
Modern firewalls and IPS evasion techniques

September 16, 2014

I have just had a quick glance at the Internet (God bless Google) looking for reviews of evasion techniques that bypass modern firewalls. It’s amazing how vendible all these “independent” security laboratories are! The amount of s$$t some companies manage to pour onto their competitors is beyond any imagination. But as soon as you see some good results, you either cannot find the exact conditions and configurations used in the test or (surprise!) the winning firewall turns out to be manufactured by the same company that created the testing tool and paid for the test 🙂

Though, to be fair, Evader, made by Stonesoft (now McAfee), is the most popular tool for practising IPS evasion techniques.

I found only one resource that clearly explained its test conditions, and as a result the outcome of that test looked fair.

Here is a quick list of popular techniques (details are in the whitepaper referenced above).

  1. Payload obfuscation and encoding (overcoming simple string matching filters)
  2. Encryption and tunneling
  3. Wrapping TCP sequence numbers
  4. Fragmentation (splitting malicious packets into smaller fragments)
  5. Protocol violations and decoy trees
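To make items 1, 3 and 4 concrete from the defender's side, here is an added example (not from this post, and not from Evader) of a toy Python signature check: a per-packet string match misses a request that is percent-encoded, split across segments, or whose TCP sequence numbers wrap past 2**32, while a matcher that reassembles the stream in wrap-aware order and decodes it before matching does not. The signature, the request and the segments are all constructed for the demonstration.

```python
"""Why a per-packet string match misses fragmented, encoded or
sequence-wrapped traffic, and what normalising the stream first recovers."""
import urllib.parse

# Hypothetical signature the IPS should raise on; constructed for this example.
SIGNATURE = b"GET /etc/passwd"
SEQ_SPACE = 2**32

def naive_match(segments):
    """Inspect each (seq, payload) segment on its own, in arrival order."""
    return any(SIGNATURE in payload for _seq, payload in segments)

def reassemble(segments, isn, wrap_aware=True):
    """Concatenate segments in sequence order. With wrap_aware=False the sort
    uses the raw 32-bit number, which mis-orders a stream that crosses 2**32."""
    key = (lambda s: (s[0] - isn) % SEQ_SPACE) if wrap_aware else (lambda s: s[0])
    return b"".join(payload for _seq, payload in sorted(segments, key=key))

def normalised_match(segments, isn, wrap_aware=True):
    """Reassemble, percent-decode, then match: what a stream-aware IPS does."""
    stream = reassemble(segments, isn, wrap_aware)
    return SIGNATURE in urllib.parse.unquote_to_bytes(stream)

# Constructed sample traffic: the same request delivered three ways.
ISN = SEQ_SPACE - 8            # chosen so the sequence numbers wrap mid-request
REQUEST = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
PLAIN = [(ISN, REQUEST)]
# Split after byte 8 and delivered out of order; the second segment's
# sequence number has wrapped around to 0.
FRAGMENTED = [(0, REQUEST[8:]), (ISN, REQUEST[:8])]
# Percent-encoded 'p': a byte-for-byte match never sees "/etc/passwd".
ENCODED = [(ISN, REQUEST.replace(b"passwd", b"%70asswd"))]

def run_cases():
    """Return {case: (naive, normalised, normalised without wrap handling)}."""
    cases = {"plain": PLAIN, "fragmented": FRAGMENTED, "encoded": ENCODED}
    return {name: (naive_match(segs),
                   normalised_match(segs, ISN),
                   normalised_match(segs, ISN, wrap_aware=False))
            for name, segs in cases.items()}

if __name__ == "__main__":
    for name, (naive, norm, no_wrap) in run_cases().items():
        print(f"{name:10s} naive={naive} normalised={norm} no_wrap_handling={no_wrap}")
```

Only the plain request is caught by the naive matcher; the fragmented case additionally shows that a reassembler which ignores sequence-number wrap (item 3) puts the segments in the wrong order and misses the signature too.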

So, long story short: if an IPS is protecting a host, you should not assume that the host is unbreakable on that account and needs no patching. If you have an unpatched vulnerability exposed to attacks, its sudden death is only a matter of time – easy peasy lemon squeezy with most modern IPSes. This is where the concept of multi-layer protection comes in: use a firewall, IPS, load balancer, web application firewall, patching, secure coding techniques and hardening all together. Not to mention compulsory professional pen tests (screw dumb ASV scans! :)). Then you should be good (though, as you may guess, it’s all likely to be expensive).