Presentation is loading. Please wait.

Presentation is loading. Please wait.

T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20001 A Stateful Inspection of FireWall-1 Thomas Lopatic,

Published byLucinda Parks Modified over 8 years ago

Similar presentations

Presentation on theme: "T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20001 A Stateful Inspection of FireWall-1 Thomas Lopatic,"— Presentation transcript:

1 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20001 A Stateful Inspection of FireWall-1 Thomas Lopatic, John McDonald TÜV data protect GmbH tl@dataprotect.com, jm@dataprotect.com Dug Song CITI at the University of Michigan dugsong@umich.edu data protect

2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20002 Overview Architecture of FireWall-1 Attacking the firewall’s state I FWZ encapsulation Attacking the firewall’s state II Attacking authentication between firewall modules Hardening FireWall-1 The big picture

3 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20003 Stateful Inspection I virtual defrag pre-inspection “connections” chain of fragments ACCEPT virtual machine ACCEPTREJECT “connections” “pending”

4 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20004 Stateful Inspection II UDP replies accepted C Cany internal client external server accepted UDP packet S UDP “connections” from a client, port C to a server, port S + wildcard port

5 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20005 Stateful Inspection III “PORT 192,168,0,2,4,36” data connection 21 201060 “PASV” 21 1060 > 1023 “227... (172,16,0,2,4,36)” FTP server 172.16.0.2 FTP client 192.168.0.2 data connection

6 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20006 Topology Solaris 172.16.0.2 172.16.0.1 194.221.6.159 Windows NT 194.221.6.149 192.168.0.1 OpenBSD 192.168.0.3 Nokia IP-440 Linux 192.168.0.2 Hub Victim networkHostile network

7 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20007 Fastmode Services non-SYN packets accepted Source port = fastmode service Destination port = fastmode service Stealth scanning (FINs,...) 172.16.0.x Internet non-SYNs

8 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20008 FTP “PORT” Parsing “PORT 172,16,0,258,p1,p2” 172.16.0.2192.168.0.2 “PORT 172,16,1349632,2,p1,p2” 1349632 = 65536 * (192 - 172) + 256 * (168 - 16) 172.16.1.2 172.16.0.2 data connection Application: bounce attack

9 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20009 FTP “PASV” Handling “XXXXXXXXXXXXXX227 (172,16,0,2,128,7)” 172.16.0.2 500 Invalid command giv 227 (172,16,0,2,128,7)192.168.0.2 Advertise small Maximal Segment Size Server replies split en: XXXXXXXXXXXXXX

10 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200010 One-way Connections I TCP header TCP payload TCP header + payload ACCEPT DROP Intranet established one-way connection

11 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200011 One-way Connections II 172.16.0.2192.168.0.2 open one-way connection datagram A datagram B open one-way connection retransmission of B [...]

12 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200012 FWZ Encapsulation I modified IP header IP payload encapsulation info (obfuscated) + 1. original d-address, original protocol 2. d-address = firewall, protocol = 94 VPN tunneling protocol Decapsulation without decryption or authentication Cannot be disabled

13 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200013 FWZ Encapsulation II Key to spoofing attacks 10.x.x.x 131.159.1.1 s-addr = 10.0.0.1 d-addr = 194.221.6.19 d-addr = 131.159.1.1 194.221.6.19 IP header encapsulation info

14 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200014 Fake “PORT” Commands FTP client 172.16.0.2 192.168.0.2 s-addr = 172.16.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.2 IP header encapsulation info “PORT 172,16,0,2,128,7” TCP header + payload fake “PORT” packet 192.168.0.1

15 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200015 RSH Error Connections I “error port is 1025” error connection 514 < 10241025 1024 RSH server 192.168.0.2 RSH client 172.16.0.2 in “connections” in “pending” Reversed matching

16 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200016 RSH Error Connections II s-addr:s-port d-addr:magic seq + 1 172.16.0.2:1024 192.168.0.2:magic 250001 s-addr:error-port d-addr:magic protocol 172.16.0.2:1025 192.168.0.2:magic 6 (TCP) s-addr:s-port d-addr:magic seq + 1 172.16.0.2:32775 192.168.0.2:magic 6 = seq + 1 = TCP seq = 5 SYN packet #2 (port info)

17 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200017 Fake UDP Requests DNS client 172.16.0.2 192.168.0.2 s-addr = 172.16.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.2 IP header encapsulation info s-port = 161 d-port = 53 UDP header fake DNS request 192.168.0.1

18 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200018 FWZ Encapsulation III Key to non-routable addresses 10.x.x.x 131.159.1.1 s-addr = 131.159.1.1 d-addr = 194.221.6.19 d-addr = 10.0.0.1 194.221.6.19 IP header encapsulation info

19 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200019 Anti-Spoofing Protection I 192.168.0.2 s-addr = 192.168.0.2 d-addr = 192.168.0.1 s-port = any d-port = 161 1. fake DNS request 2. tunnel to firewall 192.168.0.1 2. s-addr = 192.168.0.1 d-addr = 192.168.0.1 s-port = 161 d-port = 53 1. d-addr = 192.168.0.2

20 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200020 Anti-Spoofing Protection II 192.168.0.2 s-addr = 192.168.0.2 d-addr = 192.168.0.1 d-addr = 224.0.0.1 s-port = 53 d-port = 161 1. fake DNS request 2. tunnel to firewall 192.168.0.1 2. s-addr = 224.0.0.1 d-addr = 192.168.0.1 s-port = 161 d-port = 53 1. d-addr = 192.168.0.2

21 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200021 FireWall-1 Modules Management module GUI Filter module Port 256/TCP Security policy, status, logs Port 258/TCP Authentication methods S/Key, FWN1, FWA1

22 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200022 Inter-Module Protocol Version IP addresses Command Required authentication Management module Filter module Authentication Arguments, Result

23 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200023 S/Key Authentication Hash n (x) = Hash(Hash(... Hash(x))) = Hash(Hash n- 1 (x)) n times Seed x (password hash) Hash 100 (x) Index = 99 Hash 99 (x) Index = 1 Hash 1 (x)... Calculate seed y, Hash 100 (y) “y = MakeSeed(time(NULL))” Attack: brute force

24 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200024 FWN1 Authentication Random number R 1 S 1 = Hash(R 1 + K) Random number R 2 S 2 = Hash(R 2 + K) Shared key K (“fw putkey”) Attack: choose R 2 = R 1, so that S 2 = S 1

25 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200025 FWA1 Authentication Random number R 1 S 1 = Hash(R 1 + K) Random number R 2 S 2 = Hash((R 1 ^ R 2 ) + K) Shared key K (“fw putkey”) Attack: choose R 2 = 0, so that R 1 ^ R 2 = R 1 and S 2 = Hash((R 1 ^ R 2 ) + K) = Hash(R 1 + K) = S 1 To be solved: encryption

26 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200026 Hardening I Disable implicit rules DNS control connections ICMP Restrictive access rules no “any” sources or destinations deny broadcast / multicast addresses “minimal privilege” Properly configure anti-spoofing mechanism Filter protocol 94 (e.g. IP Filter)

27 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200027 Hardening II Different (virtual) IP addresses for public services Restrict control connections FWA1 authentication VPN technology More than one line of defense!

28 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200028 Fixes by Check Point Solutions by Check Point available today at http://www.checkpoint.com/techsupport

29 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200029 Problems in Inspection Unreliable / unauthenticated input Layering restrictions on inspection Layering violations in inspection Ambiguous end-to-end semantics

30 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200030 Example: Airport Security Unreliable / unauthenticated input Examining baggage tags Layering restrictions on inspection Examining shape, size, weight Layering violations in inspection Parallelizing bag content inspection Ambiguous end-to-end semantics Checking for known contraband

31 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200031 Classification of the Attacks Unreliable / unauthenticated input TCP fastmode Layering restrictions on inspection FWZ VPN encapsulation Layering violations in inspection FTP data connection handling unidirectional TCP data flow RSH error connection handling Ambiguous end-to-end semantics Parsing of FTP “PORT” commands

32 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 200032 Thanks. Thomas Lopatic tl@dataprotect.com John McDonald jm@dataprotect.com Dug Song dugsong@umich.edu

Download ppt "T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 20001 A Stateful Inspection of FireWall-1 Thomas Lopatic,"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Local Wireless Network - An wireless Access Point (AP) which is the bridge the ethernet network and the wireless network -The AP protect its wireless network.

Local Wireless Network - An wireless Access Point (AP) which is the bridge the ethernet network and the wireless network -The AP protect its wireless network.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Similar presentations

Ads by Google