T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000

Presentation transcript:

A Stateful Inspection of FireWall-1
  Thomas Lopatic, John McDonald (TÜV data protect GmbH)
  Dug Song (CITI at the University of Michigan)

Overview
  Architecture of FireWall-1
  Attacking the firewall's state I
  FWZ encapsulation
  Attacking the firewall's state II
  Attacking authentication between firewall modules
  Hardening FireWall-1
  The big picture

Stateful Inspection I
  [diagram: packet path: virtual defrag (chain of fragments) -> pre-inspection against the "connections" table (ACCEPT) -> inspection virtual machine (ACCEPT / REJECT), which maintains the "connections" and "pending" tables]

Stateful Inspection II
  [diagram: an accepted UDP packet from an internal client, port C, to an external server, port S, creates a UDP "connections" entry (client port C to server port S) plus a wildcard-port entry; matching UDP replies are accepted]

Stateful Inspection III
  [diagram: the FTP client sends "PORT 192,168,0,2,4,36" and the FTP server opens the data connection to the client; the client sends "PASV", the server answers "(172,16,0,2,4,36)" and the client opens the data connection to a server port > 1023]

Topology
  [diagram: test setup with Solaris, Windows NT, OpenBSD, Nokia IP-440 and Linux hosts connected through a hub, between the victim network and the hostile network]

Fastmode Services
  non-SYN packets accepted
  Source port = fastmode service
  Destination port = fastmode service
  Stealth scanning (FINs, ...)
  [diagram: non-SYN packets from the Internet pass the firewall]

FTP "PORT" Parsing
  "PORT 172,16,0,258,p1,p2"
  "PORT 172,16, ,2,p1,p2"
  = * ( ) * ( )
  [diagram: data connection opened to the address the firewall parsed from the malformed command]
  Application: bounce attack

FTP "PASV" Handling
  Advertise small Maximal Segment Size
  Server replies split: "Invalid command giv" | "en: XXXXXXXXXXXXXX" | "227 (172,16,0,2,128,7)"
  [diagram: the server's error reply "Invalid command given: XXXXXXXXXXXXXX227 (172,16,0,2,128,7)" arrives in segments, the last of which begins with "227 (172,16,0,2,128,7)"]
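Strict handling of FTP "PORT" commands and "PASV" replies, written as a defensive illustration for the two slides above (an added example, not code from the talk or from FireWall-1): fields above 255 or empty fields are rejected, the announced address must equal the control-connection peer, and a "227" is only honoured at the start of a complete CRLF-terminated server line, so a "227 (...)" fragment inside an error reply split by a small MSS is ignored. The sample commands and the server byte stream are constructed.

```python
import re
from ipaddress import IPv4Address
# Hypothetical strict parser (illustration, not FireWall-1 code). Both patterns
# require a complete CRLF-terminated line with exactly six numeric fields.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"\r\n$")
PASV_RE = re.compile(r"^227 [^\r\n]*\(" + _SIX + r"\)[^\r\n]*\r\n$")

def _endpoint(fields, expected_addr):
    """Validate h1,h2,h3,h4,p1,p2: every field <= 255, port > 1023, and the
    address must equal the control-connection peer (no bounce to third hosts)."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        return None
    addr = IPv4Address(".".join(str(v) for v in values[:4]))
    port = values[4] * 256 + values[5]
    if port <= 1023 or addr != IPv4Address(expected_addr):
        return None
    return str(addr), port

def parse_port(line, client_addr):
    """Data endpoint announced by a client PORT command, or None if rejected."""
    m = PORT_RE.match(line)
    return _endpoint(m.groups(), client_addr) if m else None

def pasv_endpoints(server_stream, server_addr):
    """Walk the server->client byte stream one complete line at a time; only a
    line that starts with '227 ' is a PASV reply, so '227 (...)' buried in an
    error reply is never honoured. A trailing partial line waits for more data."""
    found = []
    for raw in server_stream.split(b"\r\n")[:-1]:
        m = PASV_RE.match(raw.decode("ascii", "replace") + "\r\n")
        ep = _endpoint(m.groups(), server_addr) if m else None
        if ep:
            found.append(ep)
    return found

# Constructed samples modelled on the slides (not captured traffic).
PORT_GOOD = "PORT 172,16,0,2,4,36\r\n"         # 172.16.0.2, port 4*256+36 = 1060
PORT_BAD_OCTET = "PORT 172,16,0,258,4,36\r\n"  # 258 is not a valid octet
PORT_EMPTY_FIELD = "PORT 172,16, ,2,4,36\r\n"  # empty address field
SERVER_STREAM = (b"500 Invalid command given: XXXXXXXXXXXXXX227 (172,16,0,2,128,7)\r\n"
                 b"227 Entering Passive Mode (172,16,0,2,4,36)\r\n")

if __name__ == "__main__":
    print(parse_port(PORT_GOOD, "172.16.0.2"))         # ('172.16.0.2', 1060)
    print(parse_port(PORT_BAD_OCTET, "172.16.0.2"))    # None
    print(parse_port(PORT_EMPTY_FIELD, "172.16.0.2"))  # None
    print(parse_port(PORT_GOOD, "10.0.0.5"))           # None: not the control peer
    print(pasv_endpoints(SERVER_STREAM, "172.16.0.2")) # [('172.16.0.2', 1060)]
```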

One-way Connections I
  [diagram: a one-way connection established from the Intranet; TCP header, TCP payload and TCP header + payload shown with the firewall's ACCEPT / DROP decisions]

One-way Connections II
  [diagram: open one-way connection, datagram A, datagram B; open one-way connection again, retransmission of B, ...]

FWZ Encapsulation I
  VPN tunneling protocol
  [diagram: encapsulated packet = modified IP header + IP payload + encapsulation info (obfuscated); 1. original d-address and original protocol carried in the encapsulation info; 2. modified header: d-address = firewall, protocol = 94]
  Decapsulation without decryption or authentication
  Cannot be disabled

FWZ Encapsulation II
  Key to spoofing attacks
  [diagram: 10.x.x.x; IP header (s-addr, d-addr) and encapsulation info (d-addr)]

Fake "PORT" Commands
  [diagram: fake "PORT" packet delivered to the FTP client: IP header (s-addr, d-addr), encapsulation info (d-addr), TCP header + payload "PORT 172,16,0,2,128,7"]

RSH Error Connections I
  [diagram: RSH client -> RSH server, port 514; "error port is 1025"; the server opens the error connection back to the client; entries in "connections" and in "pending"]
  Reversed matching

RSH Error Connections II
  [diagram: state entries (s-addr:s-port, d-addr:magic, seq), (s-addr:error-port, d-addr:magic, protocol = 6 (TCP)) and, for SYN packet #2 (port info) with TCP seq = 5, (s-addr:s-port, d-addr:magic, seq + 1 = 6)]

Fake UDP Requests
  [diagram: fake DNS request delivered to the DNS client: IP header (s-addr, d-addr), encapsulation info (d-addr), UDP header with s-port = 161, d-port = 53]

FWZ Encapsulation III
  Key to non-routable addresses
  [diagram: 10.x.x.x; IP header (s-addr, d-addr) and encapsulation info (d-addr)]

Anti-Spoofing Protection I
  [diagram: fake DNS request (IP header: s-addr, d-addr; s-port = any, d-port); 2. tunnel to firewall (IP header: s-addr, d-addr; s-port = 161, d-port; encapsulation info: d-addr)]

Anti-Spoofing Protection II
  [diagram: fake DNS request (IP header: s-addr, d-addr; encapsulation info: d-addr; s-port = 53, d-port); 2. tunnel to firewall (IP header: s-addr, d-addr; s-port = 161, d-port; encapsulation info: d-addr)]

FireWall-1 Modules
  [diagram: GUI <-> Management module (port 258/TCP); Management module <-> Filter module (port 256/TCP): security policy, status, logs]
  Authentication methods: S/Key, FWN1, FWA1

Inter-Module Protocol
  [diagram: Management module <-> Filter module exchange: version, IP addresses, command, required authentication; authentication; arguments, result]

S/Key Authentication
  Hash^n(x) = Hash(Hash(... Hash(x))) (n times) = Hash(Hash^(n-1)(x))
  Seed x (password hash)
  Hash^100(x); index = 99: Hash^99(x); ...; index = 1: Hash^1(x)
  Calculate seed y, Hash^100(y)
  "y = MakeSeed(time(NULL))"
  Attack: brute force

FWN1 Authentication
  Shared key K ("fw putkey")
  Random number R1, S1 = Hash(R1 + K)
  Random number R2, S2 = Hash(R2 + K)
  Attack: choose R2 = R1, so that S2 = S1

FWA1 Authentication
  Shared key K ("fw putkey")
  Random number R1, S1 = Hash(R1 + K)
  Random number R2, S2 = Hash((R1 ^ R2) + K)
  Attack: choose R2 = 0, so that R1 ^ R2 = R1 and S2 = Hash((R1 ^ R2) + K) = Hash(R1 + K) = S1
  To be solved: encryption

Hardening I
  Disable implicit rules: DNS, control connections, ICMP
  Restrictive access rules: no "any" sources or destinations; deny broadcast / multicast addresses; "minimal privilege"
  Properly configure anti-spoofing mechanism
  Filter protocol 94 (e.g. IP Filter)

Hardening II
  Different (virtual) IP addresses for public services
  Restrict control connections
  FWA1 authentication
  VPN technology
  More than one line of defense!

Fixes by Check Point
  Solutions by Check Point available today at

Problems in Inspection
  Unreliable / unauthenticated input
  Layering restrictions on inspection
  Layering violations in inspection
  Ambiguous end-to-end semantics

Example: Airport Security
  Unreliable / unauthenticated input: examining baggage tags
  Layering restrictions on inspection: examining shape, size, weight
  Layering violations in inspection: parallelizing bag content inspection
  Ambiguous end-to-end semantics: checking for known contraband

Classification of the Attacks
  Unreliable / unauthenticated input: TCP fastmode
  Layering restrictions on inspection: FWZ VPN encapsulation
  Layering violations in inspection: FTP data connection handling, unidirectional TCP data flow, RSH error connection handling
  Ambiguous end-to-end semantics: parsing of FTP "PORT" commands

Thanks.
  Thomas Lopatic, John McDonald, Dug Song