Unified communications security. Polycom Recommendations

Google vs Firewalls

As reported in PCWeek/RE 21, 2001, a temporary firewall outage at Atlanta Polytechnic University let the Google search engine index the university's intranet and reach files about students: home addresses, social security numbers, and so on.

A common misconception is that a firewall recognizes attacks and blocks them. In reality, a firewall is a device that first prohibits everything and then allows only "good" things. That is, when installing a firewall, the first step is to prohibit all connections between the protected network and the open one. The administrator then adds specific rules that allow certain traffic to pass through the firewall. A typical firewall configuration would prohibit all incoming ICMP traffic, allowing only outgoing traffic and some incoming traffic over UDP and TCP (for example, HTTP, DNS, SMTP, etc.). This lets employees of the protected organization work with the Internet while denying attackers access to internal resources. However, do not forget that firewalls are simply rule-based systems that allow or deny the traffic passing through them. Even firewalls that use stateful inspection cannot say with certainty whether an attack is present in the traffic or not; they can only report whether the traffic matches a rule.

A good analogy can be drawn with the physical world. A firewall is simply a fence around your network, and it cannot detect someone digging under it. The firewall merely restricts access at certain points along the fence. So as not to be unsubstantiated, here are several examples of cases in which firewalls will not save you from intruders [Lukatsky1-01].

Attacks through firewall tunnels

Tunneling is a method of encapsulating (masking) messages of one type, which could be blocked by the firewall's filters, inside messages of another type. Attacks through "tunnels" are possible because of properties present in many network protocols. The firewall filters traffic and decides whether to allow or block packets based on information about the network protocol used. Usually the rules include a check of whether a particular protocol is permitted or not. For example, if ports 25 and 80 are allowed on the firewall, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is this processing principle that skilled attackers exploit: all unauthorized activity is carried out within the permitted protocol, creating a tunnel through which the attacker conducts the attack. For example, this defect in firewalls is used by the LOKI attack, which tunnels various commands into ICMP Echo Requests and the responses to them into ICMP Echo Replies, which noticeably changes the size of the data field compared to the standard one. To a firewall, and to any other traditional network security tool, these packets look quite normal. For example, this is how the transmission of a password file through an ICMP "tunnel" is displayed by the tcpdump protocol analyzer.

Another example of tunneling is application-layer attacks, which exploit vulnerabilities in applications by sending packets addressed to those applications over the ports the firewall permits.

Fig. 1.3. Attack through firewall tunnels

The simplest example of such tunnels is Internet worms and macro viruses introduced into a corporate network as attachments to email messages. If the firewall allows SMTP traffic to pass (the author has never seen a firewall that did not), a "viral infection" follows. Let's take a more complex example. Suppose a Web server running Microsoft software (Internet Information Server) is protected by a firewall on which only port 80 is allowed. At first glance, effective protection is provided. But only at first glance. If IIS version 3.0 is in use, then requesting http://www.domain.ru/default.asp. (with a dot at the end) gives an attacker access to the contents of the ASP file, which may store sensitive data (for example, a database access password). And even if you installed the most

Moreover, a large number of rules reduces the performance of the firewall and, as a result, the throughput of the communication channels that pass through it.

Attacks that bypass the firewall

The words of the song from the children's film "Aibolit-66", "Normal heroes always take a detour", perfectly illustrate the next problem inherent in firewalls. Why try to reach protected resources through the security measures when you can try to bypass them?

An example from a related area

On February 21, 1990, budget analyst Mary Pierham showed up for work. However, she was unable to get to her workplace even after dialing the four-digit code and saying the code word to the security system. Still wanting to get in, Mary opened the back door with a plastic fork and a pocket screwdriver. The newest security system that Mary Pierham bypassed was advertised as "fail-safe and reliable" and cost $44,000 [Vakka1-97].

The same goes for firewalls: a modem alone can serve as a back door. Do you know how many modems are installed on your network and what they are used for? Don't answer yes right away; think about it. During a survey of one network, the heads of the information security and automation departments swore that they knew every single modem installed on their network. Having run the Internet Scanner security analysis system, we did indeed find the modems they indicated, used to update the accounting and legal systems. However, two unknown modems were also discovered.

One was used by an employee of the analytical department to reach working directories from home. The second modem was used to access the Internet, bypassing the firewall. Another example concerns the possibility of bypassing the firewall from the inside. Threats do not always come only from outside the firewall, from the Internet. A large share of losses, as statistics show, is associated precisely with security incidents caused by internal users. It should be clarified that the firewall only inspects traffic at the boundary between the internal network and the Internet. If traffic exploiting a security hole never passes through the firewall, the firewall will not find any problem.

A firewall (also called an internetwork screen) is a set of hardware or software components that filters the network packets passing through it in accordance with given rules. The main purpose of a firewall is to protect computer networks or individual nodes from unauthorized access. Firewalls are also often called filters, since their main task is not to let through (to filter out) packets that do not meet the criteria defined in the configuration.
Depending on the coverage of the controlled data flows, firewalls are divided into:

  • traditional network (or internetwork) firewalls: a program (or an integral part of the operating system) on a gateway (a server that passes traffic between networks), or a hardware solution, that controls incoming and outgoing data flows between the connected networks;

  • personal firewalls: a program installed on a user's computer and designed to protect only that computer from unauthorized access.

Depending on the level at which access control takes place, firewalls are divided into those operating at:

  • the network level, where filtering is based on the sender and recipient addresses of packets, the port numbers of the transport layer of the OSI model, and static rules specified by the administrator;

  • the session level (also known as stateful), where sessions between applications are tracked and packets that violate the TCP/IP specifications are not passed; such packets are often used in malicious operations: resource scanning, hacking through incorrect TCP/IP implementations, dropped/slow connections, data injection;

  • the application level, where filtering is based on analysis of the application data carried inside the packet. Firewalls of this type can block the transmission of unwanted and potentially harmful information based on policies and settings.

Depending on whether active connections are tracked, firewalls are:

  • stateless (simple filtering): they do not track current connections (for example, TCP) but filter the data stream solely on the basis of static rules;

  • stateful (context-aware filtering): they track current connections and pass only those packets that satisfy the logic and algorithms of the corresponding protocols and applications. Such firewalls combat various kinds of DoS attacks and the vulnerabilities of some network protocols more effectively. In addition, they support protocols such as H.323, SIP and FTP, which use complex data-transfer schemes between the endpoints that are hard to describe with static rules and are often incompatible with ordinary stateless firewalls.
How to bypass firewalls

  1. Threat from within. Threats do not always come only from outside the firewall, from the Internet. A large share of losses is associated precisely with security incidents caused by internal users (statistically, up to 80% of incidents originate inside). It should be clarified that the firewall only inspects traffic at the boundary between the internal network and the Internet. If traffic exploiting a security hole never passes through the firewall, the firewall will not find any problem.

  2. Tunnels. The firewall filters traffic and decides whether to allow or block network packets based on information about the protocol used. Generally, the rules include a check of whether a particular protocol is permitted or not. For example, if ports 25 and 80 are allowed on the firewall, then mail (SMTP) and Web (HTTP) traffic is allowed into the internal network. It is this processing principle that skilled attackers exploit: all unauthorized activity is carried out within the permitted protocol, creating a tunnel through which the attacker conducts the attack. The simplest example of tunnels is Internet worms and macro viruses introduced into a corporate network as attachments to email messages. If the firewall allows SMTP traffic to pass (and I have never seen a firewall that did not), then a "viral infection" can enter the internal network.

    A common modern covert channel attack is the Loki attack. It uses the ICMP protocol to transmit data, although the protocol was not designed to be used in this way; it is only intended for status and error messages. But someone developed a special tool (Loki) that lets an attacker write data immediately after the ICMP header. This allows an attacker to communicate with another system through a covert channel. The attack is often quite successful because most firewalls are configured to allow incoming and outgoing ICMP traffic. It is a covert channel because it uses for communication a protocol that was not designed for this purpose. Detailed information about the Loki attack can be found at http://xforce.iss.net/xforce/xfdb/1452.

  3. Encryption. Very often one hears from domestic VPN developers that the tool they have developed for building virtual private networks solves many security problems. They insist that since the protected network communicates with its counterparts (remote offices, partners, customers, etc.) only over a VPN connection, no "infection" will penetrate it. This is partly true, but only on the condition that those counterparts also do not communicate with anyone over unprotected channels, and that is hard to imagine. Since most organizations use encryption to protect their external network connections, the attacker's interest will be directed at those places in the network where the information of interest to him is likely not protected, that is, at nodes or networks with which trusted relationships have been established. Even if VPN connections are created between a network protected by a firewall with VPN functions and a trusted network, the attacker will be able to carry out his attacks with the same efficiency. Moreover, the effectiveness of his attacks will be even higher, since the security requirements for trusted nodes and networks are much lower than for all other nodes. An attacker can penetrate the trusted network first, and only then carry out unauthorized actions against the target of his attack from there.

  4. Vulnerabilities in firewalls. Having attacked the firewall and disabled it, attackers can calmly, without fear of being detected, carry out their criminal plans against the resources of the protected network. For example, since the beginning of 2001, many vulnerabilities have been discovered in the implementations of various well-known firewalls.

  5. Address spoofing. This is a way of hiding the real address of an attacker. However, it can also be used to bypass firewall protection mechanisms. Such a simple method as replacing the source address of network packets with an address from the protected network can no longer fool modern firewalls; they all use various means of protection against such substitution. However, the principle of address substitution itself remains relevant. For example, an attacker can replace his real address with the address of a node that has a trusted relationship with the attacked system and carry out a denial of service attack against it.
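Detection logic for the ICMP tunnels described in the tunneling section above and in the Loki item of this list: an added example, not code from the original text or from any of the cited tools. It parses raw IPv4/ICMP frames and flags echo payloads whose size, text structure or entropy does not match what a stock ping tool produces; the frames, addresses and thresholds are constructed here for illustration.

```python
"""Heuristic detector for Loki-style ICMP echo tunnels, run over raw IPv4/ICMP frames.
All frames below are constructed inline for the example; nothing is sent on the wire."""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Payload sizes produced by stock ping tools: 56 bytes (Linux/BSD) and 32 bytes (Windows).
NORMAL_ECHO_PAYLOAD_SIZES = {32, 56}
ENTROPY_LIMIT = 6.0   # bits/byte; ping padding is far below this, ciphertext is near 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo with the given payload (test data only)."""
    icmp = bytearray(struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload)
    struct.pack_into("!H", icmp, 2, inet_checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                               bytes(int(o) for o in src.split(".")),
                               bytes(int(o) for o in dst.split("."))))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return bytes(ip + icmp)


def parse_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP frame, or None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    return src, dst, frame[ihl], frame[ihl + 8:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def suspicious_echo_tags(payload: bytes) -> list:
    """Reasons an echo payload looks like a data channel rather than ping padding.
    The thresholds are this example's assumptions, not a standard; tune them per environment."""
    tags = []
    if len(payload) not in NORMAL_ECHO_PAYLOAD_SIZES:
        tags.append("size")          # Loki changes the data-field size, as the text notes
    if payload:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
        if printable > 0.9 and b"\n" in payload:
            tags.append("text")      # line-structured text, e.g. a password file in transit
        if shannon_entropy(payload) > ENTROPY_LIMIT:
            tags.append("entropy")   # compressed or encrypted tunnel data
    return tags


def flag_tunnelled_echo(frames) -> list:
    """Return [(src, dst, tags)] for every echo request/reply whose payload was flagged."""
    findings = []
    for frame in frames:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            tags = suspicious_echo_tags(payload)
            if tags:
                findings.append((src, dst, tags))
    return findings


# Constructed sample traffic: two ordinary pings and two Loki-style tunnel packets.
LINUX_PING = bytes(range(56))                       # timestamp slot + counter pattern, 56 bytes
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 printable bytes, no line breaks
PASSWD_CHUNK = b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
CIPHERTEXT = bytes((i * 37) % 256 for i in range(128))  # stands in for encrypted tunnel data

SAMPLE_FRAMES = [
    build_icmp_echo("10.0.0.5", "203.0.113.9", LINUX_PING),
    build_icmp_echo("10.0.0.6", "203.0.113.9", WINDOWS_PING),
    build_icmp_echo("10.0.0.7", "203.0.113.9", PASSWD_CHUNK),
    build_icmp_echo("203.0.113.9", "10.0.0.7", CIPHERTEXT, icmp_type=ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    for src, dst, tags in flag_tunnelled_echo(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {', '.join(tags)}")
```

The same checks can be run over a pcap by feeding each IPv4 packet's bytes to flag_tunnelled_echo; the two ordinary pings produce no finding, the two tunnel packets do.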
    Most corporate networks are surrounded by undemocratic perimeter firewalls, which protect internal users from themselves and deter novice hackers. Meanwhile, for an experienced hacker, even a high-quality, well-configured firewall is not an obstacle.

    A firewall (also called an internetwork screen) is, in general, a set of systems that provide an appropriate level of access control, achieved by controlling the passing traffic according to a more or less flexible set of criteria (rules of behavior). In short, a firewall lets through only that part of the traffic which the administrator has explicitly allowed and blocks everything else.

    Two types of firewalls dominate the market: packet filters, also called packet-filter gateways, and application proxies. An example of the first type is Firewall from Check Point; of the second, Microsoft Proxy Server.

    Packet filters are completely transparent to users and very fast, but they are not reliable enough. They are essentially a kind of router that receives packets from both outside and inside the network and decides what to do with them: pass them on or destroy them, notifying the sender, if necessary, that its packet has died. Most firewalls of this type operate at the IP level, and the completeness of their IP support and the quality of their filtering leave much to be desired, so an attacker can easily deceive them. On home computers such firewalls still make sense, but if you have even a mediocre router, they only add to the cost of the system without giving anything in return, since the same packet filtering rules can be set on the router.

    Application proxies are ordinary proxy servers that listen on specified ports (for example, 25, 110, 80) and support interaction with a predetermined list of network services. Unlike filters, which pass IP packets "as is", proxies reassemble the TCP stream themselves, extract the user data from it, attach a new header and split the result into IP packets again, performing address translation if necessary. If the firewall contains no errors, it can no longer be deceived at the network level; in addition, it hides the structure of the internal network from the attacker, since only the firewall is visible from outside. For the highest security, the administrator can organize additional authorization and authentication procedures on the firewall, engaging the enemy at the outermost line of defense. Those are the virtues. As for the drawbacks, application proxies limit users in their choice of applications, work much slower than packet filters and significantly reduce throughput (especially on fast channels).

    Both types of firewalls usually include a more or less stripped-down intrusion detection system (IDS), which analyzes the nature of network requests and identifies potentially dangerous actions: access to non-existent ports (typical of scanning), packets with a TTL of one (typical of tracing), and so on. All this makes an attack much more difficult, and the hacker has to act very carefully, since any wrong step gives him away immediately. However, the intelligence of the integrated recognition systems is quite low, and most self-respecting administrators shift this task onto specialized packages such as RealSecure from Internet Security Systems.

    Depending on the network configuration, the firewall may be installed on a dedicated computer or may share system resources with something else. Personal firewalls, widely used in the Windows world, are in the vast majority of cases installed directly on the protected computer itself. If such a packet filter is implemented without errors, the security of the system does not suffer at all, and it is just as hard to attack as a dedicated firewall. Local application proxies protect the computer only from certain types of attacks (for example, they block Trojans sending data through IE), leaving the system otherwise completely open. In UNIX-like systems a packet filter is present from the start, and the standard distribution includes a large number of different proxy servers, so no additional software needs to be purchased.
    What a firewall does and does not protect against

    Packet filters generally allow you to close all incoming/outgoing TCP ports, completely or partially block certain protocols (for example, ICMP), prevent connections to given IP addresses, and so on. A properly configured network should consist of at least two zones: the internal corporate network, surrounded by the firewall and populated by workstations, network printers, intranet servers, database servers and similar resources; and a demilitarized zone, DMZ for short, in which the public servers accessible from the Internet are located. A firewall configured for the most draconian level of security should:
    • close all ports except those belonging to public network services (HTTP, FTP, SMTP, etc.);
    • forward packets arriving on a given port to those and only those nodes on which the corresponding service is installed (for example, if the WWW server is on node A and the FTP server on node B, a packet directed to port 80 of node B must be blocked by the firewall);
    • block incoming connections from the external network directed to the corporate network (in this case, however, network users will not be able to work with external FTP servers in active mode);
    • block outgoing connections from the DMZ directed to the internal network (except for FTP and DNS servers, which require outgoing connections);
    • block incoming connections from the DMZ directed to the internal network (otherwise an attacker who has seized control of one of the public servers will easily penetrate the corporate network);
    • block incoming connections to the DMZ from the external network over service protocols that are often used for attacks (for example, ICMP; however, blocking ICMP completely creates big problems: in particular, ping stops working and automatic discovery of the optimal MTU becomes impossible);
    • block incoming/outgoing connections to ports and/or external IP addresses specified by the administrator.
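A zone-based evaluator that encodes the policy just listed, as an added example (not from the original article): the zones, addresses and service assignments are assumptions, and the single ICMP exception (fragmentation-needed, type 3 code 4, so that path-MTU discovery keeps working) follows the caveat in the list.

```python
"""Zone-based evaluator for the 'draconian' DMZ policy listed above. Added example with
constructed addresses (RFC 5737 ranges); the zone layout and service map are assumptions."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # corporate network
DMZ = ipaddress.ip_network("192.0.2.0/24")         # demilitarized zone with the public servers

# Which public service each DMZ host runs: a port is admitted only on the host that serves it.
DMZ_SERVICES = {
    "192.0.2.10": {("tcp", 80)},                  # node A: WWW server
    "192.0.2.20": {("tcp", 21)},                  # node B: FTP server
    "192.0.2.25": {("tcp", 25)},                  # mail relay
    "192.0.2.53": {("udp", 53), ("tcp", 53)},     # public DNS
}
# DMZ hosts that must open connections outward (active-mode FTP data, DNS recursion).
DMZ_OUTBOUND_ALLOWED = {"192.0.2.20", "192.0.2.53"}
# Administrator's blocklists for the external side (constructed values).
BLOCKED_EXTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_EXTERNAL_PORTS = {("tcp", 6667)}
# Inbound ICMP is blocked except "fragmentation needed" (type 3, code 4), without which
# path-MTU discovery breaks, as the text warns; ping and traceroute probes stay blocked.
ICMP_ALLOWED_INBOUND = {(3, 4)}


@dataclass(frozen=True)
class Packet:
    """First packet of a new flow; a stateful filter decides on this and then tracks the flow."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = 0
    icmp_code: int = 0


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "external"


def in_blocked_nets(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_EXTERNAL_NETS)


def evaluate(pkt: Packet) -> tuple:
    """Return ("allow" | "drop", reason) for a connection-initiating packet at the firewall."""
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
    if src_zone == dst_zone:
        return "allow", "traffic inside one zone never crosses the firewall"
    # Rules the administrator adds by hand apply first (blocklisted addresses and ports).
    if (src_zone == "external" and in_blocked_nets(pkt.src)) or \
       (dst_zone == "external" and in_blocked_nets(pkt.dst)):
        return "drop", "blocklisted external address"
    if dst_zone == "external" and (pkt.proto, pkt.dport) in BLOCKED_EXTERNAL_PORTS:
        return "drop", "blocklisted external port"
    if pkt.proto == "icmp":
        if src_zone == "external" and (pkt.icmp_type, pkt.icmp_code) not in ICMP_ALLOWED_INBOUND:
            return "drop", "inbound ICMP blocked (only fragmentation-needed is admitted)"
        return "allow", "icmp"
    if src_zone == "external":
        if dst_zone == "internal":
            return "drop", "no inbound connections to the corporate network"
        if (pkt.proto, pkt.dport) in DMZ_SERVICES.get(pkt.dst, set()):
            return "allow", "public service on the DMZ host that runs it"
        return "drop", "port not served by this DMZ host"
    if src_zone == "dmz":
        if dst_zone == "internal":
            return "drop", "DMZ hosts may not reach the corporate network"
        if pkt.src in DMZ_OUTBOUND_ALLOWED:
            return "allow", "DMZ host permitted to initiate outbound (FTP data / DNS)"
        return "drop", "DMZ hosts may not initiate outbound connections"
    return "allow", "corporate users may reach the DMZ and the Internet"


def audit(packets) -> list:
    """Evaluate a batch and return [(src, dst, proto, dport, verdict)] for review."""
    return [(p.src, p.dst, p.proto, p.dport, evaluate(p)[0]) for p in packets]
```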

    In fact, the role of a firewall comes down to protecting the corporate network from any curious people wandering around the Internet. However, the strength of this fence is only apparent. If a client on the corporate network uses a vulnerable version of a browser or email client (and most software is vulnerable!), the attacker only needs to lure him to a Trojanized web page or send him an email with a virus inside, and in a short time the local network will be compromised. Even if outgoing connections from the corporate network are prohibited, the shellcode can use the already established TCP connection through which it was delivered to the attacked host, handing control of the remote system to the hacker.

    The firewall itself can be the target of an attack, because, like any complex program, it is not without holes and vulnerabilities. Holes in firewalls are discovered almost every year and are not plugged immediately (especially if the firewall is implemented in "hardware"). Funny as it is, a bad firewall not only fails to improve but actually worsens the security of the system (this applies above all to personal firewalls, whose popularity has lately been unusually high).
    Firewall Detection and Identification

    The key to a successful attack is the timely detection and identification of the firewall (or, more generally, the IDS, but in this article we will assume it is combined with the firewall).

    Most firewalls discard packets whose TTL (Time To Live) has expired, thereby blocking route tracing and giving themselves away. Some routers do the same, but, as mentioned above, there is no fundamental difference between a router and a packet filter.

    Route tracing is usually done with the traceroute utility, which supports tracing over both ICMP and UDP, with ICMP being blocked much more often. Having chosen a node known to be protected by a firewall (for example, www.intel.ru), let's try to trace the route to it with the command traceroute -I www.intel.ru.

    $traceroute -I wwww.intel.ru
    Trace route to bouncer.glb.intel.com
    1 1352 ms 150 ms 150 ms 62.183.0.180
    2 140 ms 150 ms 140 ms 62.183.0.220
    3 140 ms 140 ms 130 ms 217.106.16.52
    4 200 ms 190 ms 191 ms aksai-bbn0-po2-2.rt-comm.ru
    5 190 ms 211 ms 210 ms msk-bbn0-po1-3.rt-comm.ru
    6 200 ms 190 ms 210 ms spb-bbn0-po8-1.rt-comm.ru
    7 190 ms 180 ms 201 ms stockholm-bgw0-po0-3-0-0.rt-comm.ru
    8 180 ms 191 ms 190 ms POS4-0.GW7.STK3.ALTER.NET
    9 190 ms 191 ms 190 ms 146.188.5.33
    10 190 ms 190 ms 200 ms 146.188.11.230
    11 311 ms 310 ms 311 ms 146.188.5.197
    12 291 ms 310 ms 301 ms so-0-0-0.IL1.DCA6.ALTER.NET
    13 381 ms 370 ms 371 ms 152.63.1.137
    14 371 ms 450 ms 451 ms 152.63.107.150
    15 381 ms 451 ms 450 ms 152.63.107.105
    16 370 ms 461 ms 451 ms 152.63.106.33
    17 361 ms 380 ms 371 ms 157.130.180.186
    18 370 ms 381 ms 441 ms 192.198.138.68
    19 * * * Request timeout exceeded.
    20 * * * The timeout period for the request has been exceeded.

    Look: the trace reaches host 192.198.138.68 and then dies, indicating either a firewall or a rogue router. A little later we will show how to get past it, but for now let's pick another node for tracing, for example www.zenon.ru.

    $traceroute -I www.zenon.ru
    Trace route to distributed.zenon.net
    with a maximum number of jumps of 30:
    1 2444 ms 1632 ms 1642 ms 62.183.0.180
    2 1923 ms 1632 ms 1823 ms 62.183.0.220
    3 1632 ms 1603 ms 1852 ms 217.106.16.52
    4 1693 ms 1532 ms 1302 ms aksai-bbn0-po2-2.rt-comm.ru
    5 1642 ms 1603 ms 1642 ms 217.106.7.93
    6 1562 ms 1853 ms 1762 ms msk-bgw1-ge0-3-0-0.rt-comm.ru
    7 1462 ms 411 ms 180 ms mow-b1-pos1-2.telia.net
    8 170 ms 180 ms 160 ms mow-b2-geth2-0.telia.net
    9 160 ms 160 ms 170 ms 213.248.78.178
    10 160 ms 151 ms 180 ms 62.113.112.67
    11 181 ms 160 ms 170 ms css-rus2.zenon.net
    Tracing is complete.

    This time the tracing goes through fine. Does that mean there is no firewall around zenon? Quite possibly, but for a confident answer we need additional information. Host 195.2.91.193 belongs to a Class C network (the three most significant bits of the IP address are 110), and unless this network is protected by a firewall, most of its nodes should respond to ping, which is exactly what happens in this case. A scan reveals 65 responding addresses. Therefore, either there is no router here, or it passes our pings freely.

    If you wish, you can try scanning the ports; however, first, the presence of open ports means nothing (perhaps the firewall blocks only one port, but the most important one, for example protecting a leaky RPC from outside attacks), and second, while scanning it will be difficult for a hacker to remain unnoticed. On the other hand, everyone scans ports, and administrators stopped paying attention to it long ago.

    The nmap utility can detect some firewalls by setting a port's status to "firewalled". This happens whenever, in response to a SYN, the remote host returns an ICMP type 3 packet with code 13 (Admin Prohibited Filter) carrying a valid firewall IP address in its header (nmap does not display it; write your own scanner or analyze the returned packet yourself with any sniffer). If SYN/ACK comes back, the scanned port is open. RST/ACK indicates a port that is closed or blocked by a firewall. Not all firewalls generate RST/ACK on attempts to connect to blocked ports (Check Point Firewall does); some send an ICMP message, as described above, or send nothing at all.

    Most firewalls support remote management over the Internet by opening one or more TCP ports unique to each firewall. For example, Check Point Firewall opens ports 256, 257 and 258, and Microsoft Proxy opens 1080. Some firewalls explicitly report their name and product version when connected to via netcat (or telnet); proxy servers are especially guilty of this. By sequentially polling all the nodes in front of the host under investigation for listeners on ports characteristic of firewalls, in most cases we can not only detect their presence but also determine their IP address. Of course, these ports can be closed both on the firewall itself (though not all firewalls allow this) and on the router in front of it (but then the firewall will not be manageable over the Internet).
    Scanning and tracing through a firewall

    Direct tracing through a firewall most often turns out to be impossible (what administrator likes to reveal the intimate details of their network topology?), and the attacker has to resort to all sorts of tricks.

    The Firewalk utility is a classic tracer that sends TCP or UDP packets whose TTL reaches zero at the host immediately behind the firewall, causing that system to generate an ICMP_TIME_EXCEEDED message. Thanks to this, Firewalk works reliably even where ordinary tools no longer cope, although, of course, it cannot get through a tightly locked-down firewall, and the attacker has to use more advanced techniques.

    We will assume that with each IP packet sent, the system increments its ID by one (as most often happens). On the other hand, according to RFC 793, which describes the TCP protocol, any host that receives an extraneous packet not related to an established TCP connection must respond to it with RST. To implement the attack, we need a remote node that is not processing any extraneous traffic at the moment and generates a predictable ID sequence. In hacker circles such a node is called a dumb host. Detecting a dumb host is very simple: just send it a series of IP packets and analyze the IDs returned in the headers. Remember (write it down on a piece of paper) the ID of the last packet. Then we choose the victim and send it a SYN packet with the IP of the dumb host as the return address. The attacked host, thinking the dumb host wants to establish a TCP connection, responds with SYN/ACK. The dumb host, receiving an unexpected SYN/ACK, returns RST, increasing its ID counter by one. By sending another IP packet to the dumb host and analyzing the returned ID, we can find out whether the dumb host sent an RST to the victim or not. If it did, the attacked host is active and accepted the TCP connection on the specified port. If desired, a hacker can scan all the ports of interest to him without the risk of being noticed, because it is almost impossible to work out his IP: the scan is carried out by the "hands" of the dumb host and, from the victim's point of view, looks like an ordinary SYN scan.

    Let's assume the dumb host is inside the DMZ and the victim is inside the corporate network. Then, by sending the dumb host a SYN packet on behalf of the victim, we can get through the firewall, since it will think an internal host is connecting, and such connections are allowed in 99.9% of cases (if they were denied, corporate network users would not be able to work with their own public servers). Naturally, none of the routers on the path from the hacker to the dumb host must block a packet with a spoofed return address; otherwise the packet will die long before it reaches its destination.

    The hping utility implements this scanning scheme, which makes it the attacker's main tool for exploring corporate networks protected by a firewall.

    Alternatively, a hacker can take over one of the nodes inside the DMZ and use it as a springboard for further attacks.
    Firewall Penetration

    Only the highest-quality firewalls support reassembly of fragmented TCP packets; all the others analyze only the first fragment and freely pass the rest. By sending a heavily fragmented TCP packet, "spreading" the TCP header over several IP packets, the hacker hides the Acknowledgment Number from the firewall, which then cannot determine whether the TCP packet belongs to an established TCP session (perhaps it belongs to a legitimate connection opened by a corporate user). Unless the "drop fragmented packets" option is enabled on the firewall, the success of the hacking operation is guaranteed. Blocking fragmented packets creates many problems and prevents normal operation of the network. Theoretically it is possible to block only packets with a fragmented TCP header, but not every firewall supports such a flexible policy. This type of attack, called the Tiny Fragment Attack, has extremely high penetrating power and is therefore a favorite technique of all hackers.

    Attacks using source routing are much less relevant, but we will still consider them. As you know, the IP protocol allows routing information to be included in the packet. When an IP packet is sent to the victim, the route imposed by the hacker is most often ignored and the packet's path is determined solely by the intermediate routers, but the response packets are returned along the reverse of the route specified in the IP header, which creates favorable conditions for spoofing it. A simplified version of the attack is limited to spoofing the sender's IP address alone. Properly configured routers (and most UNIX clones) block source-routed packets. Packets with spoofed IP addresses are a somewhat bigger problem, but a high-quality firewall can filter them out too.
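The filter-side checks for both attacks above, as an added example that is not part of the original article: the fragment rules follow RFC 1858 (a first fragment must carry at least 16 bytes of TCP header, and a fragment with offset 1 is dropped outright because it can only serve to overwrite the first fragment's flags and acknowledgment number), and any packet carrying a loose or strict source-route option is rejected. The frames and addresses are constructed for the example.

```python
"""Packet-filter checks against the Tiny Fragment Attack and source routing described above.
Added example; the frames are constructed inline and the rules follow RFC 1858 (fragment
checks) plus a plain reject of the LSRR/SSRR IP options."""
import struct

TCP = 6
TMIN = 16                           # RFC 1858: first fragment must hold >= 16 bytes of TCP header
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source-route options


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *,
               more_fragments: bool = False, frag_offset: int = 0, options: bytes = b"") -> bytes:
    """Construct a raw IPv4 packet (test data only); frag_offset is in 8-byte units."""
    options += b"\x00" * (-len(options) % 4)          # options area is padded to 32 bits
    ihl = 5 + len(options) // 4
    flags_frag = (int(more_fragments) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x4242,
                         flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + options + payload


def parse_ipv4(frame: bytes) -> dict:
    """Pull out only the header fields the filter rules need."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", frame[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto,
            "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,
            "options": frame[20:ihl],
            "transport_len": total_len - ihl}


def source_routed(options: bytes) -> bool:
    """Walk the option TLVs; True if LSRR/SSRR is present. Raises ValueError on a malformed list."""
    i = 0
    while i < len(options):
        opt = options[i]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:
            i += 1
            continue
        if opt in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += options[i + 1]
    return False


def filter_verdict(frame: bytes) -> tuple:
    """("allow", "") or ("drop", reason): the two RFC 1858 fragment rules plus the source-route rule."""
    h = parse_ipv4(frame)
    try:
        if source_routed(h["options"]):
            return "drop", "source-routed packet (LSRR/SSRR option present)"
    except ValueError:
        return "drop", "malformed IP options"
    if h["proto"] == TCP:
        # Direct rule: the first fragment must carry ports, seq/ack numbers and the flags byte.
        if h["frag_offset"] == 0 and h["transport_len"] < TMIN:
            return "drop", "first fragment too small to hold the TCP header"
        # Indirect rule: an offset of 1 can only exist to overwrite the first fragment's flags/ack.
        if h["frag_offset"] == 1:
            return "drop", "fragment offset 1 overlaps the TCP header"
    return "allow", ""


# Constructed samples: a 20-byte TCP SYN header split in the ways the text describes.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SRC, DST = "203.0.113.7", "192.0.2.10"
SAMPLES = {
    "normal_syn": build_ipv4(SRC, DST, TCP, TCP_SYN),
    "tiny_first_fragment": build_ipv4(SRC, DST, TCP, TCP_SYN[:8], more_fragments=True),
    "overlapping_fragment": build_ipv4(SRC, DST, TCP, TCP_SYN[8:], frag_offset=1),
    "legit_first_fragment": build_ipv4(SRC, DST, TCP, TCP_SYN + b"GET ", more_fragments=True),
    "legit_second_fragment": build_ipv4(SRC, DST, TCP, b"/ HTTP/1.0\r\n\r\n", frag_offset=3),
    "loose_source_route": build_ipv4(SRC, DST, TCP, TCP_SYN,
                                     options=bytes([IPOPT_LSRR, 7, 4, 198, 51, 100, 1])),
    "bad_option_length": build_ipv4(SRC, DST, TCP, TCP_SYN, options=bytes([68, 1])),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:24s} {filter_verdict(frame)}")
```

Note that the direct rule does not need reassembly: it drops the fragment that would hide the flags before any later fragment arrives, which is why it costs a stateless filter almost nothing.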

    Routing tables can be changed dynamically by sending an ICMP Redirect message, which allows (at least theoretically) the hacker's traffic to be directed around the firewall (see also ARP spoofing); however, such hopelessly insecure systems are practically no longer found.
    Escaping from behind a firewall

    Users of an internal network protected by an undemocratic firewall are seriously limited in their options. We have already mentioned the impossibility of working with FTP servers in active mode. Some protocols may also be prohibited and the ports you need closed. In clinical cases, administrators maintain blacklists of IP addresses, blocking access to sites on "inappropriate" topics.

    Since firewalls are designed to protect from the outside, and not from the inside, it is very easy to break out from behind their walls; you just need to use any suitable proxy server located on the external network and not yet blacklisted by the administrator. In particular, the popular ICQ client allows you to exchange messages not directly, but through a server (not necessarily the developer company's server). There are thousands of servers supporting ICQ. Some have existed in a more or less unchanged form for several years, others dynamically appear and disappear. And if it is still possible to put the "long-livers" on the stop list, the administrator is simply unable to keep track of one-day servers!

    You can also use the SSH protocol (Secure Shell), originally designed to work through a firewall and to support traffic encryption (in case the firewall decides to look for "forbidden" words like "sex", "hack", etc.). The SSH protocol can work on any available port, for example 80, and then from the point of view of the firewall everything will look like legitimate work with a Web server. Meanwhile, SSH is only the foundation for other protocols, of which, first of all, I would like to mention telnet, which provides interaction with remote terminals. By paying about $20 for hosting to any provider, you will receive an account that supports SSH and allows you to establish connections with other network nodes (free hosting most often lacks this capability or places severe restrictions on it).

    Finally, you can use cellular telephony, direct modem connections, and other communications tools that establish a connection to your provider, bypassing the firewall.
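    The SSH-on-port-80 trick above works only because a port-based rule never looks at what the allowed port actually carries. The following is an added example (not from the original text or any vendor's product) of the check an application-aware filter or monitor can make: it classifies the first bytes a client sends and flags flows whose protocol does not match the port. The flow records and expected-protocol table are constructed for the example.

```python
# Detect a protocol running on a port where the firewall rule expects something else,
# e.g. an SSH session disguised as "Web traffic" on TCP/80.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

# Constructed sample: (client, server, server port, first bytes the client sent).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n"),
    ("10.0.0.7", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.9", "203.0.113.30", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),  # TLS ClientHello
    ("10.0.0.9", "203.0.113.40", 80, b"\x16\x03\x01\x00\xa5\x01\x00"),   # TLS on 80
]

# Which protocols a rule on each port is meant to allow (assumed policy).
EXPECTED = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}


def classify(payload: bytes) -> str:
    """Cheap first-bytes classification of a TCP stream's client side."""
    if payload.startswith(b"SSH-"):            # SSH identification string
        return "ssh"
    if payload.startswith(HTTP_METHODS):       # plain HTTP request line
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                           # TLS handshake record
    return "unknown"


def find_mismatches(flows):
    """Return (client, server, port, protocol) for every flow that violates EXPECTED.

    Anything unrecognised on a policed port is reported too: a port-based rule
    that passes unknown payloads is exactly the gap a tunnel relies on.
    """
    alerts = []
    for src, dst, port, payload in flows:
        proto = classify(payload)
        allowed = EXPECTED.get(port)
        if allowed is not None and proto not in allowed:
            alerts.append((src, dst, port, proto))
    return alerts


if __name__ == "__main__":
    for alert in find_mismatches(SAMPLE_FLOWS):
        print("protocol/port mismatch:", alert)
```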
    Conclusion

    Technologies for building firewalls do not stand still, and specialists in information security don't sleep. Hacking is becoming more and more difficult every day, but hacking will never completely disappear. After all, plugged holes are replaced by others. The main thing is not to sit idly by, but to creatively experiment with firewalls, study standards and specifications, study disassembler listings and search, search, search...

    A popular port scanner that can detect some types of firewalls. Free. Source code is available. The website http://www.insecure.org/nmap has a wealth of technical information on the problem.
    FireWalk

    A utility for tracing a network path through a firewall; it works over the TCP/UDP protocols and is based on TTL manipulation. Free. http://www.packetfactory.net/firewalk. Before use, it is recommended to read the documentation at http://www.packetfactory.net/firewalk/firewalk-final.pdf.
    HPING

    A utility that implements scanning through a dumb host. A powerful weapon for exploring the internal network behind a firewall. Free and well documented. http://www.hping.org/papers.html.
    SSH client

    Secure Shell client used by internal network users to get around firewall restrictions. Free. Distributed with source code. http://www.openssh.com.
    FFAQ

    Detailed FAQ on firewalls in English. www.interhack.net/pubs/fwfaq/firewalls-faq.pdf. Its Russian translation, which is not particularly fresh, is at ln.com.ua/~openxs/articles/fwfaq.html.
    Firewalls

    Lecture notes on firewalls (in English) from Taiwanese professor Yeali S. Sun. http://www.im.ntu.edu.tw/~sunny/pdf/IS/Firewall.pdf
    OpenNet

    A huge portal on network security, including information about holes in popular firewalls (in Russian and English). http://www.opennet.ru

    Firewalls are susceptible to a large number of DoS attacks, such as echo storms or SYN floods, which they are basically unable to resist.

    A firewall is a router, proxy server and intrusion detection system rolled into one.

    Firewalls do not protect against attacks; they merely surround the local network with a brick fence that is easy to climb over.

    In most cases, the brick wall of a firewall can be penetrated by wrapping the transmitted data in ICMP headers, i.e. by building an ICMP tunnel.

    The firewall can be attacked not only from the outside, but also from inside the corporate network.

    Different firewalls respond differently to non-standard TCP packets, which makes it possible to identify them.

    Firewalls that open port 53 (the DNS service) not only on the receiver side (for example, Check Point Firewall) but also on the source side allow a hacker to scan the entire internal network.

    The vulnerability of software proxies is generally low, and they are mainly attacked through buffer overflow errors.

    Some firewalls are susceptible to unauthorized file browsing on port 8010 and requests like http://www.host.com::8010/c:/ or http://www.host.com::8010//.
    The DCOM service needs a wide range of open ports, which significantly reduces the security of the system and makes the use of a firewall meaningless.

4.13.2. Firewall Bypass

A firewall cannot provide absolute security because its operating algorithm is imperfect. In our world there is nothing flawless, one hundred percent reliable, otherwise life would be boring and uninteresting.

How does a firewall protect your computer or server? Everything is based on certain rules, according to which the firewall checks all traffic passing through the network interface and decides whether to let it through. But there is no filter other than absolute prohibition that can ensure safety, and there is no rule that cannot be circumvented.

It is very easy to implement a DoS attack on most firewalls. When we looked at the technique of this attack (see section 1.1.6), we said that it can easily be organized in two cases:

1. The power of your channel is greater than that of the enemy.

2. There is a task on the server that requires a lot of computer resources, and there is a way to trigger it.

A firewall is a complex software system that requires significant technical capabilities to analyze all passing traffic, most of which are spent on packets with the SYN flag set, i.e. on connection requests. The parameters of each such packet must be compared with all established rules.

At the same time, large resources and a powerful channel are not needed to send SYN packets. A hacker can easily flood an allowed server port with SYN packets in which the sender address is substituted at random. The processor of the attacked machine may not be able to cope with the large flow of requests that must be checked against the filters, and a queue will build up that prevents connections from legitimate users from being processed.

The worst thing is if the firewall is configured to send error messages. In this case, the processor load increases due to the creation and sending of packets to addresses that do not exist or do not belong to the hacker.
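The two symptoms just described (a burst of SYNs from many never-repeating source addresses, and the firewall generating an error reply for each one) are both visible in a firewall's own log. The following is an added example, not from the original text or from any firewall product, of a simple detector over constructed log lines in an assumed format; it reports each second in which the SYN rate and the share of distinct sources both exceed a threshold, and counts how many error replies the firewall wasted on them.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's):
#   t=<epoch second> SYN src=<ip> dst=<ip> dport=<port> action=<REJECT|DROP|ACCEPT>
LINE_RE = re.compile(r"t=(\d+) SYN src=(\S+) dst=\S+ dport=(\d+) action=(\w+)")

# Constructed sample: 50 SYNs in one second from 50 random-looking sources that the
# firewall answered with errors, followed by ordinary traffic from two real clients.
LOG_LINES = [
    f"t=100 SYN src=198.51.100.{i} dst=192.0.2.10 dport=80 action=REJECT"
    for i in range(1, 51)
] + [
    "t=101 SYN src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT",
    "t=101 SYN src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT",
    "t=101 SYN src=203.0.113.9 dst=192.0.2.10 dport=443 action=ACCEPT",
]


def detect_syn_flood(lines, syn_threshold=40, distinct_ratio=0.8):
    """Return one alert dict per second that looks like a spoofed-source SYN flood.

    syn_threshold: SYNs per second that a given link/firewall handles comfortably.
    distinct_ratio: share of distinct sources above which the sources are
                    assumed to be randomly spoofed rather than real clients.
    """
    per_second = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                       # ignore lines that are not SYN records
            continue
        t, src, dport, action = m.groups()
        per_second[int(t)].append((src, int(dport), action))

    alerts = []
    for t, entries in sorted(per_second.items()):
        n = len(entries)
        distinct = len({src for src, _, _ in entries})
        # Every REJECT is a packet the firewall built and sent to an address
        # that is not listening: pure wasted CPU and bandwidth.
        error_replies = sum(1 for _, _, a in entries if a == "REJECT")
        if n >= syn_threshold and distinct / n >= distinct_ratio:
            alerts.append({"second": t, "syns": n,
                           "distinct_sources": distinct,
                           "error_replies": error_replies})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(LOG_LINES):
        print("possible SYN flood:", alert)
```

A flood is only confirmed when, as here, the distinct-source ratio stays near 1; a busy but legitimate second shows a few sources repeating many times. Switching the rejecting rule to a silent drop removes the error_replies cost entirely.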

If the client sends too much data that cannot be contained in one packet, then the information is split into several blocks. This process is called packet fragmentation. Most firewalls analyze only the first blocks in a session, and all the rest are considered correct. The logic of such control is clear: if the first packet is correct, then why check them all and waste precious server resources on it? Otherwise, the others will be of no use, because the connection is not established and the integrity of the information is compromised.

To ensure that the firewall allows the hacker's data to pass through, packets can be fragmented in a special way. You can protect yourself from such an attack only if the Firewall automatically reassembles fragmented packets and views them in assembled form. Most firewalls do not have this feature.
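Full reassembly is the complete answer, but a firewall that cannot reassemble can still refuse the fragments that both the Tiny Fragment Attack described earlier and this section rely on. The following is an added example (not from the original text or any firewall) of that check, in the spirit of RFC 1858: it parses the IPv4 header and drops a first fragment that is too short to carry the whole TCP header, as well as a fragment at offset 1 that would overwrite the TCP flags on reassembly. The packets are constructed inline.

```python
import struct

TCP_MIN_HEADER = 20   # ports, sequence numbers and flags all live in these bytes


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields a fragment check needs from a raw IPv4 packet."""
    (vihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"proto": proto,
            "mf": bool((flags_frag >> 13) & 0x1),      # More Fragments flag
            "frag_off": flags_frag & 0x1FFF,           # offset in 8-byte units
            "payload": packet[ihl:total_len]}


def fragment_verdict(packet: bytes) -> str:
    """Return 'pass' or a 'drop: ...' reason for one packet (TCP only)."""
    ip = parse_ipv4(packet)
    if ip["proto"] != 6:
        return "pass"
    if ip["frag_off"] == 0:
        # First fragment of a fragmented datagram must contain the full fixed
        # TCP header, otherwise the rules cannot see ports and flags.
        if ip["mf"] and len(ip["payload"]) < TCP_MIN_HEADER:
            return "drop: tiny first fragment"
        return "pass"
    if ip["frag_off"] == 1:
        # Offset 8 overlaps bytes 8..15 of the TCP header (seq/ack/flags).
        return "drop: overlapping fragment at offset 1"
    return "pass"


def build_ipv4(payload: bytes, frag_off_units: int = 0, more_fragments: bool = False,
               proto: int = 6) -> bytes:
    """Build a minimal IPv4 packet (constructed addresses, zero checksum)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | frag_off_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return header + payload


# Constructed samples: a 20-byte TCP SYN header, whole and split into tiny pieces.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
WHOLE = build_ipv4(TCP_SYN)
TINY_FIRST = build_ipv4(TCP_SYN[:8], frag_off_units=0, more_fragments=True)
OFFSET_ONE = build_ipv4(TCP_SYN[8:16], frag_off_units=1, more_fragments=True)
TAIL = build_ipv4(TCP_SYN[16:], frag_off_units=2)
```

The check only closes the two cases it names; overlapping fragments at higher offsets still require reassembly before the rules are applied.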

A firewall very often becomes the target of an attack, and there is no guarantee that the attempt will fail. If an attacker manages to capture the firewall, the network will be wide open. In this case, only personal firewalls on each computer can save you from total defeat. In practice, the security policy on a personal computer is not so strict, but it may be quite sufficient to prevent further penetration of the hacker into the network.

An attack on a firewall does not depend on its implementation. Errors occur both in the Linux OS and in routing devices with filtering capabilities.

The main task that a firewall solves is to deny access to obviously private resources. But there are open resources. For example, if it is necessary for the Web server to be accessible to Internet users, then the firewall will not be able to protect against hacking through errors in the scripts on the Web server.

Maximum security comes with some inconveniences. So, as I already said, it is best to prohibit any attempts to connect from the outside. A connection can only be established on the initiative of a client on your network, not of a remote computer. In this case the hacker will be left outside, but network users may also have problems, for example, when trying to connect to an FTP server in active mode. We already know that this service runs on two ports: ftp and ftp-data (ftpd). The user connects to the server's ftp port, and when a file is requested, the server itself initiates a connection to the client, which the firewall will not allow. For the FTP service this problem was solved by adding the ability to work in passive mode, but for other programs (for example, chats) the question remains open.

A hacker can establish a connection to a protected network through a tunnel on an open port and with a valid address inside the network. There is no escape from this, because at least something must be allowed.

Large companies may have several servers on the same network. I have only seen in a water company and in movies how administrators work behind several monitors and keyboards at the same time to manage each of them. In real life such specialists are too lazy, and monotonous work is tiring, so they sit at only one computer and use a remote connection to connect to the server.

In 1999, I wrote an article, "Firewall Is Not a Panacea," which discussed various shortcomings inherent in the technology used in firewalls (Firewalls). I hoped that domestic suppliers and, especially developers, would stop fooling customers by claiming that their firewall is a panacea for all ills, and it will solve all the customer’s problems, ensuring reliable protection of all resources of the corporate network. However, this did not happen, and I want to return to this topic again. Moreover, as my experience of lecturing on information security shows, this issue is of keen interest to specialists who already use firewalls in their organizations.

There are a number of problems that I would like to talk about and which can be illustrated with an example. A firewall is simply a fence around your network. It may be so tall or so thick that you cannot climb over it or make a hole in it. But... this fence cannot detect when someone is digging a tunnel under it or walking across a bridge thrown over the fence. The ITU simply restricts access to certain points outside your fence.

People make mistakes

As you know, firewalls, like other security measures, are configured by people. And people tend to make mistakes, even information security specialists. It is this fact that many attackers exploit. It is enough to find just one weakness in the firewall settings, and that's it: from then on, "it's your problem." This is confirmed by various studies. For example, statistics collected in 1999 by the ICSA Association (http://www.icsa.net) show that up to 70% of all firewalls are vulnerable due to incorrect configuration and settings. I don't want to talk about the incompetence or low qualifications of the ITU administrator (although these reasons are by no means rare) - I will describe another example. Immediately after college, I ended up in the automation department of a large company. Internet protection was provided by a firewall, which was controlled by the administrator of the information security department. More than once I had to deal with a situation where friends from other departments of the company approached this administrator and asked him to temporarily allow them access to game servers. Once I witnessed a shocking incident. The head of the department for working with partners approached the ITU administrator and demanded access to one of the Internet resources. On being told that this was impossible, the boss threatened to make the administrator's life miserable, after which the latter had to follow the order and change the firewall settings. The most surprising thing is that the situation does not improve over time. We recently conducted a survey in one of the organizations and found exactly the same situation there. The firewall allowed access via the ICQ, RealAudio, etc. protocols. We began to find out why - it turned out that this was done at the request of an employee of one of the departments, with whom the administrator had developed friendly relations.

"Normal heroes always take a detour"

A fragment of a song from the children's film "Aibolit-66" perfectly illustrates the following problem inherent in firewalls. Why try to access protected resources through security measures when you can try to bypass them? This can be illustrated with an example from a related field. On Wednesday, February 21, 1990, Mary Pierham, a budget analyst for an American company, came to work. However, she was unable to enter her workplace even after entering the four-digit code and speaking the code word into the access control system. Still wanting to get to work, Mary walked around the building and opened the back door using a nail file and a plastic comb. The newest security system that Mary Pierham bypassed was advertised as "failsafe and reliable" and cost tens of thousands of dollars. It is the same with firewalls, except that here a modem serves as the back door. Do you know how many modems are installed on your network and what they are used for? Don't answer in the affirmative right away; think about it. While examining one network, the heads of the information security and automation departments swore up and down that they knew every single modem installed on their network. After running the Internet Scanner security analysis system, we did indeed find the modems they indicated, which were used to update the databases of the accounting and legal systems. However, two unknown modems were also discovered. One was used by an employee of the analytical department to gain access to working directories from home. The second modem was used to access the Internet, bypassing the firewall.