Firewalls defenseless against new attack technique

"Why are apparently well-defended networks belonging to the government, military and monied corporates falling to large-scale targeted attacks so regularly?

According to Finnish security vendor Stonesoft, part of the answer could lie with what the company terms ‘Advanced Evasion Techniques’ (AETs), jargon for an obscure class of packet-based probing at the ground level of the TCP/IP stack that firewalls are designed to stop."

http://news.techworld.com/security/...ss-against-new-attack-security-vendor-claims/

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach.

Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits. AETs are already in circulation on the net as part of targeted attacks and offer a mechanism to bypass static network security systems before attacking exposed enterprise servers, such as ERP or CRM systems, and swipe confidential information.

The new advanced evasion techniques threat category involves simultaneously combining different evasion techniques in several layers of targeted network, thus blindsiding security tools. From descriptions we've seen it might be compared to a sleight of hand rather than a Jedi mind trick. Even so it's still potentially effective.

http://www.theregister.co.uk/2010/10/18/aet_hack_technique/

 

Now that it is public knowledge will it be fixed, can it be fixed?

I remember watching a show on the History Channel about Cyber Espionage.
The DoD Cyber Inteligence Officer stated, "Firewalls are ineffective, we (the DoD) focus on detecting intrusions into our systems."

 

[noparse]http://www.youtube.com/officialantievasion#p/a/u/1/JvD2FlMsy8c[/noparse]
Why does the guy get winded after only 2 minutes into the video?

 

From Stonesoft Claims To Find More Evasion Techniques in Security Products:

 

Since I don't use a firewall, I am safe then, right

Sul.

 

Thanks for posting the register link up there. If you haven't done so, please read the comment too. They are often quite funny and most importantly a healthy dose of reality check...
What a load of rubbish. But what's even worse is the "news" reporting on IT, security in particular.

 

Funny thing Stonesoft would have to agree with that.
Don't run any vulnerable services, if you have to run LAN or net facing services protect them as good as you can by hardening, sandboxing and access control.
Though a firewall rule that whitelists specific domains/Ip addresses would add some defense in depth and certainly doesn't make you more vulnerable.

This anti evasion talk is more targeted at NIPS which are often used instead of patching services. Everybody knows this is a flawed method given that it's based on the assumption that your network behind the IPS is secure and trustworthy and that there are no ways to trick the detection.
The first one is obviously dangerous the second one becomes clear when you think about IDS/IPS like an AV: They can only protect against known threats. But even the oldest virust stays undetected if it uses morphing and encryption and is well designed so it stays under the radar for both signature and heuristic detection.
If you took a different approach, a policy based proactive approach using a firewall you could make a rule that says:
Only allow traffic I know and want to reach my services, throw everything else away.
You can compare that to an anti-executable rule which whitelists applications instead of "enumerating badness" (google it). My analogy isn't perfect but it's some food for thought.

The thing is, this is nothing new and talk like "we can't tell you what we discovered because that we would help the bad guys" and further in their youtube video "the best solution is one where your IPS can update its "definitions" very fast" is big marketing BS. They don't tell us the root cause and they don't even try to tackle the root cause. Instead they do what the "industry" has been doing: fighting the symptoms (and milking their customers for subscription fees) while telling everyone how they help the whole industry to get the upper hand against the bad guys.
That's so laughably stupid that I won't have to further comment on that.

 

don't forget those hacked system use BSD and *NIX flavors and very stable software.