I would echo Marty's earlier comments on normalization and bifurcation, and would like to add that Check Point IPS-1 (formerly NFR Sentivist) has been trumpeting dynamic POF-based evasion resistance for about four years. Reassembly is adjusted on a per-session basis internally by the sensor, with no user interaction or configuration necessary. IPS-1 makes the fingerprint database accessible to the user, so if there does happen to be a mismatch, then at the very least, you can report it to Check Point, and if you're an advanced user, then you can even correct the fingerprint yourself.
As much as we hear theoretical objections to the feasibility of this approach, it has been quite successful in practice. Trillions and trillions of packets have passed through the sensors that I've supported at NFR and Check Point over the years, and I can easily count on one hand the number of times the POF-based Smart Reassembly feature has so much as come under suspicion as an impediment to proper IPS function. It is enabled by default, too. This is not to say the POF is perfect, because it is not. Fingerprints are constantly changing with new patch levels and service packs. However, the approach we've taken appears to add value without introducing discernible risk. Search for the whitepaper entitled "Ambiguity Resolution via Passive OS Fingerprinting" by Greg Taleck for very detailed info on this approach.

-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000
Fax: +1.240.747.3512

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Steve Reinhardt
> Sent: Wednesday, December 19, 2007 8:15 PM
> To: [email protected]
> Subject: Preventing layer 3/4 evasions
>
> I'm curious about the market status quo and trends in the area of how
> network IDS/IPS products are dealing with layer 3/4 evasion techniques
> (a la Ptacek & Newsham: ambiguous segmentation & fragmentation, ttl
> tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists
> three approaches (not counting "use a host-based IDS" :-) ):
> 1. inline normalization
> 2. profiling the intranet and using target-specific algorithms
> 3. bifurcating analysis
>
> From what I've read, Snort is going route #2, with the Sourcefire RNA
> system doing the profiling.
>
> - Is there any public information regarding which approach (if any)
> other commercial systems are using?
>
> - Does Snort's decision indicate any sort of consensus that #2 is the
> best approach, or would that be considered controversial? (Clearly #3
> isn't practical as a general technique, but the Handley paper seems to
> make a good case for #1.)
>
> - Do you all feel that existing approaches (like Snort's, or perhaps
> some commercial implementation of #1) are adequate, or is there a need
> for a more robust solution?
>
> Basically we've had some ideas in this space and are trying to figure
> out whether they're worth pursuing... guess I should add "If so, how
> much would you pay for it?" to the last question :-).
>
> Thanks!
>
> Steve
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=
> intro_sfw
> to learn more.
> ------------------------------------------------------------------------
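The per-session reassembly adjustment described in the reply above (approach #2 in Steve's list: profile the target and pick a target-specific algorithm) can be sketched in a few dozen lines. The following is an added example and is not Check Point's or NFR's code, nor the algorithm from Taleck's whitepaper. It assumes a toy fingerprint table keyed on the target's SYN-ACK (initial TTL, window size, DF bit, option order), an assumed mapping from fingerprint label to a TCP overlap policy ("first" keeps the earlier-arriving copy of an overlapping byte, "last" keeps the later one), and a constructed session in which the attacker re-sends overlapping bytes with a different URL of the same length, the Ptacek & Newsham style of ambiguity. The host labels, signature values and policy assignments are invented for the example and do not describe any real OS.

```python
from typing import Optional

# Constructed signature table, keyed by (initial TTL, window size, DF bit,
# option order) taken from a host's SYN-ACK. Illustrative values only: a
# real p0f database carries many more fields and entries.
SIGNATURES = {
    (64, 65535, True, "mss,nop,ws,nop,nop,sackOK"): "host-A",
    (128, 8192, True, "mss,nop,nop,sackOK"): "host-B",
}

# Assumed mapping from fingerprint label to overlap policy. "first": the
# target honours the byte from the earlier-arriving segment; "last": the
# byte from the later one. Assumptions for the example, not measured OS behaviour.
OVERLAP_POLICY = {"host-A": "first", "host-B": "last"}
DEFAULT_POLICY = "first"  # what the sensor falls back to for unfingerprinted targets


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(syn_ack: dict) -> Optional[str]:
    """Passive fingerprint of the target from fields of its SYN-ACK."""
    key = (initial_ttl(syn_ack["ttl"]), syn_ack["win"], syn_ack["df"], syn_ack["opts"])
    return SIGNATURES.get(key)


def policy_for(syn_ack: dict) -> str:
    """Choose the per-session overlap policy from the target fingerprint."""
    return OVERLAP_POLICY.get(fingerprint(syn_ack), DEFAULT_POLICY)


def reassemble(segments, policy: str) -> bytes:
    """Resolve overlapping (offset, payload) segments, in arrival order, under policy."""
    stream = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in stream and policy == "first":
                continue            # keep the earlier copy
            stream[pos] = byte      # "last": the later copy overwrites
    if not stream:
        return b""
    if set(stream) != set(range(max(stream) + 1)):
        raise ValueError("gap in stream; cannot hand a contiguous buffer to inspection")
    return bytes(stream[i] for i in range(max(stream) + 1))


def inspect(syn_ack: dict, segments, needle: bytes = b"/secret.txt"):
    """Sensor path: fingerprint the target, reassemble as it would, then match."""
    policy = policy_for(syn_ack)
    data = reassemble(segments, policy)
    return policy, data, needle in data


# Constructed traffic: a benign request, then the URL bytes re-sent with a
# different name of the same length, so only the overlapping bytes disagree.
SEGMENTS = [
    (0, b"GET /index.html HTTP/1.0\r\n\r\n"),
    (5, b"secret.txt"),
]
HOST_A_SYN_ACK = {"ttl": 58, "win": 65535, "df": True, "opts": "mss,nop,ws,nop,nop,sackOK"}
HOST_B_SYN_ACK = {"ttl": 119, "win": 8192, "df": True, "opts": "mss,nop,nop,sackOK"}

if __name__ == "__main__":
    for name, sa in (("host-A", HOST_A_SYN_ACK), ("host-B", HOST_B_SYN_ACK)):
        policy, data, hit = inspect(sa, SEGMENTS)
        print(name, policy, data.split(b"\r\n")[0], "ALERT" if hit else "clean")
    # A sensor pinned to one policy sees /index.html for host-B and misses
    # the request that target actually honours.
    print("pinned:", reassemble(SEGMENTS, DEFAULT_POLICY).split(b"\r\n")[0])
```

The point of the fingerprint lookup is the second host: a sensor that always resolves overlaps "first" reconstructs `GET /index.html` for host-B, while a target that honours the later copy serves `/secret.txt`. The mismatch case the reply mentions corresponds here to `fingerprint()` returning None (or the wrong label), at which point the sensor silently falls back to `DEFAULT_POLICY`; exposing the table so that an operator can correct it is what closes that gap.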
