Research Describes Advanced Techniques To Bypass Firewalls

New security evasion techniques can be used to get through firewalls, researchers contend.

The threats haven't been seen in the field as yet. However, researchers at Stonesoft, a Finnish security company, say they have identified a new set of advanced evasion techniques (AETs) that can be delivered to a network inside ordinary HTTP traffic on port 80. The new AETs expand on a class of techniques the company first described last year.

The finding means that AETs can pass undetected by firewalls, which ramps up the threat posed by exploits using the techniques, said Brian Vosburgh, security solutions architect for Stonesoft.

"It's not necessarily unexpected," Vosburgh said of the new vector. "It expands the reach of AETs. It becomes a firewall issue, not just an intrusion prevention system issue."

Vosburgh said the company has reported 163 new AETs to the Finnish Computer Emergency Response Team.

Advanced evasion techniques are combinations of simple evasion techniques. Standard security tools, such as intrusion detection and prevention systems, might recognize each trick on its own but miss the combination. Because the simpler components can be combined in many ways, there are hundreds of thousands, if not millions, of potential AETs. The value of identifying a few hundred particular combinations lies in raising the profile of the threat rather than in cataloguing them all, Vosburgh said.

"It's about driving industry to address traffic normalization," he said.

The company says what is needed to counter this class of threats is better normalization of TCP/IP traffic by network defenses to strip away the evasive tricks and expose the exploits. Progress should be possible through upgrades of current products without requiring wholesale replacement of the security infrastructure.

Evasion techniques have been around for quite a while, and the company began researching the subject in 2009 as part of an effort to see how well its own products identified and responded to them. Stonesoft found that some combinations of techniques were able to slip through undetected and identified 23 AETs last year that tools from other companies also did not detect. It identified another 124 early this year.

The techniques manipulate the TCP/IP protocols that underlie the Internet and other IP networks, using tricks such as IP packet fragmentation and TCP segmentation. Breaking an exploit into fragments, for instance, can defeat an intrusion prevention system that inspects each packet on its own, because no single packet contains the pattern it is looking for. The target host, however, reassembles the fragments and receives the exploit intact.

The same types of tricks also can be used with the HTTP and HTTPS protocols, Stonesoft says.
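The following is an added illustration, not code from Stonesoft or from any IPS or firewall product, of the two points made above: a detector that inspects packets one at a time can be evaded by splitting an exploit across TCP segments (delivered out of order, over what looks like an ordinary port 80 HTTP request), and the remedy is to reassemble the byte stream the way the target host will before matching against it. It goes one step beyond the article by also showing overlapping segments, where the host's own reassembly policy decides what it sees, so a normalizer has to mirror that policy. The signature `/bin/sh`, the HTTP request and the segment lists are all constructed stand-ins; the sequence numbers are arbitrary.

```python
"""Evasion by TCP segmentation versus stream normalization (added example).

Segments are in-memory (seq, data) tuples built here; nothing is sent on a
network.  The signature and the request are constructed stand-ins for an
exploit pattern and the traffic that carries it.
"""

SIGNATURE = b"/bin/sh"  # constructed stand-in for the pattern an IPS would look for


def segment(payload: bytes, sizes, base_seq: int = 1000):
    """Cut payload into TCP-style segments of the given sizes (they must sum
    to len(payload)) and tag each with its sequence number."""
    if sum(sizes) != len(payload):
        raise ValueError("sizes must cover the payload exactly")
    segs, seq = [], base_seq
    for n in sizes:
        off = seq - base_seq
        segs.append((seq, payload[off:off + n]))
        seq += n
    return segs


def per_packet_match(segments, sig=SIGNATURE) -> bool:
    """Naive inspector: looks for the signature inside each segment on its own."""
    return any(sig in data for _, data in segments)


def reassemble(segments, policy: str = "first") -> bytes:
    """Rebuild the byte stream a host would hand to the application.

    segments are in ARRIVAL order.  When two segments cover the same
    sequence numbers:
      policy="first": keep the bytes that arrived first,
      policy="last":  let the later segment overwrite them.
    Real TCP stacks differ in this choice, so a normalizer has to apply the
    policy of the host it protects.  Only the contiguous prefix is returned:
    a hole means the host would still be waiting for data.
    """
    bytes_by_pos = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if policy == "first" and pos in bytes_by_pos:
                continue
            bytes_by_pos[pos] = b
    out = bytearray()
    pos = min(bytes_by_pos, default=0)
    while pos in bytes_by_pos:
        out.append(bytes_by_pos[pos])
        pos += 1
    return bytes(out)


def normalized_match(segments, sig=SIGNATURE, policy: str = "first") -> bool:
    """Inspector that normalizes (reassembles) first, then matches."""
    return sig in reassemble(segments, policy)


def evasion_by_segmentation():
    """Signature split across segments that also arrive out of order."""
    request = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n\r\n"   # constructed
    s0, s1, s2 = segment(request, [22, 8, len(request) - 30])  # cut inside "/bin/sh"
    arrival = [s2, s0, s1]                                      # out-of-order delivery
    return {
        "per_packet": per_packet_match(arrival),   # False: no one segment holds "/bin/sh"
        "normalized": normalized_match(arrival),   # True: the stream the host sees holds it
        "host_sees": reassemble(arrival) == request,
    }


def evasion_by_overlap():
    """Benign bytes sent first, then a 'retransmission' carrying the real
    bytes at the same sequence numbers.  What the host runs depends on its
    overlap policy, and so must what the inspector checks."""
    arrival = [
        (1000, b"GET /cgi-bin/x?cmd="),
        (1019, b"/bin/ls"),               # decoy
        (1019, b"/bin/sh"),               # overlapping segment with the real bytes
        (1026, b" HTTP/1.0\r\n\r\n"),
    ]
    return {
        "first_wins_host": reassemble(arrival, "first"),
        "last_wins_host": reassemble(arrival, "last"),
        "match_if_first": normalized_match(arrival, policy="first"),  # False
        "match_if_last": normalized_match(arrival, policy="last"),    # True
    }


if __name__ == "__main__":
    print(evasion_by_segmentation())
    print(evasion_by_overlap())
```

The same reassembly logic applies to IP fragments (fragment offsets in place of sequence numbers), and an HTTPS stream has to be decrypted at an inspection point before any of this can be done at all, which is why the article's TLS case is harder for a firewall than plain port 80 traffic.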

Industry response to the new class of threats has been somewhat muted because, a year after the initial announcement, there still are no verified cases of threats in the wild using AETs. CERT-FI, Finland's Computer Emergency Response Team, has coordinated disclosure of the evasions found by Stonesoft to IPS vendors, some of which have begun efforts to block and report the attacks.

Vosburgh said the industry is beginning to pay attention to the issue.

"I don't want to give the impression that the industry has made great strides in protecting against AETs," he said. "It hasn't, and there is still a lot of work that needs to be done around inspection, detection and traffic normalization. However, in the past year, we've crossed a major hurdle, which has been getting the network security community to understand just how serious and dangerous AETs are."

Testing labs and research facilities are beginning to incorporate AETs into testing methodologies and criteria, Vosburgh said, and vendors have started thinking about protection against them.

"In sum, the vendor community is at a point of 'Hey, we get it. We're taking it seriously'," he said.

About the Author

William Jackson is the senior writer for Government Computer News (
