Cyberthreats Using Evasion Techniques: Achilles' Heel of the NGFW

Enterprises have spent much of the past decade ramping up their security controls to protect against network security threats and cybercrime, and to satisfy compliance initiatives. Typically, it can take several months to gather detailed information on different next generation firewall (NGFW) products and their subsystems in order to make informed decisions. NSS’ group test results give enterprise customers key metrics that offer unique insights into the capabilities of different security solutions.

NSS Labs recently completed its seventh iteration of the most comprehensive NGFW public group test in the security industry. Enterprises can leverage the data from these Test Reports to select products that match their requirements with regard to price, security effectiveness, performance, management, workflow, deployment architecture, and interoperability. Apart from security and performance metrics, our reports also provide visibility into the stability and reliability capabilities of the tested products. Our Comparative Reports reveal how tested products stack up against each other. Enterprises can use this information to define proof-of-concept criteria or make purchasing decisions to bolster existing network security controls (i.e., the “Get Secure” phase of the buyer’s journey).

The group test results revealed some interesting data; particularly concerning were the overall security efficacy and protection rates of almost all of the leading NGFW products. An NGFW must protect against exploits launched against vulnerable enterprise assets. Unfortunately, some products are still unable to detect and prevent these threats, which means organizations are left vulnerable to attackers potentially gaining remote access to systems, executing arbitrary commands, and downloading and executing malicious payloads (e.g., ransomware, Trojans, etc.).

Probably the most important takeaway from this year’s NGFW group test is the revelation that leading NGFW products are susceptible to cyberthreats that use evasion techniques. Such techniques essentially disguise and modify attacks at the point of delivery to avoid being detected and blocked by security products. If a security product does not correctly identify a specific type of evasion, this potentially allows an attacker to use an entire class of exploits to bypass protection. Many of the techniques used in the NGFW group test have been widely known for years, and protection against them should be considered a minimum requirement for an NGFW product. Some of the classes of evasions that were evaluated during this test include:

  • IP packet fragmentation 
  • Stream segmentation
  • RPC fragmentation
  • URL obfuscation
  • HTML obfuscation
  • Payload encoding
  • FTP evasion
  • HTTP evasion

The more evasion classes a product misses, the less effective it is as a security control. Furthermore, evasions operating at the lower layers of the network stack (e.g., IP packet fragmentation or stream segmentation) have more impact on security effectiveness because they target a greater number of vulnerabilities using a wider range of exploits than do those operating at the upper layers of the stack (e.g., HTTP or FTP obfuscation). Exploits operating at the higher layers of the stack use obfuscation, encoding, and other evasion techniques, which typically target the most commonly used enterprise applications and protocols. It is critical that enterprises understand the impact of evasions on security controls. To this end, NSS’ NGFW Security Value Map™ (SVM) graphic reflects the impact of evasions on the security products tested. Enterprises that are evaluating NGFW products should note that the overall security effectiveness score factors in both protection against exploits and protection against evasions.
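To make the stream-segmentation point concrete, the following added example (not code from NSS Labs or from any tested product) contrasts a naive inspector that matches a signature per TCP segment with one that reassembles the byte stream by sequence number first. The signature string, the sample request, and the initial sequence number are constructed for illustration.

```python
"""Why stream segmentation defeats per-packet inspection (added example)."""
from dataclasses import dataclass

# Hypothetical signature for a request an NGFW should block (constructed).
SIGNATURE = b"GET /cgi-bin/vuln.cgi?x="


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_segment_match(segments, signature=SIGNATURE):
    """Naive inspection: each segment is matched in isolation."""
    return any(signature in s.payload for s in segments)


def reassemble(segments, isn):
    """Order segments by sequence number and stitch a contiguous stream.

    Returns None if a gap remains, i.e. the stream cannot be fully inspected.
    Overlapping bytes keep the first-seen data; real sensors must model the
    target host's overlap policy, which differs between operating systems.
    """
    stream = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda seg: seg.seq):
        if s.seq > expected:
            return None                      # missing data before this segment
        overlap = expected - s.seq           # bytes already seen (retransmit)
        stream += s.payload[overlap:]
        expected = max(expected, s.seq + len(s.payload))
    return bytes(stream)


def reassembled_match(segments, isn, signature=SIGNATURE):
    """Inspection after reassembly: the signature is matched on the stream."""
    data = reassemble(segments, isn)
    return data is not None and signature in data


# Constructed sample: one request split into three segments, delivered out of
# order, so the signature never appears whole inside any single segment.
ISN = 1000
REQUEST = b"GET /cgi-bin/vuln.cgi?x=AAAA HTTP/1.0\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(ISN + 16, REQUEST[16:]),
    Segment(ISN, REQUEST[:8]),
    Segment(ISN + 8, REQUEST[8:16]),
]
```

Running `per_segment_match(SAMPLE_SEGMENTS)` returns False while `reassembled_match(SAMPLE_SEGMENTS, ISN)` returns True; dropping the middle segment makes `reassemble` return None, which a sensor should treat as "not inspected" rather than "clean".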

Along with referencing NSS’ group test results, NSS recommends that organizations also consider a product’s features, roadmap, stability, support criteria, the extent to which it can integrate with other security solutions, and its ROI. For more on the total cost of ownership (TCO) of NGFW products, please reference NSS’ NGFW Comparative Report on TCO. 

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

TAGS: Evasions, Next Generation Firewall, NGFW, security testing