COMMAND

    Network Intrusion Detection Software

SYSTEMS AFFECTED

    munices/NT

PROBLEM

    The following info is based on the Secure Networks #24 advisory that
    covers  vulnerabilities  in  Network  Intrusion Detection Software
    including  ISS  RealSecure,   AbirNet  SessionWall-3,   WheelGroup
    NetRanger, and Network Flight Recorder.  Due to fundamental  flaws
    in the manner  by which these  systems collect information,  it is
    possible for  an attacker  to evade  detection.   Additionally, ID
    systems that provide "reactive" capabilities can be leveraged  via
    spoofing  attacks  by  an  attacker  to  commit  denial-of-service
    attacks  against  the  networks  they  protect.   This  paper   is
    available via our website in the following formats:

    Executive Summary in Word Format
        http://www.securenetworks.com/papers/ids-simple.doc

    Full Paper in HTML Format

        http://www.securenetworks.com/papers/ids-html/

    Full Paper in PostScript Format

        http://www.securenetworks.com/papers/IDS.PS

    Full Paper in PDF Format

        http://www.securenetworks.com/papers/IDS.PDF

    A press release for this paper is available at:

        http://www.securenetworks.com/news/press.html

    Tested Systems:

    - ISS RealSecure v1.0.97.224 for Windows NT.
    - WheelGroup Corporation's NetRanger product v1.2.2.
    - A recent evaluation release of AbirNet SessionWall-3, version 1,
      release 2, build v1.2.0.26 for Windows NT.
    - Network Flight Recorder's NFR v1.5.

    NFR is not specifically a network intrusion detection system,  and
    our results apply only to NFR  when used as an engine for  network
    ID.

    All tested systems were vulnerable to problems that would allow  a
    remote  attacker  to  launch  undetected  attacks against networks
    protected by these intrusion detection systems.

SOLUTION

    Consult papers mentioned above.