What is the best way to harden an enterprise network against advanced evasion techniques (AETs)? I see vendors coming out with software that uses this same idea to prod a network's perimeter for holes. Furthermore, what's the best way to track down the source of AETs?
Ask the Expert: answered by network security expert Brad Casey.
AETs were dreamed up in a vendor laboratory, so I'm not convinced that AET attacks are a prevalent problem at this point. In a nutshell, an AET attack involves manipulating packets at various layers of the Open Systems Interconnection model with the end goal of confusing network intrusion detection and prevention systems (IDS/IPS). So if the packet is manipulated at the IP layer, most IDS/IPS products are adept at catching such an event, but if the packet is manipulated simultaneously at the IP and session layers, most IDS/IPS systems don't know how to process this.
Yes, there is software and hardware on the market right now that will help to prevent the infamous AET attack, but the vendors who are peddling these products are some of the same ones that invented the concept in the first place. I'm not saying that AET attacks won't at some point be prevalent in the wild, but in comparison with the dreaded DDoS attack, AET attacks aren't even in the same ballpark. If your organization insists on deploying a defense against AET attacks, then I suggest considering vendors such as Stonesoft that have a focus on AET mitigation for your software and hardware needs.
As far as tracking down the source of AET attacks, you could use some of the same techniques that are used in other attacks: Examine the network routing information, take note of which autonomous system the packets are coming from, and try obtaining the cooperation of your ISP.
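A concrete illustration of the layer-level ambiguity the answer describes, added here as an example (it is not code from the column, from Brad Casey, or from any vendor product): when two fragments or segments overlap and their overlapping bytes disagree, an IDS that keeps the first copy while the end host keeps the last inspects a payload the host never processes. The normaliser below reassembles with one fixed, explicit policy (first copy wins, an assumed choice) and raises an alert on every conflicting overlap, which is the defender-side check that removes the ambiguity. The `Chunk`, `Result` and `reassemble` names and the sample fragments are constructed for this example; the same logic applies unchanged to TCP segment overlap, where the offsets are sequence numbers.

```python
"""Overlap-aware reassembly normaliser (added example; constructed data).

A Chunk models one IP fragment or one TCP segment: a byte offset, a payload
and a flag marking the final piece. reassemble() rebuilds the datagram with a
first-copy-wins policy and reports any overlap whose bytes disagree with data
already received, plus gaps and inconsistent length claims.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Chunk:
    offset: int          # byte offset within the original datagram / stream
    data: bytes
    last: bool = False   # True on the final fragment (no "more fragments")


@dataclass
class Result:
    payload: bytes
    complete: bool
    alerts: List[str] = field(default_factory=list)


def reassemble(chunks: List[Chunk]) -> Result:
    """Rebuild in arrival order; first copy of any byte wins; log conflicts."""
    buf = bytearray()
    seen = bytearray()             # seen[i] == 1 once byte i has been written
    end_of_data = None
    alerts: List[str] = []

    for n, c in enumerate(chunks):
        end = c.offset + len(c.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        # Bytes this chunk would overwrite with a *different* value.
        conflicts = [c.offset + i for i, b in enumerate(c.data)
                     if seen[c.offset + i] and buf[c.offset + i] != b]
        if conflicts:
            alerts.append(f"chunk {n} (offset {c.offset}, len {len(c.data)}) "
                          f"conflicts with earlier data at bytes "
                          f"{conflicts[0]}-{conflicts[-1]}")
        for i, b in enumerate(c.data):
            pos = c.offset + i
            if not seen[pos]:          # first-copy-wins policy
                buf[pos] = b
                seen[pos] = 1
        if c.last:
            if end_of_data is not None and end_of_data != end:
                alerts.append("two final chunks claim different total lengths")
            end_of_data = end if end_of_data is None else min(end_of_data, end)

    if end_of_data is None:
        return Result(bytes(buf), False, alerts + ["no final chunk seen"])
    if len(buf) > end_of_data:
        alerts.append("data received beyond the declared end of datagram")
    missing = [i for i in range(end_of_data) if not seen[i]]
    if missing:
        alerts.append(f"{len(missing)} byte(s) never received")
        return Result(bytes(buf[:end_of_data]), False, alerts)
    return Result(bytes(buf[:end_of_data]), True, alerts)


# Constructed sample input: a clean two-piece split of a 15-byte payload, and
# a split where a second chunk re-covers bytes 0-4 with different content.
BENIGN = [Chunk(0, b"GET /ind"), Chunk(8, b"ex.html", last=True)]
OVERLAP = [Chunk(0, b"XXX /ind"), Chunk(0, b"GET /"), Chunk(8, b"ex.html", last=True)]

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overlap", OVERLAP)):
        r = reassemble(sample)
        print(name, r.payload, "complete" if r.complete else "incomplete", r.alerts)
```

In an IPS the alert alone is usually the actionable signal: a well-behaved stack never needs to resend a fragment with different bytes at the same offset, so a conflicting overlap is worth dropping or at least logging regardless of which copy the normaliser keeps.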
This was first published in August 2013