
| Subject: | Re: Preventing layer 3/4 evasions |
|---|---|
| Date: | Sat, 22 Dec 2007 23:48:22 -0800 |
> I'm curious about the market status quo and trends in the area of how network IDS/IPS products are dealing with layer 3/4 evasion techniques
As far as I've been able to determine, it's in fact difficult to discern just what IDS/IPS products do about evasion and how effectively. Many of them state that they're evasion-resistant, but there aren't enough particulars to understand how strong the claims might be. To this end, I'm currently working with Christian Kreibich and some colleagues on developing a framework for testing an IDS/IPS for its vulnerability to a variety of layer 3/4/7 evasions, as I think this problem remains under-addressed by vendors and underappreciated by customers. If we can work towards some community evasion benchmarks, this will help provide market pressures to strengthen products with better evasion resilience. (Some IDS tests already include evasion evaluations, but to my knowledge the tests are proprietary and so it's difficult externally to gauge the significance of the results they produce.)
> ... The Handley/Paxson/Kreibich paper from Usenix01 lists three approaches (not counting "use a host-based IDS" :-) ):
> 1. inline normalization
> 2. profiling the intranet and using target-specific algorithms
> 3. bifurcating analysis
Note, scheme #3 (as noted in the paper) is fundamentally limited. There's also a 4th approach, which is to have the end system work in conjunction with the NIDS in real-time. See for example our paper:
H. Dreger, C. Kreibich, V. Paxson and R. Sommer, Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context, Proc. Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) 2005.
http://www.icir.org/vern/papers/dimva05.pdf
> From what I've read, Snort is going route #2, with the Sourcefire RNA system doing the profiling.
By the way, we also have a paper on this approach:
U. Shankar and V. Paxson, Active Mapping: Resisting NIDS Evasion Without Altering Traffic, Proc. IEEE Symposium on Security and Privacy, May 2003.
http://www.icir.org/vern/papers/activemap-oak03.pdf
One significant difficulty is the mapping information becoming out of date due to churn.
> - Does Snort's decision indicate any sort of consensus that #2 is the best approach, or would that be considered controversial?
I would certainly say (speaking from the ivory tower) that there isn't consensus for #2, and my own leaning is towards #1.
Vern
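The ambiguity that approaches #1 and #3 in the thread address, as an added example (not from the thread or from any of the cited papers): a byte-level model of two simplified TCP overlap-resolution policies, an ambiguity check in the spirit of bifurcating analysis, and an inline normalizer that rewrites inconsistent retransmissions so that every receiver behind it sees the same bytes the NIDS saw. The segment data and the 'first'/'last' policy names are constructed and deliberately simplified; real stacks have more varied overlap rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, policy):
    """Reassemble a stream the way an end host with the given (simplified)
    overlap policy would: 'first' keeps the byte that arrived first for each
    position, 'last' lets a later overlapping segment overwrite it."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))


def is_ambiguous(segments):
    """Bifurcating analysis in miniature: does the receiver's policy change
    the reassembled bytes? If so, a NIDS that assumes one policy can be
    evaded and would have to analyze both interpretations."""
    return reassemble(segments, "first") != reassemble(segments, "last")


def normalize(segments):
    """Inline normalizer (approach #1): forward segments, but rewrite any
    overlapping byte to the value first seen for that position. Returns the
    rewritten segments and the count of inconsistent bytes, which is itself
    worth alerting on since genuine retransmissions carry identical data."""
    seen, out, inconsistent = {}, [], 0
    for seg in segments:
        fixed = bytearray(seg.data)
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in seen and seen[pos] != byte:
                fixed[i] = seen[pos]
                inconsistent += 1
            seen.setdefault(pos, byte)
        out.append(Segment(seg.seq, bytes(fixed)))
    return out, inconsistent


# Constructed sample: the second segment overlaps bytes 5..14 of the first
# with different content, so receivers with different policies disagree.
SAMPLE = [Segment(0, b"GET /index.html"), Segment(5, b"admin.html")]

if __name__ == "__main__":
    print(reassemble(SAMPLE, "first"), reassemble(SAMPLE, "last"), is_ambiguous(SAMPLE))
    clean, rewritten = normalize(SAMPLE)
    print(rewritten, is_ambiguous(clean))
```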