Firewall Wizards mailing list archives

WheelGroup response to SNI paper


From: "George M. Jones" <gjones () CompuServe NET>
Date: Fri, 27 Feb 1998 10:21:37 -0500 (EST)

I received a paper from WheelGroup responding to the SecureNetworks
paper.  I thought it might be of interest to this list.  It is included
below, both in text form and in RTF form as an attachment.  Since it's 
not on their web site, I did ask permission before forwarding.  I would
have hoped that they would have posted this themselves when the discussion
on IDS weaknesses began.  If you're (WGC) listening, I would hope you're 
willing to defend your position publicly.

George Jones, Internet Security Engineer, CompuServe Network Services
Email: George.Jones () CompuServe NET, Voice: +1 614 723-4560
Snail Mail: 5000 Britton Rd., PO BOX 5000, Hilliard, Ohio 43026-5000 USA
PGP: 1024/8C1CEFC9 Fingerprint 20 79 AE 12 D0 8C 44 8F C5 37 2B 40 EA F5 C3 35


-----------------------------cut here--------------------------------------
                  WheelGroup’s Response to the SNI Report

   "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
                                 Detection"

                                     By

                                Scott Olson

                              Product Manager

                           WheelGroup Corporation

                             February 12, 1998



The authors of the recently published SNI paper, Insertion, Evasion, and
Denial of Service: Eluding Network Intrusion Detection voiced numerous
opinions about the validity of intrusion detection (ID) technologies and
performed tests to highlight some of their concerns. The authors’ testing
methodologies focused on attacking and trying to circumvent intrusion
detection systems (IDS) that were not complemented by any supplementary
security systems.

Examination of the security and robustness of ID technology is certainly a
worthwhile exercise. However, the test results would have been stronger if
the authors had addressed real-world ID implementations in their study. The
fact that the authors did examine these technologies actually legitimizes
intrusion detection as a viable new technology and as a unique market
segment within information security.

Contrary to the implication in the SNI paper that NetRanger cannot provide
adequate network security, WheelGroup Corporation (WGC) has never claimed
that NetRanger should be the sole source of protection for a network. WGC
completely agrees with the first sentence in section 1.4 that states,
"Because of its importance within a security system, it is critical that
intrusion detection systems function as expected by the organizations
deploying them." The keyword in that sentence is system and that agrees
with WGC’s positioning of NetRanger as a complementary security device to
supplement existing technologies. Any robust security architecture
comprises a combination of security techniques and an operational approach
to maintaining a secured network. Efforts to produce 100% secured machines
have resulted in products that are unusable and particularly expensive.
Therefore, the best fortified networks combine the strongest features of
multiple technologies. This minimizes the threat relative to the importance
of the data they are protecting.

WGC terms the process by which a corporation can maintain its security as
the "Vulnerability Management Process," which is signified by the "Security
Wheel." In this process, an organization begins with a security policy,
implements security products such as firewalls and encryption devices,
monitors the network, tests the network, and finally uses the data that is
collected to improve and manage the network according to the relative
threat level. When ID technology is used this way, it can prove to be
extremely valuable because it quantifies and reduces the levels of attacks
on crucial network resources. This process is illustrated in Figure 1.

                                  [Image]

                                   Figure 1—WGC’s Security Wheel

WGC recently published an analysis of Internet attacks entitled ProWatch
Secure Network Security Survey—(May-September 1997), which describes
attacks that took place at NetRanger-monitored customer sites. This paper
clearly demonstrates the value of an IDS in a real-world environment. This
paper can be downloaded from WGC’s Web site at
http://www.wheelgroup.com/netrangr/PWS_survey.html.

The SNI paper also notes that for an IDS to be useful and effective, it
must detect 100% of attacks 100% of the time. This is certainly an
admirable goal and WGC strives to meet it as often as possible. However,
achieving this level of perfection is a challenge in all areas, including
technology. As a result, the ability of an IDS to meet those numbers
without severely interfering with network traffic is minimal. Part of SNI’s
misconception stems from a lack of understanding of ID technology in
comparison with more common technologies like firewalls. IDSs significantly
strengthen network security because their design is based on the types of
attacks that are successful.

Attacks can be grouped loosely into one of several categories:

   * Reconnaissance (network mapping)
   * Initial Access Attacks
   * Privilege Escalation Attacks
   * Exploitation of Trusted Relationships
   * Denial of Service Attacks

Not every hacker will execute every one of these types of attacks. But they
would generally use attacks from multiple categories in order to gain
successful unauthorized access to a network. If the IDS detects any part of
the attack process, it has done its job because it has alerted
administrators that an attack is in progress. SNI’s assertion in section
9.1 that "as soon as an IDS records a ‘successful’ attack on the network,
administrators should assume that all bets are off, and further attacks are
occurring without the knowledge of the IDS," is false. An IDS’ primary
responsibility is to indicate that an attack is in progress and to provide
some means for responding to that attack. NetRanger, for example, begins to
record 100% of the traffic associated with the attacking machine as soon as
an attack is detected. This allows users to meticulously reconstruct the
incident and correct problems created by the attack. NetRanger continues to
monitor all network traffic for attacks even after a "successful" attack,
and will still capture information about further misuse, either from the
same or a different source of attack.

Another incorrect assertion in section 9.1 is that "…an attacker that
successfully breaks into an IDS-protected network probably controls the
IDS." NetRanger was designed such that the interface capturing network
traffic does not have an IP address and cannot be attacked. Remote
management is performed via a separate interface that can be isolated on a
private command and control network. Additionally, the NetRanger
installation process tightens up the operating system so that all
unnecessary services are removed, which provides further protection against
attacks.

SNI is correct in stating that it is important to build IDSs that are
resistant to false positives and, more importantly, false negatives to the
greatest extent possible while at the same time maintaining a useable
system with minimal network performance ramifications. From its inception,
NetRanger was designed to consider a variety of circumvention techniques
that may be used to bypass its security. As a result, NetRanger considers
not only the circumvention techniques discussed in the SNI paper, but also
goes well beyond the cursory analysis described in the SNI paper by
providing robust communications between all components to deliver such
features as guaranteed delivery of alarms, redundant alarm systems,
multiple routes for fault tolerance, and many others. The remainder of this
paper will specifically address SNI’s claims and the legitimacy of ID as a
security technology. In order to address each of the authors’ arguments,
this paper will be organized according to the structure of the SNI paper.



Problems with Network ID Systems

SNI focuses on two main issues in this section:

   * The capture of data "on the wire"—This is an IDS’ ability to
     accurately capture all network traffic and to accurately determine
     which packets may or may not be discarded on the network. This is one
     of the greatest challenges facing IDSs and is one in which the
     NetRanger development team has spent significant time. The SNI paper
     omitted the fact that NetRanger is one of the only systems tested that
     records and analyzes all network traffic and not simply a subset of
     it. Some IDSs are sold on concurrent connection licenses and only
     monitor a fixed number of open sessions. On a loaded network, this
     type of system will ignore sessions that exceed this fixed threshold.
     NetRanger monitors all traffic and inserts intelligence as to which
     packets are legitimate. With respect to bad checksums, NetRanger will
     have the option to discard them with the release of version 3.0 due
     out this summer.
   * The vulnerability of IDSs to denial of service attacks—NetRanger
     detects and generates alarms on the denial of service attacks
     mentioned ("ping floods", "ping of death", and "teardrop" attacks).
     But NetRanger is also hardened against these types of attacks because
     it makes changes to the operating system to protect itself. The same
     cannot be said of software-only solutions that run on Windows® NT®
     platforms. Windows NT systems are notoriously vulnerable to these
     types of attacks and fall prey to the situations that SNI mentions.
     Additionally, NetRanger generates alarms at the Director whenever it
     loses communications with a remote Sensor. Therefore, in the unlikely
     instance that a Sensor was crashed either through a denial of service
     attack, through a hardware failure, or if the Sensor were simply
     unplugged, the NetRanger operator would be notified that
     communications were down and that immediate attention was required.

Attacks & Network-Layer Problems

In section 4 of the SNI paper, the authors list various methods by which
attackers can circumvent an IDS and discuss how these attack methodologies
can be implemented by taking advantage of network-layer problems. SNI terms
these methods insertion and evasion attacks. All of these attacks are
highly sophisticated and would require numerous specialized tools to
execute in a real-world situation:

   * using bad header fields
   * changing IP options on a packet to create an invalid packet
   * using false MAC addresses
   * using IP fragmentation
   * using IP spoofing.

The authors of the SNI paper note that bad header fields can "trick" the
IDS into accepting packets that the targeted system would reject. The most
valid form of this attack is by changing the checksum; NetRanger will
discard these types of packets with the release of version 3.0. This type
of attack, however, can easily be prevented by configuring the router or
firewall to reject packets with improper checksums and would be the most
effective means to counter the attack. Other attacks of this sort are
simply impractical in a real-world environment.

Changing the IP options on a packet to create an invalid packet is another
method to circumvent an IDS as mentioned in the SNI paper. NetRanger can
alarm on any IP option, and typically any securely configured network would
not allow IP options to be accepted and passed across the network. Blocking
of packets with IP options set can easily be accomplished with a firewall
or by appropriately setting router filters.

An IDS can also be circumvented if the attacker uses false MAC addresses.
The authors’ first example of addressing a packet only to the IDS is not
valid in the case of NetRanger, which is a passive interface without an IP
address. Therefore its MAC address would not be known to the other systems
on the network. Their second example of sending a packet with a legitimate
IP address and a false MAC address is plausible in theory. However, in
practice, it is not likely to happen. This type of attack would always have
to originate from the same network segment as the IDS and could not be
executed remotely.

The fourth example the authors use as a method of circumventing an IDS is
IP fragmentation. This topic has been the subject of many security forums
lately because IP fragmentation can be used to generate denial of service
attacks and can cause end systems to behave improperly. The current version
of NetRanger would detect all of the types of IP fragmentation tests that
SNI describes in their paper and would generate an IP fragmentation alarm
that corresponds to that attack. In addition, IP fragmentation is easily
stopped on network perimeters by setting configurations in routers and
firewalls.

SNI’s final example deals with IP spoofing and its implications on UDP and
TCP services. IP spoofing is also something that is easily prevented by
perimeter firewalls and routers with an appropriate security configuration.
Spoofing is also only good for sending one-way attacks and not for
establishing an interactive session because the return packet to the
spoofed address cannot be properly routed to the attacker.

Attacks & TCP Transport-Layer Problems

The authors of the SNI paper describe in section 5 how insertion and
evasion attacks can be implemented by taking advantage of transport-layer
problems. Most of this revolves around the complicated issue of how an IDS
deals with the establishment and subsequent tearing down of TCP
connections. SNI labels the implementation of tracking a single connection
as a "TCP control block" or "TCB." NetRanger deals with independent TCP
connections and tracks the resets of each of these connections
independently. A unique TCP connection is identified by the following
items: source IP address, source TCP Port, destination IP address,
destination TCP port, and time. Because there is no perfect way to
implement TCP-connection tracking without completely overloading the
sensing system, NetRanger was designed to cover and track traffic with the
least possibility of circumvention of security. NetRanger is currently
being designed such that various tradeoffs will be user-configurable at
runtime to allow the greatest flexibility in the NetRanger configuration.

Section 5 of the SNI paper focuses on problems that a hacker can create
with TCB creation, TCP reassembly, and TCB tear down. The first problem
they focus on is TCB creation. They outline three ways that an ID system
can choose to determine an active TCP session. The first two require either
a complete three-way handshake (3WH) or a partial 3WH. These methods have
inherent problems because if any one of the packets establishing the
connection is missed, the ID system will no longer monitor the remainder of
that session. This is especially a problem on heavily loaded networks.
NetRanger does not require the 3WH for monitoring data, and therefore, this
argument does not apply. SNI also mentions that the attacker could create a
false attack that does not correspond to any open session. In WheelGroup’s
estimation, a deliberate insertion of attack data, even to a non-existent
connection, should be considered an attack, or at the very least a possible
failed attack attempt, and should be alarmed on.

The next issue addressed in Section 5 of the paper is TCP Stream
Reassembly. The first problem highlighted by SNI affects ID systems that do
not use sequence numbers for reassembly. NetRanger is not affected by these
problems because it does remember sequence numbers. Most of the issues
identified by SNI that affect NetRanger deal with overlapping packets
within the TCP stream. NetRanger will address these types of situations
properly with V3.0, however some of these will be user options since they
result in significant trade-offs with stream assembly and intrusion
detection performance.

The final issue addressed in Section 5 of the paper is TCB tear down. This
is the point at which NetRanger ceases monitoring a session because it has
detected an RST or FIN message indicating the termination of the TCP
session. NetRanger is not affected by these problems because it
continuously monitors sessions based on data synchronization and not based
on the establishment and tear down of independent TCP sessions.

Denial of Service

Section 6 of the SNI paper deals with denial of service attacks and how
they can affect IDSs. They focus on two primary areas: resource exhaustion
and the abuse of reactive IDSs. As mentioned before, NetRanger is the only
IDS to configure the host operating system in order to optimize performance
and security. Most of the resource exhaustion issues deal with overwhelming
the IDS with packets and useless information. NetRanger was designed such
that it will not fail under such conditions, unlike many IDSs that are
hosted on base configuration NT hosts. NetRanger is a scalable system that
has proven to be capable of watching up to 85Mbps of traffic without any
packet loss. Many of the techniques which would be used to choke the IDS
would generate alarms of their own, thus rendering the attacker visible to
the person monitoring the network and defeating the purpose of overloading
the IDS itself. SNI consistently misses the primary philosophy behind
effective intrusion detection: to catch an attack, and not to catch every
single detailed event on the network.

The second issue raised in Section 6 of the paper deals with the misuse of
reactive IDSs. NetRanger possesses built-in protection against this type of
denial of service attack, and can be configured such that it would never
shun legitimate hosts or networks. Additionally, NetRanger can be
configured such that all automated response is eliminated and the user can
simply have a manual mechanism for terminating a session and erecting
permanent barriers to traffic from the attacking site. Again, in this
instance the IDS would serve its primary purpose of indicating an attack
where previously no such knowledge would be possible.

Testing Methodology

Section 7 of the SNI paper enumerates the different tests run against the
IDSs. These tests can be categorized into several major groups. The first
seven (frag-1 to frag-7) tests use fragmentation in order to bypass the IDS.
For each of these attacks, the current version of NetRanger would have
generated a fragmentation alarm for the type of traffic that they
generated. Even more sophisticated IP Fragment processing will be available
in V3.0 of NetRanger.

The next nine tests (tcp-1 to tcp-9) deal with TCP transport-layer attacks
and are generally handled well by NetRanger. NetRanger is currently in the
process of being redesigned to handle these types of attacks with a greater
degree of assurance.

The next three tests (tcbc-1 to tcbc-3) deal with TCB construction and are
discussed in paragraph two of the Attacks & TCP Transport-Layer Problems
section of this paper.

The next two tests (tcbt-1 to tcbt-2) deal with TCB tear down and would be
handled properly by NetRanger as described in paragraph four of the Attacks
& TCP Transport-Layer Problems section of this paper.

The next three tests (insert-1 to insert-3) deal with a variety of
insertion attacks. All three of these attacks will be properly handled in
V3.0 of NetRanger including checksum verification and the requirement for
ACK flags set on legitimate TCP data packets.

The final test (evade-1) uses the technique of storing data in the SYN
packet. NetRanger 3.0 will properly handle this type of attack.



Conclusion

As with any new technology that comes to market, questions will be raised
about its validity as well as its capability to provide reliable results.
Intrusion detection is an important technology that complements existing
security products to provide stronger security to internetworks. Many of
the issues that were raised in the SNI paper are legitimate and will serve
to strengthen IDSs as the technology matures. As mentioned previously,
analyses of this type help to legitimize the need for ID technology and
endorse the value that ID can bring to an organization.

The major flaw with the SNI paper is its failure to examine how IDSs fit
within security architectures and how they function properly in real-world
environments. An IDS adds significant value by detecting and providing a
response mechanism against the vast majority of attacks that are being used
today. These attacks typically take place over wide-area networks and
consist of multiple steps in order for the hacker to realize significant
gain.

Organizations should not be concerned about a hacker who may be able to
execute one attack that evades IDS detection. A much greater concern should
be the external or internal hacker who has defined objectives and makes his
way throughout important networks to steal critical information or disrupt
business activity. IDSs are extremely useful in aiding in the detection and
prevention of these types of attacks. WheelGroup Corporation has designed
its market-leading NetRanger intrusion detection system to address these
risks, and we will continue to improve NetRanger as the hacking threat
evolves.
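
The two sensor-side checks the paper promises for V3.0 (checksum verification and requiring the ACK flag on TCP data segments), shown here as an added Python example that is not part of the original post and is not WheelGroup's code. The addresses, ports, payload strings, function names and the first-arrival-wins reassembly are constructed assumptions for illustration.

```python
import socket
import struct

ACK, PSH = 0x10, 0x08

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data with a valid sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(seq, payload, flags=ACK | PSH, bad_tcp_sum=False,
                  src="192.0.2.10", dst="192.0.2.80", sport=40000, dport=80):
    """Build a constructed IPv4/TCP packet to use as sample input."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      8192, 0, 0) + payload
    csum = inet_checksum(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if bad_tcp_sum:
        csum ^= 0x5555  # deliberately wrong, as an end host would reject
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def parse_segment(packet: bytes):
    """Return (flow_key, seq, payload, problems), or None if structurally malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 20:
        return None
    tcp = packet[ihl:total_len]
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    src, dst = packet[12:16], packet[16:20]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    payload = tcp[doff:]
    problems = []
    if inet_checksum(packet[:ihl]) != 0:
        problems.append("bad IP header checksum")
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    if inet_checksum(pseudo + tcp) != 0:
        problems.append("bad TCP checksum")
    if payload and not tcp[13] & ACK:
        problems.append("data without ACK flag")
    # Flow key: the four address/port items the paper lists (time is omitted here).
    key = (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    return key, seq, payload, problems

def reassemble(packets, verify):
    """Simplified reassembly: first segment seen at a sequence number wins.

    With verify=True, segments an end host would discard are dropped before
    they can occupy a position in the stream the sensor inspects.
    """
    segments, rejected = {}, []
    for pkt in packets:
        parsed = parse_segment(pkt)
        if parsed is None:
            rejected.append("malformed")
            continue
        key, seq, payload, problems = parsed
        if verify and problems:
            rejected.append(problems[0])
            continue
        if payload:
            segments.setdefault(key, {}).setdefault(seq, payload)
    streams = {k: b"".join(v[s] for s in sorted(v)) for k, v in segments.items()}
    return streams, rejected

# Constructed sample traffic: two valid segments plus two the end host discards.
SAMPLE = [
    build_segment(1000, b"WAT"),
    build_segment(1003, b"zzzz", bad_tcp_sum=True),
    build_segment(1003, b"CHED"),
    build_segment(1007, b"!!", flags=PSH),
]

if __name__ == "__main__":
    for verify in (False, True):
        streams, rejected = reassemble(SAMPLE, verify)
        print("verify=%s streams=%s rejected=%s" % (verify, streams, rejected))
```

Without verification the sensor's view of the stream differs from what the destination host would accept, so a signature for the string the host actually receives does not match; with verification the two views agree.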

030000000004000087040000040000000004000086040000050000000f0000f06c000000000006f0180000002904000002000000280000000100000001000000290000001f0001f02c000000320007f0240000000304c3a1d385268bf82b370ca8797f162265ff00210b000000000000ffffffff0000000040001ef11000

0000ffff00000000ff0080808000f7000010000f0002f038220000100008f00800000027000000280400000f0003f0d62100000f0004f028000000010009f01000000022f8010000000000352500000000000002000af00800000000040000050000000f0004f0aa00000002000af00800000003040000000a0000b3000b

f07a0000004201840c00004301c40c000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff2c00000000002900580cc40c840c9a0c2c0000000c0010000200004000ac010000ac010000ac010000ac010000ac016000

80000010f00400000019000000000011f004000000010000000f0004f0aa00000002000af00800000004040000000a0000b3000bf07a0000004201840c00004301c40c000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff0110001800050005

00f0ff840c2900580c000000009a0c2c00c40c840c29000c0010000200004000ac010000ac010000ac010000ac010000ac01600080000010f00400000018000000000011f004000000010000000f0004f04200000032000af00800000005040000000a000033000bf0120000008101ffff0000bf0110001000ff01080008

00000010f00400000017000000000011f004000000010000000f0004f03c00000012000af00800000006040000000a000023000bf00c000000bf0100001000ff0100000800000010f00400000016000000000011f004000000010000000f0004f07200000012000af00800000007040000000a000093000bf03600000080

0000000100810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000015000000000011f0040000000100000000000df004000000000001000f0004f07200000012000af00800000008040000000a000093000bf0360000008000000002

00810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000014000000000011f0040000000100000000000df004000000000002000f0004f07200000012000af00800000009040000000a000093000bf036000000800000000300810000

000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000013000000000011f0040000000100000000000df004000000000003000f0004f07200000012000af0080000000a040000000a000093000bf03600000080000000040081000000000082

0000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000012000000000011f0040000000100000000000df004000000000004000f0004f05a04000002000af0080000000b040000000a0000b3000bf02a0400004201f00600004301030200004401040000

0045c1ec01000046c1f60100007f010100010080010000000081010066cc008301ffffff00bf0110001000ff01100018007b007b00f0ff00004901830003029100f701a000ea01b400d901c700cc01da00bf01e900b401fe00a7010f019b0124018e01360185014d017a0162016e017101670182015f0197015601a9014d

01bc014501d1013e01e0013801ef013001080229011e0221013c021a0159020f017502090191020001b502fc00cd02f800e802f4000603f1002603ef004803eb006603eb008803eb00aa03eb00cc03ef00ea03f1000604f6002304f8004304fc006104050179040b0197041201b4041a01d4042301f2042d011005380130

0547014e0554016a05610187057001a5058301bd059401db05a701b005ec01f006d9018706a0005d06e0003c06cb001a06b600fb05a600da059500bf058400a105770083056b0067055e004a0555002c05480007053b00e6043300c8042c00ac04220088041b006604150046040f0026040d0002040800e1030600c10302

00a20300008203000062030000460302002003060002030600de020c00c0020f00a20211008402190068021e004802240026022f000d023500ed014000d1014800b301530091015e0077016900560175003e01820024018b001501930000019c00f500a000e700a900d800b300c700be00ba00c700ab00cf009e00d6008d

00de007e00e7006d00f4005c00fe004f0009014100120132001c0125002901160032010b003a0100004901f800fc000200004000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01600080000010f00400000011000000000011f004000000010000000f0004f05a04000002000af0080000000c040000000a0000b3000bf02a0400004201f701000043011507000044010400000045c1ec01000046c1f60100

007f010100010080010000000081010066cc008301ffffff00bf0110001000ff01100018007b007b00f0ffb400000000008500090094001600a3002700b8003400cc004100df004b00ee0058000501630015016f002a0178003d01830055018f006a01960079019e008a01a7009e01af00b101b800c601be00db01c500ea

01cb00fa01d3001102da002902e2004902ed006502f1008202fa00a002fe00c3020401dc020701f602090116030b0138030f0159030f0179030f0199030f01bd030b01df030901ff0305011d0402013904fe005904f6007704ef009104e900b104e000cd04d800ed04cf000b05c5002b05b6004b05a90069059c0087058d

00a3057a00c3056900db055800fb051400ce05270015075801aa061a017f062f015d0642013b0653011b066401f9057301dd058001bf058b019f0598018305a2016705af014705bc012205c2010205cb01e204d301c404da01a004e0017e04e6015e04e8013d04ed011704ef01f503f301d503f501b503f7019603f50176

03f3015803ef013203ef011203e901ee02e601cf02e401b102dc019202d8017402d1015302c8013102c0011802b701f701af01db01a401bc0198019b018d017f0182015d01760144016d012a01660119015c0106015801f9004f01ec004701dd003c01cc003301bf002b01ae002401a1001c0190001301810007017000fc

005d00f3005000e9004100e0003200d3002500c9001600c2000b00b4000000f800fc000200004000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac01600080000010f00400000010000000000011f004000000010000000f0004f05a04000002000af0080000000d040000000a0000b3000bf02a0400004201f106000043010302000044010400000045c1ec01000046c1f60100007f01010001008001000000

0081010066cc008301ffffff00bf0110001000ff01100018007b007b00f0fff106b8006c0600005e060a004f0617003b062800280635001506420006064d00f1055a00e0056600cb057300b8057c00a20587008d0593007e059a006d05a2005805ab004605b4003305bc001e05c3000f05c9000005d100e704d800d104e0

00b304e7009604f2007a04f8005e0401013a0405012104090107040d01e9031001c9031201a70316018903160167031601450316012303120105031001e9020b01cc020901ac0205018e02fc007602f6005802ef003b02e7001b02de00fd01d400df01c900bf01ba00a101ad008501a000680191004a017e0032016d0014

015a003f011500000028006800610192002101b3003601d5004b01f3005b0115016c0130017d014e018a016c0196018801a301a501ac01c301b901e801c6010802ce012702d5014302df016702e6018902ec01a902f201c902f401ec02f9010e03fb012e03ff014d0301026d0303028d030102a903ff01cf03fb01ed03fb

011104f5012f04f2014d04f0016b04e8018704e301a704dd01c904d201e204cc010205c1011e05b9013c05ae015e05a3017805980198058c01b1057f01cb057601da056e01ef056501fa0561010806580117064e012806430135063a014406320151062b016206230171061a0182060d0193060301a006f800ad06ef00bd

06e500ca06d800d906cf00e406c700f106b800f800fc000200004000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac01600080000010f0040000000f000000000011f004000000010000000f0004f05a04000002000af0080000000e040000000a0000b3000bf02a0400004201fb01000043011907000044010400000045c1ec01000046c1f60100007f010100010080010000000081010066cc008301ffffff

00bf0110001000ff01100018007b007b00f0ff42011907fb019206f0018306e3017206d2015f06c4014b06b7013806ae012906a1011206950101068a01eb057f01d8057301c2056a01ad0561019e055b018b0552017605480164054101510539013c0533012d052c011c05240104051d01ed041501cc040a01b004060193

04fd007704f9005404f3003904f0001f04ee000104ec00df03e800bb03e8009c03e8007c03e8005803ec003603ee001603f100f802f500dc02f900bc0200019e02080184020e016402170148021f012802280108023301e8014201c8015001aa015d018e016c0172017d0150018e013801a1011a01e4014501d20100009d

006900dd009600c800b800b500da00a400fa0091001b0182003601750054016a0074015d0092015300ae014600cc013900f301330013022a00330222004f021b007502150097020f00b7020d00d8020800fe0206002003020040030000600300007f0300009f030200bd030600e303060003040c0026040f004604110066

04190084041c00a0042400c2042d00e4043500fe043e00200546003c0553005a055d007c05680096057300b8057e00d2058a00eb058f00fc059b0010069d001c06a8002b06af003a06bb004b06c4005806cc006906d3007606db008706e4009606f000a706fb00b9060401c5060e01d6061901e5062401f2062e01010735

010c0742011907f800fc000200004000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac01

0000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000ac010000

ac01600080000010f0040000000e000000000011f004000000010000000f0004f03c00000012000af0080000000f040000000a000023000bf00c000000bf0100001000ff0100000800000010f0040000000d000000000011f004000000010000000f0004f07200000012000af00800000010040000000a000093000bf036

000000800000000500810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f0040000000c000000000011f0040000000100000000000df004000000000005000f0004f03c00000012000af00800000011040000000a000023000bf00c000000bf

0100001000ff0100000800000010f0040000000b000000000011f004000000010000000f0004f07200000012000af00800000012040000000a000093000bf036000000800000000600810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f004

0000000a000000000011f0040000000100000000000df004000000000006000f0004f07200000012000af00800000013040000000a000093000bf036000000800000000700810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000009

000000000011f0040000000100000000000df004000000000007000f0004f03c00000012000af00800000014040000000a000023000bf00c000000bf0100001000ff0100000800000010f00400000008000000000011f004000000010000000f0004f07200000012000af00800000015040000000a000093000bf0360000

00800000000800810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f00400000007000000000011f0040000000100000000000df004000000000008000f0004f03c00000012000af00800000016040000000a000023000bf00c000000bf0100

001000ff0100000800000010f00400000006000000000011f004000000010000000f0004f07200000012000af00800000017040000000a000093000bf036000000800000000900810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f0040000

0005000000000011f0040000000100000000000df004000000000009000f0004f07200000012000af00800000018040000000a000093000bf036000000800000000a00810000000000820000000000830000000000840000000000850002000000bf0016001f00bf0100001000ff0100000800000010f004000000040000

00000011f0040000000100000000000df00400000000000a000f0003f00e0200000f0004f040000000010009f0100000002b270000f3200000ab270000e322000002000af0080000001c04000001020000000010f00400000003000000000011f004000000010000000f0004f04200000042010af0080000001904000002

0a000013000bf006000000ff010800080000000ff0100000006b270000462100006c27000090220000000011f004000000010000000f0004f0b600000002000af0080000001a040000020a0000b3000bf07a00000042017e00000043017e00000044010400000045c11400000046c11e0000007f01010001008001000000

008101000000008301ffffff00bf0110001000ff011000180005000500f0ff7e007e003e00000000007e003e0057007e007e000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff0100000002d270000f3200000ab27000071210000000011f004000000010000000f0004f0b600000002

000af0080000001b040000020a0000b3000bf07a00000042017e00000043017e00000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff0000000040007e007e00000040002700000000000c0010000200004000ac01

0000ac010000ac010000ac010000ac0160008000000ff0100000002b27000065220000a9270000e3220000000011f004000000010000000f0003f00e0200000f0004f040000000010009f010000000442200006f260000ce230000ef26000002000af0080000002004000001020000000010f00400000002000000000011

f004000000010000000f0004f04200000042010af0080000001d040000020a000013000bf006000000ff010800080000000ff01000000097220000af2600007b230000b0260000000011f004000000010000000f0004f0b600000002000af0080000001e040000020a0000b3000bf07a00000042017e00000043017e0000

0044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff7e000000000040007e007e00560040007e0000000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff010000000442200006f2600

00c2220000ed260000000011f004000000010000000f0004f0b600000002000af0080000001f040000020a0000b3000bf07a00000042017f00000043017e00000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff00

007e007f003e000000000028003e0000007e000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff0100000004f23000071260000ce230000ef260000000011f004000000010000000f0003f00e0200000f0004f040000000010009f0100000003b2b00005e260000b42c0000de26000002

000af0080000002404000001020000000010f00400000001000000000011f004000000010000000f0004f04200000042010af00800000021040000020a000013000bf006000000ff010800080000000ff0100000008e2b00009e260000612c00009f260000000011f004000000010000000f0004f0b600000002000af008

00000022040000020a0000b3000bf07a00000042017e00000043017e00000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff7e000000000040007e007e00570040007e0000000c0010000200004000ac010000ac01

0000ac010000ac010000ac0160008000000ff0100000003b2b00005e260000b92b0000dc260000000011f004000000010000000f0004f0b600000002000af00800000023040000020a0000b3000bf07a00000042017f00000043017e00000044010400000045c11400000046c11e0000007f010100010080010000000081

01000000008301ffffff00bf0110001000ff011000180005000500f0ff00007e007f003e000000000028003e0000007e000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff010000000352c000060260000b42c0000de260000000011f004000000010000000f0003f00e0200000f0004

f040000000010009f0100000004d2700006a2a0000cd270000e22b000002000af0080000002804000001020000000010f00400000000000000000011f004000000010000000f0004f04200000042010af00800000025040000020a000013000bf006000000ff010800080000000ff0100000008d270000bd2a00008e2700

008f2b0000000011f004000000010000000f0004f0b600000002000af00800000026040000020a0000b3000bf07a00000042017e00000043017e00000044010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff7e007e003e

00000000007e003e0057007e007e000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff0100000004f2700006a2a0000cd270000e82a0000000011f004000000010000000f0004f0b600000002000af00800000027040000020a0000b3000bf07a00000042017e00000043017e00000044

010400000045c11400000046c11e0000007f01010001008001000000008101000000008301ffffff00bf0110001000ff011000180005000500f0ff0000000040007e007e00000040002800000000000c0010000200004000ac010000ac010000ac010000ac010000ac0160008000000ff0100000004d270000642b0000cb

270000e22b0000000011f004000000010000000f0004f04200000012000af00800000001040000000e000053000bf01e000000bf0100001000cb0100000000ff01000008000403090000003f0301000100000011f00400000001000000000000000100000002000000030000000400000005000000060000000700000008

000000090000000a0000000b0000000c0000000d0000000e0000000f000000100000001100000012000000130000001400000015000000160000001700000018000000190000008700000028040000390f00004e0b0000b90f0000c60c0000740000000000240400002713000042070000a0140000c20700007400000000

0020040000300a000053070000ba0b0000d30700007400000000001c040000170f0000d7010000970f0000c70300007400000000001804000071000000ae0e0000a4070000921000007400000000001704000071000000ff0c0000db080000e30e00007400000000001604000004000000b70c0000af0800008510000074

000000000015040000c4160000000d0000601b0000e40e00007400000000001404000057160000b90c0000341b0000d70e0000740000000000130400002f16000039020000781d00001d040000740000000000120400002f16000089000000c01e00006d02000074000000000011040000c215000042000000951e000010

04000074000000000010040000230300004b0000003b0900002f0200007400000000000f040000b50200000400000010090000220200007400000000000e040000040900000e040000ff0a0000270b00007400000000000d0400000e0c0000fb0b0000ff120000fe0d00007400000000000c040000e0130000e7030000d7

150000fc0a00007400000000000b040000dc0b0000c1000000cc120000c40200007400000000000a0400001c0e0000e3080000731100005a0a0000740000000000090400009c0d00009e070000fd1100001509000074000000000008040000230d0000590600007f120000d007000074000000000007040000190f000015

050000651000008c06000074000000000006040000980c0000d104000067120000530a0000740000000000050400000d0c000010040000dd120000070b0000740000000000040400003309000027010000b7150000eb0d0000740000000000030400003309000027010000b7150000eb0d0000740000000000000000001b

000000640000008800000007000700030000000000880000000700ff4000800100000000000000000050c8bc01010001000000000000000000000000000000000002100000000000000087000000900000080040000003000000471690010000020206030504050203040300000000000000000000000000000001000000

00000000540069006d006500730020004e0065007700200052006f006d0061006e00000035169001020005050102010706020507000000000000001000000000000000000000008000000000530079006d0062006f006c000000332690010000020b06040202020202040300000000000000000000000000000001000000

0000000041007200690061006c00000022000400310888180000d00200006801000000009d5322469d53224600000000020000000000000000000000000001000100000004000310010000000000000000000000010001000000010000000000000021030000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000000000000000000a506c007b400b4008000123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000002000000c001ffff120000000000000000000000000000000b00530063006f007400740020004f006c0073006f006e000b00530063006f007400740020004f006c0073006f006e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0100feff030a0000ffffffff0709020000000000c000000000000046170000004d6963726f736f667420576f

72642050696374757265000a0000004d53576f7264446f63000f000000576f72642e506963747572652e3800f439b271000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f0062006a0065006300740050006f006f006c0000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000160001000300000006000000ffffffff0000000000000000000000000000000000000000e0d0af99b040bd01e0d0af99b040bd0100000000000000000000000057006f007200640044006f00630075006d0065006e00740000000000000000000000

0000000000000000000000000000000000000000000000000000000000001a000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000001b00000000100000000000000500530075006d006d0061007200790049006e0066006f0072006d0061007400

69006f006e000000000000000000000000000000000000000000000000000000280002010500000007000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000230000000010000000000000050044006f00630075006d0065006e007400530075006d006d0061007200

790049006e0066006f0072006d006100740069006f006e000000000000000000000038000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000002b0000000010000000000000eca5c1005900090400000012bf000000000000100000000000040000

870400000e00626a626af357f357000000000000000000000000000000000000090416001e0c0000913d0100913d01001b00000000000000000000000000000000000000000000006b00000000000000ffff0f000000000000000000ffff0f000000000000000000ffff0f00000000000000000000000000000000005d00

000000009200000000000000920000009200000000000000920000000000000026020000000000002602000000000000260200001400000000000000000000005602000000000000560200000000000056020000000000005602000000000000560200000c000000620200000c00000056020000000000009a280000b600

00007a020000000000007a020000000000007a020000000000007a020000000000007a020000000000003f280000000000003f280000000000003f280000000000005f2800000200000061280000000000006128000000000000612800000000000061280000000000006128000000000000612800002400000050290000

f4010000442b00005600000085280000150000000000000000000000000000000000000026020000000000003f28000000000000000000000000000000000000000000002f250000100300003f280000000000003f280000000000003f2800000000000085280000000000005f2800000000000092000000000000009200

0000000000007a0200000000000000000000000000007a020000b52200007a020000000000005f280000000000005f280000000000005f280000000000003f2800001600000092000000220100007a0200000000000026020000000000007a020000000000005f2800000000000000000000000000000000000000000000

3a0200000e000000480200000e00000092000000000000009200000000000000920000000000000092000000000000003f280000000000005f280000000000005f280000000000005f2800000000000000000000000000005f28000000000000b40100007200000026020000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000000000000000000000000005f280000000000007a020000000000006e0200000c00000080bb50a86236bd0156020000000000005602000000000000552800000a0000005f280000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080808080808080808080808

08080808080808080808080808080d312e0d0d436f72706f726174650d0d53656375726974790d0d506f6c6963790d0d322e205365637572650d0d332e204d6f6e69746f7220260d0d20202020526573706f6e640d0d342e20546573740d0d352e204d616e61676520260d0d20202020496d70726f76650d0d0d0d000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000

1a0400001b0400001d0400001f040000280400002a04000032040000340400003a0400003c040000450400004704000053040000550400006004000062040000690400006b04000076040000780400008304000087040000f800ef00ef00ef00ef00e600e600e600e600e600e60000000000000000000000000000000000


26060f001600ffffffff0000d60300007b0000000e090000ce05000009000000fa02050000000000ffffff002200040000002d01020007000000fc0200000000

00000000040000002d0103000e00000024030500e8037b00d6038c00fa08cd050d09bb05e8037b0009000000fa02000000000000000000002200040000002d01

040007000000fc020000ffffff000000040000002d0105000800000026060f000600ffffffff01001000000026060f001600ffffffff0000d60300007b000000

0e090000ce050000040000002d010200040000002d0103000e000000240305000d098c00fa087b00d603bb05e803cd050d098c00040000002d01040004000000

2d0105000800000026060f000600ffffffff010007000000fc020000ffff00000000040000002d01060009000000fa0200000600000000000002220004000000

2d0107000700000018049a04de07b2010605040000002d010500040000002d01040004000000f001070007000000fc020100000000000000040000002d010700

040000002d010200070000001b044f04ac0702024005040000002d010500040000002d010400040000002d010700040000002d010200070000001b04bc02d606

1f024b06040000002d010500040000002d010400030000001e00070000001604ba02d6061e024b06040000000201010015000000fb028bff000000000000bc02

000000000440001254696d6573204e657720526f6d616e00ecfa040000002d01080005000000140234024b06040000002e0101000e000000320a34024b060200

040000000000bf0ce306312e3b001d00040000002e01000005000000140200000000040000002d0101000400000002010100040000002701ffff040000002d01

0700040000002d010200070000001b044303b607a6027a05040000002d010500040000002d010400030000001e000700000016044103b607a5027a0504000000

02010100040000002d01080005000000090200000000050000001402bb027a05040000002e01010019000000320abb027a050900040000000000bf0ce306436f

72706f726174650054003b00340041003a0034003b0026003400040000002e010000050000001402987fb0a2040000002d010100040000000201010004000000

2701ffff040000002d010700040000002d010200070000001b04ca0380072d03ac05040000002d010500040000002d010400030000001e00070000001604c903

80072d03ac050400000002010100040000002d010800050000000902000000000500000014024303ac05040000002e01010017000000320a4303ac0508000400

00000000bf0ce306536563757269747941003400340041003400200027003b00040000002e010000050000001402987fb0a2040000002d010100040000000201

0100040000002701ffff040000002d010700040000002d010200070000001b0452044707b403e105040000002d010500040000002d010400030000001e000700

0000160450044607b403e1050400000002010100040000002d01080005000000090200000000050000001402ca03e105040000002e01010014000000320aca03

e1050600040000000000bf0ce306506f6c69637947003b002000210034003b00040000002e010000050000001402987fb0a2040000002d010100040000000201

0100040000002701ffff1000000026060f001600ffffffff0000f104000051000000d607000028010000040000002d01020007000000fc0200000066cc000000

040000002d010900fa00000024037b00f104da00280527012e05220134051d013c051601440510014c050b01520506015b0501016205fc006b05f7007305f300

7c05ee008505e9008b05e6009205e3009b05df00a205dc00aa05d800b305d500b905d300c005cf00ca05cd00d305c900e005c600ec05c200f705bf000306bb00

1206ba001c06b8002706b6003406b5004106b4004f06b3005c06b3006a06b3007806b3008606b4009306b5009f06b700ab06b800b806ba00c406be00ce06c000

db06c300e706c600f406ca000107ce000d07d3001b07d9002707de003307e4003f07ea004b07f2005507f9006207010150071e01d5071601aa0793009807ae00

8a07a5007c079d006f07960062078f00560788004a0782003d077d00320778002607740019076f000a076900fc066600ef066300e4065f00d5065c00c7065a00

b9065700ac0656009d0654008f0653008206520075065100680651005a0651004f0652003f0653003206530023065600170657000a065800fe055b00f2055d00

e5056000d7056400cc056700bf056b00b3056f00a7057300980578008e057d0080058200760587006b058b0065058e005c05920057059300520597004b059b00

4405a0003f05a4003905a7003305aa002c05ad002605b1001f05b6001805bb001205bf000c05c3000605c7000105cd00fb04d000f604d400f104da0004000000

2d010400040000002d01050004000000f00109000800000026060f000600ffffffff01001000000026060f001600ffffffff000048080000a10100001b090000

95040000040000002d01020007000000fc0200000066cc000000040000002d010900fa00000024037b009308a1014808d8014c08de015208e5015908ed015e08

f6016308fe01680804026d080d027208140277081d027a0825027f082f028408370287083e028a0845028e084d029108550295085e02980867029a086d029d08

7302a0087d02a3088702a7089402ab08a002ad08ac02b108b902b208c702b508d202b608dc02b708ea02b808f802b9080603b9081303b9082003b9082f03b808

3e03b7084b03b5085703b4086303b2087003af087d03ac088803a9089503a608a103a208ae039f08bb039a08c8039408d5038f08e2038908ee038308fa037b08

0704740811046d081f0451080c0459089404d8086704be085604c7084704cf083904d6082c04dd081e04e3081204e8080604ed08f803f208ed03f708e103fc08

d4030109c4030409b7030809a9030b099d030e098e0310098003130972031409650316095503170947031809390319092c031a091f0319091203180905031709

f5021709e8021409d9021309cc021209c0020f09b3020d09a6020a09990206098a0203098002ff087202fc086702f7085a02f2084c02ee084002e9083202e408

2802e0081d02de081602d9080e02d8080802d4080302d108fd01cc08f601c808f001c508e901c208e401bf08dd01bb08d601b608cf01b108c701ae08c201a908

bc01a608b501a008b0019c08aa019908a5019308a101040000002d010400040000002d01050004000000f00109000800000026060f000600ffffffff01001000

000026060f001600ffffffff000006050000fe040000ec070000d6050000040000002d01020007000000fc0200000066cc000000040000002d010900fa000000

24037b00eb074b05b307fe04ad070205a70708059f070f05970714058f071a0589071e05800724057907290570072e05680732055f07370556073c0550073e05

49074205400746053907490531074d0528075005220752051c0755051107580508075c05fb065f05ef066305e4066605d8066905c9066b05bf066d05b4066e05

a70670059a0670058c0672057f067205710672056306720555067005480670053d066e0531066d0523066b05170667050d06650500066205f4055f05e7055b05

da055705ce055205c0054c05b4054605a80541059c053b059005330586052c05790524058b05070506050f05320591054305770551057f055f0588056b058f05

7a05960585059d059105a2059e05a705aa05ad05b605b105c205b605d205bb05df05bf05ec05c205f705c6050606c9051506cb052206ce052f06cf053e06d105

4c06d2055906d3056606d4057406d5058106d4058d06d3059c06d205a906d205b806cf05c406ce05d106cd05dd06ca05e906c805f606c5050507c0050f07be05

1c07b9052807b6053507b1054307ad054e07a8055b07a30565079e0570079a05760797057f079305840791058a078e0590078905970785059c078105a3077e05

a8077b05af077805b5077405bc076e05c3076a05c9076605ce076205d5075e05da075805e1075505e5075105eb074b05040000002d010400040000002d010500

04000000f00109000800000026060f000600ffffffff01001000000026060f001600ffffffff0000c2030000b101000096040000a7040000040000002d010200

07000000fc0200000066cc000000040000002d010900fa00000024037b004804a60495046e04910467048b046004840458047e04500479044804750442047004

38046b04310466042804620420045d04170459040e0455040804530400044f04f7034b04f0034804e8034404df034204d9033f04d2033c04c8033904be033504

b1033104a5032f0499032b048d032a047f03270473032604680325045c0324044e0323043f03230432032304250323041603240407032504fa022604ee022804

e2022a04d5022d04c8023004bd023304b0023604a4023a0497023d048a0242047c0248046f024e046202530457025a044b0261043d0268043302700426028c04

38028404b1010304dd011e04ef011504fe010d040c0206041902fe032702f8033202f3033f02ee034c02e9035802e5036402df037102da038102d7038e02d403

9b02d003a702cd03b702cb03c502c803d202c703e002c503f002c503fe02c3030c03c2031903c2032603c2033303c3034003c5034f03c5035d03c7036b03c803

7903c9038603cc039303ce039e03d103ac03d503bb03d803c503dc03d403df03df03e503ec03e903fa03ed030504f2031304f7031e04fc032804fe032f040304

380403043d04080443040b044904100450041404560417045d041a0462041d04690421046f04260476042b047e042e04830433048a04370490043c0496044004

9c044304a1044804a604040000002d010400040000002d01050004000000f00109000800000026060f000600ffffffff0100040000002d010700040000002d01

0200070000001b04e500c80302002101040000002d010500040000002d010400040000002d010700040000002d010200070000001b04ea00da0320004f010400

00002d010500040000002d010400030000001e00070000001604e900da0320004f01040000000201010015000000fb026aff000000000000bc02000000000440

001254696d6573204e657720526f6d616e0060cc040000002d010900050000000902000080000500000014023d004f01040000002e01010019000000320a3d00

4f010900040000000000bf0ce306322e20536563757265004b0026002600530043004300530042004300040000002e010000050000001402987fb0a204000000

2d010100050000000902000000000400000002010100040000002701ffff040000002d010700040000002d010200070000001b04b301c00c1c00110904000000

2d010500040000002d010400040000002d010700040000002d010200070000001b040401d10c3a003f09040000002d010500040000002d010400030000001e00

0700000016040301d10c39003f090400000002010100040000002d0109000500000009020000800005000000140256003f09040000002e0101001d000000320a

56003f090c00040000000000bf0ce306332e204d6f6e69746f7220264b00260026008e004b0053002a0032004a00430026007d00040000002e01000005000000

1402987fb0a2040000002d010100050000000902000000000400000002010100040000002701ffff040000002d010700040000002d010200070000001b04b801

490cee003f09040000002d010500040000002d010400030000001e00070000001604b701480ced003f090400000002010100040000002d010900050000000902

000080000500000014020a013f09040000002e0101001c000000320a0a013f090b00040000000000bf0ce30620202020526573706f6e64002600260025002600

6c0043003a0053004b0053005300040000002e010000050000001402987fb0a2040000002d010100050000000902000000000400000002010100040000002701

ffff040000002d010700040000002d010200070000001b043006570b4e054f09040000002d010500040000002d010400040000002d010700040000002d010200

070000001b043606690b6b057d09040000002d010500040000002d010400030000001e000700000016043406690b6b057d090400000002010100040000002d01

09000500000009020000800005000000140288057d09040000002e01010016000000320a88057d090700040000000000bf0ce306342e2054657374004b002600

2600640043003a003200040000002e010000050000001402987fb0a2040000002d010100050000000902000000000400000002010100040000002701ffff0400

00002d010700040000002d010200070000001b04e406a0034d050200040000002d010500040000002d010400040000002d010700040000002d01020007000000

1b043506b2036b053000040000002d010500040000002d010400030000001e000700000016043406b2036b052f000400000002010100040000002d0109000500

000009020000800005000000140288052f00040000002e0101001c000000320a88052f000b00040000000000bf0ce306352e204d616e6167652026004b002600

26008e004b0053004b004b00420026007d00040000002e010000050000001402987fb0a2040000002d0101000500000009020000000004000000020101000400

00002701ffff040000002d010700040000002d010200070000001b04e90630031e063000040000002d010500040000002d010400030000001e00070000001604

e70630031e062f000400000002010100040000002d010900050000000902000080000500000014023b062f00040000002e0101001c000000320a3b062f000b00

040000000000bf0ce30620202020496d70726f76650026002600250026003a007d00530043004b004b004300040000002e010000050000001402987fb0a20400

00002d010100050000000902000000000400000002010100040000002701ffff1000000026060f001600ffffffff00004a060000c50000007f06000093010000

1000000026060f001600ffffffff000060060000e30000006a0600007501000009000000fa02000006000000000000002200040000002d010a00040000002d01

070008000000250302006406e70065067001040000002d01040004000000f0010a00040000002d0105000800000026060f000600ffffffff0100100000002606

0f001600ffffffff00004a060000c400000080060000fa000000040000002d010200040000002d0103000e000000240305007f06f9006406c4004a06f9006406

e8007f06f900040000002d010400040000002d0105000800000026060f000600ffffffff01001000000026060f001600ffffffff00004a0600005e0100007f06

000094010000040000002d010200040000002d0103000e000000240305004a065e01640693017e065e0164066f014a065e01040000002d010400040000002d01

05000800000026060f000600ffffffff01001000000026060f001600ffffffff00003f0400000e030000e3040000430300001000000026060f001600ffffffff

00005d04000024030000c50400002d03000009000000fa02000006000000000000002200040000002d010a00040000002d010700080000002503020061042803

c0042803040000002d01040004000000f0010a00040000002d0105000800000026060f000600ffffffff01001000000026060f001600ffffffff00003f040000

0d0300007404000043030000040000002d010200040000002d0103000e0000002403050073040d033f042803730442036204280373040d03040000002d010400

040000002d0105000800000026060f000600ffffffff01001000000026060f001600ffffffff0000ae0400000e030000e404000044030000040000002d010200

040000002d0103000e00000024030500ae044303e3042803ae040e03bf042803ae044303040000002d010400040000002d0105000800000026060f000600ffff

ffff01001000000026060f001600ffffffff0000fb07000007030000980800003c0300001000000026060f001600ffffffff0000190800001d0300007a080000

2603000009000000fa02000006000000000000002200040000002d010a00040000002d01070008000000250302001d08210375082103040000002d0104000400

0000f0010a00040000002d0105000800000026060f000600ffffffff01001000000026060f001600ffffffff0000fb07000006030000300800003c0300000400

00002d010200040000002d0103000e000000240305002f080603fb0721032f083b031f0821032f080603040000002d010400040000002d010500080000002606

0f000600ffffffff01001000000026060f001600ffffffff00006308000007030000990800003c030000040000002d010200040000002d0103000e0000002403

050063083b0398082103630807037408210363083b03040000002d010400040000002d0105000800000026060f000600ffffffff01001000000026060f001600

ffffffff000058060000b60400008e060000530500001000000026060f001600ffffffff00006e060000d4040000780600003505000009000000fa0200000600

0000000000002200040000002d010a00040000002d01070008000000250302007206d80473063005040000002d01040004000000f0010a00040000002d010500

0800000026060f000600ffffffff01001000000026060f001600ffffffff000059060000b60400008e060000eb040000040000002d010200040000002d010300

0e000000240305008d06ea047206b6045906ea047206da048d06ea04040000002d010400040000002d0105000800000026060f000600ffffffff010010000000

26060f001600ffffffff0000580600001e0500008d06000053050000040000002d010200040000002d0103000e0000002403050058061e05720652058c061e0572062f0558061e05040000002d010400040000002d0105000800000026060f000600ffffffff0100040000002d010000030000000000}}}}}{

\par }\pard\plain \s18\li2347\sb60\nowidctlpar\widctlpar\adjustright \b\fs20\cgrid {Figure }{\field{\*\fldinst { SEQ 
Figure \\* ARABIC }}{\fldrslt {\lang1024 1}}}{\f16 \emdash }{WGC\rquote s Security Wheel

WGC recently published an analysis of Internet attacks entitled ProWatch
Secure Network Security Survey—(May-September 1997), which describes
attacks that took place at NetRanger-monitored customer sites. This paper
clearly demonstrates the value of an IDS in a real-world environment. This
paper can be downloaded from WGC’s Web site at
http://www.wheelgroup.com/netrangr/PWS_survey.html.

The SNI paper also notes that for an IDS to be useful and effective, it
must detect 100% of attacks 100% of the time. This is certainly an
admirable goal and WGC strives to meet it as often as possible. However,
achieving this level of perfection is a challenge in all areas, including
technology. As a result, the ability of an IDS to meet those numbers
without severely interfering with network traffic is minimal. Part of
SNI’s misconception stems from a lack of understanding of ID technology in
comparison with more common technologies like firewalls. IDSs
significantly strengthen network security because their design is based on
the types of attacks that are successful.

Attacks can be grouped loosely into one of several categories:

  * Reconnaissance (network mapping)
  * Initial Access Attacks
  * Privilege Escalation Attacks
  * Exploitation of Trusted Relationships
  * Denial of Service Attacks

Not every hacker will execute every one of these types of attacks. But
they would generally use attacks from multiple categories in order to gain
successful unauthorized access to a network. If the IDS detects any part
of the attack process, it has done its job because it has alerted
administrators that an attack is in progress. SNI’s assertion in section
9.1 that “as soon as an IDS records a ‘successful’ attack on the network,
administrators should assume that all bets are off, and further attacks
are occurring without the knowledge of the IDS,” is false. An IDS’ primary
responsibility is to indicate that an attack is in progress and to provide
some means for responding to that attack. NetRanger, for example, begins
to record 100% of the traffic associated with the attacking machine as
soon as an attack is detected. This allows users to meticulously
reconstruct the incident and correct problems created by the attack.
NetRanger continues to monitor all network traffic for attacks even after
a “successful” attack, and will still capture information about further
misuse, either from the same or a different source of attack.

Another incorrect assertion in section 9.1 is that “…an attacker that
successfully breaks into an IDS-protected network probably controls the
IDS.” NetRanger was designed such that the interface capturing network
traffic does not have an IP address and cannot be attacked. Remote
management is performed via a separate interface that can be isolated on a
private command and control network. Additionally, the NetRanger
installation process tightens up the operating system so that all
unnecessary services are removed, which provides further protection
against attacks.

SNI is correct in stating that it is important to build IDSs that are
resistant to false positives and, more importantly, false negatives to the
greatest extent possible while at the same time maintaining a useable
system with minimal network performance ramifications. From its inception,
NetRanger was designed to consider a variety of circumvention techniques
that may be used to bypass its security. As a result, NetRanger considers
not only the circumvention techniques discussed in the SNI paper, but also
goes well beyond the cursory analysis described in the SNI paper by
providing robust communications between all components to deliver such
features as guaranteed delivery of alarms, redundant alarm systems,
multiple routes for fault tolerance, and many others. The remainder of
this paper will specifically address SNI’s claims and the legitimacy of ID
as a security technology. In order to address each of the authors’
arguments, this paper will be organized according to the structure of the
SNI paper.

Problems with Network ID Systems

SNI focuses on two main issues in this section:

  * The capture of data “on the wire”—This is an IDS’ ability to
    accurately capture all network traffic and to accurately determine
    which packets may or may not be discarded on the network. This is one
    of the greatest challenges facing IDSs and is one in which the
    NetRanger development team has spent significant time. The SNI paper
    omitted the fact that NetRanger is one of the only systems tested that
    records and analyzes all network traffic and not simply a subset of
    it. Some IDSs are sold on concurrent connection licenses and only
    monitor a fixed number of open sessions. On a loaded network, this
    type of system will ignore sessions that exceed this fixed threshold.
    NetRanger monitors all traffic and inserts intelligence as to which
    packets are legitimate. With respect to bad checksums, NetRanger will
    have the option to discard them with the release of version 3.0 due
    out this summer.

  * The vulnerability of IDSs to denial of service attacks—NetRanger
    detects and generates alarms on the denial of service attacks
    mentioned (“ping floods”, “ping of death”, and “teardrop” attacks).
    But NetRanger is also hardened against these types of attacks because
    it makes changes to the operating system to protect itself. The same
    cannot be said of software-only solutions that run on Windows® NT®
    platforms. Windows NT systems are notoriously vulnerable to these
    types of attacks and fall prey to the situations that SNI mentions.
    Additionally, NetRanger generates alarms at the Director whenever it
    loses communications with a remote Sensor. Therefore, in the unlikely
    instance that a Sensor was crashed either through a denial of service
    attack, through a hardware failure, or if the Sensor were simply
    unplugged, the NetRanger operator would be notified that
    communications were down and that immediate attention was required.

Attacks & Network-Layer Problems

In section 4 of the SNI paper, the authors list various methods by which
attackers can circumvent an IDS and discuss how these attack methodologies
can be implemented by taking advantage of network-layer problems. SNI
terms these methods insertion and evasion attacks. All of these attacks
are highly sophisticated and would require numerous specialized tools to
execute in a real-world situation:

  * using bad header fields
  * changing IP options on a packet to create an invalid packet
  * using false MAC addresses
  * using IP fragmentation
  * using IP spoofing.

The authors of the SNI paper note that bad header fields can “trick” the
IDS into accepting packets that the targeted system would reject. The most
valid form of this attack is by changing the checksum; NetRanger will
discard these types of packets with the release of version 3.0. This type
of attack, however, can easily be prevented by configuring the router or
firewall to reject packets with improper checksums and would be the most
effective means to counter the attack. Other attacks of this sort are
simply impractical in a real-world environment.
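
Added illustration (not part of WheelGroup's paper and not NetRanger code):
a sensor that reassembles a TCP stream with and without checksum validation,
run over a constructed capture in which one segment carries a bad TCP
checksum. The addresses, ports, the BADCMD signature and all function names
are assumptions made for this example.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(seq, payload, corrupt=False, src="192.0.2.10",
                  dst="192.0.2.20", sport=40000, dport=80):
    """Build a constructed IPv4+TCP packet (20-byte headers, no options)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    csum = internet_checksum(pseudo + tcp + payload)
    if corrupt:
        csum ^= 0x5555  # deliberately wrong TCP checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp + payload

def parse_unchecked(packet):
    """What a sensor sees if it trusts every captured packet."""
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    data_off = (segment[12] >> 4) * 4
    return struct.unpack("!I", segment[4:8])[0], segment[data_off:]

def parse_valid_tcp(packet):
    """Return (seq, payload) only if an end host would accept the packet."""
    if len(packet) < 40 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or packet[9] != 6:
        return None
    if internet_checksum(packet[:ihl]) != 0:       # IP header checksum
        return None
    segment = packet[ihl:total_len]
    if len(segment) < 20:
        return None
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    if internet_checksum(pseudo + segment) != 0:   # TCP checksum
        return None
    data_off = (segment[12] >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        return None
    return struct.unpack("!I", segment[4:8])[0], segment[data_off:]

def reassemble(packets, validate, isn=1000):
    """First-arrival-wins reassembly of one direction of one connection."""
    stream = {}
    for pkt in packets:
        parsed = parse_valid_tcp(pkt) if validate else parse_unchecked(pkt)
        if parsed is None:
            continue  # dropped, exactly as the destination host would
        seq, payload = parsed
        for i, byte in enumerate(payload):
            stream.setdefault(((seq - isn) & 0xFFFFFFFF) + i, byte)
    out, pos = bytearray(), 0
    while pos in stream:  # stop at the first gap
        out.append(stream[pos])
        pos += 1
    return bytes(out)

SIGNATURE = b"BADCMD"  # constructed pattern standing in for an IDS signature

# Constructed capture: the second packet has a bad TCP checksum and occupies
# the same sequence range as the valid third packet.
CAPTURE = [
    build_segment(1000, b"run BA"),
    build_segment(1006, b"ZZZ", corrupt=True),
    build_segment(1006, b"DCM"),
    build_segment(1009, b"D now"),
]

def monitor_alerts(packets, validate):
    """True if the signature appears in the stream the sensor rebuilt."""
    return SIGNATURE in reassemble(packets, validate)

def count_rejected(packets):
    """Packets failing validation; worth an alarm of their own."""
    return sum(1 for p in packets if parse_valid_tcp(p) is None)

if __name__ == "__main__":
    print("unchecked :", reassemble(CAPTURE, False), monitor_alerts(CAPTURE, False))
    print("validated :", reassemble(CAPTURE, True), monitor_alerts(CAPTURE, True))
    print("rejected  :", count_rejected(CAPTURE))
```

With validation the sensor rebuilds the same bytes the destination host
would process; without it the bad-checksum segment displaces real data and
the signature match is lost.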

Changing the IP options on a packet to create an invalid packet is another
method to circumvent an IDS as mentioned in the SNI paper. NetRanger can
alarm on any IP option, and typically any securely configured network
would not allow IP options to be accepted and passed across the network.
Blocking of packets with IP options set can easily be accomplished with a
firewall or by appropriately setting router filters.

An IDS can also be circumvented if the attacker uses false MAC addresses.
The authors’ first example of addressing a packet only to the IDS is not
valid in the case of NetRanger, which is a passive interface without an IP
address. Therefore its MAC address would not be known to the other systems
on the network. Their second example of sending a packet with a legitimate
IP address and a false MAC address is plausible in theory. However, in
practice, it is not likely to happen. This type of attack would always
have to originate from the same network segment as the IDS and could not
be executed remotely.

The fourth example the authors use as a method of circumventing an IDS is
IP fragmentation. This topic has been the subject of many security forums
lately because IP fragmentation can be used to generate denial of service
attacks and can cause end systems to behave improperly. The current
version of NetRanger would detect all of the types of IP fragmentation
tests that SNI describes in their paper and would generate an IP
fragmentation alarm that corresponds to that attack. In addition, IP
fragmentation is easily stopped on network perimeters by setting
configurations in routers and firewalls.

SNI’s final example deals with IP spoofing and its implications on UDP and
TCP services. IP spoofing is also something that is easily prevented by
perimeter firewalls and routers with an appropriate security
configuration. Spoofing is also only good for sending one-way attacks and
not for establishing an interactive session because the return packet to
the spoofed address cannot be properly routed to the attacker.

Attacks & TCP Transport-Layer Problems

The authors of the SNI paper describe in section 5 how insertion and
evasion attacks can be implemented by taking advantage of transport-layer
problems. Most of this revolves around the complicated issue of how an IDS
deals with the establishment and subsequent tearing down of TCP
connections. SNI labels the implementation of tracking a single connection
as a “TCP control block” or “TCB.” NetRanger deals with independent TCP
connections and tracks the resets of each of these connections
independently. A unique TCP connection is identified by the following
items: source IP address, source TCP Port, destination IP address,
destination TCP port, and time. Because there is no perfect way to
implement TCP-connection tracking without completely overloading the
sensing system, NetRanger was designed to cover and track traffic with the
least possibility of circumvention of security. NetRanger is currently
being designed such that various tradeoffs will be user-configurable at
runtime to allow the greatest flexibility in the NetRanger configuration.

Section 5 of the SNI paper focuses on problems that a hacker can create
with TCB creation, TCP reassembly, and TCB tear down. The first problem
they focus on is TCB creation. They outline three ways that an ID system
can choose to determine an active TCP session. The first two require
either a complete three-way handshake (3WH) or a partial 3WH. These
methods have inherent problems because if any one of the packets
establishing the connection is missed, the ID system will no longer
monitor the remainder of that session. This is especially a problem on
heavily loaded networks. NetRanger does not require the 3WH for monitoring
data, and therefore, this argument does not apply. SNI also mentions that
the attacker could create a false attack that does not correspond to any
open session. In WheelGroup’s estimation, a deliberate insertion of attack
data, even to a non-existent connection, should be considered an attack,
or at the very least a possible failed attack attempt, and should be
alarmed on.

The next issue addressed in Section 5 of the paper is TCP Stream
Reassembly. The first problem highlighted by SNI affects ID systems that do
not use sequence numbers for reassembly. NetRanger is not affected by these
problems because it does remember sequence numbers. Most of the issues
identified by SNI that affect NetRanger deal with overlapping packets
within the TCP stream. NetRanger will address these types of situations
properly with V3.0, however some of these will be user options since they
result in significant trade-offs with stream assembly and intrusion
detection performance.

The final issue addressed in Section 5 of the paper is TCB tear down. This
is the point at which NetRanger ceases monitoring a session because it has
detected an RST or FIN message indicating the termination of the TCP
session. NetRanger is not affected by these problems because it
continuously monitors sessions based on data synchronization and not based
on the establishment and tear down of independent TCP sessions.

Denial of Service

Section 6 of the SNI paper deals with denial of service attacks and how
they can affect IDSs. They focus on two primary areas; resource exhaustion
and the abuse of reactive IDSs. As mentioned before, NetRanger is the only
IDS to configure the host operating system in order to optimize performance
and security. Most of the resource exhaustion issues deal with overwhelming
the IDS with packets and useless information. NetRanger was designed such
that it will not fail under such conditions, unlike many IDSs that are
hosted on base configuration NT hosts. NetRanger is a scalable system that
has proven to be capable of watching up to 85Mbps of traffic without any
packet loss. Many of the techniques which would be used to choke the IDS
would generate alarms of their own, thus rendering the attacker visible to
the person monitoring the network and defeating the purpose of overloading
the IDS itself. SNI consistently misses the primary philosophy behind
effective intrusion detection: to catch an attack, and not to catch every
single detailed event on the network.

The second issue raised in Section 6 of the paper deals with the misuse of
reactive IDSs. NetRanger possesses built-in protection against this type of
denial of service attacks, and can be configured such that it would never
shun legitimate hosts or networks. Additionally, NetRanger can be
configured such that all automated response is eliminated and the user can
simply have a manual mechanism for terminating a session and erecting
permanent barriers to traffic from the attacking site. Again, in this
instance the IDS would serve its primary purpose of indicating an attack
where previously no such knowledge would be possible.

Testing Methodology

Section 7 of the SNI paper enumerates the different tests run against the
IDSs. These tests can be categorized into several major groups. The first
seven (frag-1 to frag-7) tests use fragmentation in order to bypass the
IDS. For each of these attacks, the current version of NetRanger would have
generated a fragmentation alarm for the type of traffic that they
generated. Even more sophisticated IP Fragment processing will be available
in V3.0 of NetRanger.

The next nine tests (tcp-1 to tcp-9) deal with TCP transport-layer attacks
and are generally handled well by NetRanger. NetRanger is currently in the
process of being redesigned to handle these types of attacks with a greater
degree of assurance.

The next three tests (tcbc-1 to tcbc-3) deal with TCB construction and are
discussed in paragraph two of the Attack & TCP Transport-Layer Problems
section of this paper.

The next two tests (tcbt-1 to tcbt-2) deal with TCB tear down and would be
handled properly by NetRanger as described in paragraph four of the Attack
& TCP Transport-Layer Problems section of this paper.

The next three tests (insert-1 to insert-3) deal with a variety of
insertion attacks. All three of these attacks will be properly handled in
V3.0 of NetRanger including checksum verification and the requirement for
ACK flags set on legitimate TCP data packets.

The final test (evade-1) uses the technique of storing data in the SYN
packet. NetRanger 3.0 will properly handle this type of attack.

Conclusion

As with any new technology that comes to market, questions will be raised
about its validity as well as its capability to provide reliable results.
Intrusion detection is an important technology that complements existing
security products to provide stronger security to internetworks. Many of
the issues that were raised in the SNI paper are legitimate and will serve
to strengthen IDSs as the technology matures. As mentioned previously,
analyses of this type help to legitimize the need for ID technology and
endorse the value that ID can bring to an organization.

The major flaw with the SNI paper is its failure to examine how IDSs fit
within security architectures and how they function properly in real-world
environments. An IDS adds significant value by detecting and providing a
response mechanism against the vast majority of attacks that are being used
today. These attacks typically take place over wide-area networks and
consist of multiple steps in order for the hacker to realize significant
gain.



Organizations should not be concerned about a hacker who may be able to
execute one attack that evades IDS detection. A much greater concern should
be the external or internal hacker who has defined objectives and makes his
way throughout important networks to steal critical information or disrupt
business activity. IDSs are extremely useful in aiding in the detection and
prevention of these types of attacks. WheelGroup Corporation has designed
its market-leading NetRanger intrusion detection system to address these
risks, and we will continue to improve NetRanger as the hacking threat
evolves.

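The overlapping-segment problem discussed in the TCP Stream Reassembly paragraph above, as an added example that is not part of the WheelGroup paper or of the original post: a constructed stream is reassembled under two policies (the first copy of a byte wins, or later data overwrites it), and offsets where overlapping data disagrees are reported so a sensor can alarm on them whichever policy it uses. The function names, the placeholder signature and the sample segments are assumptions; sequence numbers are offsets from the ISN and wraparound is ignored.

```python
# Added illustration (not from the WheelGroup paper): overlapping TCP segments.
# Sequence numbers are offsets from the ISN; wraparound is ignored (assumption).

def reassemble(segments, policy):
    """Rebuild the stream from (seq, data) pairs given in arrival order.

    policy="first": the first copy of a byte wins; policy="last": later data overwrites.
    """
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out, pos = bytearray(), 0
    while pos in stream:  # stop at the first gap
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def conflicting_overlaps(segments):
    """Offsets where an overlapping segment carries different bytes than before."""
    seen, conflicts = {}, set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            if seen.setdefault(seq + i, byte) != byte:
                conflicts.add(seq + i)
    return sorted(conflicts)

def evaluate(segments, signature):
    """Compare what each policy would show a signature matcher."""
    first = reassemble(segments, "first")
    last = reassemble(segments, "last")
    return {
        "match_first": signature in first,
        "match_last": signature in last,
        "ambiguous": first != last,
        "conflicts": conflicting_overlaps(segments),
    }

# Constructed sample data: in OVERLAPPING, two segments cover the same offsets.
SIGNATURE = b"ATTACK"  # hypothetical placeholder signature
OVERLAPPING = [(0, b"GET /AT"), (7, b"XXXX"), (7, b"TACK"), (11, b" HTTP/1.0\r\n")]
RETRANSMIT = [(0, b"GET /index"), (5, b"index"), (10, b".html\r\n")]

if __name__ == "__main__":
    print(evaluate(OVERLAPPING, SIGNATURE))
    print(evaluate(RETRANSMIT, SIGNATURE))
```

A plain retransmission repeats identical bytes and produces no conflicts, so the conflict list separates ordinary loss recovery from streams whose meaning depends on the reassembly policy.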

Current thread: