One of the most worrisome and potentially crippling threats to next-generation infrastructures is Advanced Evasion Techniques (AETs). They are increasingly used by cyber criminals because they leave no trace in current management and monitoring systems, logs or reports, leaving the devices blind and creating an illusion of continued security. Since their discovery, many companies have not taken the security measures needed to thwart AETs effectively. Still, the threat posed by AETs is real, and there are steps that can be taken to protect your environment. This slideshow features nine tips, provided by Stonesoft, to help you secure your network against AETs.
Defeating AETs calls for a data stream-based approach with layered protocol analysis. All traffic must be captured and analyzed precisely, which requires multiple parallel and sequential state machines through which the data stream is fed, so that every connection is analyzed by default rather than sampled.
First, the lower protocol layers must be examined. The security device should pass only unmodified or slightly modified TCP segments and IP fragments; segments or fragments that overlap or conflict with data already seen are not passed through, which amounts to normalizing the traffic. Dropping ambiguous data rather than guessing how the receiving host will resolve it removes the classic evasion in which the sensor and the end host reconstruct different streams from the same packets. It also ensures that traffic passing through the IPS is interpreted consistently and that the data stream is reconstructed for inspection in the upper layers. Second, the TCP layer must be inspected as a reassembled data stream rather than segment by segment: an attack pattern that straddles a segment boundary is missed when each segment is matched in isolation. Finally, higher-layer inspection must be able to examine certain protocol elements in greater detail, by treating those elements as separate data streams and normalizing them according to the rules of the protocol before matching.
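The following Python program is an added illustration of the reassembly and normalization steps described above; it is not Stonesoft's code and not part of the original slideshow. It reassembles one direction of a TCP connection, refuses segments whose overlap conflicts with bytes already accepted, percent-decodes the HTTP request target as a higher-layer normalization step, and then compares naive per-segment matching with matching on the normalized stream. The signature `/etc/passwd` and the three traffic samples are constructed for the demo.

```python
"""Constructed example of reassembly-then-normalize inspection.
Added for illustration only; the signature and traffic are invented."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Hypothetical content signature the inspection engine is looking for.
SIGNATURE = b"/etc/passwd"


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


class StreamReassembler:
    """Reassemble one direction of a TCP connection.

    A segment that overlaps already-accepted bytes with *different* data is
    rejected outright, so the engine never holds two versions of the same
    byte and cannot disagree with the end host about which one 'wins'.
    Identical overlaps (ordinary retransmissions) are accepted.
    """

    def __init__(self):
        self._bytes = {}    # relative offset -> byte value
        self.rejected = []  # segments dropped as conflicting overlaps

    def add(self, seg):
        for i, b in enumerate(seg.payload):
            seen = self._bytes.get(seg.seq + i)
            if seen is not None and seen != b:
                self.rejected.append(seg)
                return False
        for i, b in enumerate(seg.payload):
            self._bytes[seg.seq + i] = b
        return True

    def contiguous(self):
        """Reassembled bytes from offset 0 up to the first gap."""
        out = bytearray()
        off = 0
        while off in self._bytes:
            out.append(self._bytes[off])
            off += 1
        return bytes(out)


def normalize_http_request_line(data):
    """Higher-layer normalization for HTTP: percent-decode the request target
    so a plain-text signature also matches %2e%2e-style encodings. Only the
    request line is touched; headers and body pass through unchanged."""
    line, sep, rest = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) == 3:
        parts[1] = unquote_to_bytes(parts[1])
    return b" ".join(parts) + sep + rest


def inspect(segments, signature=SIGNATURE):
    """Compare naive per-segment matching with stream matching after
    normalization. Returns both verdicts, the drop count and the stream."""
    per_segment_hit = any(signature in s.payload for s in segments)
    reasm = StreamReassembler()
    for s in segments:
        reasm.add(s)
    stream = normalize_http_request_line(reasm.contiguous())
    return {
        "per_segment_hit": per_segment_hit,
        "stream_hit": signature in stream,
        "rejected": len(reasm.rejected),
        "stream": stream,
    }


# Constructed traffic samples (not real captures).
# 1. Attack string split across a segment boundary.
SPLIT = [
    Segment(0, b"GET /cgi-bin/../../etc/pa"),
    Segment(25, b"sswd HTTP/1.0\r\n\r\n"),
]
# 2. Benign request, then a conflicting overlap that rewrites the target.
OVERLAP = [
    Segment(0, b"GET /cgi-bin/index.html HTTP/1.0\r\n\r\n"),
    Segment(13, b"../../etc/passwd HTTP/1.0\r\n\r\n"),
]
# 3. Attack hidden behind percent-encoding in a single segment.
ENCODED = [
    Segment(0, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/%70asswd HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for name, sample in (("split", SPLIT), ("overlap", OVERLAP), ("encoded", ENCODED)):
        print(name, inspect(sample))
```

Running it shows the three behaviours the text asks for: the split sample is missed per segment but caught on the reassembled stream, the conflicting overlap is dropped so the sensor sees exactly what a host receiving only the accepted segment sees, and the percent-encoded sample is caught only after the request target is normalized. A production engine would apply the same discipline to IP fragments below TCP and to many more application protocols above it.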