IDS mailing list archives
RE: Preventing layer 3/4 evasions
From: "Srinivasa R. Addepalli" <Srao () Intoto com>
Date: Mon, 24 Dec 2007 13:09:40 -0800
Typical inline IDS/IPS devices follow the approach of normalization of IP fragments, TCP out-of-sequence packets and others. Since it is in the line of traffic, this is possible to do and I guess most IDS/IPS devices do this. If IDS/IPS devices are doing analysis on sniffed traffic, then profiling of the target and normalizing the traffic based on the target are very important to do further analysis on the traffic.

Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Reinhardt
Sent: Wednesday, December 19, 2007 5:15 PM
To: focus-ids () securityfocus com
Subject: Preventing layer 3/4 evasions

I'm curious about the market status quo and trends in the area of how network IDS/IPS products are dealing with layer 3/4 evasion techniques (a la Ptacek & Newsham: ambiguous segmentation & fragmentation, TTL tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists three approaches (not counting "use a host-based IDS" :-) ):

1. inline normalization
2. profiling the intranet and using target-specific algorithms
3. bifurcating analysis

From what I've read, Snort is going route #2, with the Sourcefire RNA system doing the profiling.

- Is there any public information regarding which approach (if any) other commercial systems are using?
- Does Snort's decision indicate any sort of consensus that #2 is the best approach, or would that be considered controversial? (Clearly #3 isn't practical as a general technique, but the Handley paper seems to make a good case for #1.)
- Do you all feel that existing approaches (like Snort's, or perhaps some commercial implementation of #1) are adequate, or is there a need for a more robust solution?

Basically we've had some ideas in this space and are trying to figure out whether they're worth pursuing... guess I should add "If so, how much would you pay for it?" to the last question :-).

Thanks!
Steve

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you. Intoto Inc.
********************************************************************************
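The two approaches the thread compares (inline normalization, and target-based reassembly driven by a host profile) come down to how a monitor resolves overlapping IP fragments whose data disagree. The following is an added example, not code from the thread, Snort or any product: a toy fragment reassembler that applies a per-target overlap policy (approach #2), and a normalizer-style check that flags the ambiguous fragment sets an inline device would refuse to forward (approach #1). The policy names "first"/"last", the host-to-policy table and the sample fragments are all constructed assumptions; real operating systems have more nuanced overlap behaviour than these two rules.

```python
"""Target-based fragment reassembly and ambiguity detection (added example).

Fragments are modelled as (byte_offset, data) pairs.  Real IP fragment offsets
are expressed in 8-byte units and carry a more-fragments flag; both are left
out here so the overlap logic stays visible.
"""
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]

# Simplified overlap policies (assumption): "first" keeps the bytes that were
# received first, "last" lets a later fragment overwrite earlier bytes.
POLICIES = ("first", "last")


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the payload under one overlap policy.

    Raises ValueError for an unknown policy or for a payload with holes, since
    a monitor must not report on data the end host could never have seen.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown overlap policy: {policy!r}")
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    written = [False] * total
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
                written[pos] = True
    if not all(written):
        raise ValueError("incomplete payload: fragment set has holes")
    return bytes(buf)


def find_ambiguities(frags: List[Fragment]) -> List[int]:
    """Return byte positions where two fragments carry different data.

    A non-empty result is exactly the case an inline normalizer resolves
    (by dropping or rewriting the set) so that monitor and every host agree.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def is_ambiguous(frags: List[Fragment]) -> bool:
    return bool(find_ambiguities(frags))


# Constructed host profile (assumption): what approach #2 would learn from
# an inventory system, mapping each protected host to its overlap behaviour.
TARGET_POLICY: Dict[str, str] = {
    "192.0.2.10": "first",
    "192.0.2.20": "last",
}


def reassemble_for_target(frags: List[Fragment], dst: str,
                          table: Dict[str, str] = TARGET_POLICY,
                          default: str = "first") -> bytes:
    """Approach #2: pick the policy of the destination host, with a fallback."""
    return reassemble(frags, table.get(dst, default))


# Constructed sample: the second fragment overlaps bytes 4..7 of the first
# with different data, so the payload depends on which policy the host uses.
SAMPLE: List[Fragment] = [
    (0, b"GET /ind"),
    (4, b"xxxx"),
    (8, b"ex.html"),
]

if __name__ == "__main__":
    for host in TARGET_POLICY:
        print(host, reassemble_for_target(SAMPLE, host))
    print("ambiguous bytes:", find_ambiguities(SAMPLE))
```

Run as a script it prints a different reconstruction for each profiled host, which is the point of the thread: a sniffing monitor that reassembles with a single fixed policy is guaranteed to disagree with some of the hosts it protects, whereas an inline device can simply refuse to pass any set for which `is_ambiguous` is true.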
Current thread:
- Preventing layer 3/4 evasions Steve Reinhardt (Dec 20)
- Re: Preventing layer 3/4 evasions Vern Paxson (Dec 26)
- RE: Preventing layer 3/4 evasions Srinivasa R. Addepalli (Dec 26)
