Firewall. Security Assessment Issues

In 1999, I wrote an article, "Firewall Is Not a Panacea," which discussed various shortcomings inherent in the technology used in firewalls. I hoped that domestic suppliers and, especially, developers would stop fooling customers by claiming that their firewall is a panacea for all ills that will solve all of the customer's problems and reliably protect every resource of the corporate network. However, this did not happen, and I want to return to this topic again. Moreover, as my experience of lecturing on information security shows, this issue is of keen interest to specialists who already use firewalls in their organizations.

There are a number of problems I would like to talk about, and they can be illustrated with an analogy. A firewall is simply a fence around your network. It may be very tall or very thick, so that nobody can climb over it or make a hole in it. But... this fence cannot detect when someone is digging a tunnel under it or walking across a bridge thrown over it. The firewall simply restricts access to certain points behind your fence.

People make mistakes

As you know, firewalls, like other security measures, are configured by people. And people tend to make mistakes, even information security specialists. This is exactly what many attackers rely on. It is enough to find just one weakness in the firewall settings, and from then on, as they say, "it's your problem." Various studies confirm this. For example, statistics collected in 1999 by the ICSA Association (http://www.icsa.net) show that up to 70% of all firewalls are vulnerable because of incorrect configuration. I do not want to talk about the incompetence or low qualifications of firewall administrators (although these causes are by no means rare); I will describe a different example. Straight out of college, I ended up in the automation department of a large company. Internet protection was provided by a firewall managed by an administrator from the information security department. More than once I saw friends from other departments of the company approach this administrator and ask him to temporarily allow them access to game servers. Once I witnessed a shocking incident. The head of the partner relations department came to the firewall administrator and demanded access to one of the Internet resources. When told that this was impossible, the boss threatened to make the administrator's life "interesting", after which the latter had to follow the order and change the firewall settings. The most surprising thing is that the situation does not improve over time. We recently conducted a survey in one organization and found exactly the same situation there. The firewall allowed access via ICQ, RealAudio and other protocols. We began to find out why, and it turned out that this had been done at the request of an employee of one of the departments with whom the administrator had developed friendly relations.

"Normal heroes always take a detour"

A line from a song in the children's film "Aibolit-66" perfectly illustrates the next problem inherent in firewalls. Why try to reach protected resources through the security measures when you can try to bypass them? This can be illustrated with an example from a related field. On Wednesday, February 21, 1990, Mary Pierham, a budget analyst at an American company, came to work. However, she was unable to get to her workplace even after dialing the four-digit code and saying the code word into the access control system. Still wanting to get to work, Mary walked around the building and opened the back door using a nail file and a plastic comb. The newest security system that Mary Pierham bypassed was advertised as "failsafe and reliable" and cost tens of thousands of dollars. It is the same with firewalls, except that the back door is a modem. Do you know how many modems are installed on your network and what they are used for? Don't answer "yes" right away; think about it. While examining one network, the heads of the information security and automation departments swore up and down that they knew every single modem installed on their network. Having run the Internet Scanner security analysis system, we indeed found the modems they had listed, used to update the accounting and legal databases. However, two unknown modems were also discovered. One was used by an employee of the analytical department to reach working directories from home. The second modem was used to access the Internet, bypassing the firewall.


Although each organization will put forward its own requirements and priorities among the three selection criteria, it is possible to clearly formulate 10 Must-Have Next-Generation Firewall Features:

  1. Control of application functions and their sub-applications
  2. Managing unknown traffic
  3. Scanning to detect viruses and malware in all applications, on all ports
  4. Ensure the same level of application visibility and control for all users and devices
  5. Simplify, not complicate, network security with the addition of Application Control
  6. Deliver the same throughput and performance with application control fully enabled
  7. Support for absolutely identical firewall functions in both hardware and virtual form factors

2. Your next-generation firewall must identify and control security bypass tools.

Screenshot: network traffic of a TCP-over-DNS tunnel. The encrypted data is carried in the TXT record field. A typical firewall sees this traffic as ordinary DNS queries.

Real example. Today, programmers deliberately write applications to bypass firewalls. They do this for the sake of the so-called user experience.


Programmers want you to be comfortable! So that you install Skype and it immediately "lights up green". You will enjoy not having to persuade your administrator to write firewall rules, because these applications find and use ports already opened for other applications. Such ports are often 80, 53, 123, 25 and 110. Or the program simply takes the proxy server settings from the browser and uses them.

Modern security tools are not perfect either; they are also written by programmers. Twenty years ago, when the Internet was created, it was agreed that applications would be identified by port: 80 for HTTP, 25 for SMTP, 21 for FTP and so on. The situation has changed: any application can run over these ports. Have the protections changed? Can they tell that what is running on the standard HTTP port (port 80) right now is some application other than HTTP?


Bypassing firewall rules by using non-standard ports.


There is now a wide variety of applications on your network that can be used to deliberately bypass the security policies protecting your organization. How do you control them?
Security bypass tools fall into two classes of applications: those designed from the start to bypass security measures (for example, external proxies and encrypted tunnel applications other than VPNs), and those that can be adapted for this purpose (for example, remote server/desktop management tools).
  • External proxies and encrypted tunnel applications (not VPNs), equipped with a number of camouflage techniques, are used specifically to bypass security measures. Because these applications are designed to bypass security in the first place, and therefore add business and security risk, they provide no business value to your network.
  • Remote server/desktop management tools such as RDP and TeamViewer are commonly used by help desk staff and IT professionals to improve work efficiency. They are also often used by employees to connect to home and other computers outside the corporate network, bypassing the firewall. Attackers are well aware of this: the published Verizon Data Breach Investigations Report (DBIR) has reported that such remote access tools were used at one or more stages of network attacks, and they are still in use.

Do standard applications pose any risk to the network? After all, both remote access applications and many encrypted tunnel applications are used by administrators and employees. However, these same tools are increasingly used by attackers at various stages of their sophisticated attacks; an example of such a tool in 2017 is Cobalt Strike. If organizations fail to control the use of these security circumvention tools, they will not be able to enforce their security policies and will expose themselves to all the risks that those controls are designed to protect against.

Requirements. There are various types of security bypass applications, and the techniques used by each type differ slightly. There are public and private external proxies that can use both HTTP and HTTPS. For example, a large database of public proxies is published on the website proxy.org (blocked in the Russian Federation, and it should be blocked on your corporate network too). Private proxies are often set up on unclassified IP addresses (for example, home computers) using applications such as PHProxy or CGIProxy. Remote access applications such as RDP, TeamViewer or GoToMyPC have legitimate uses but must be strictly controlled because of the additional risk they introduce. Most other bypass applications (for example, Ultrasurf, Tor, Hamachi) have no business value for your network. Whatever your security policy says, your next-generation firewall should be equipped with specific techniques that let it identify and control all of the listed applications regardless of port, protocol, encryption method or other evasion tactics.
One more important point: bypass applications are updated regularly, making them ever harder to detect and control. It is therefore important to know how often the application control features in your firewall are updated and maintained.

Real example. Are standard protocols used on non-standard ports in your network? Can an administrator move RDP from the default port 3389 to another port? Yes. Can HTTP run on a port other than 80? Not only can it, it routinely does. Can an FTP server on the Internet run on a port other than 21? Yes, and a great many do. Does your security system see this? If not, then this is a standard way for a company employee or a hacker to evade policy checks: just move FTP to port 25, and your security tool thinks it is looking at SMTP. Do your IPS or antivirus signatures only work on port 80 or 110 (POP3)? An attacker will simply send the traffic over some other port, for example 10000.
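As an added illustration (not code from the original article), here is how an application-aware check identifies the protocol from the first bytes of a flow rather than from its port, using the cases above: FTP moved to port 25, RDP moved to port 10000 and HTTP on the DNS port. The sample flows, the port table and the rdp_connection_request helper are constructed for this example.

```python
"""Identify the application in a TCP flow from its first bytes rather than its port."""
import re
import struct
from typing import Dict, List, Tuple

# The port-to-application assumption a traditional port-based firewall relies on.
PORT_APP = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http",
            110: "pop3", 443: "tls", 3389: "rdp"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")


def looks_like_dns_query(data: bytes) -> bool:
    """DNS over TCP: 2-byte length prefix, then a header with QR=0, opcode 0, one question."""
    if len(data) < 14:
        return False
    (length,) = struct.unpack("!H", data[:2])
    if length != len(data) - 2:
        return False
    flags, qdcount, ancount = struct.unpack("!HHH", data[4:10])
    return (flags & 0xF800) == 0 and qdcount == 1 and ancount == 0


def identify_app(client_first: bytes, server_first: bytes) -> str:
    """Infer the application from the first bytes each side sends (the port is ignored)."""
    c, s = client_first, server_first
    if c.startswith(b"SSH-") or s.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST.match(c):
        return "http"
    # TLS record: type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(c) >= 6 and c[0] == 0x16 and c[1] == 0x03 and c[5] == 0x01:
        return "tls"
    # RDP: TPKT header (03 00 <len>) followed by an X.224 Connection Request (code 0xE0)
    if len(c) >= 7 and c[0] == 0x03 and c[1] == 0x00 and c[5] == 0xE0:
        return "rdp"
    if looks_like_dns_query(c):
        return "dns"
    if s.startswith(b"+OK"):
        return "pop3"
    if s.startswith(b"220"):
        # FTP and SMTP both greet with "220"; the client's first command separates them.
        if re.match(rb"^(EHLO|HELO) ", c):
            return "smtp"
        if re.match(rb"^(USER|AUTH|FEAT|OPTS) ", c):
            return "ftp"
        return "smtp" if b"SMTP" in s.upper() else "unknown"
    return "unknown"


def check_flow(server_port: int, client_first: bytes, server_first: bytes) -> Dict[str, object]:
    """Compare what the port promises with what the payload actually is."""
    app = identify_app(client_first, server_first)
    expected = PORT_APP.get(server_port)
    if app == "unknown":
        verdict = "unknown application"
    elif expected is None:
        verdict = "non-standard port"
    elif app == expected:
        verdict = "ok"
    else:
        verdict = "port/application mismatch"
    return {"port": server_port, "expected": expected, "app": app, "verdict": verdict}


def audit(flows: List[Tuple[int, bytes, bytes]]) -> List[Dict[str, object]]:
    """Return every flow whose payload does not match its port's expected application."""
    return [r for r in (check_flow(*f) for f in flows) if r["verdict"] != "ok"]


def rdp_connection_request(cookie: bytes) -> bytes:
    """Constructed RDP first packet: TPKT + X.224 CR (LI, 0xE0, DST-REF, SRC-REF, class 0)."""
    x224 = bytes([6 + len(cookie), 0xE0, 0, 0, 0, 0, 0]) + cookie
    return b"\x03\x00" + struct.pack("!H", 4 + len(x224)) + x224


# Constructed sample flows: (server port, client's first bytes, server's first bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    (25, b"USER anonymous\r\n", b"220 (vsFTPd 3.0.3)\r\n"),                # FTP moved to the SMTP port
    (10000, rdp_connection_request(b"Cookie: mstshash=user1\r\n"), b""),    # RDP moved to port 10000
    (53, b"GET /proxy HTTP/1.1\r\nHost: proxy.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),  # HTTP on the DNS port
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03]) + b"\x00" * 32, b""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```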

28.08.2012 18:06


Unified Communications (UC) technology can be thought of as a new set of data types and protocols carried over IP networks. From a security perspective, these services are not much different from other IP-based services, and best-practice recommendations include the technologies and techniques used to protect other services. This document describes the security issues that need to be considered when deploying unified communications systems and provides Polycom's recommendations for protecting them.

Firewall related issues

Polycom unified communications devices are computing devices equipped with remote management functions (a web interface or other APIs). Like any other IT infrastructure component, they should not be deployed outside the corporate firewall unless such interfaces are disabled. Polycom recommends deploying UC systems behind a firewall (as you would any high-value IT resource) and using the Polycom Video Border Proxy (VBP) solution so that H.323 signaling traffic and media streams can traverse the firewall. This helps prevent Internet-based attackers from connecting, even by chance, to unprotected UC endpoints.

Internet attackers will not be able to reach open ports and services on UC devices deployed behind a firewall. External users, customers, and business partners will still be able to make video calls to the UC device.

Organizations will need to deploy a UC firewall traversal solution, such as the Polycom Video Border Proxy (VBP).

Note. Organizations that, for economic reasons, cannot afford a firewall to protect their video terminals should disable remote management in the Security -> Enable Remote Management settings menu, which completely disables the web interface, Telnet and SNMP.

Firewall Traversal

Firewall traversal allows public video services to be used with the organization's existing firewall without exposing the UC infrastructure or any other computer in the organization to Internet attacks. The VBP device can be used both to give remote users access to video communication systems and to make video calls between companies, as shown in Figure 1.

Benefit from a higher level of security. An enterprise firewall protects UC devices in the same way it protects other IT assets. External users, customers, and business partners can still make video calls to the UC device.

Other aspects to consider. Organizations should review their existing network address translation (NAT) architecture; it may need adjusting to enable firewall traversal.

Security Assessment Issues

Polycom recommends periodically scanning corporate UC devices, just like any other IT resource, using vulnerability scanners to confirm the ability of system configurations to withstand identified risks. This is especially important when deploying new UC devices to ensure that all default configurations and passwords have been changed. You need to scan both devices inside and outside your organization's firewall. This gives a complete picture of possible scenarios of probable actions of attackers or abuses within the organization.

It should be noted that Polycom's product release process includes vulnerability scanning.

Benefit from a higher level of security. Vulnerability scanning can alert you when required patches are missing or, especially important in many corporate UC deployment scenarios, when the security configuration is incorrect. There are many commercial and free vulnerability scanners, including Internet-based scanning services. A scan performed from outside the corporate firewall can identify vulnerabilities that an attacker operating over the Internet could exploit.

Other aspects to consider. Scanning should be performed periodically to ensure that there are no changes to configurations. Scanning triggers alerts generated by firewalls and intrusion detection systems (IDS). Please note that Polycom does not provide advice regarding specific scanning tools. Organizations should conduct their own analysis to make the right choice based on their needs.

System management

From an administrative perspective, IT administrators should treat UC video devices like regular computing devices. To ensure security, administrators should use the same procedures when working with these devices as they do when working with servers.
Unused communication services should be disabled. If the organization does not plan to use SNMP to monitor devices, it must be disabled. If the organization does not use a Polycom CMA (Converged Management Application) management device, Telnet should be disabled. If SNMP is used for monitoring, the default value of the SNMP Community String parameter (in effect an access password) must be changed from "public".

Vulnerability scanners determine which services are open and accessible. Unused services should be disabled.
Benefit from a higher level of security. The fewer services are enabled, the fewer potential attack points available to attackers.

Other aspects to consider. Organizations need to periodically review system configurations to identify changes made to them. Vulnerability scanners allow you to automate this process. It is recommended to use them for periodic checks (once a month).

Auto answer issues

Auto answer is the ability of a video conferencing endpoint to answer incoming calls automatically. This function greatly simplifies the use of the system. However, it is necessary to understand its implications for corporate system security.

Why it matters. Many organizations place great value on the convenience of auto answer for video calls. For example, in universities that run distance learning programs, scheduled lectures are given by teachers in specific classrooms. Connecting to scheduled conferences in remote classrooms usually happens automatically, and that process depends on auto answer working correctly. In terms of security threats, the risk to the organization is relatively low, especially if random Internet attackers cannot dial into the conferences taking place in those classrooms. Polycom recognizes the need to strike a balance between security and user experience and recommends two options for addressing this issue.

Organizations should assess the level of risk they can tolerate when choosing one of these options.

The safest option. Disable auto answer.

Security risk. The risk from remote automatic connections is minimal. If auto answer is disabled, calling into a given room is simply impossible without active participation by a user in that room.

Other aspects to consider. This will not affect scheduled calls (integration with Outlook, Polycom RMX, etc.), but the user will need a remote control, a Polycom Touch Control or another control system to answer an incoming call (just as with a phone call). Note that if the call is not answered within 30 seconds, it is disconnected.

Less secure option. Auto answer is enabled (no user action is required to answer an incoming call).

Security risk. Remote automatic connection to video devices is possible. To reduce the risk you can:

1. Make sure that the "Mute Auto Answer Calls" mode is set (the microphone is muted for automatically answered calls). Note that the Polycom Converged Management Application (CMA) may reset this setting.

2. Disable camera control at the remote site (the Polycom CMA application may cause this setting to be reset).

3. Place the camera lens cap on when the system is not in use.

4. The CMA and Polycom Distributed Media Application (DMA) gateway security features direct calls only to devices that have been registered with them. In effect, this creates a closed group of devices for which auto answer is enabled, limited to a defined set of endpoints. (See Call Server Settings in the DMA Operation Guide.)

5. Check Call Data Record (CDR) logs to track unscheduled or out-of-hours calls.

Other aspects to consider. It is important to ensure that the remote control is accessible. Users should also be aware that in this mode they need to turn on the microphone to take part in a call.

Meeting Room Issues

Auto answer uses a "dial-in" design: external participants dial a number to reach the video system in the conference room. Polycom UC devices also support a different scheme: the video devices themselves place a call into a meeting room hosted on a central multipoint video conferencing server (MCU). This architecture is inherently more secure than the dial-in scheme because no direct connection is established between endpoints. If the video system in a room is not connected to the MCU server, a remote intruder simply cannot reach that room, even if he has access to the MCU.

Polycom takes these capabilities even further with virtual meeting rooms using its DMA solution. This not only allows the load to be distributed across all available MCU servers, but also prevents an attacker from determining the address of a specific video conference.

It should be noted that automatic ("dial-in") connection to scheduled conferences remains possible even when using MCU servers or meeting rooms: the MCU server automatically places the call to the video terminals at the appointed time, providing a high level of security combined with maximum ease of use.

Security risk. This configuration requires the use of a video conferencing MCU server, such as a Polycom RMX. Its deployment should be carried out according to the recommendations outlined in this document.

Other aspects to consider. In this mode, end devices must be set to "unmute on answer".

Remote access issues

Many organizations install video endpoints remotely in small offices or home offices (SOHO). These devices require exactly the same protection as any other remote IT resource. The most secure and easily managed method of protection is probably VPN technology. Many vendors offer low-cost, centrally managed VPN devices that are quite suitable for protecting a video device in a remote or home office. Many of them (such as the Aruba RAP) also include a built-in firewall.

Security Risk: VPN allows video devices to be logically connected to a corporate network protected by a corporate firewall. Internet users cannot access it except by bypassing the firewall during a normal video call, as with any video system. A video device that is logically connected to the corporate network is managed in the same way as other corporate video devices.

Other aspects to consider. Note that some home routers (for example, 2Wire) have problems with NAT and firewall traversal. A remote VPN device avoids these problems.

Using passwords

Polycom UC devices are computing devices, and although they are not general purpose computers like servers or desktop systems, they have much the same security architecture. One example is the use of user accounts and passwords.

Every Polycom device ships with a preset default password. As with any other computing device, the password must be changed during installation. A password cannot be empty, must be of an acceptable length and must be changed periodically. Polycom UC devices implement these aspects of a strong password policy.

Some organizations choose to use Microsoft's Active Directory to manage user accounts and passwords. Polycom devices support this configuration.

Security risk. Even the most well-protected device can be easily broken into if it has a weak or default password. Organizations should be aware that default password lists can be easily found online.

Log analysis

Polycom UC devices maintain a log of all outgoing and incoming calls. This log is called the CDR (Call Data Record) log. It should be regularly reviewed to determine if there has been any unintended use of the UC system by unknown or unauthorized remote devices at odd times (at night or when the room where the device is located is not occupied or scheduled for use).

The Polycom CMA management device retrieves CDR logs for analysis from all managed devices.

Other aspects to consider. IT department staff should be required to review log entries.
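As an added example (not Polycom's code; the CDR columns here are invented and differ from a real Polycom export), a review script that flags the conditions the text lists: calls at odd hours, at weekends, or from remote devices that are not on the known list.

```python
"""Review a constructed CDR (call detail record) export for the signs the text lists:
calls at odd hours, on weekends, or from remote devices that are not known to us."""
import csv
from datetime import datetime, time
from io import StringIO
from typing import Dict, Iterable, List, Set

# Constructed export. Columns are invented for the example; a real CDR has more fields.
CDR_SAMPLE = """start,direction,remote_address,remote_name,duration_s
2012-08-27 10:05:12,in,10.20.30.40,partner-boardroom,1810
2012-08-27 23:41:03,in,203.0.113.77,,95
2012-08-28 09:00:01,out,192.0.2.15,hq-rmx,3600
2012-08-25 03:12:40,in,198.51.100.9,,600
2012-08-28 14:30:00,in,10.20.30.41,partner-room-2,900
"""

# Endpoints and MCUs we expect to talk to (constructed).
KNOWN_REMOTES = {"10.20.30.40", "10.20.30.41", "192.0.2.15"}


def review_cdr(export: str, known_remotes: Set[str],
               work_start: time = time(8, 0), work_end: time = time(19, 0)) -> List[Dict[str, object]]:
    """Return the records that deserve a second look, each with the list of reasons."""
    flagged: List[Dict[str, object]] = []
    for row in csv.DictReader(StringIO(export)):
        started = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if started.weekday() >= 5:                      # Saturday or Sunday
            reasons.append("weekend")
        if not (work_start <= started.time() < work_end):
            reasons.append("out of hours")
        if row["direction"] == "in" and row["remote_address"] not in known_remotes:
            reasons.append("unknown remote device")
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged


def remotes_to_investigate(flagged: Iterable[Dict[str, object]]) -> Set[str]:
    """Distinct unknown remote addresses across the flagged records."""
    return {str(r["remote_address"]) for r in flagged if "unknown remote device" in r["reasons"]}


if __name__ == "__main__":
    for rec in review_cdr(CDR_SAMPLE, KNOWN_REMOTES):
        print(rec["start"], rec["remote_address"], ", ".join(rec["reasons"]))
```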

Encryption

The biggest risk for UC services is not eavesdropping but attacks by malicious actors trying to gain direct access to UC devices. However, eavesdropping is also possible; there is a whole range of tools that do it automatically. Encrypting video communications helps counter this threat.

UC devices should be configured to use encryption whenever possible. This will allow you to use existing devices or third-party devices that do not support encryption in UC meetings. Organizations with higher security requirements (or those that do not need to support existing legacy systems) can configure UC devices to always use encryption.

Please note that Polycom encryption is FIPS-140 certified by the US Government.

Other aspects to consider. Organizations that require "always use encryption" mode will not be able to use existing devices or third-party devices that do not support encryption.

Mobility issues

As the nature of video conferencing changes and moves from static systems (such as meeting room systems) to mobile devices (laptops or desktop systems), organizations face additional security challenges. Although video communication software has built-in security capabilities (encryption and so on), the device itself is exposed to risks that static systems do not face, simply because it is mobile and sits outside the corporate perimeter.

Polycom recommends centralized video application management for mobile systems, capable of ensuring correct configuration of security parameters. The Polycom CMA management device provides this capability.

Polycom also recommends installing third-party security software on mobile devices, such as antivirus software, personal firewalls and configuration compliance applications. In addition, organizations should develop a strategy for automatic updates of the OS and applications on mobile devices, and for remote wiping of confidential data if a device is lost or stolen.

Security risk. Without centralized security management of video system and endpoint configurations, it is impossible to predict whether a mobile device could be used as a means to launch an online attack on an organization.

Other aspects to consider. Most antivirus vendors offer client applications for mobile devices that integrate with the organization's existing antivirus management console.

Business-to-Business Communications Best Practices

Video calls between different organizations pose unique security risks because each organization has its own security policies and controls. Unlike calls within the same organization, when making calls between different organizations, data flows must be directed only to the devices participating in the call.

The safest option. Use a meeting room.

Security risk. The risk is minimal if direct point-to-point calls between companies are excluded. Endpoints in both organizations place a call to a multipoint video conferencing server (MCU) deployed in a demilitarized zone (DMZ) of the network. These MCU servers are designed specifically for this type of deployment and allow the endpoints to be joined into a single call. It should be emphasized that the MCU server must be configured according to the recommendations in this document.

Other aspects to consider. The MCU server can call both end devices at the scheduled start time of the conference. However, the remote organization must configure its endpoint device to ensure that this connection is secure.

Less secure option. Use access control lists to restrict incoming calls. We strongly recommend that you check your log frequently to identify any unexpected incoming or outgoing calls.

Security risk. Remote automatic connection to video devices is possible. Measures are needed to prevent unauthorized connections to the auto-answering endpoint.

Other aspects to consider. You must configure firewall rules to allow incoming connections initiated by a remote device.

Issues related to device disposal and data wipe

When computing devices reach the end of their useful life and the time comes to dispose of them, confidential corporate data must be erased from them. Polycom UC devices have a factory reset feature that restores all settings to the original preset configuration. This process erases all sensitive data (address books, call histories, call logs, etc.).

Polycom recommends that you restore all UC devices to factory settings before disposing of them.

Note. When resetting your device, it is important to use the Erase Flash option to erase personal data.

Google vs Firewalls

As reported in PCWeek/RE No. 21, 2001, during a temporary firewall outage at Atlanta Polytechnic University the Google search engine indexed the university's internal network and gained access to student files: home addresses, social security numbers and so on.

A common misconception is that a firewall recognizes attacks and blocks them. In fact, a firewall is a device that first prohibits everything and then allows only the "good" things. That is, when a firewall is installed, the first step is to prohibit all connections between the protected and open networks. The administrator then adds specific rules that allow certain traffic through the firewall. A typical firewall configuration denies all incoming ICMP traffic, allowing only outgoing traffic and some incoming traffic over UDP and TCP (for example, HTTP, DNS, SMTP and so on). This lets employees of the protected organization work with the Internet while denying attackers access to internal resources. However, do not forget that firewalls are simply rule-based systems that allow or deny traffic through them. Even firewalls that use stateful inspection technology cannot say with certainty whether an attack is present in the traffic or not. They can only report whether the traffic matches a rule.
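The default-deny configuration just described, written out as an nftables ruleset so the point is concrete: every decision below is made on addresses, ports and connection state alone, and nothing in it inspects what the allowed HTTP, SMTP or DNS traffic carries. This is an added example, not from the original article; the interface names wan/lan and the two published server addresses are assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet border {
    chain input {
        # traffic addressed to the firewall itself: nothing from the Internet
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
    }

    chain forward {
        # step 1 from the text: prohibit everything between the two networks
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # outgoing: anything the protected network starts towards the Internet
        iifname "lan" oifname "wan" ct state new accept

        # incoming: only the few published services (addresses assumed)
        iifname "wan" oifname "lan" ip daddr 192.0.2.10 tcp dport { 25, 80 } ct state new accept
        iifname "wan" oifname "lan" ip daddr 192.0.2.11 udp dport 53 accept
        iifname "wan" oifname "lan" ip daddr 192.0.2.11 tcp dport 53 ct state new accept

        # incoming ICMP is denied outright, as in the typical configuration above
        iifname "wan" ip protocol icmp counter drop
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

A packet to 192.0.2.10 port 25 is accepted whether it carries mail or an FTP session moved to that port; the ruleset has no way to tell.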

Attacks through firewall tunnels

Tunneling is a method of encapsulating (masking) messages of one type (which firewall filters could block) inside messages of another type. Attacks through "tunnels" are possible because many network protocols have the properties that allow it.

A firewall filters network traffic and decides whether to allow or block packets based on information about the network protocol used. Usually the rules include a check of whether a particular protocol is permitted. For example, if ports 25 and 80 are allowed on the firewall, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is precisely this processing principle that skilled attackers exploit. All unauthorized activity is carried out within the permitted protocol, creating a tunnel through which the attacker conducts the attack. For example, this firewall weakness is used by the LOKI attack, which tunnels commands inside ICMP Echo Requests and their results inside ICMP Echo Replies, which noticeably changes the size of the data field compared to the standard one. To a firewall, or any other traditional network security tool, these actions look quite normal. For example, this is how the transmission of a password file through an ICMP "tunnel" appears in the TCPdump protocol analyzer.

Another example of tunneling attacks are application-layer attacks, which exploit vulnerabilities in applications by sending packets that belong to those very applications.

Fig. 1.3. Attack through firewall tunnels

The simplest example of such tunnels is Internet worms and macro viruses brought into a corporate network as attachments to e-mail messages. If the firewall allows SMTP traffic through (the author has never seen a firewall that did not), then the "viral infection" comes through with it. Let us give a more complex example. Suppose a Web server running Internet Information Server (IIS) is protected by a firewall on which only port 80 is allowed. At first glance, effective protection is in place. But only at first glance. If IIS version 3.0 is in use, a request for http://www.domain.ru/default.asp. (with a dot at the end) lets an attacker read the contents of the ASP file, which may contain sensitive data (for example, a database password). And even if you have installed the most recent version, IIS 5.0.

Moreover, a large number of rules reduces the performance of the firewall and, as a result, the throughput of the communication channels passing through it.
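Added example, not from the original article, serving both the TCP-over-DNS screenshot passage earlier and the LOKI description above: heuristics that flag repeated long, high-entropy subdomain queries to one zone, and ICMP echo packets whose payload is oversized or does not look like a normal ping. The DNS log lines, the ICMP packet builder and the payloads are constructed; the thresholds are assumptions to be tuned per environment.

```python
"""Heuristics for the two covert channels discussed above: data hidden in DNS query
names (TCP-over-DNS style tunnels) and in ICMP echo payloads (LOKI-style tunnels)."""
import math
import struct
from collections import Counter
from typing import Dict, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or encoded data scores high, plain text or padding low."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# --- DNS tunnel indicators ---------------------------------------------------
# Constructed query log, one "<timestamp> <client> <qtype> <qname>" per line; the
# format is invented for this example and is not that of any particular resolver.
DNS_LOG = """
2012-08-28T18:06:01 10.1.2.3 A www.example.com.
2012-08-28T18:06:02 10.1.2.3 TXT 6q2k9vx0p3ucv8hhs2z1l4nn7a0ff5rb9w2q6m5n1c0.t.tunnel.example.
2012-08-28T18:06:02 10.1.2.3 TXT 1lz8c5p0n3q7a9xz2ru4vk6mj5b8d0hs3yw1gt7e2f4.t.tunnel.example.
2012-08-28T18:06:03 10.1.2.3 TXT 0gh4m2c6z9p1q5w8x3r7e0a2y6u4s1v5n8b3k7d9f2j.t.tunnel.example.
2012-08-28T18:06:04 10.1.2.7 MX example.com.
2012-08-28T18:06:05 10.1.2.7 TXT _dmarc.example.com.
"""


def dns_tunnel_suspects(log: str, min_label: int = 30, min_entropy: float = 3.5,
                        min_queries: int = 3) -> Dict[Tuple[str, str], int]:
    """Count, per (client, zone), TXT/NULL/CNAME queries whose leftmost label is long
    and high-entropy (the data-carrying labels of a tunnel); return pairs at or above
    min_queries."""
    hits: Counter = Counter()
    for line in log.strip().splitlines():
        _ts, client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if qtype not in ("TXT", "NULL", "CNAME") or len(labels) < 3:
            continue
        first, zone = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label and shannon_entropy(first.encode()) >= min_entropy:
            hits[(client, zone)] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}


# --- ICMP echo payload indicators --------------------------------------------
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes of fixed text


def _incrementing(data: bytes) -> bool:
    """True for the 0x08, 0x09, ... filler a default Linux ping uses after its timestamp."""
    return len(data) > 1 and all(data[i + 1] == (data[i] + 1) & 0xFF for i in range(len(data) - 1))


def icmp_echo(payload: bytes, icmp_type: int = 8, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP packet (type, code, checksum, id, seq + payload); checksum left 0."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def icmp_echo_suspect(packet: bytes, max_payload: int = 64, min_entropy: float = 4.0) -> Optional[str]:
    """Return a reason when an echo request/reply carries something other than a normal
    ping payload (too large, or high-entropy data), else None. Checksum is not verified."""
    if len(packet) < 8 or packet[0] not in (0, 8):      # only echo reply / echo request
        return None
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD or _incrementing(payload[8:]):
        return None
    if len(payload) > max_payload:
        return "oversized echo payload (%d bytes)" % len(payload)
    h = shannon_entropy(payload)
    if h >= min_entropy:
        return "high-entropy echo payload (%.2f bits/byte)" % h
    return None


# Constructed payloads: a default Linux ping (8-byte timestamp + incrementing filler)
# and a 224-byte pseudo-random payload standing in for tunneled data.
LINUX_PING_PAYLOAD = b"\x00" * 8 + bytes(range(8, 56))
TUNNEL_PAYLOAD = bytes((i * 73 + 11) % 256 for i in range(224))

if __name__ == "__main__":
    print(dns_tunnel_suspects(DNS_LOG))
    print(icmp_echo_suspect(icmp_echo(LINUX_PING_PAYLOAD)), icmp_echo_suspect(icmp_echo(TUNNEL_PAYLOAD)))
```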

Attacks that bypass the firewall

The words of a song from the children's film "Aibolit-66", "Normal heroes always take a detour", perfectly illustrate the next problem inherent in firewalls. Why try to reach protected resources through the security measures when you can try to bypass them?

An example from a related area

On February 21, 1990, budget analyst Mary Pircham showed up for work. However, she was unable to enter her workplace even after entering the four-digit code and speaking the code word into the security system. Wanting to still enter, Mary opened the back door using a plastic fork and a pocket screwdriver. The newest security system, which Mary Pierham bypassed, was advertised as “fail-safe and reliable” and cost $44,000 [Vakka1-97].

Similarly with firewalls, only the modem can serve as a backdoor. Do you know how many modems are installed on your network and what they are used for? Don't answer in the affirmative right away, think about it. During a survey of one network, the heads of the information security and automation department tore their shirts, claiming that they knew every single modem installed on their network. By running the Internet Scanner security analysis system, we did indeed find the modems they indicated were used to update the accounting and legal system databases. However, two unknown modems were also discovered. One was used by an employee of the analytical department to gain access to working directories from home. The second modem was used to access the Internet bypassing the firewall. losses, as statistics show, are associated precisely with security incidents on the part of internal users, from the inside. It should be clarified that the firewall only inspects traffic at the boundaries between the internal network and Internet network

. If traffic exploiting security holes never passes through the firewall, then the firewall will not find any problems


"Normal heroes always take a detour"

Why try to access protected resources through security measures when you can try to bypass them? This can be illustrated with an example from a related field. On Wednesday, February 21, 1990, Mary Pierham, a budget analyst for an American company, came to work. However, she was unable to enter her workplace even after entering the four-digit code and speaking the code word into the access control system. Still wanting to get to work, Mary walked around the building and opened the back door using a nail file and a plastic comb.

The newest security system that Mary Pierham bypassed was advertised as “failsafe and reliable” and cost tens of thousands of dollars. It is the same with firewalls, except that here the back door is a modem. Do you know how many modems are installed on your network and what they are used for? Don't answer yes right away; think about it. While examining one network, the heads of the information security and automation departments swore up and down that they knew every single modem installed on their network. A scan with the Internet Scanner security analysis system did confirm the modems they had named, which were used to update the accounting and legal databases. However, two unknown modems were also discovered.

One was used by an employee of the analytical department to gain access to working directories from home. The second was used to access the Internet, bypassing the firewall.

Another example also concerns bypassing the firewall. Threats do not always come only from outside the firewall, from the Internet.

A large share of losses is associated precisely with security incidents caused by internal users (statistically, up to 80% of incidents originate from within). It should be made clear that the firewall only inspects traffic at the boundary between the internal network and the Internet. If the traffic that exploits a security hole never passes through the firewall, the firewall will not find any problem. In 1985, at one of the Russian shipbuilding plants, a criminal group of more than 70 (!) people was exposed which, between 1981 and 1985, had stolen more than 200 thousand rubles by feeding forged payroll documents into the information system.

Similar cases were recorded at factories in Leningrad and Gorky. Not even the most efficient firewall could detect such activity.

Tunnels are used not only in the subway

But even inspecting traffic at the boundary between the external and internal networks does not guarantee complete protection. The firewall filters traffic and decides whether to allow or block network packets based on information about the protocol used. As a rule, the filtering rules check whether a particular protocol is permitted or not.

For example, if ports 25 and 80 are allowed on the firewall, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is precisely this processing principle that skilled attackers exploit: all unauthorized activity is carried out within the permitted protocol, which creates a tunnel through which the attacker conducts the attack. The simplest example of such tunnels is Internet worms and macro viruses introduced into a corporate network as attachments to email messages.

If the firewall allows SMTP traffic to pass (and I have never seen a firewall that did not), then a “viral infection” can enter the internal network.

Let me give a more complex example. Suppose a Web server running Microsoft Internet Information Server is protected by a firewall on which only port 80 is allowed. At first glance, complete protection is provided. But only at first glance. If IIS version 3.0 is in use, then a request to the address:

http://www.domain.ru/default.asp. (with a dot at the end)

allows an attacker to gain access to the contents of an ASP file that can store confidential data (for example, a database access password).

In the RealSecure attack detection system this attack is called "HTTP IIS 3.0 Asp Dot". And even if you have installed the latest version, IIS 5.0, you still cannot feel completely safe. A request to the address:

http://SOMEHOST/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\

causes the command "dir C:\" to be executed. In the same way, any file can be read, including those containing confidential information:

http://SOMEHOST/scripts/georgi.asp/..%C1%9C..%C1%9C..%C1%9Ctest.txt
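As an added example (not code from the page, from IIS or from RealSecure), the following Python shows why a check for ".." segments that runs before the request is fully decoded misses requests of the kind quoted above, and why canonicalizing first catches them; the sample path, the permissive decoder and the function names are constructed for illustration.

```python
"""Why the IIS 5.0 request quoted above slipped past a ".." check, and how
canonicalising before the check catches it. Added example, not IIS or RealSecure
code; the sample path, the permissive decoder and the checks are constructed."""
from urllib.parse import unquote_to_bytes

# Constructed request path in the shape quoted on the page.
SAMPLE_PATH = "/scripts/georgi.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe"

def lenient_utf8(raw: bytes) -> str:
    """Decode like a permissive server: accept overlong two-byte forms (C0/C1 lead
    bytes), so C1 9C becomes 0x5C, a backslash. Other non-ASCII becomes U+FFFD."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw) and 0x80 <= raw[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)

def has_dotdot_segment(path: str) -> bool:
    """True if any segment, with either separator style, is exactly '..'."""
    return ".." in path.replace("\\", "/").split("/")

def naive_check(path: str) -> str:
    """Vulnerable ordering: look for '..' segments on the standard decoding, before
    the overlong bytes have been turned into separators. Reports SAMPLE_PATH as ok."""
    text = unquote_to_bytes(path).decode("utf-8", errors="replace")
    return "traversal" if has_dotdot_segment(text) else "ok"

def hardened_check(path: str) -> str:
    """Canonicalise first: refuse anything that is not valid shortest-form UTF-8
    (Python's strict decoder rejects C0/C1 lead bytes), then inspect the result."""
    try:
        text = unquote_to_bytes(path).decode("utf-8")
    except UnicodeDecodeError:
        return "invalid-utf8"
    return "traversal" if has_dotdot_segment(text) else "ok"

def what_the_server_saw(path: str) -> str:
    """The path after the permissive decode: the '..' segments become visible."""
    return lenient_utf8(unquote_to_bytes(path))

if __name__ == "__main__":
    print(what_the_server_saw(SAMPLE_PATH))
    print("naive:", naive_check(SAMPLE_PATH), "hardened:", hardened_check(SAMPLE_PATH))
```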

A final example is the Loki attack, which allows various commands (such as a request to transfer the password file /etc/passwd) to be tunneled into ICMP Echo Requests and responses to them into ICMP Echo Replies.
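The size and content anomaly that the Loki description points at can be checked directly. As an added example (not Loki or RealSecure code), this Python inspector parses ICMP Echo datagrams, compares payload size and text content with what stock ping clients send, and checks that each reply echoes its request; the packet samples, the 32/56-byte sizes and the Windows payload pattern are constructed assumptions.

```python
"""Score ICMP Echo datagrams against what ordinary ping clients send. Added example,
not Loki or RealSecure code; sizes, patterns and sample packets are constructed."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
NORMAL_PAYLOAD_SIZES = {32, 56}                        # Windows / Unix ping defaults
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte Windows ping data

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid datagram."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an Echo datagram with a correct checksum (used for the samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Split header fields from data; reject short or corrupt datagrams."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("short packet or bad checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq, "data": packet[8:]}

def text_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace (1.0 for shell text)."""
    return sum(b in b"\t\n\r" or 32 <= b < 127 for b in data) / len(data) if data else 0.0

def inspect_echo(packet: bytes, pending: dict) -> list:
    """Findings for one datagram; `pending` maps (id, seq) of seen requests to payload."""
    p, findings = parse_icmp(packet), []
    if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return findings                      # other ICMP types are not scored here
    data = p["data"]
    if len(data) not in NORMAL_PAYLOAD_SIZES:
        findings.append("unusual-size:%d" % len(data))
    if data != WINDOWS_PATTERN and text_ratio(data) > 0.9:
        findings.append("text-payload")
    key = (p["id"], p["seq"])
    if p["type"] == ICMP_ECHO_REQUEST:
        pending[key] = data
    elif pending.pop(key, data) != data:     # a genuine reply echoes its request
        findings.append("reply-differs-from-request")
    return findings

# Constructed samples: a normal Windows ping pair, then a tunnelled pair.
NORMAL_REQ = build_echo(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PATTERN)
NORMAL_REP = build_echo(ICMP_ECHO_REPLY, 1, 1, WINDOWS_PATTERN)
TUNNEL_REQ = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"send /etc/passwd\n")
TUNNEL_REP = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"root:x:0:0:root:/root:/bin/sh\n")
```

A Unix ping payload of 56 bytes passes the size test and, being mostly binary timestamp and counter bytes, stays well under the text threshold.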

Encrypt, don't encrypt, it's all the same...

Very often one can hear from domestic developers of VPN tools that the product they have developed for building virtual private networks solves many security problems. They insist that, since the protected network communicates with its counterparties (remote offices, partners, customers, etc.) only over VPN connections, no “infection” will penetrate it.

This is partly true, but only on the condition that those counterparties in turn do not communicate with anyone over unprotected channels. And that is already hard to imagine. Since most organizations use encryption to protect external network connections, an attacker's interest will turn to those places in the network where the information he wants is most likely unprotected, that is, to nodes or networks with which a trusted relationship has been established. And even if VPN connections are set up between a network protected by a firewall with VPN functions and a trusted network, the attacker will be able to carry out his attacks with the same efficiency.

Moreover, the effectiveness of his attacks will be even higher, since the security requirements for trusted nodes and networks are much lower than for all other nodes. An attacker will be able to penetrate a trusted network first, and only then carry out unauthorized actions against the target of his attack from there.

In March 1995, the security administrator at the Johnson Space Center received a message that two of the center's computers had been attacked by intruders. However, as a result of the investigation, it turned out that these computers were compromised back in December 1994 and programs were installed on them to intercept user IDs and passwords. The logs from these programs contained approximately 1,300 user IDs and passwords from more than 130 systems connected to the compromised hosts.

And again about spoofing

Address spoofing is a way of hiding an attacker's real address, but it can also be used to bypass firewall protection mechanisms. The simplest technique, replacing the source address of network packets with an address from the protected network, can no longer mislead modern firewalls: they all use some form of protection against such substitution. However, the principle of address substitution itself remains relevant. For example, an attacker can replace his real address with the address of a node that has a trusted relationship with the attacked system and carry out a denial-of-service attack on it.

The firewall as a target of attack

Firewalls are often themselves targets of attack. Having attacked the firewall and disabled it, attackers can calmly, without fear of being detected, implement their criminal plans in relation to the resources of the protected network.

For example, since the beginning of 2001 many vulnerabilities have been discovered in the implementations of various well-known firewalls. Incorrect processing of TCP packets with the ECE flag set in the ipfw and ip6fw firewalls allowed a remote attacker to bypass the configured rules. Another vulnerability was discovered in BorderWare Firewall Server 6.1.2: its exploitation, involving broadcast ICMP Echo Requests, disrupted the availability of the BorderWare firewall.

Other firewalls have not been spared either: Cisco Secure PIX Firewall, WatchGuard Firebox, etc.

Wait, who's coming? Show your passport!

The vast majority of firewalls are built on the classic access control models developed in the 70s and 80s of the last century in military departments. According to these models, a subject (a user, program, process or network packet) is allowed or denied access to some object (for example, a file or a network node) upon presentation of some unique element inherent only to that subject. In 80% of cases this element is a password. In other cases the unique element is a Touch Memory token, a smart card or proximity card, the user's biometric characteristics, etc. For a network packet, such an element is the addresses or flags found in the packet header, as well as some other parameters.

It is easy to see that the weakest link in this scheme is the unique element. If an intruder has somehow obtained this element and presents it to the firewall, the firewall takes him for “one of its own” and lets him act within the rights of the subject whose secret element was used without authorization. At the current pace of technological development, obtaining such a secret element is not difficult.

It can be “overheard” during transmission over the network using protocol analyzers, including those built into the OS (for example, Network Monitor in Windows NT 4.0). It can be guessed using special programs available on the Internet, for example L0phtCrack for Windows or Crack for Unix.

Thus, even the most powerful and reliable firewall will not prevent an intruder from entering the corporate network if he has been able to guess or steal the password of an authorized user. Moreover, the firewall will not even detect the violation, since to it the intruder who stole the password is an authorized user.

For example, on March 22, 1995, an unidentified attacker, using a stolen password and software from the Pinsk branch of BelAKB Magnatbank, entered the computer network of the Belarusian Interbank Settlement Center and transferred 1 billion 700 million rubles to the settlement account of Aresa LTD LLC in the Soviet branch of BelAKB Promstroibank.

Administrator - God and King

Every organization has users who have virtually unlimited rights on the network: the network administrators. They are not controlled by anyone and can do almost anything on the network. As a rule, they use their unlimited rights to fulfill their functional responsibilities. But imagine for a moment that an administrator is offended by something, be it a low salary, an underestimation of his abilities, a desire for revenge, etc.

There are known cases where such offended administrators “spoiled the blood” of more than one company and caused very serious damage. In the fall of 1985, Donald Burleson, director of computer security at USPA & IRA, tried, through the company's management, to achieve a reduction in the income tax that he constantly had to pay and with which he was dissatisfied.

However, he was fired. Three days after being fired, he came to work and, having gained access to the company's network, deleted 168,000 records from the insurance and trade protection database. He then released several worm programs into the network, which were meant to keep deleting such records in the future. Russia did not stand aside either.

In 1991, computer equipment was used to steal foreign currency funds from Vnesheconombank in the amount of 125.5 thousand dollars, and to prepare the theft of another 500 thousand dollars. The mechanism of the theft was very simple. A resident of Moscow, together with the head of the non-trading operations automation department of Vnesheconombank, opened accounts using six fake passports and deposited $50 into them. Then, by modifying the banking software, 125 thousand dollars were transferred to the accounts opened with the fake passports, and the money was collected using those same passports.

These two examples demonstrate that even the most effective firewall could not protect a corporate network if it were attacked by its own administrator.

Conclusion

Firewalls do not provide sufficient security for corporate networks, although under no circumstances should they be abandoned. They help provide a necessary, but clearly insufficient, level of protection for corporate resources. As has been noted more than once, traditional tools, which include firewalls, were built on models developed at a time when networks were not widespread and methods of attacking them were not as developed as they are now.

To adequately counter these attacks, new technologies are needed, for example intrusion detection technology, which began to develop actively abroad and came to Russia four years ago. This technology, a prominent representative of which is the RealSecure family of tools from Internet Security Systems, effectively complements existing firewalls, providing a higher level of security.