On March 1, 2016, six vendors submitted their Data Center Intrusion Prevention (DCIPS) products to be tested for Security Effectiveness and Performance. Security effectiveness ranged from 23.2% to 99.9%. NSS Labs identified a number of security issues with the Hewlett Packard Enterprise (HPE) TippingPoint 7500NX v220.127.116.1152 device that consequently reduced its security effectiveness and caused the product to receive a “Caution” rating.
The first was an issue with the behavior of the state engine under load (Normal and Maximum Exceeded Loads). This evasion is executed by an attacker who sends an initial packet of a multi-packet exploit through a security device (which seen out of context of the rest of the exploit is not enough to say the packet is bad), then the attacker initiates a large number of concurrent connections, and lastly the attacker sends the rest of the packets to complete the exploit/ evasion. If state management is not handled properly, the device will remember state at the routing layer but lose track at the deep inspection layer resulting in attacks that “leak” past the intrusion prevention system.
In addition, there was a multi-layered evasion (IP Fragmentation + MSRPC Fragmentation). The evasion is executed by an attacker sending fragmented MSRPC packets in combination with fragmented IP packets through the device.
A few facts:
- DCIPS testing began on March 1, 2016
- NSS Labs identified a number of security issues with the HPE TippingPoint 7500NX v18.104.22.16852
- Trend Micro finalized the acquisition of TippingPoint from HPE on March 8, 2016.
- As the new owner of TippingPoint, Trend Micro was notified of the test results and quickly took action to resolve the issues.
- NSS Labs tested a new version of the product, TOS v22.214.171.12494, which resolves the security issues found in the HPE version of the product.
When notified of the issues, Trend Micro demonstrated a no nonsense, customer first attitude that should reassure TippingPoint clients. Results of the new version submitted by Trend Micro fixed the evasion issues identified in the previously tested HPE version of the product. Customers can download the NSS Labs Security Value Map (SVM) to see where Trend Micro would have landed in the SVM.