed for a long time.  Besides, IDS can still be 
helpful in detecting evasion and the resulting compromises, via signatures to 
detect fragmentation, anomaly-based detection to notice changes in activity, 
host-based IDS that monitor logged activity, etc.  Many of these attacks listed 
by Moore can be detected by security software on the host, because at some 
point the attack must be decoded and normalized to be executed by the host 
software.

www.blackhat.com/presentations/bh-usa-06/BH-US-06-Caswell.pdf

www.darkreading.com/document.asp?doc_id=99581&print=true

http://insecure.org/stf/secnet_ids/secnet_ids.html

kind regards,
Karl Levinson
http://securityadmin.info
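As an added example (not part of Karl's post or of any of the cited presentations), the overlap-policy problem the post describes, simulated in Python: the same two fragments reassemble to different payloads under a first-wins and a last-wins policy, and a sensor can flag conflicting overlap bytes instead of guessing which policy the target host uses. The `Fragment` type, the policy names and the sample fragments are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments (given in arrival order) under one overlap policy.
    'first': bytes from the earlier-arriving fragment win on overlap.
    'last':  bytes from the later-arriving fragment win on overlap.
    These are two of the several policies real IP stacks use; which stack
    uses which is target-specific knowledge an IDS has to be configured with."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "first" and pos in buf:
                continue              # keep the byte that arrived first
            buf[pos] = byte           # 'last' overwrites, 'first' fills gaps
    if not buf or len(buf) != max(buf) + 1:
        raise ValueError("incomplete datagram: a byte range was never received")
    return bytes(buf[pos] for pos in range(len(buf)))


def conflicting_overlaps(frags: List[Fragment]) -> List[Tuple[int, int, int]]:
    """Return (position, earlier_byte, later_byte) for every overlapped byte
    where two fragments disagree.  Benign retransmissions overlap with identical
    data, so conflicting overlap data is the signal worth alerting on, whatever
    reassembly policy the sensor itself applies."""
    seen: Dict[int, int] = {}
    conflicts: List[Tuple[int, int, int]] = []
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))
            seen.setdefault(pos, byte)
    return conflicts


# Constructed sample: the second fragment overlaps bytes 4..14 of the first
# with different content, so the two policies yield different requests.
SAMPLE = [Fragment(0, b"GET /index.html HTTP/1.0"), Fragment(4, b"/hidden.txt")]
```

A sensor that only reassembles with one policy sees one of the two requests and misses the other; alerting on `conflicting_overlaps` catches the ambiguity itself, which is the host-independent signal the post recommends looking for.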

