Research Describes Advanced Techniques To Bypass Firewalls

New security evasion techniques can be used to get through firewalls, researchers contend.

The threats haven't been seen in the field as yet. However, researchers at Stonesoft, a Finnish security company, say say they have identified a new set of advanced evasion techniques (AETs) that can be delivered to a network via port 80 HTTP traffic. AETs expand on a class of techniques that were described by the company last year.

The finding means that AETs can pass undetected by firewalls, which ramps up the threat posed by exploits using the techniques, said Brian Vosburgh, security solutions architect for Stonesoft.

"It's not necessarily unexpected," Vosburgh said of the new vector. "It expands the reach of AETs. It becomes a firewall issue, not just an intrusion prevention system issue."

Vosburgh said the company has reported 163 new AETs to the Finnish Computer Emergency Response Team.

Advanced evasion techniques are combinations of simple evasion techniques that can be used to get around standard security tools, such as intrusion detection and prevention systems, that might detect a stand-alone trick. Because they can use multiple combinations of simpler components, there are hundreds of thousands — if not millions — of potential AETs. The value of identifying a few hundred possible technique combinations lies in raising the profile of the threat, Vosburgh said.

"It's about driving industry to address traffic normalization," he said.

The company says what is needed to counter this class of threats is better normalization of TCP/IP traffic by network defenses to strip away the evasive tricks and expose the exploits. Progress should be possible through upgrades of current products without requiring wholesale replacement of the security infrastructure.

Evasion techniques have been around for quite a while, and the company began researching the subject in 2009 as part of an effort to see how well its own products identified and responded to them. Stonesoft found that some combinations of techniques were able to slip through undetected and identified 23 AETs last year that tools from other companies also did not detect. It identified another 124 early this year.

The techniques manipulate TCP/IP protocols that underlie the Internet and other IP networks, using tricks such as packet fragmentation and TCP segmentation. Breaking up an exploit and putting it into packet fragments, for instance, can confuse intrusion prevention systems. But the packets will be reassembled by the host device being attacked.

The same types of tricks also can be used with the HTTP and HTTPS protocols, Stonesoft says.

Industry response to the new class of threats has been muted somewhat because, a year after the initial announcement, there still are no verified cases of threats in the wild using AETs. CERT-FI, Finland's Computer Emergency Response Team, has coordinated the release of vulnerabilities found by Stonesoft to IPS vendors, some of which have begun efforts to block and report the attacks.

Vosburgh said the industry is beginning to pay attention to the issue.

"I don't want to give the impression that the industry has made great strides in protecting against AETs," he said. "It hasn't, and there is still a lot of work that needs to be done around inspection, detection and traffic normalization. However, in the past year, we've crossed a major hurdle, which has been getting the network security community to understand just how serious and dangerous AETs are."

Testing labs and research facilities are beginning to incorporate AETs into testing methodologies and criteria, Vosburgh said, and vendors have started thinking about protection against them.

"In sum, the vendor community is at a point of 'Hey, we get it. We're taking it seriously'," he said.

About the Author

William Jackson is the senior writer for Government Computer News (


  • How To Create a Windows Deployment Image, Part 1

    While there are various methods for creating custom Windows deployment images, the process has a reputation for being tedious and convoluted.

  • Azure Cost Management Now Commercially Available for Some Tenancies

    Microsoft on Monday announced that its Azure Cost Management feature had reached the "general availability" release stage for both Azure "pay-as-you-go" customers and Azure Government tenancies.

  • Microsoft Bringing Files Restore Capability to SharePoint Online and Teams

    Microsoft on Monday announced that it's delivering its Files Restore feature for SharePoint Online and Microsoft Teams to Office 365 tenancies as early as this month.

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.