Firewalls
Firewalls are hardware or software devices designed to limit or filter traffic between a trusted and untrusted network. Firewalls are used to control traffic and limit specific activity. As an example, we can use the analogy of flying. Before you can get on the plane, you must pass a series of security checks. You must pass through a metal detector; your luggage and personal belongings are examined; and if you look suspicious, you might even be pulled aside for additional checks. Firewalls work in much the same way, as they examine traffic, limit flow, and reject traffic that they deem suspect.
This section of the Chapter examines firewalls. You will review the basic types, see how they are used to secure a network, and learn the differences between stateful and stateless inspection. Finally, this Chapter looks at some of the ways that attackers attempt to identify firewalls and how they can be probed or bypassed.
Firewall Types
Objective: Know the various firewall types such as packet filters and stateful inspection Discuss the ways in which hackers identify firewalls Describe the methods used to bypass and attack firewalls |
Firewalls act as a chokepoint to limit and inspect traffic as it enters and exits the network. Although a number of variations or types of firewalls exist, there are two basic designs:
- Packet filters
- Stateful inspection
Let's first take a look at how addresses can be handled, and then discuss packet filters and finally stateful inspection. Stateful inspection is the most advanced type.
Network Address Translation
Network Address Translation (NAT) was originally developed to address the growing need for ID addresses, and it is discussed in RFC 1631. NAT can be used to translate between private and public addresses. Private IP addresses are those that are considered unroutablebeing unroutable means that public. Internet routers will not route traffic to or from addresses in these ranges. RFC 1918 defines the three ranges of private addresses as
- 192.168.0.0192.168.255.255
- 172.16.0.0172.31.255.255
- 10.0.0.010.255.255.255
NAT enables a firewall or router to act as an agent between the Internet and the local network. The firewall or router enables a range of private addresses to be used inside the local network, whereas only a single unique IP address is required to represent this entire group of computers to the external world. NAT provides a somewhat limited amount of security because it can hide internal addresses from external systemsan example of security by obscurity. NAT can also be problematic as packets are rewritten; any application-level protocol such as IPSEC that requires the use of true IP addresses might be harder to implement in a NAT'ed environment.
Packet Filters
Packet filters were the first type of firewall to be used by many organizations around the world. The capability to implement packet filtering is built in to routers and is a natural fit with routers as they are the access point of the network. Packet filtering is configured through access control lists (ACL). ACLs enable rule sets to be built that that will allow or block traffic based on header information. As traffic passes through the router, each packet is compared to the rule set and a decision is made whether the packet will be permitted or denied. For instance, a packet filter might permit web traffic on port 80 and block Telnet traffic on port 23. These two basic rules define the packet filter. A sample ACL with both permit and deny statements is shown in the following:
no access-list 111 access-list 111 permit tcp 192.168.13.0 0.0.0.255 any eq www access-list 111 permit tcp 192.168.13.0 0.0.0.255 any eq ftp access-list 111 deny udp any any eq netbios-ns access-list 111 deny udp any any eq netbios-dgm access-list 111 deny udp any any eq netbios-ss access-list 111 deny tcp any any eq telnet access-list 111 deny icmp any any interface ethernet1 ip access-group 111 in
As seen in this example, ACLs work with header information to make a permit or deny decision. ACLs can make permit or deny decisions on any of the following categories:
- Source IP address Is it from a valid or allowed address?
- Destination IP address Is this address allowed to receive packets from this device?
- Source port Includes TCP, UDP, and ICMP.
- Destination port Includes TCP, UDP, and ICMP.
- TCP flags Includes SYN, FIN, ACK, and PSH.
- Protocol Includes protocols such as FTP, Telnet, SMTP, http, DNS, and POP3.
- Direction Can allow or deny inbound or outbound traffic.
- Interface Can be used to restrict only certain traffic on certain interfaces.
Although packet filters provide a good first level of protection, they are not perfect. They can filter on IP addresses but cannot prevent spoofing. They can also block specific ports and protocols but cannot inspect the payload of the packet. Most importantly, packet filters cannot keep up with state. This inability to keep up with state is a critical vulnerability, as it means that packet filters cannot tell if a connection started inside or outside the organization.
Consider the following example: The organization allows outgoing initiated port 21 FTP traffic but blocks inbound initiated FTP traffic. If a hacker attempted a full connect scan on port 21 to an internal client, the scan would be blocked by the router. But what if the hacker crafted an ACK scan on port 21 to the same internal client? The answer is that it would go directly to the client because the router cannot keep state. It cannot distinguish one inbound FTP packet from another. Even when the scan was blocked, a router might still give up valuable information. That's because when a packet filter receives a request for a port that isn't authorized, the packet filter might reject the request or simply drop it. A rejected packet will generate an ICMP Type 3 Code 13, Communication Administratively Prohibited. These messages are usually sent from a packet filtering router and can indicate that an ACL is blocking traffic. It clearly identifies the router. The basic concepts of bypassing and identifying packet filters are shown in Figure 10.4.
Figure 10.4. Bypassing packet filters.
Exam Alert
An ICMP Type 3 Code 13 denotes that traffic is being filtered by the router, whereas an ICMP Type 3 Code 3 indicates that client is reporting the port is closed.
After the hacker has mapped what ports and protocols are permitted or denied, a plan of attack can be devised. Hackers can use techniques such as port redirection to bypass the packet filter. Port redirection would allow a hacker to source port an attack through an allowed port on the packet filter. Tools, such as datapipe, discussed in Chapter 6, "Trojans and Backdoors," can be used. The items discussed here should be enough for you to start to see that a packet filter by itself is insufficient network protection. Stateful inspection will be needed.
Exam Alert
Filtering data on the source port of a packet isn't secure because a skilled hacker can easily change a source port on a packet, which could then pass through the filter.
Stateful Inspection
Stateful inspection firewalls are closely related to packet filters, except that they have the capability to track the status of a connection. For example, if an ACK packet arrives at the firewall that claims to be from an established connection, the stateful firewall would deny it if it did not have a record of the three-way handshake ever taking place. The packet filter would compare the packet to a ruleset and blindly forward the packet. Stateful inspection accomplishes this valuable task by maintaining a state table that maintains the record of activity connections.
Proxy servers are another option for the defense of the network. Proxy servers sit between a client and a web server and communicate with the server on behalf of the client. They stand in place of the other party and can be used to cache frequently accessed pages. Proxy servers reduce traffic and increase security by presenting a single IP address to the Internet and prevent direct access into or out of the network. Types of proxies include
- Application-level proxy Inspects the entire packet and then makes a decision based on what was discovered while inspecting the contents. This method is thorough, but slow. They work with specific applications.
- Circuit-level proxy Closely resembles a packet-filtering device, in that it makes decisions on addresses, ports, and protocols. However, they work for a wider range of protocols and applications.
In reality, most organizations use a combination of firewall technologies, such as packet filters, proxy servers, and stateful inspection. Used together with a good network design, firewalls can be quite effective. The most commonly used design is that of a demilitarized zone (DMZ). A DMZ is a protected network that sits between the untrusted Internet and the trusted internal network. Servers deployed in the DMZ need to be hardened and made more secure than the average internal computer. These systems are called bastion hosts. A bastion host is built by stripping all unneeded services from the server and configuring it for a specific role such as web or email.
Building secure hosts and using firewalls is not enough. The architecture of the network can also play a big role in the organization's overall security. Some common designs used to secure networks are shown in Table 10.3.
Configuration |
Vulnerability |
---|---|
Packet filter |
Stateless, provides only minimal protection. |
Dual-homed host |
Firewall depends on the computer that hosts it. Vulnerabilities in the OS can be used to exploit it. |
Screened host |
Might be less vulnerable than a dual-homed host as the screened host has a packet filter to screen traffic, but it is still only as secure as the OS upon which it has been installed. |
Stateful inspection |
Stateful inspection offers more protection than packet filters but can be vulnerable because of poor rule sets and permissive setting. |
DMZ |
Devices in the DMZ are more at risk than the protected inner network. The level of vulnerability depends on how well the host in the DMZ has been hardened. |
Exam Alert
Hackers prefer to move information from the inside out, as it is the least restrictive path. Assume that the hacker is already in the network when you develop rulesets and policies.
Review Break
There are many different types of firewalls and ways that devices can be used to protect a network. The following list summarizes the different technologies that have been discussed.
Name |
Category |
Attributes |
---|---|---|
NAT |
Address translation |
Hides internal addresses |
Packet filters |
Stateless inspection |
Filter based on packet header options |
Stateful inspection |
Tracks connection state |
Filtering based on packet data/state |
Proxy servers |
Caching/stateful inspection |
Application-level inspects entire packet |
Bastion host |
Hardened server |
Designed to be placed in DMZs |
DMZs |
Controlled area |
Sets between trusted/untrusted networks |
Identifying Firewalls
Now that we have spent some time reviewing firewalls, let's turn our attention to some of the ways that firewalls can be identified. This is an important topic for the ethical hacker because after an attacker has identified the firewall and its ruleset, he can attempt to determine and exploit its weaknesses. The three primary methods of identification include the following:
- Port scanning
- Firewalking
- Banner grabbing
Port scanning is one of the most popular tools used to identify firewalls and to attempt to determine the ruleset. Many firewalls have specific ports; open knowledge of this can help you identify it. Two examples of this include older versions of Microsoft Proxy Server, which has open ports on 1080 and 1745, and CheckPoints Firewall-1it listens on 256, 257, and 258. Traceroute can also be a useful tool. When used with Linux, traceroute has the I option. The I option uses ICMP packets instead of UDP packets. Although it isn't 100 percent reliable, it can help you see which hop is the last to respond and might allow you to deduce if it is a firewall or packet filter. A snippet of output from traceroute is shown in the following example:
1 10 ms <10 ms <10 ms 192.168.123.254 2 10 ms 10 ms 20 ms 192.168.10.1 ... 15 80 ms 50 ms 50 ms 10.1.1.50 client-gw.net 16 * * * Request timed out. 17 * * * Request timed out.
Hping is another useful tool for finding firewalls and identifying internal clients. It is especially useful because it allows you to do the same kind of testing; not only can it use ICMP and UDP, but it can also use TCP.
Hping can be used to traceroute hosts behind a firewall that blocks attempts using the standard traceroute utilities. Hping can also
- Perform idle scans
- Test firewall rules
- Test IDSs
Because hping uses TCP, it can be used to verify if a host is up even if ICMP packets are being blocked. In many ways, hping is similar to Netcat because it gives the hacker low level control of the packet. The difference is that Netcat gives control of the data portion of the packet; hping focuses on the header. This Linux-based tool can help probe and enumerate firewall settings.
Exam Alert
Make sure that you understand the function of hping before attempting the test. One good site to review is http://wiki.hping.org.
Firewalking is the next firewall enumeration tool. Firewalk is a firewall discovery tool that works by crafting packets with a TTL value set to expire one hop past the firewall. If the firewall allows the packet, it should forward the packet to the next hop where the packet will expire and elicit an ICMP "TTL expired in transit" message. If the firewall does not allow the traffic, the packet should be dropped and there should be no response or an ICMP "administratively prohibited" message should be returned. To use firewalk, you need the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. Results vary depending on the firewall; if the administrator blocks ICMP packets from leaving the network, the tool becomes ineffective.
Banner grabbing is one of the most well-known and well-used types of enumeration. The information generated through banner grabbing can enhance the hacker's effort to further compromise the targeted network. The three main services that send out banners include FTP, Telnet, and Web services. No specialized tools are needed for this attack. Just telnet to the IP address of the address and specify the port. Here is an example with an older Eagle Raptor Firewall:
telnet 192.168.13.254 21 (unknown) [192.168.13.254] 21 (21) open 220 Secure Gateway FTP server ready
If the firewall you are enumerating happens to be a Cisco router, there's always the chance that a Telnet or SSH has been left open for out-of-band management. Most Cisco routers have five terminal lines, so telnetting to one of those might provide additional identifying details:
[root@mg /root]# telnet 192.168.13.1 Trying 192.168.13.1... Connected to 192.168.13.1 Escape character is '^]'. Your connected to router1 User Access Verification Username:
Telnet isn't secure. Besides username password guessing, it's also vulnerable to sniffing. If you have no choice but to use Telnet for out-of-band management, you will at a minimum want to add an access list to restrict who can access the virtual terminal (vty) lines. Web servers and email servers are also available to banner grabbing. Simply telnet to the web server address followed by the port and press Enter a couple of times. You will most likely be rewarded with the web server's banner.
Bypassing Firewalls
Unfortunately, there is no secret technique to bypass every firewall that you'll encounter during your ethical hacking career. Firewalls can be defeated because of misconfiguration or liberal ACLs, but many times, it's simply easer to go around the firewall than through it. After all, firewalls cannot prevent any of the following attacks:
- Insider misuse or internal hacking Firewalls are usually located at the edge of the network and therefore cannot prevent attacks that originate inside the network perimeter.
- Attacks from secondary connections Hackers that can bypass the firewall and gain access through an unsecured wireless point or an employee's modem render the firewall useless.
- Social engineering Firewall cannot protect against social engineering attacks.
- Physical security If the hacker can just walk in and take what he wants, the firewall will be of little use even if it is properly configured.
- Poor policy or misconfiguration It sounds like an oxymoron: "You cannot deny what you permit." If the firewall is not configured properly or wasn't built around the concept of "deny all," there's the real chance that the hacker can use what's available to tunnel his way in.
Trivial FTP (TFTP) can be another useful tool for hacking firewalls. While scanning UDP ports, you will want to pay close attention to systems with port 69 open. Cisco routers allow the use of TFTP in conjunction with network servers to read and write configuration files. The configuration files are updated whenever a router configuration is changed. If you can identify TFTP, there is a good chance that you can access the configuration file and download it. Here are the basic steps:
1. |
Determine the router's name. NSLookup or Ping a can be useful.
C:>ping -a 192.168.13.1 Pinging Router1 [192.168.13.1] with 32 bytes of data: Reply from 192.168.13.1: bytes=32 time<10ms TTL=255 Reply from 192.168.13.1: bytes=32 time<10ms TTL=255 Reply from 192.168.13.1: bytes=32 time<10ms TTL=255 Reply from 192.168.13.1: bytes=32 time<10ms TTL=255 Ping statistics for 192.168.13.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms |
2. |
After the router's name is known, you can then use TFTP to download it from the TFTP server.
C:>tftp -i 192.168.13.1 GET router1.cfg Transfer successful: 250 bytes in 1 second, 250 bytes/s |
3. |
If you're lucky, you will be rewarded with the router's configuration file.
|
A lot of information is there to be exploited, but before we talk about that, let's discuss another potential option should TFTP not be available. If TFTP is not available, you will also want to check and see if port 80 has been left open. If so, the router might be vulnerable to "HTTP Configuration Arbitrary Administrative Access Vulnerability." More information about this vulnerability is available at www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml. Without delving too far into the details, let's look at how this can be a big problem.
After an attacker finds that port 80 is open on the router, he can then point his browser to the IP address. At this point, you will be provided with the standard Cisco username and password prompt dialog box. Instead of guessing usernames and passwords, simply select Cancel. Then enter the following URL: http://router_ip/level/99/exec/show/config. Just remember to place the vulnerable router's IP address in the router_ip portion of the URL.
If the router is vulnerable, you will be taken to a page that contains the config file. Figure 10.5 displays what will be seen if the router is vulnerable.
Figure 10.5. Grabbing the router configuration file.
However you grab the router configuration file, via TFTP or other means, you will find that it contains a lot of information for the attacker. Let's start with the passwords shown previously. Passwords in the router.cfg file can be saved in one of three forms:
- Cleartext
- Vigenere
- MD5
Cleartext requires little explanation. Vigenere provides only weak encryption. A host of tools are available to break it. One such tool is available in Cain. Many vigenere cracking tools are also available online. One's available at www.securitystats.com/tools/ciscocrack.php. Just take the password that follows the password 7 string in the configuration file and plug it into the tool. Figure 10.6 shows an example.
Figure 10.6. Router password crack.
The most secure of the three possible password types is the MD5 version. These are discussed in more detail in Chapter 12, "Cryptographic Attacks and Defenses."
Firewalls are also vulnerable if the hacker can load a Trojan or tool on an internal client. Most firewall rules are much more restrictive going into the network. If the hacker has an accomplice inside or can trick a user into loading a Trojan, he can use this foothold to tunnel traffic out on an allowed port. Services such as DNS, web, FTP, SMTP, and ICMP are big targets for such deception. Tools such as AckCmd, ICMP Shell, Loki, and Netcat can all be used to further exploit the network. An example of this is shown in Figure 10.7, where the hacker has tricked an internal user into running Netcat on the victim's system. Netcat uses the existing outbound port of 80 to connect to the hacker's system.
Figure 10.7. Using Netcat to tunnel out through a firewall.
Exam Alert
Some networks deploy honeypots to lure attackers away from legitimate systems and divert their efforts. This type of information is something the exam will expect you to know.
Honeypots
|