A couple of days ago, Stonesoft did something interesting when they stated publicly, and in dramatic fashion, something that everyone in the network security community has known from the start: with sufficient resources and determination, you can break into anything.
They spun fascinating tales about the vulnerabilities they discovered, which leveraged default behaviors of the ubiquitous TCP stack, but you had to listen a lot closer to hear that they were doing this with an internal testing tool, complete with a custom TCP stack of its own that played by its own rules. You can’t really blame them; it made for a good story.
There’s no doubt this is interesting stuff, but protecting against the bleeding-edge of theoretically possible attacks isn’t what network security is about. It’s about dealing with the real-world threatscape, and that’s why the best network security companies focus their resources on protecting as many people as possible from the most likely attack vectors, rather than those that are technically feasible but highly unlikely. Independent labs that test IPS devices know it’s important to test for vulnerability to various evasion techniques, but they focus on those that are publicly or commercially available or known amongst the Internet community, not on those invented the day before by some lab-coated researcher with a homemade circuit board in one hand and a soldering iron in the other.
The news of these advanced evasion techniques broke dramatically, but with very little technical detail. Initial reports could have been written by some pulp fiction author who decided to try his hand at a cyber-thriller. I thought the whole thing came off a little like a ghost story about a headless horseman, perfectly timed for Halloween. But I suppose it’s still only fair to congratulate Stonesoft for their discovery of this latest line of “best-of-breed” evasion techniques that rely on custom protocol stacks and technology the likes of which has never been seen in the wild. It’s an interesting attempt to foster a reputation as a network security leader, but the companies making a real difference are the ones working diligently, day in and day out, to strike the optimal balance between security and connectivity in the face of the more than 150,000 known viruses, virus variants, Trojans, and other types of malicious code in circulation today that people in the real world are much more likely to bump into.
My favorite quote on the subject comes from Chris Wysopal, CTO at Veracode, who is quoted as saying, “It’s like they discovered some new buffer overflows and they’re acting as if they’ve discovered buffer overflows.”