Unfortunately, even when it has not been taken over, an adaptive security management system is a weapon that can be turned against you. Suppose that a reactive behaviour against a network attack consists of reconfiguring a firewall such that it denies all traffic from the observed source. What if an attacker was able to spoof his address? If he finds out the behaviour of the firewall, he can deny a large portion of the legitimate traffic to the network by simply adopting a whole range of false addresses.
In order to prevent the protection mechanisms being fooled into reacting against legitimate use, one may prefer monitoring over blocking where acceptable. It makes sense to set up a ``honey pot'' and mislead the attacker, making him believe he actually got where he wanted to be4.2. Rather than reconfiguring the firewall, one could change a router's routing tables to point to a system that very much resembles an internal host or server, but with no sensitive data or services. This offers the advantage that evidence can be gathered about the attack by passively watching the attacker's moves.
The topology and protocols of the internal corporate network influence routing decisions, fragmentation of packets and tunneling issues. Intrusion detection systems that have access to the information ``on the wire'' only are notably vulnerable to two types of attacks: insertion and evasion [PTA98]. The basic idea is that systems being protected may be designed or configured so that they behave differently than the monitor. A stream of data may contain an attack signature that a host is vulnerable to but not the monitor, and vice versa. The analysing security engine should know about the network topology and about the way different operating systems handle various types of (incorrect) packets. It can then tell the monitor to specifically look for certain types of attack signatures.
Consider the following example of an insertion attack to demonstrate the importance of how a network and the ASMS are configured.
The following stream of data (4 packets) is sent to a host on the corporate network:
TTL | Payload | TTL | Payload | TTL | Payload | TTL | Payload |
15 | ``AT'' | 14 | ``NO'' | 15 | ``TA'' | 15 | ``CK'' |
TTL represents the time-to-live of the individual packet, i.e. the number of systems the packet can traverse before it is dropped (the counter is decremented at every hop and eventually becomes zero if the packet has been traveling for too long). We assume that the network monitor and the target host are configured in the same way and that they use a similar TCP/IP implementation that complies with the standards. In that case, if both the monitor and the target host are on the same network segment, they will both see the innocuous ``ATNOTACK''. Suppose however that the target machine is one hop further (on another segment), and an attacker manages to find this out, e.g. by using a simple tool like ``traceroute''. Now the monitor will still see the harmless string, the target machine however will see ``ATTACK'' as the second packet is dropped by an intermediate machine. The monitor -- and the analysis engine -- has been fooled by inserting the second packet. Evasion attacks work in a similar way, only they try to hide dangerous payload in such a way that it is filtered out by the end system, but not by the monitors (as a result from differing implementations for example).
The solutions can often be quite simple: it is suggested that various network monitors -- and safeguards -- be placed as close as possible to the resources they protect. Select software that complies with standards, set the MTU (maximum transfer unit, the largest possible size for a packet before it gets fragmented) to be the same on the various interfaces on the network to prevent additional fragmenting that hampers analysis, let the perimeter devices drop packets with TTL fields that cannot reach all machines within the network or let perimeter machines overwrite the fields. Use vulnerability scanners to find out about the software that is running on target machines.