IDS mailing list archives

Re: Preventing layer 3/4 evasions


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 7 Jan 2008 11:36:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Sorry, fat-fingered the send key on the prior post.]

Hi Steve,

> I'm curious about the market status quo and trends in the area of how network IDS/IPS products are dealing with layer 3/4 evasion techniques (a la Ptacek & Newsham: ambiguous segmentation & fragmentation, ttl tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists three approaches (not counting "use a host-based IDS" :-) ):
> 1. inline normalization
> 2. profiling the intranet and using target-specific algorithms
> 3. bifurcating analysis
>
> From what I've read, Snort is going route #2, with the Sourcefire RNA system doing the profiling.

> - Is there any public information regarding which approach (if any) other commercial systems are using?

As far as I can tell most of the commercial systems that are available today use static configuration for layer 3/4 anti-evasion where they allow configurability at all. Some of the vendors appear to be taking advantage of the fact that they run inline to perform some level of normalization but for the most part commercial systems don't allow you to do very much at all, especially not in a way that reflects the dynamic nature of the networks in which the devices are installed.

> - Does Snort's decision indicate any sort of consensus that #2 is the best approach, or would that be considered controversial? (Clearly #3 isn't practical as a general technique, but the Handley paper seems to make a good case for #1.)

Nope, it reflects my bias. :) My bias is based on my experiences of the past 10 years as well as the realities associated with deploying these technologies, so there is a decent amount of thought behind them.

I'll comment on the methods.

1) Inline normalization

* Pros: Removes traffic anomalies so the codepaths for anti-evasion mechanisms are simpler. One scrubber allows all devices behind it to enjoy a normalized packet stream. Doesn't have to care about or track the network it's protecting so the normalization technology is simpler and, in theory, very robust.

* Cons: Deploying an inline device has very different requirements for uptime, latency and performance across the device than the passive devices it's aiding. Some organizations react very negatively to introducing inline packet mangling devices. Packet scrubbers can also interfere with some useful functions like passive OS fingerprinting. Provides no coverage for evasive attackers behind the device.

2) Network profiling and context-based analysis

* Pros: Doesn't require an inline device and concomitant political/technical signoff. Able to profile all devices continuously (assuming optimal deployment) and dynamically update IDS/IPS. Gathered information has uses beyond just straight anti-evasion.

* Cons: Getting full coverage of the network can be challenging. Bad profiles skew the anti-evasion models. Data management and communication can be a challenge. Network traffic analyzers have to be modified to work with the data produced by the context generator.

3) Bifurcation.

Well, suffice to say I just think bifurcation is a bad idea.

> - Do you all feel that existing approaches (like Snort's, or perhaps some commercial implementation of #1) are adequate, or is there a need for a more robust solution?

I think that the methods we've deployed in Snort and the ones we're working on for the next generation of Snort engine are certainly adequate. It seems to me that evasion is moving much more heavily to layer 7 anyway so perhaps it's a moot point.

        -Marty

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFHglUMqj0FAQQ3KOARAmlXAJsEAc1NJVDlJDk9iM6O5Yvafl5xWwCdGsQX
U9zPQiogku74Q0gPgvs63Ns=
=dbz7
-----END PGP SIGNATURE-----
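The ambiguity the thread is about, and the difference between approach #1 (inline normalization) and approach #2 (target-based reassembly), can be shown with a toy IP fragment reassembler. The following is an added example, not code from the thread, from Snort or from Sourcefire. It models two overlap policies, named "first" and "last" after two of the policy names Snort's frag3 preprocessor accepts (real operating-system stacks have more nuanced rules than these two; the mapping here is a simplification). The fragment trains are constructed sample data. The point for a defender: a train whose overlapping bytes disagree is never produced by a conforming sender, so a target-based IDS must know which policy the destination host applies, while an inline normalizer can simply refuse to forward the conflicting datagram and remove the ambiguity for every sensor behind it.

```python
"""Toy IPv4 fragment reassembly with a configurable overlap policy.

Added example (not from the thread or from Snort). Fragments are kept as
in-memory records; nothing is sent on a network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes   # payload bytes carried by this piece
    more: bool    # IP "more fragments" flag; False marks the final piece


def reassemble(frags: Iterable[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble fragments in arrival order under one overlap policy.

    policy "first": bytes already received win (earlier fragment kept).
    policy "last":  later fragments overwrite earlier bytes.
    Returns None when the datagram is incomplete (a gap, or no final piece).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}   # byte position -> byte value
    total: Optional[int] = None
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
        if not f.more:
            total = f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def conflicting_overlap(frags: Iterable[Fragment]) -> bool:
    """True when two fragments cover the same byte with different values.

    Plain retransmissions (same bytes at the same offset) are not conflicts;
    a conforming sender never emits differing data for one offset.
    """
    seen: Dict[int, int] = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen and seen[pos] != b:
                return True
            seen.setdefault(pos, b)
    return False


def normalize(frags: List[Fragment]) -> Optional[bytes]:
    """Inline-normalizer behaviour: refuse datagrams whose overlaps conflict;
    otherwise emit the single unambiguous reassembled datagram."""
    if conflicting_overlap(frags):
        return None
    # With no conflicting bytes the overlap policy no longer matters.
    return reassemble(frags, "first")


# Constructed sample: the second and third fragments both cover bytes 4..7
# with different content, so the reassembled payload depends on the policy.
CONFLICTING_TRAIN = [
    Fragment(0, b"AAAA", True),
    Fragment(4, b"BBBB", True),
    Fragment(4, b"CCCCDDDD", False),
]

# Constructed sample: a harmless duplicate (retransmitted) fragment.
DUPLICATE_TRAIN = [
    Fragment(0, b"AAAA", True),
    Fragment(4, b"BBBB", True),
    Fragment(4, b"BBBB", True),
    Fragment(8, b"DDDD", False),
]


def ids_and_host_agree(frags: List[Fragment], ids_policy: str,
                       host_policy: str) -> bool:
    """Target-based check: does the sensor's model match the destination's?"""
    return reassemble(frags, ids_policy) == reassemble(frags, host_policy)


if __name__ == "__main__":
    for name, train in (("conflicting", CONFLICTING_TRAIN),
                        ("duplicate", DUPLICATE_TRAIN)):
        print(name, "first:", reassemble(train, "first"),
              "last:", reassemble(train, "last"),
              "normalized:", normalize(train))
```

Running the script shows the conflicting train reassembling to two different payloads under the two policies, while the normalizer returns None for it and passes the duplicate train through unchanged. The `ids_and_host_agree` check is the question a profiling system like RNA answers for Snort: it is only meaningful when the sensor's policy for that destination is known to match the host's actual stack.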
