SNI-24: IDS Vulnerabilities

From: Secure Networks Inc. (sniat_private)
Date: Mon Feb 09 1998 - 13:57:44 PST


                            ######    ##   ##    ######
                            ##        ###  ##      ##
                            ######    ## # ##      ##
                                ##    ##  ###      ##
                            ###### .  ##   ## .  ######.
    
                                Secure Networks Inc.
                            Technical Paper Announcement
                                February 9, 1997
    
               Vulnerabilities in Network Intrusion Detection Software
    
    
    This posting is being released to announce a technical paper outlining
    vulnerabilities in commonly deployed "network-based" intrusion detection
    systems, including ISS RealSecure, AbirNet SessionWall-3, WheelGroup NetRanger,
    and Network Flight Recorder.  Due to fundamental flaws in the manner by which
    these systems collect information, it is possible for an attacker to evade
    detection.  Additionally, ID systems that provide "reactive" capabilities can
    be leveraged via spoofing attacks by an attacker to commit denial-of-service
    attacks against the networks they protect.
    
    This paper is available via our website in the following formats:
    
    - Executive Summary in Word Format
            http://www.securenetworks.com/papers/ids-simple.doc
    
    - Full Paper in HTML Format
            http://www.securenetworks.com/papers/ids-html/
    
    - Full Paper in PostScript Format
            http://www.securenetworks.com/papers/IDS.PS
    
    - Full Paper in PDF Format
            http://www.securenetworks.com/papers/IDS.PDF
    
    - A press release for this paper is available at:
            http://www.securenetworks.com/news/press.html
    
    
    Tested Systems:
    ~~~~~~~~~~~~~~~
    
    We tested ISS RealSecure version 1.0.97.224 for Windows NT.
    
    We tested WheelGroup Corporation's NetRanger product in version 1.2.2.
    
    We tested the most recent evaluation release of AbirNet SessionWall-3,
    version 1, release 2, build v1.2.0.26 for Windows NT.
    
    We tested Network Flight Recorder's NFR version 1.5. NFR is not
    specifically a network intrusion detection system, and our results apply
    only to NFR when used as an engine for network ID.
    
    All tested systems were vulnerable to problems that would allow a remote
    attacker to launch undetected attacks against networks protected by these
    intrusion detection systems.
    
    
    
    Type Bits/KeyID    Date       User ID
    pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sniat_private>
                                  Secure Networks <securityat_private>
    
    
    Copyright Notice
    ~~~~~~~~~~~~~~~~
    The contents of this advisory are Copyright (C) 1998 Secure Networks Inc,
    and may be distributed freely provided that no fee is charged for
    distribution, and that proper credit is given.
    
     You can find Secure Networks papers at ftp://ftp.securenetworks.com/pub/papers
     and advisories at ftp://ftp.securenetworks.com/advisories
    
     You can browse our web site at http://www.securenetworks.com
    
     You can subscribe to our security advisory mailing list by sending mail to
     majordomoat_private with the line "subscribe sni-advisories"
    
    


