Oct 10

Stonesoft IPS Outperforms Leading Devices in ICSA Labs Tests

IPS -

The team at Stonesoft is thrilled to announce that the StoneGate IPS outperformed several of the industry’s leading network IPS devices in a recent test conducted by ICSA Labs. In this test, network IPS devices were tested from the industry’s top vendors against vulnerabilities less than three months old.

In ICSA Labs’ initial test, products scored an effectiveness rating of between 59.4 percent and 78.1 percent. After being allowed to modify their products to better protect against current security threats, final tests showed an effectiveness rating of between 81.3 percent and 90.6 percent. Stonesoft’s StoneGate IPS-1205 performed at the highest end of the range for both tests with a 78.1 rating for the initial test and a 90.6 rating for the final test.

The full report, including individual vendor scores, is available on ICSA Labs’ Quarterly Network IPS Vulnerability Testing page.

In addition, our IPS has been nominated in SC Magazine’s Reader Trust category for Best IPS. We encourage you to support Stonesoft by voting! Click here to vote.

As we continue to make strides in our evasion research, we look forward to maintaining the highest performance and protection across our portfolio of IPS solutions. As always, let us know what you think, what we can do better and so forth. We take a team approach here at Stonesoft – and every one of our customers, partners and colleagues plays a valuable role.

written by heather.pritchett - 661 views

Aug 18

According to Sari Kajantie from the Finnish National Bureau of Investigation (NBI) in Helsingin Sanomat, the biggest national newspaper in Finland on 4 August 2011: “It is not the fault of the employee who has opened the attachment, if the hacker can access all company data from a single laptop.”

Companies need to pay much more attention to their internal network activities and traffic. It should not come as a surprise to anybody that individual laptops are compromised. Workstation networks must be separated from the servers by firewalls and intrusion prevention systems; not only by installing these devices, but also by paying attention to rules and monitoring their alerts.


written by Ari Vänttinen - 939 views

Aug 18

Keeping Network Security Accountable

Antievasion, IPS, Security News -

Just before the world’s best hackers and network security leaders converged in Las Vegas for Black Hat, Stonesoft spoke with Bill Jackson at Government Computer News. Bill was undoubtedly getting ready for a week of the latest and greatest hacking techniques and vulnerabilities – but he wanted to discuss something different: AETs. Ten months ago, Stonesoft’s discovery of AETs was made public. Bill wanted to know what had happened since then, what the industry was doing, etc. What has happened since then?

Nearly a year after their discovery and disclosure, AETs aren’t exactly “news.” But, the problem hasn’t gone away by any stretch of the imagination. The pcaps of the first 23 AETs discovered are available for public download. The article reminds us that the network security industry – more than ever before – must be kept accountable and proactive.

You can read the article, but the gist is that the network security industry is still lagging behind in their response to the threat of AETs. Only six of about 60 vendors have updated their tools to the first release of 23 AETs. Last winter, 100+ new AETs were disclosed. The reaction? Crickets. Nada. Nothing.

GCN’s coverage of AETs once again pointed out a fatal flaw in network security. Too often, people focus on the new and exciting rather than the persistent, existing challenges that have yet to be solved, as is the case with AETs. The thousands of unexplained attacks that cost companies billions of dollars a year are a red flag. Understanding your vulnerability to these attacks is the first step in protection.

See also the Black Hat Infosec Island video interview for additional coverage of AETs at the event.


written by markb - 582 views

Jun 30

Dealing with evasions by Olli-Pekka Niemi

Antievasion, IPS, Security News -

Read what the head of Stonesoft’s vulnerability research team says about the challenges in evasion protection.

Dealing with evasions by Olli-Pekka Niemi

written by Ari Vänttinen - 773 views

Jun 22

The recent list of successful cyber attacks is getting longer and more severe, with the IT security landscape changing fast. By now, everyone knows this. Every second some organization is being attacked, and yet the criminals remain untouched. Why? Because they are improving their tools and methods so quickly that the industry and organizations cannot keep up. During recent years, the gap between defense and offense has become quite narrow, but seems to be growing again.


written by Ari Vänttinen - 791 views

May 18

Upcoming AET Webinar

Antievasion, IPS -

Curious about all the talk around advanced evasion techniques (AETs), and want to learn more? Already read the details available at www.antievasion.com and want to see more proof? Then be sure to sign up for one of our upcoming Webinars providing an overview of evasion research and demonstrating AETs using our TCP/IP fuzzing tool, Predator. If you’re not able to attend the next Webinar, be sure to contact your local Stonesoft sales representative for more details on the next schedule.

written by markb - 702 views

Apr 20

TCP Split Handshake and StoneGate

Firewall Engine, IPS, Security News -

Recently the information security landscape was abuzz over findings from a recent NSS Labs report on firewalls, wherein products were found to be vulnerable to a TCP split handshake attack. This attack concept was based on research by Tod Beardsley and Jin Qian of BreakingPoint Systems.

Normally, TCP is considered to use a “three-way handshake”, where applications start sessions with a SYN, which is answered with a SYN/ACK, followed by a corresponding ACK from the originator of the session, as outlined in RFC 793. What Beardsley and Qian noticed is that the RFC actually spells out in section 3.3 a four-way process, and states that “steps 2 and 3 can be combined in a single message”. Note that although combining them is the typical way systems handle it, there is no requirement to combine the SYN and ACK of the recipient.

Without getting into the further nitty-gritty details, the bottom line of the research and the recent testing is that stateful network security devices relying on an expected handshake sequence can be fooled into thinking that a connection is originating from a trusted segment instead of from the actual source. Although Stonesoft was not a tested vendor we decided to independently verify StoneGate’s handling of this situation. You can read more about the issue in various articles, such as The CyberJungle, or Government Security News.

Stonesoft’s research team, the Vulnerability Analysis Group, tested both the StoneGate IPS and StoneGate Firewall/VPN, using the same BreakingPoint tests as outlined in the research paper. Our initial conclusion is that neither product is affected by this issue. For the StoneGate IPS, a four- or five-way handshake will fail to hide the payload (direction) from the IPS, with the four-way flagged as “TCP_Segment-SYN-Unexpected-Reply”, and the five-way scenario (which is also very unlikely in real-world environments) as “TCP_Window_Shrinked”. The four-way handshake situation is not set to terminate by default, but termination can easily be enabled if conditions or policy warrant.

For the StoneGate Firewall/VPN, the behavior is dependent on an Advanced property of the firewall or firewall cluster, whether it operates in loose, normal, or strict mode, and the behavior is further influenced by whether traffic in any given rule is inspected or anti-virus applied. With inspection and anti-virus, attacks in the payload are detected regardless of the handshake mechanism. Loose and normal mode with no additional inspection methods will permit the handshake. Strict mode will drop the connection. In any situation, the StoneGate Firewall/VPN will not be confused as to the origin of the session, so the bottom line is as with all security policies in StoneGate: what is not expressly permitted, is denied.

Stonesoft looks forward to the opportunity to participate in future tests and supports community efforts to drive improved testing of network security systems. Only by bettering testing efforts can we continue to ensure our solutions remain

Network Security. Simplified.

written by markb - 1,362 views
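
The handshake tracking discussed in the TCP split handshake post above, as an added example (not Stonesoft's code and not part of the original post): a classifier that pins the session initiator to the sender of the first SYN and flags a setup in which the responder's SYN and ACK arrive as separate segments, the four-step form from RFC 793 section 3.3. The packet tuples, the function names and the `decide` policy (including its alert action) are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

# (sender, flags, seq, ack); flags is "S", "A" or "SA". Constructed samples.
Packet = Tuple[str, str, int, int]
THREE_WAY: List[Packet] = [("client", "S", 100, 0), ("server", "SA", 300, 101),
                           ("client", "A", 101, 301)]
# RFC 793 section 3.3 four-step form: responder sends ACK and SYN separately.
FOUR_STEP: List[Packet] = [("client", "S", 100, 0), ("server", "A", 0, 101),
                           ("server", "S", 300, 0), ("client", "A", 101, 301)]

def classify_handshake(pkts: List[Packet]) -> dict:
    """Classify a connection setup; the initiator is whoever sent the first SYN."""
    if not pkts or pkts[0][1] != "S":
        return {"verdict": "not-a-handshake", "initiator": None, "segments": 0}
    initiator, _, isn, _ = pkts[0]
    resp_isn: Optional[int] = None          # responder's initial sequence number
    resp_acked = init_acked = split = False
    for n, (sender, flags, seq, ack) in enumerate(pkts[1:], start=2):
        if sender != initiator:
            if "S" in flags:
                resp_isn = seq
                split = split or flags == "S"   # bare SYN: steps 2 and 3 not combined
            if "A" in flags and ack == isn + 1:
                resp_acked = True               # responder acknowledged the first SYN
        elif "A" in flags and resp_isn is not None and ack == resp_isn + 1:
            init_acked = True                   # initiator acknowledged responder's SYN
        if resp_acked and init_acked:           # both SYNs acknowledged: established
            verdict = "split" if split else "three-way"
            return {"verdict": verdict, "initiator": initiator, "segments": n}
    return {"verdict": "incomplete", "initiator": initiator, "segments": len(pkts)}

def decide(verdict: str, mode: str) -> str:
    """Hypothetical policy hook: strict drops a split setup, other modes permit it.
    The alert on permit is an assumption, not documented product behaviour."""
    if verdict == "three-way":
        return "allow"
    if verdict == "split":
        return "drop" if mode == "strict" else "allow-and-alert"
    return "pending" if verdict == "incomplete" else "drop"

if __name__ == "__main__":
    for name, sample in (("three-way", THREE_WAY), ("four-step", FOUR_STEP)):
        result = classify_handshake(sample)
        print(name, result, decide(result["verdict"], "strict"))
```

Because the initiator is fixed by the first SYN, later segments cannot change which side the session is attributed to, whatever flag combination they carry.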

Apr 14

Bob Walder at Stonesoft CTAB in Cannes

Antievasion, IPS, Live from Field -

Bob Walder from Gartner visited the annual Stonesoft Customer Advisory Board in Cannes, France, delivering an excellent speech.

written by RoarinPenguin - 980 views

Apr 04

…don’t miss the sixth episode of The Adventures of Antti Pilvinen, which has just been published ;)

Happy reading,

The RoarinPenguin

written by RoarinPenguin - 668 views

Mar 25

According to Frost and Sullivan, global spending on intrusion detection and prevention technologies in 2010 exceeded $1.5 billion USD. At the same time, organizations are growing increasingly concerned by attack sophistication, such as Stuxnet, APTs, and the recent incidents involving RSA and Comodo. Yet, what if the first factor was rendered completely ineffective, and the second increased in its success? If all that money goes down the drain due to ineffective technologies, and sophistication is increasing, what do we do next?

Last October, Stonesoft made friends and enemies alike with its announcement regarding research in advanced evasion techniques and their disclosure to CERT-FI for vulnerability coordination. The subsequent announcement at RSA that an additional 124 techniques had been disclosed on top of the original 23 was met with even more resounding silence.

What’s interesting is that all of the discussion focuses on irrelevant sidebars. Bob Walder of Gartner and NSS Labs have discounted the threat of AETs as “yesterday’s news”; after all, evasions aren’t new, so what’s the big deal? And granted, Bob does know a thing or two about evasions; as one of the founders of NSS Labs, he’s a pretty sharp guy and created a few evasions of his own back in the day. The second sidebar centers on the likelihood of AETs being seen in the wild. No one has heard of or seen them being used, so clearly they must not exist.

Yet I would say that these are distractions from the real issue: old or new, in use or not, the bottom line is: advanced evasion techniques work. They work against just about every IPS technology on the market and in your network today. They enable the delivery of any exploit to vulnerable systems at any time, without detection or notice. But don’t take our word for it. Contact us and we’ll be happy to demonstrate for you. Read the validation of third party testing. Or even better, test it yourself. We’ve now made the first AET samples, originally provided to CERT-FI last year, available at www.antievasion.com.

Does it matter how old it is? No, unlike a fine wine, AETs don’t get better or worse with age. They simply are. They work.

And in most cases, they work well. Against any IPS technology, next generation firewall, content scanning system, or Web application firewall. Why? Because vendors have typically focused on providing you, the customer, with what you ask for rather than what you need. They design systems that favor performance shortcuts vs. real security. They’d rather invest in nice marketing materials than in an effective normalization engine that still maintains decent throughput.

Wouldn’t you rather have a vendor interested in making a better, more effective security technology for today’s threats? One that is more manageable, scalable, and simplified than what you’re doing now? Again, don’t take our word for it. Try it yourself. Learn why Stonesoft’s security solutions are:

Network Security. Simplified.

written by markb - 729 views