Insertion/Evasion Attack Prevention - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

6.3.4. Insertion/Evasion Attack Prevention
Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in makeup to an IP Rule. An IDP Rule specifies a given combination of source/destination interfaces/addresses, and is associated with a Service object which defines which protocols to scan. A time schedule can also be associated with an IDP Rule. Most importantly, an IDP Rule specifies the Action to take on detecting an intrusion in the traffic targeted by the rule.
Initial Packet Processing
The initial order of packet processing with IDP is as follows:
1. A packet arrives at the firewall and NetDefendOS performs normal verification. If the packet is part of a new connection then it is checked against the IP Rule-set before being passed to the IDP module. If the packet is part of an existing connection it is passed straight to the IDP system. If the packet is not part of an existing connection or is rejected by the IP rule-set then it is dropped.
2. The source and destination information of the packet is compared to the set of IDP Rules defined by the administrator. If a match is found, it is passed on to the next level of IDP processing, which is pattern matching, described in the step below. If there is no match against an IDP rule then the packet is accepted and the IDP system takes no further actions, although further actions defined in the IP rule-set are still applied, e.g. address translation and logging.
Checking Dropped Packets
The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are rejected by the IP Rule-set check for new connections, as well as packets that are not part of an existing connection. This provides the firewall administrator with a way to detect any traffic that appears to be an intrusion. With this option the only possible IDP Rule Action is logging. Caution should of course be exercised with this option since the processing load can be much higher when all data packets are checked.

6.3.4. Insertion/Evasion Attack Prevention

Overview
When defining an IDP Rule, the administrator has the option to enable or disable the ability to "Protect against Insertion/Evasion attack". An Insertion/Evasion Attack is a form of attack which is specifically aimed at IDP systems. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in some way. Insertions or Evasions are designed to exploit this reassembly process.
Insertion Attacks
An Insertion attack consists of inserting data into a stream so that the resulting sequence of data packets is accepted by the IDP subsystem but will be rejected by the targeted application. This results in two different streams of data.
As an example, consider a data stream broken up into 4 packets: p1, p2, p3 and p4. The attacker might first send packets p1 and p4 to the targeted application. These will be held by both the IDP subsystem and the application until packets p2 and p3 arrive so that reassembly can be done. The attacker now deliberately sends two packets, p2' and p3', which will be rejected by the application but accepted by the IDP system. The IDP system is now able to complete reassembly of the packets and
127
Chapter 6. Security Mechanisms
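As an added illustration of the insertion attack just described (constructed example code, not part of the D-Link manual or of NetDefendOS), the following Python model reassembles the same p1, p4, p2', p3', p2, p3 arrival sequence two ways: once accepting every segment, as a naive inspection engine would, and once applying the same acceptance test the end host applies, which is the gap the "Protect against Insertion/Evasion attack" option exists to close. The `host_accepts` flag, the offsets and the payload bytes are assumptions of the model, not values from the manual.

```python
# Toy model of an insertion attack against stream reassembly.
# Constructed data, not captured traffic. A segment the host would
# reject (bad checksum, expiring TTL, ...) is marked host_accepts=False.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    offset: int          # position of this chunk in the stream
    data: bytes          # chunk payload
    host_accepts: bool   # would the destination host accept this segment?


def reassemble(segments, validate_like_host):
    """Rebuild the stream from segments in arrival order.

    validate_like_host=False: every segment is accepted and the first one
    seen for an offset wins (naive inspection engine).
    validate_like_host=True: segments the host would drop are ignored, so
    the inspector ends up with the same bytes the application sees.
    """
    chunks = {}
    for seg in segments:
        if validate_like_host and not seg.host_accepts:
            continue
        chunks.setdefault(seg.offset, seg.data)   # first arrival wins
    return b"".join(chunks[k] for k in sorted(chunks))


def signature_hit(stream, pattern=b"evil"):
    """Stand-in for the pattern-matching stage: does the signature match?"""
    return pattern in stream


# Constructed segments, sent in the order the text describes: p1 and p4
# first, then the bogus p2' and p3' (rejected by the host), then the
# genuine p2 and p3.
p1 = Segment(0, b"GET /", True)
p4 = Segment(12, b" HTTP/1.0", True)
p2x = Segment(5, b"inde", False)   # p2': host rejects, naive engine accepts
p3x = Segment(9, b"x.h", False)    # p3'
p2 = Segment(5, b"evil", True)     # genuine p2
p3 = Segment(9, b".sh", True)      # genuine p3
ARRIVAL_ORDER = [p1, p4, p2x, p3x, p2, p3]

if __name__ == "__main__":
    naive = reassemble(ARRIVAL_ORDER, validate_like_host=False)
    host = reassemble(ARRIVAL_ORDER, validate_like_host=True)
    print("naive engine sees:", naive, "hit:", signature_hit(naive))
    print("host receives:   ", host, "hit:", signature_hit(host))
```

The naive engine ends up with a different stream from the host and misses the signature; the engine that validates segments the way the host does reassembles the same bytes the application receives.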
