Check Point Response to Stonesoft IPS Evasion Techniques published on June 14, 2011
R75, R71, R70
- Stonesoft Corporation reported a number of techniques for evading IPS/IDS detection. This publication should not be confused with the Stonesoft "Advanced Evasion Techniques" advisory (CVE-2010-0102) discussed in sk59468.
- Check Point has verified that all versions of the Check Point IPS blade properly block and report on these evasion techniques. Read the "Solution" section for details.
The Stonesoft evasion techniques use a combination of TCP segmentation and MS-RPC fragmentation, as well as manipulation of TCP window size and congestion control. For details, refer to the CERT-FI advisory (FICORA #487536).
No IPS update or patches are required.
Customers that use the recommended IPS profile in prevention mode are protected.
Customers that do not use the recommended profile should verify that the "MS-RPC over CIFS Fragmentation" protection in IPS is enabled.
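Why an inspection engine has to undo both TCP segmentation and MS-RPC fragmentation before matching, shown as an added example that is not Check Point code and does not describe how the IPS blade is implemented. It assumes an in-order DCE/RPC byte stream with any CIFS framing already removed, little-endian encoding and no authentication trailer; the pattern, call ID and helper names are constructed for illustration.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
HDR = struct.Struct("<BBBB4sHHI")  # DCE/RPC connection-oriented common header (16 bytes)
REQ = struct.Struct("<IHH")        # request PDU fields: alloc_hint, context id, opnum

def reassemble_requests(tcp_segments):
    """Return {call_id: stub bytes} for every complete request in an ordered stream."""
    stream = b"".join(tcp_segments)          # undo TCP segmentation first
    pending, complete, off = {}, {}, 0
    while off + HDR.size <= len(stream):
        ver, _, ptype, flags, drep, frag_len, auth_len, call_id = HDR.unpack_from(stream, off)
        # Assumption: little-endian data representation and no auth trailer.
        if ver != 5 or drep[0] != 0x10 or auth_len or frag_len < HDR.size:
            raise ValueError("unsupported or malformed PDU at offset %d" % off)
        if off + frag_len > len(stream):
            break                            # PDU not complete yet, wait for more data
        if ptype == 0 and frag_len >= HDR.size + REQ.size:
            if flags & PFC_FIRST_FRAG:
                pending[call_id] = bytearray()
            if call_id in pending:           # fragments without a first fragment are ignored
                pending[call_id] += stream[off + HDR.size + REQ.size : off + frag_len]
                if flags & PFC_LAST_FRAG:
                    complete[call_id] = bytes(pending.pop(call_id))
        off += frag_len
    return complete

def segments_containing(tcp_segments, pattern):
    """Per-segment matching with no reassembly, shown for comparison."""
    return sum(pattern in seg for seg in tcp_segments)

def build_fragment(call_id, flags, stub):
    """Build one constructed request fragment for the sample below."""
    frag_len = HDR.size + REQ.size + len(stub)
    hdr = HDR.pack(5, 0, 0, flags, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + REQ.pack(len(stub), 0, 0) + stub

# Constructed sample: a harmless marker stands in for a signature pattern.
PATTERN = b"EXAMPLE-SIGNATURE"
WIRE = (build_fragment(7, PFC_FIRST_FRAG, PATTERN[:5])
        + build_fragment(7, 0, PATTERN[5:12])
        + build_fragment(7, PFC_LAST_FRAG, PATTERN[12:]))
SEGMENTS = [WIRE[i:i + 9] for i in range(0, len(WIRE), 9)]

if __name__ == "__main__":
    print("segments matching without reassembly:", segments_containing(SEGMENTS, PATTERN))
    print("reassembled stub matches:", PATTERN in reassemble_requests(SEGMENTS)[7])
```

The pattern never appears in any single segment or in the raw byte stream, because fragment headers interleave with it; it is visible only in the stub data rebuilt from the first through last fragment.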