Insertion/Evasion Attack Prevention - D-Link NetDefend DFL-210 User Manual

6.5.4. Insertion/Evasion Attack
Prevention
HTTP Normalization
Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to
choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in
incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can
exploit weaknesses in some HTTP server products.
The URI conditions which IDP can detect are:
• Invalid UTF8
This looks for any invalid UTF8 characters in a URI.
• Invalid hex encoding
A valid hex sequence is where a percentage sign is followed by two hexadecimal values to
represent a single byte of data. An invalid hex sequence would be percentage sign followed by
something which is not a valid hexadecimal value.
• Double encoding
This looks for any hex sequence which itself is encoded using other hex escape sequences. An
example would be the original sequence %2526 where %25 is then might be decoded by the
HTTP server to '%' and results in the sequence '%26'. This is then finally decoded to '&'.
Initial Packet Processing
The initial order of packet processing with IDP is as follows:
1. A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is
part of a new connection then it is checked against the IP rule set before being passed to the
IDP module. If the packet is part of an existing connection it is passed straight to the IDP
system. If the packet is not part of an existing connection or is rejected by the IP rule set then it
is dropped.
2. The source and destination information of the packet is compared to the set of IDP Rules
defined by the administrator. If a match is found, it is passed on to the next level of IDP
processing which is pattern matching, described in step below. If there is no match against an
IDP rule then the packet is accepted and the IDP system takes no further actions although
further actions defined in the IP rule set are applied such as address translation and logging.
Checking Dropped Packets
The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are
rejected by the IP rule set check for new connections, as well as packets that are not part of an
existing connection. This provides the firewall administrator with a way to detect any traffic that
appears to be an intrusion. With this option the only possible IDP Rule Action is logging. Caution
should of course be exercised with this option since the processing load can be much higher when
all data packets are checked.

6.5.4. Insertion/Evasion Attack Prevention

Overview
When defining an IDP Rule, the administrator can enable or disable the option Protect against
Insertion/Evasion attack. An Insertion/Evasion Attack is a form of attack which is specifically
281
Chapter 6. Security Mechanisms