Security Experts:

Stonesoft Pen Testing Tool Uses Advanced Evasion Techniques, Firm Says

Stonesoft released a new, free tool today to help organizations test their network security.

Dubbed Evader, the tool launches a set of attacks that use what the company refers to as "advanced evasion techniques" (AET) against a tester's own next generation firewall (NGFW), Intrusion Prevention System (IPS) and Unified Threat Management (UTM). The tool enables organizations to run a variety of AEs that hide well-known Microsoft Remote Procedure Call (MSRPC) and HTTP exploits and deliver them through network security devices to a vulnerable target host image.

Evader Pentesting ToolEvader includes a set of AETs that have gone through the CERT vulnerability coordination process that began two years ago, and is designed to analyze whether an organization is ready to deal with advanced evasion techniques targeting their own devices, according to the company. Among the evasions supported by the product are: IPv4 fragmentation, HTTP URL encoding and MSRPC request segmentation. 

"Network security solution vendors have not taken AETs seriously enough, and organizations are paying the price through data breaches that put companies, federal agencies and customers at risk," said Ilkka Hiidenheimo, founder and CEO of Stonesoft, in a statement. "Customers and the whole security community have been asking us to provide deeper knowledge about AETs and demanding products that test for them...By providing the tool for free, we're giving organizations the same level of knowledge that today's sophisticated hackers have and the ability to test their own environments for this risk."

Stonesoft is demonstrating Evader this week during the Black Hat security conference in Las Vegas, which ends July 26.

view counter