Chapter 9 Firewalls. The Need for Firewalls Putting a Web server on the Internet without a firewall...


Page 1: Chapter 9 Firewalls

Page 2: The Need for Firewalls

Putting a Web server on the Internet without a firewall is dangerous
– Remember in CNIT 123 how a firewall protected your Web server from a DoS attack created with nmap

But a misconfigured firewall is not much use

Page 3: Firewall Landscape

Two types of firewalls dominate the market today
– Application proxies
  More secure but slower
– Packet-filtering gateways
  Including stateful packet-filtering gateways

Page 4: How Safe is a Firewall?

A well-designed, -configured, and -maintained firewall is nearly impenetrable

Attackers will have to work around it by
– Exploiting trust relationships
– Finding weakest-link security vulnerabilities
– Attacking through a VPN or dial-up account

Page 5: Firewall Identification

Page 6: Why Identify a Firewall?

An attacker wants to determine the type, version, and rules of every firewall on the network

To understand their weaknesses and exploit them

Page 7: Firewall Identification Techniques

Port scanning

Firewalking

Banner grabbing

Page 8: Direct Scanning: The Noisy Technique

Some firewalls have obvious signatures
– Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259
– Check Point NG listens on TCP ports 18210, 18211, 18186, 18190, 18191, and 18192 as well
– Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745

Page 9: Ways to Conceal a Scan

Randomize target ports

Randomize target addresses

Randomize source ports

Distributed source scans
– Using multiple computers on the Internet, each taking a small portion of the scanning targets

These techniques will fool most IDS systems with default rules

Page 10: Direct Scanning Countermeasures

Block unneeded ICMP packets at your border router

Use an Intrusion Detection System, such as Snort

IPPL is a Linux daemon that detects port scans (link Ch 901)

Cisco routers have ACL rules to block scans
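The detection side of the two slides above, as an added example that is not part of the slide deck and not the code of IPPL or Snort: a small port-scan detector run over constructed firewall log lines. It counts distinct destination ports per source inside a time window (which catches a noisy scanner) and also per target across all sources, which is what still catches the distributed scan the previous slide says fools default IDS rules. The log format, addresses and thresholds are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a key=value style (not from the slides).
# 203.0.113.9 is one noisy scanner hitting many ports of 192.0.2.10;
# 198.51.100.1-3 run a distributed scan of 192.0.2.20, each source touching
# only two or three ports; 198.51.100.77 is an ordinary web client.
SAMPLE_LOG = """\
2008-04-11T10:00:00 src=203.0.113.9 dst=192.0.2.10 dport=21 action=DROP
2008-04-11T10:00:00 src=203.0.113.9 dst=192.0.2.10 dport=22 action=DROP
2008-04-11T10:00:01 src=203.0.113.9 dst=192.0.2.10 dport=23 action=DROP
2008-04-11T10:00:01 src=203.0.113.9 dst=192.0.2.10 dport=25 action=DROP
2008-04-11T10:00:02 src=203.0.113.9 dst=192.0.2.10 dport=80 action=ACCEPT
2008-04-11T10:00:02 src=203.0.113.9 dst=192.0.2.10 dport=110 action=DROP
2008-04-11T10:00:03 src=203.0.113.9 dst=192.0.2.10 dport=111 action=DROP
2008-04-11T10:00:03 src=203.0.113.9 dst=192.0.2.10 dport=135 action=DROP
2008-04-11T10:00:04 src=203.0.113.9 dst=192.0.2.10 dport=139 action=DROP
2008-04-11T10:00:04 src=203.0.113.9 dst=192.0.2.10 dport=443 action=ACCEPT
2008-04-11T10:00:05 src=203.0.113.9 dst=192.0.2.10 dport=445 action=DROP
2008-04-11T10:00:10 src=198.51.100.1 dst=192.0.2.20 dport=21 action=DROP
2008-04-11T10:00:11 src=198.51.100.2 dst=192.0.2.20 dport=23 action=DROP
2008-04-11T10:00:12 src=198.51.100.3 dst=192.0.2.20 dport=25 action=DROP
2008-04-11T10:00:13 src=198.51.100.1 dst=192.0.2.20 dport=110 action=DROP
2008-04-11T10:00:14 src=198.51.100.2 dst=192.0.2.20 dport=111 action=DROP
2008-04-11T10:00:15 src=198.51.100.3 dst=192.0.2.20 dport=139 action=DROP
2008-04-11T10:00:16 src=198.51.100.1 dst=192.0.2.20 dport=445 action=DROP
2008-04-11T10:00:20 src=198.51.100.77 dst=192.0.2.10 dport=80 action=ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")


def parse_log(text):
    """Turn the log text into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        ts, src, dst, dport, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def _sweep(groups, window, threshold):
    """For each key, slide a time window over its events and report the keys whose
    window ever held at least `threshold` distinct destination ports.
    Returns {key: set of ports seen in the flagged windows}."""
    hits = {}
    for key, evs in groups.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                hits[key] = hits.get(key, set()) | ports
    return hits


def detect_scans(events, window=timedelta(seconds=30), threshold=6):
    """Return (per_source, per_target) dicts of suspected scans.
    per_source catches a single noisy scanner; per_target aggregates across
    sources so a distributed scan with a few ports per source still shows up."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
        by_dst[e["dst"]].append(e)
    return _sweep(by_src, window, threshold), _sweep(by_dst, window, threshold)


if __name__ == "__main__":
    per_src, per_dst = detect_scans(parse_log(SAMPLE_LOG))
    for src, ports in per_src.items():
        print(f"scan from {src}: {len(ports)} distinct ports")
    for dst, ports in per_dst.items():
        print(f"target {dst} probed on {len(ports)} distinct ports (all sources)")
```

The per-source view only reports 203.0.113.9; the three distributed sources stay under the threshold individually, and only the per-target view reports 192.0.2.20. Randomized source ports do not matter to this logic at all, since it keys on destination ports.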

Page 11: Route Tracing

In the traceroute below, hop 14 is probably a firewall
– Because it's the point of NAT to the target network
– The -I switch sends ICMP packets, not Linux's default of UDP

Page 12: When ICMP is blocked

Hop 13 is obviously the firewall, or at least the first router that blocks ICMP

Page 13: Route Tracing Countermeasure

Block ICMP TTL Expired packets

Page 14: Banner Grabbing

Just find an open port and connect to it with netcat

Page 15: Banner-Grabbing Countermeasures

Eliminate the open port on your firewall
– A management port should not be open externally anyway

If you must leave the ports open on the external interface of your firewall
– Change the banner to display a legal warning reminding the offender that all attempts to connect will be logged

Page 16: Advanced Firewall Discovery

If a firewall can't be identified by port scanning, traceroute, or banner grabbing

Firewalls and their ACL rules can be deduced by probing targets and noticing the paths taken (or not taken) to get there

Page 17: Simple Deduction with nmap

When nmap flags a port as "filtered", one of these conditions is true
– No SYN/ACK packet was received
– No RST/ACK packet was received
– An ICMP type 3 message (Destination Unreachable) with code 13 (Communication Administratively Prohibited - [RFC 1812]) was received

Those ICMP messages reveal your firewall rules

Page 18: Ports 23 and 111 are filtered

Page 19: Simple Deduction with nmap Countermeasures

Block nmap scans with an Intrusion Prevention System

Disable IP Unreachable messages on your firewall
– This prevents it from sending the ICMP type 3, code 13 (Admin Prohibited Filter) packets

Page 20: Port Identification

Some firewalls display a series of numbers when you connect to them

For example, Check Point will display a series of numbers when you connect to its SNMP management port, TCP 257.

Page 21: Port Identification Countermeasure

Prevent connections to management ports by blocking them at your upstream routers

Page 22: Scanning Through Firewalls

Page 23: Raw Packet Transmissions

hping2 can send ICMP, TCP, or UDP packets to a target and reports on what returns

That lets you interpret the results yourself, rather than relying on nmap's programmed analysis

Page 24: Demo: Scan with nmap

Page 25: Demo: Scan with hping2

From a Ubuntu VM (andLinux doesn't work)

sudo apt-get install hping2

-S switch sends a SYN packet

-c 1 sends only one packet

-p 21 specifies port 21

Open port returns flags=SA (SYN/ACK)

Page 26: Demo: Scan with hping2

Closed port returns flags=RA (RST/ACK)

Filtered port returns nothing

Page 27: ICMP Type 3, Code 13

Some firewalls return ICMP Type 3 with code 13 packets, which inform you that the firewall blocked the connection

It's a good idea to block those ICMP Type 3 with code 13 packets
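The interpretation rules from the nmap "filtered" slide (Page 17) and the hping2 demo slides (Pages 25-27), carried out as an added example that is not part of the slide deck and not hping2's or nmap's own code. The reply lines are constructed in the style of hping2 output, not captured from a real run, and the addresses and ports are assumptions. The point for a defender is the second value `summarize` returns: the ports whose filtering was announced by an ICMP type 3 code 13 message are exactly the ones that leak the rule base, and the countermeasure above is meant to make that list empty.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed reply lines in the style of hping2 output, one per probed port
# (not captured from a real run; the addresses are documentation ranges).
# None means nothing came back before the timeout.
SAMPLE_REPLIES = {
    21: "len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=21 flags=SA seq=0 win=5840 rtt=0.4 ms",
    22: "len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.3 ms",
    23: None,
    80: "len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms",
    111: "ICMP Unreachable type=3 code=13 from ip=192.0.2.1",
    445: None,
}


@dataclass(frozen=True)
class Reply:
    flags: Optional[str] = None             # TCP flags as hping2 prints them, e.g. "SA" or "RA"
    icmp: Optional[Tuple[int, int]] = None  # (type, code) of an ICMP error, if one came back


FLAGS_RE = re.compile(r"\bflags=([A-Z]+)")
ICMP_RE = re.compile(r"\btype=(\d+) code=(\d+)")


def parse_reply(line):
    """Map one reply line (or None for silence) onto a Reply."""
    if line is None:
        return None
    m = FLAGS_RE.search(line)
    if m:
        return Reply(flags=m.group(1))
    m = ICMP_RE.search(line)
    if m:
        return Reply(icmp=(int(m.group(1)), int(m.group(2))))
    return Reply()


def classify(reply):
    """Apply the slides' rules: SYN/ACK = open, RST/ACK = closed,
    silence or an ICMP type 3 error = filtered."""
    if reply is None:
        return "filtered"        # neither SYN/ACK nor RST/ACK came back
    if reply.flags == "SA":
        return "open"
    if reply.flags == "RA":
        return "closed"
    if reply.icmp is not None and reply.icmp[0] == 3:
        return "filtered"        # destination unreachable, e.g. code 13 admin-prohibited
    return "unknown"


def summarize(replies):
    """Return ({port: state}, [ports whose filtering was announced by ICMP 3/13]).
    A defender wants that second list empty: those ports reveal the rule base."""
    states = {}
    announced = []
    for port, line in replies.items():
        reply = parse_reply(line)
        states[port] = classify(reply)
        if reply is not None and reply.icmp == (3, 13):
            announced.append(port)
    return states, sorted(announced)


if __name__ == "__main__":
    states, announced = summarize(SAMPLE_REPLIES)
    for port, state in sorted(states.items()):
        print(f"port {port}: {state}")
    print("ports revealed by ICMP type 3 code 13:", announced)
```

Ports 23 and 445 are reported as filtered purely from silence, which tells an outsider nothing about which device dropped the probe; port 111 is reported as filtered because the firewall said so, which is the case the countermeasure on Page 19 removes.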

Page 28: Firewalk

Page 29: Firewalk Looks Through a Firewall

The target is Router3

We want to know which ports Router3 blocks, and which ports it allows through

Page 30: Firewalk Phase 1: Hopcount Ramping

First Firewalk sends out a series of packets towards the destination with TTL=1, 2, 3, …

When the target (Router3) is reached, that determines the TTL for the next phase

Page 31: Firewalk Phase 1: Hopcount Ramping

In this example, the target is at TTL=3, so all future packets will use TTL=4

Page 32: Firewalk Phase 2: Firewalking

TCP or UDP packets are sent from the scanning host to the Destination

They all have TTL=4

Page 33: Firewalk Phase 2: Firewalking

If a packet reaches the Destination, it will send an "ICMP TTL expired in transit" message

If Router3 blocks the packet, there is no response

Page 34: Demo: Firewalking

Page 35: No Firewall

All ports are open (not blocked by a firewall)

Page 36: Firewall Blocking TCP Ports 85-90

Those ports give no response

Page 37: Firewalk Countermeasures

You can block "ICMP TTL expired" packets at the gateway

But this may negatively affect its performance

Because legitimate clients connecting will never know what happened to their connection
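The two Firewalk phases from Pages 30-33 and the countermeasure on this slide, as an added example that is not part of the slide deck and is not the Firewalk tool's code: a pure-Python simulation over a constructed four-hop path, so nothing is sent on a network. Router3 is given an ACL that blocks TCP 85-90 to match the "Firewall Blocking" demo; the hop names, the ACL and the way the countermeasure is modelled (the gateway discards TTL-expired messages coming back from hops beyond it) are assumptions made up for the example.

```python
# Constructed mock path from the scanning host to the destination (not the
# slides' lab network). Each hop has an ACL (set of blocked TCP ports); Router3
# is the gateway under study and blocks TCP 85-90, as in the "Firewall Blocking" demo.
PATH = [
    {"name": "Router1", "gateway": False, "blocked": set()},
    {"name": "Router2", "gateway": False, "blocked": set()},
    {"name": "Router3", "gateway": True, "blocked": set(range(85, 91))},
    {"name": "Destination", "gateway": False, "blocked": set()},
]


def send_probe(path, ttl, dport, gateway_drops_ttl_expired=False):
    """Simulate one probe. Each hop decrements the TTL; the hop where it reaches 0
    answers with 'ICMP TTL expired'. A hop whose ACL blocks dport drops the probe
    silently. With the countermeasure on, the gateway discards TTL-expired
    messages coming back from hops beyond it. Returns (message, hop name) or None."""
    beyond_gateway = False
    for hop in path:
        ttl -= 1
        if ttl == 0:
            if beyond_gateway and gateway_drops_ttl_expired:
                return None                       # reply filtered on its way back
            return ("ttl-expired", hop["name"])
        if dport in hop["blocked"]:
            return None                           # ACL drop: no response at all
        if hop["gateway"]:
            beyond_gateway = True
    return ("reached", path[-1]["name"])


def hopcount_ramp(path, target, probe_port=80, max_ttl=30, countermeasure=False):
    """Phase 1: raise the TTL one step at a time until the target itself answers.
    Returns the target's hop count, or None if it never answers."""
    for ttl in range(1, max_ttl + 1):
        resp = send_probe(path, ttl, probe_port, countermeasure)
        if resp is not None and resp[1] == target:
            return ttl
    return None


def firewalk(path, target, ports, countermeasure=False):
    """Phase 2: probe every port with TTL = target hop + 1. A 'TTL expired' from
    the hop past the gateway means the gateway let that port through."""
    hop = hopcount_ramp(path, target, countermeasure=countermeasure)
    if hop is None:
        return {}
    probe_ttl = hop + 1
    results = {}
    for port in ports:
        resp = send_probe(path, probe_ttl, port, countermeasure)
        results[port] = "open" if resp is not None and resp[0] == "ttl-expired" else "blocked"
    return results


if __name__ == "__main__":
    print("target hop:", hopcount_ramp(PATH, "Router3"))   # 3, so phase 2 uses TTL=4
    for label, cm in (("no countermeasure", False), ("gateway drops TTL-expired", True)):
        print(label, firewalk(PATH, "Router3", range(80, 93), countermeasure=cm))
```

Without the countermeasure the simulation reproduces the demo: 85-90 come back "blocked" and the rest "open". With the gateway discarding TTL-expired messages from beyond it, every port reads "blocked", which is the whole point of the countermeasure and also why legitimate traceroutes through that gateway go dark at the same hop.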

Page 38: Source Port Scanning

Page 39: Destination Ports

This is normal traffic into a company's DNS Server

Page 40: Destination Port Filtering

So a simple stateless firewall could be set up this way to protect that network

Page 41: Destination Port Filtering

Company workers can't use DNS!

Page 42: Source Port Filtering

Now users are happy, because they can use DNS and FTP servers

Page 43: Spoofing Source Ports

The -g option in nmap can spoof any desired source port

This will scan right through stateless firewalls that use source port filtering

Page 44: Source Port Scanning

This is how normal FTP works

Page 45: The Attack

Page 46: Fpipe

Allows any traffic to be redirected to any chosen port

So an attack could go through port 20, looking like FTP to the firewall
– Link Ch 904

Page 47: Source Port Scanning Countermeasures

Switch to a stateful or application-based proxy firewall that keeps better control of incoming and outgoing connections, or

Disable any communications that require more than one port combination (such as traditional FTP)

And employ firewall-friendly applications such as Passive FTP that do not violate the firewall rules

Page 48: Packet Filtering

Page 49: Packet-Filtering Firewalls

These firewalls depend on access control lists (ACLs), even if they are stateful
– Check Point's FireWall-1
– Cisco's PIX
– Cisco's IOS

Page 50: Liberal ACLs

Poorly written ACLs allow unwanted traffic

If you want to allow your ISP to perform zone transfers
– "Allow all activity from the TCP source port of 53" – too liberal
– "Allow activity from the ISP's DNS server with a TCP source port of 53 and a destination port of 53." – the tighter rule

Page 51: Check Point Trickery

Check Point 3.0 and 4.0 provide ports open by default
– DNS lookups (UDP 53)
– DNS zone transfers (TCP 53)
– RIP (UDP 520)

These are all allowed from any host to any host and are not logged

Page 52: Control Via Port 53

A compromised system can be controlled over port 53, right through the firewall

Page 53: Check Point Trickery Countermeasures

Disable unnecessary traffic that was allowed by default

Page 54: ICMP and UDP Tunneling

Wrapping real data in an ICMP header

This creates a covert channel

Many routers and firewalls that allow ICMP ECHO, ICMP ECHO REPLY, and UDP packets through will be vulnerable to this attack

Loki is a tool that does this (link Ch 2m)

Page 55: ICMP and UDP Tunneling Countermeasure

Block ICMP packets at the firewall
– You may break ICMP heartbeats
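A detection alternative for the two tunneling slides, as an added example that is not part of the slide deck and not Loki's code: when blocking ICMP outright would break the heartbeats mentioned above, echo traffic can instead be screened for the traits a covert channel has and a ping does not. The records, the Linux-style ping payload, the sha256-based filler standing in for tunnelled data, and the two thresholds are all constructed assumptions for the example.

```python
import hashlib
import math
from collections import Counter


def entropy_bits(data):
    """Shannon entropy of a byte string in bits per byte (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(n, seed):
    """Deterministic high-entropy filler standing in for tunnelled (compressed or
    encrypted) data, so the sample runs offline. Constructed, not captured."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# A Linux-style ping payload: 8 timestamp bytes followed by the 0x10.. pattern
PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))

# Constructed ICMP echo records (type 8 = request, 0 = reply), not from the slides.
# The first pair is an ordinary ping; the second pair carries unrelated data in
# both directions, the way an ICMP tunnel does.
SAMPLE_ICMP = [
    {"type": 8, "src": "192.0.2.5", "dst": "198.51.100.1", "id": 1, "seq": 1, "payload": PING_PAYLOAD},
    {"type": 0, "src": "198.51.100.1", "dst": "192.0.2.5", "id": 1, "seq": 1, "payload": PING_PAYLOAD},
    {"type": 8, "src": "203.0.113.9", "dst": "192.0.2.10", "id": 7, "seq": 1, "payload": pseudo_random(256, "cmd")},
    {"type": 0, "src": "192.0.2.10", "dst": "203.0.113.9", "id": 7, "seq": 1, "payload": pseudo_random(256, "out")},
]

ENTROPY_THRESHOLD = 6.5   # bits/byte; ping patterns sit well below, ciphertext near 8
MAX_PAYLOAD = 128         # echo payloads larger than a typical ping deserve a look


def find_suspicious(records):
    """Return a sorted list of (src, dst, reason) for echo traffic that looks like a
    covert channel: high-entropy or oversized payloads, and replies whose payload
    does not echo the request they answer."""
    findings = set()
    requests = {}
    for r in records:
        if r["type"] == 8:
            requests[(r["src"], r["dst"], r["id"], r["seq"])] = r["payload"]
    for r in records:
        if r["type"] not in (0, 8):
            continue
        p = r["payload"]
        if entropy_bits(p) > ENTROPY_THRESHOLD:
            findings.add((r["src"], r["dst"], "high-entropy payload"))
        if len(p) > MAX_PAYLOAD:
            findings.add((r["src"], r["dst"], "oversized payload"))
        if r["type"] == 0:
            req = requests.get((r["dst"], r["src"], r["id"], r["seq"]))
            if req is not None and req != p:
                findings.add((r["src"], r["dst"], "reply does not echo request"))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, reason in find_suspicious(SAMPLE_ICMP):
        print(f"{src} -> {dst}: {reason}")
```

The ordinary ping produces no findings, so heartbeats keep working; the tunnel pair is reported on all three traits. The mismatched-reply check is the most specific of the three, since a real echo reply must repeat the request's payload, whereas a tunnel server has something different to say.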

Page 56: Application Proxy Vulnerabilities

Page 57: Application Proxy

Also called an Application Gateway

An application program that runs on a firewall between two networks

No direct connections between the networks are allowed
– Both sides must connect only to the proxy
– The proxy makes all packet-forwarding decisions

Page 58: Application Proxy

Application proxies are very secure, but require more memory and processor resources than other firewall technologies, such as stateful inspection
– Link Ch 906

Page 59: Hostname: localhost

Some older UNIX proxies allowed a user to log directly into the proxy server itself with the user name "localhost"

The ideal countermeasure is to not allow localhost logins

Page 60: Unauthenticated External Proxy Access

The firewall may restrict internal connections, but not access from the outside

This allows attacks like
– Using your proxy to attack other systems
– Gaining access to your intranet from the Web

Page 61: Unauthenticated External Proxy Access Countermeasures

Disallow proxy access from the external interface of the firewall

Restrict incoming proxy traffic at your border routers

Page 62: WinGate Vulnerabilities

WinGate is a proxy server and firewall

Very common in the 1990s for Internet connection sharing

Versions prior to 2.1d (1997) were notoriously insecure by default
– Links Ch 907, Ch 908

Page 63: Unauthenticated Browsing

WinGate proxies allowed outsiders to browse the Internet completely anonymously

Attackers could hack with little risk of getting caught

The unauthenticated SOCKS proxy (TCP 1080) is also vulnerable

Page 64: Unauthenticated Browsing Countermeasure

Restrict the bindings of specific services
– Only allow the internal interface to access the SOCKS and WWW services

Page 65: Unauthenticated Telnet

WinGate servers also forwarded Telnet traffic anonymously

The cure is to bind Telnet to the local interfaces

Page 66: File Browsing

Default WinGate 3.0 installations allow anyone to view files on the system through their management port (8010)
– With a URL like this
– http://192.168.51.101:8010/c:/

Countermeasure: upgrade to a newer version of WinGate

Page 67

Last modified 4-11-08