To protect against attacks that try to evade security systems, the Panda GateDefender Integra IPS incorporates mechanisms that allow it to identify this type of activity and block it.
These mechanisms are implemented in the data pre-processing modules. One of the most widely used pre-processing modules is data standardization.
When an attacker tries to evade an IPS, the main aim is to pass the malicious packets through the device so that they reach the target without the IPS detecting them as intrusion attempts. The methods used by these types of attacks are the following:
- Packet fragmentation. The attacker takes advantage of the different implementations of the TCP/IP stack in different operating systems to fragment packets.
If a packet is too big, it can be divided into multiple fragments. This operation is known as fragmentation. Systems store the fragments they receive, wait until all of the fragments have arrived and then reassemble them. Because the IPS and the target system may hold incomplete fragment sets for different lengths of time before reassembling them, in some cases the IPS could discard the fragments of a packet while the target system is still completing it. In this way an intruder could pass the attack through the IPS without it being identified.
- TTL-based methods (packet time-to-live). In order to carry out this type of attack, the intruder needs prior knowledge of the target subnet topology.
- Methods that exploit weaknesses in simple string matching (widely used in IPS products).
- Other methods that rely on standards and rules that are not strict or explicit. To do this, intruders take advantage of the different interpretations and/or implementations found in different environments.
The Panda GateDefender Integra IPS is based on the open-source Snort code implemented in the pre-processors. These make it possible to use the same parameters for packet defragmentation, TTL, etc. as those configured on the recipients of the inspected packets, regardless of whether the recipient is a single host or a subnet. The technology used by Snort is mature, thanks to the contributions of the developers and collaborators who take part in the project.
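The following is an added example, not code from the Panda GateDefender documentation or from Snort, that illustrates the point made in the two passages above about fragment reassembly: an inspection device that reassembles fragments with a different timeout than the protected host sees a different datagram (here, none at all), while a device configured with the host's parameters sees exactly what the host sees. The fragment stream, the timestamps, the 60-second and 20-second timeouts and the benign HTTP payload are all constructed for the example; the `Reassembler` class is a deliberately small model, not the frag3 preprocessor.

```python
"""Added example (not from the Panda GateDefender documentation or Snort):
a toy IP-fragment reassembler parametrized by a reassembly timeout, used to
show why an inspection device must reassemble with the same parameters as
the host it protects.  Fragments, timestamps and timeouts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    frag_id: int    # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment within the original datagram
    payload: bytes
    more: bool      # "more fragments" flag; False marks the last fragment
    t: float        # constructed arrival time in seconds


@dataclass
class Reassembler:
    """Collects fragments per datagram id; drops partial datagrams older than `timeout`."""
    timeout: float
    pending: Dict[int, Tuple[float, List[Fragment]]] = field(default_factory=dict)
    expired: int = 0  # number of partial datagrams discarded because they timed out

    def _expire(self, now: float) -> None:
        stale = [fid for fid, (first_seen, _) in self.pending.items()
                 if now - first_seen > self.timeout]
        for fid in stale:
            del self.pending[fid]
            self.expired += 1

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the reassembled datagram when it is complete."""
        self._expire(frag.t)
        _first_seen, frags = self.pending.setdefault(frag.frag_id, (frag.t, []))
        frags.append(frag)
        # Complete only when the last fragment is present and offsets form a contiguous run
        if any(not f.more for f in frags):
            frags.sort(key=lambda f: f.offset)
            end = 0
            for f in frags:
                if f.offset != end:
                    return None  # gap: keep waiting for the missing piece
                end += len(f.payload)
            del self.pending[frag.frag_id]
            return b"".join(f.payload for f in frags)
        return None


def reassemble_all(frags: List[Fragment], timeout: float) -> Tuple[List[bytes], int]:
    """Run a whole fragment stream through one reassembler with the given timeout."""
    r = Reassembler(timeout)
    datagrams = [d for d in (r.feed(f) for f in frags) if d is not None]
    return datagrams, r.expired


# Constructed stream: the second fragment arrives 45 s after the first.
STREAM = [
    Fragment(frag_id=7, offset=0, payload=b"GET /index.html HT", more=True, t=0.0),
    Fragment(frag_id=7, offset=18, payload=b"TP/1.1\r\n", more=False, t=45.0),
]
TARGET_TIMEOUT = 60.0      # constructed reassembly timeout of the protected host
MISMATCHED_TIMEOUT = 20.0  # constructed timeout of a device not tuned to that host


def compare_views() -> dict:
    """Compare what the host sees with what a mismatched and a matched IPS see."""
    target_view, _ = reassemble_all(STREAM, TARGET_TIMEOUT)
    mismatched_view, mismatched_expired = reassemble_all(STREAM, MISMATCHED_TIMEOUT)
    matched_view, _ = reassemble_all(STREAM, TARGET_TIMEOUT)  # IPS using the host's parameters
    return {
        "target": target_view,
        "mismatched_ips": mismatched_view,
        "mismatched_expired": mismatched_expired,
        "matched_ips": matched_view,
    }


if __name__ == "__main__":
    for name, value in compare_views().items():
        print(f"{name}: {value!r}")
```

With the mismatched 20-second timeout the inspection device has already discarded the first fragment when the second arrives, so it never reassembles the datagram and has nothing to match signatures against, while the host reassembles the complete request. Configuring the device with the host's own timeout (the target-based approach described above) makes both views identical; the same reasoning applies to the other per-host parameters the text mentions, such as TTL handling.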