IDS mailing list archives

Preventing layer 3/4 evasions


From: Steve Reinhardt <stever () reservoir com>
Date: Wed, 19 Dec 2007 17:14:33 -0800

I'm curious about the market status quo and trends in the area of how network IDS/IPS products are dealing with layer 3/4 evasion techniques (a la Ptacek & Newsham: ambiguous segmentation & fragmentation, ttl tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists three approaches (not counting "use a host-based IDS" :-) ):
1. inline normalization
2. profiling the intranet and using target-specific algorithms
3. bifurcating analysis

From what I've read, Snort is going route #2, with the Sourcefire RNA system doing the profiling.

- Is there any public information regarding which approach (if any) other commercial systems are using?

- Does Snort's decision indicate any sort of consensus that #2 is the best approach, or would that be considered controversial? (Clearly #3 isn't practical as a general technique, but the Handley paper seems to make a good case for #1.)

- Do you all feel that existing approaches (like Snort's, or perhaps some commercial implementation of #1) are adequate, or is there a need for a more robust solution?

Basically we've had some ideas in this space and are trying to figure out whether they're worth pursuing... guess I should add "If so, how much would you pay for it?" to the last question :-).

Thanks!

Steve
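A worked illustration of the two counters the post asks about, added here as an example and not part of the original message or of any IDS product's code: a toy reassembler with two overlap policies, a low-TTL insertion segment that the sensor sees but the host never does, a target-based sensor that knows the host's policy and hop distance (approach #2), and an inline normalizer that drops sub-floor TTLs and makes retransmitted bytes consistent with what was first forwarded (approach #1). The policy names, hop count, TTL floor and the segment contents are constructed assumptions for illustration only; real stacks choose between old and new data per overlap shape, which is exactly what profiling has to learn.

```python
"""Toy model of TCP overlap and low-TTL insertion evasions (Ptacek & Newsham
style) and two of the counters named in the thread: target-based reassembly
and inline normalization.  Constructed example, not code from Snort, RNA or
any other product; policy names, hop counts and the TTL floor are assumed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    data: bytes
    ttl: int = 64   # IP TTL as observed at the sensor


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Rebuild the contiguous stream from seq 0 under one overlap policy.

    'favor_old': the first byte seen at an offset wins.
    'favor_new': a later segment overwrites earlier data.
    Which one a given host applies is what target-based profiling must learn.
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(policy)
    buf = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "favor_new" or off not in buf:
                buf[off] = b
    out = bytearray()
    while len(out) in buf:          # stop at the first hole
        out.append(buf[len(out)])
    return bytes(out)


def host_view(segments: Iterable[Segment], hops: int, policy: str) -> bytes:
    """What the end host reassembles: a segment crosses `hops` routers only
    if its TTL exceeds that count (each router decrements, drops at zero)."""
    return reassemble([s for s in segments if s.ttl > hops], policy)


def sensor_view(segments: Iterable[Segment], policy: str,
                hops: Optional[int] = None) -> bytes:
    """A passive sensor's reassembly.  With no target knowledge it guesses a
    policy and keeps every segment it saw; knowing the host's distance
    (approach #2) it can discard segments that cannot reach the host."""
    if hops is not None:
        segments = [s for s in segments if s.ttl > hops]
    return reassemble(segments, policy)


def normalize(segments: Iterable[Segment], ttl_floor: int) -> List[Segment]:
    """Inline normalizer (approach #1): drop segments whose TTL is below an
    assumed configured floor, and rewrite retransmitted bytes to equal the
    bytes first forwarded, so every overlap policy yields the same stream."""
    seen = {}
    out = []
    for s in segments:
        if s.ttl < ttl_floor:
            continue
        data = bytearray(s.data)
        for i in range(len(data)):
            off = s.seq + i
            if off in seen:
                data[i] = seen[off]
            else:
                seen[off] = data[i]
        out.append(Segment(s.seq, bytes(data), s.ttl))
    return out


# Constructed traffic.  The host is assumed to be 4 hops beyond the sensor.
HOPS = 4
EVASION = [                         # decoy dies in transit, real data follows
    Segment(0, b"GET /"),
    Segment(5, b"evil", ttl=3),     # sensor sees it; the third router drops it
    Segment(5, b"safe"),            # what the host actually receives
    Segment(9, b".html\r\n"),
]
OVERLAP = [                         # pure overlap, both segments reach the host
    Segment(0, b"GET /"),
    Segment(5, b"safe"),
    Segment(5, b"evil"),
    Segment(9, b".html\r\n"),
]


def demo():
    """Return (naive sensor, target-based sensor, host, sensor behind normalizer)."""
    naive = sensor_view(EVASION, "favor_old")               # desynchronised
    target_based = sensor_view(EVASION, "favor_old", HOPS)
    host = host_view(EVASION, HOPS, "favor_old")
    normalized = sensor_view(normalize(EVASION, ttl_floor=8), "favor_new")
    return naive, target_based, host, normalized


if __name__ == "__main__":
    names = ("naive sensor", "target-based", "host", "behind normalizer")
    for name, v in zip(names, demo()):
        print(f"{name:>18}: {v!r}")
    for p in ("favor_old", "favor_new"):
        print(f"overlap, {p}: {reassemble(OVERLAP, p)!r}")
```

The `EVASION` case shows the TTL trick: the naive sensor reassembles "evil" while the host only ever sees "safe", and either the hop-aware sensor or the normalizer restores agreement. The `OVERLAP` case shows why approach #2 needs per-host policy data: with no TTL games at all, the two policies produce different streams from identical packets, and only the normalizer removes the ambiguity for everything downstream.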
