Firewall Design


Firewall Vulnerabilities
Presented by Vincent J. Ohm
Topics
• Firewall design
– (Stateful) Packet Filter, Application Proxy, Personal Firewall
• OSI Stack Layer
– IP, TCP spoofing
• Applications
– sendmail
• Firewall implementation
– broad permissions, overflows, etc.
Firewalls
• Network gateway
– handles incoming & outgoing traffic
• Access manager
– blocks/grants access to services, networks
Firewall Design
(The benefits)
• Packet Filter
– scans IP address, port number
– block specific addresses, ports
– Stateful: adds connection filtering
• Application Proxy
– scans packet payload
– filter harmful data, program commands
• Personal
– combination of filter & proxy
Firewall Design
(The drawbacks)
• Packet Filter
– harmful data passes through
• Application Proxy
– unknown application vulnerabilities
OSI Stack
• Network – I.P.
– no address authentication
– address is spoofable
• Transport – T.C.P.
– sequence number enforces exclusivity
– spoof I.P. address and guess seq. number...
– T.C.P. spoofing
Applications
• Applications with vulnerabilities
– sendmail ‘WIZ’ debugging command creates root shell access on remote server
• Methods of exploitation
– crafted data (overflows)
– commands (sendmail)
• Packet Filters can block some
• Application Proxies can block more
Firewall Implementation
• Symantec Firewall/VPN Appliance
– Password leak
• Pyramid BenHur
– Active FTP
• Kerio Personal Firewall
– Rules bypassable
• Cisco PIX
– SNMPv3, VPNC IPsec
• Check Point Firewall-1 & DeleGate application proxy
– overflows
Symantec Firewall/VPN Appliance
• Accessing firewall to change password from unsecured terminal using web browser
• Firewall’s HTTP response, stored in browser cache
• HTTP response contains the new password…
• …in cleartext!
• Symantec’s fix: strips password data
Pyramid BenHur Firewall
• Firewall access rules can be bypassed…
• …by sending connect request with source port = 20 (FTP data port)
• Can connect to any port
• Workaround: block all outside access from port 20 OR apply patch
Kerio Personal Firewall
• Problem with default configuration
• Firewall would allow any UDP packet through if source port = 53 (DNS port)
• Intention: allow DNS responses
• Fix: allow packet only if DNS request precedes the response
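Added example, not from the slides: a toy Python filter that contrasts the source-port-trust rule behind both the BenHur (TCP port 20) and Kerio (UDP port 53) issues with the stateful check the Kerio fix describes. Hosts, ports and traffic are constructed; a real active-FTP filter would also have to inspect the control channel's PORT command, which this toy omits.

```python
from collections import namedtuple

# A packet as the filter sees it; direction is "in" (from outside) or "out".
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port direction")

def static_rule_allows(pkt):
    """Weak rule: trust inbound packets solely by their source port
    (UDP 53 for DNS replies, TCP 20 for FTP data), as the two slides describe."""
    if pkt.direction == "out":
        return True
    return (pkt.proto == "udp" and pkt.src_port == 53) or \
           (pkt.proto == "tcp" and pkt.src_port == 20)

class StatefulFilter:
    """Corrected rule: admit an inbound packet only as the reply to a
    request the inside host sent first (the fix the Kerio slide describes)."""
    def __init__(self):
        self.pending = set()   # expected-reply tuples, from the inside host's view

    def allows(self, pkt):
        if pkt.direction == "out":
            self.pending.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.pending:
            self.pending.discard(key)   # one DNS reply per request; a replay is dropped
            return True
        return False

def run_scenario():
    """Constructed traffic: one legitimate DNS exchange and two probes that only
    spoof a trusted source port. Returns {name: (static_verdict, stateful_verdict)}."""
    inside, resolver, attacker = "10.0.0.5", "192.0.2.53", "203.0.113.9"
    stateful = StatefulFilter()
    traffic = [
        ("dns_query", Packet("udp", inside, 40000, resolver, 53, "out")),
        ("dns_reply", Packet("udp", resolver, 53, inside, 40000, "in")),
        ("udp_from_53_to_445", Packet("udp", attacker, 53, inside, 445, "in")),
        ("tcp_from_20_to_22", Packet("tcp", attacker, 20, inside, 22, "in")),
    ]
    return {name: (static_rule_allows(p), stateful.allows(p)) for name, p in traffic}

if __name__ == "__main__":
    for name, (weak, fixed) in run_scenario().items():
        print(f"{name:22} static={weak!s:5} stateful={fixed}")
```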
Check Point Firewall-1
• Invalid HTTP request
• Generates error message using portion of input…
• …included in format string used for call to sprintf()
• Exploit for:
– command execution on firewall
– arbitrary code execution
DeleGate Application Proxy
• Uses fixed array size for username & password
• Arrays used in calls to strcpy()
• Input sufficiently long strings…
• …buffer overflow!
Conclusion
• Firewalls are not invulnerable
• Vulnerable by …
– Design
– Vulnerabilities at other O.S.I. layers
– Implementation flaws