On March 1, 2016, six vendors submitted their Data Center Intrusion Prevention (DCIPS) products to be tested for Security Effectiveness and Performance. Security effectiveness ranged from 23.2% to 99.9%. NSS Labs identified a number of security issues with the Hewlett Packard Enterprise (HPE) TippingPoint 7500NX v22.214.171.12452 device that consequently reduced its security effectiveness and caused the product to receive a “Caution” rating.
The first was an issue with the behavior of the state engine under load (Normal and Maximum Exceeded Loads). This evasion is executed by an attacker who sends an initial packet of a multi-packet exploit through a security device (which seen out of context of the rest of the exploit is not enough to say the packet is bad), then the attacker initiates a large number of concurrent connections, and lastly the attacker sends the rest of the packets to complete the exploit/ evasion. If state management is not handled properly, the device will remember state at the routing layer but lose track at the deep inspection layer resulting in attacks that “leak” past the intrusion prevention system.
In addition, there was a multi-layered evasion (IP Fragmentation + MSRPC Fragmentation). The evasion is executed by an attacker sending fragmented MSRPC packets in combination with fragmented IP packets through the device.
A few facts:
When notified of the issues, Trend Micro demonstrated a no nonsense, customer first attitude that should reassure TippingPoint clients. Results of the new version submitted by Trend Micro fixed the evasion issues identified in the previously tested HPE version of the product. Customers can download the NSS Labs Security Value Map (SVM) to see where Trend Micro would have landed in the SVM.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.