SlideShare a Scribd company logo

Stateful Inspection of FireWall-1

Dug Song
Dug Song

Slides from our Blackhat 2000 talk

Technology
1 of 29
Download to read offline
A Stateful Inspection of FireWall-1 Thomas Lopatic, John McDonald TÜV data protect GmbH data protect tl@dataprotect.com, jm@dataprotect.com Dug Song CITI at the University of Michigan dugsong@umich.edu T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 1
Overview • Architecture of FireWall-1 • Attacking the firewall’s state I • FWZ encapsulation • Attacking the firewall’s state II • Attacking authentication between firewall modules • Hardening FireWall-1 • The big picture T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 2
Stateful Inspection I virtual chain of fragments defrag ACCEPT pre-inspection “connections” “connections” virtual machine “pending” ACCEPT REJECT T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 3
Stateful Inspection II accepted UDP packet C S C any UDP replies accepted internal external client server • UDP “connections” • from a client, port C • to a server, port S + wildcard port • <s-address, s-port, d-address, d-port, protocol> T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 4
Stateful Inspection III “PORT 192,168,0,2,4,36” 21 > 1023 20 1060 data connection FTP server FTP client 172.16.0.2 192.168.0.2 “PASV” 21 > 1023 “227 ... (172,16,0,2,4,36)” 1060 > 1023 FTP server data connection FTP client 172.16.0.2 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 5
Topology Windows NT 194.221.6.149 194.221.6.159 Hub 172.16.0.1 192.168.0.1 Solaris Linux 172.16.0.2 192.168.0.2 Nokia IP-440 OpenBSD 192.168.0.3 Victim network Hostile network T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 6
Fastmode Services non-SYNs non-SYNs 172.16.0.x Internet • non-SYN packets accepted • Source port = fastmode service • Destination port = fastmode service • Stealth scanning (FINs, ...) T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 7
FTP “PORT” Parsing “PORT 172,16,0,258,p1,p2” 172.16.0.2 172.16.1.2 data connection Application: bounce attack “PORT 172,16,1349632,2,p1,p2” 1349632 = 65536 * (192 - 172) + 256 * (168 - 16) 172.16.0.2 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 8
FTP “PASV” Handling “XXXXXXXXXXXXXX227 (172,16,0,2,128,7)” 500 Invalid command giv en: XXXXXXXXXXXXXX 172.16.0.2 227 (172,16,0,2,128,7) 192.168.0.2 • Advertise small Maximal Segment Size • Server replies split T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 9
One-way Connections I TCP header + payload DROP Intranet ACCEPT TCP TCP header payload established one-way connection T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 10
One-way Connections II open one-way connection datagram A datagram B 172.16.0.2 open one-way connection 192.168.0.2 retransmission of B [...] T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 11
FWZ Encapsulation I 2. d-address = firewall, protocol = 94 1. original d-address, original protocol + modified IP payload encapsulation IP header info (obfuscated) • VPN tunneling protocol • Decapsulation without decryption or authentication • Cannot be disabled T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 12
FWZ Encapsulation II s-addr = 10.0.0.1 d-addr = 194.221.6.19 IP header d-addr = 131.159.1.1 encapsulation info 10.x.x.x 194.221.6.19 131.159.1.1 Key to spoofing attacks T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 13
Fake “PORT” Commands s-addr = 172.16.0.2 IP header d-addr = 192.168.0.1 “PORT TCP header + payload 172,16,0,2,128,7” d-addr = 192.168.0.2 encapsulation info fake “PORT” packet FTP client 192.168.0.1 192.168.0.2 172.16.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 14
RSH Error Connections I “error port is 1025” 1024 514 1025 < 1024 error connection RSH client RSH server 172.16.0.2 192.168.0.2 • <172.16.0.2, 1024, 192.168.0.2, 514, 6> in “connections” • <172.16.0.2, 1025, 192.168.0.2, magic, 6> in “pending” • Reversed matching T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 15
RSH Error Connections II • s-addr:s-port • s-addr:s-port • d-addr:magic • d-addr:magic • seq + 1 • seq + 1 SYN • 172.16.0.2:1024 • 192.168.0.2:magic • 250001 seq = 5 • s-addr:error-port • d-addr:magic • protocol packet #2 (port info) • 172.16.0.2:1025 • 172.16.0.2:32775 • 192.168.0.2:magic • 192.168.0.2:magic • 6 (TCP) • 6 = seq + 1 = TCP T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 16
Fake UDP Requests s-addr = 172.16.0.2 IP header d-addr = 192.168.0.1 s-port = 161 UDP header d-port = 53 d-addr = 192.168.0.2 encapsulation info fake DNS request DNS client 192.168.0.1 192.168.0.2 172.16.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 17
FWZ Encapsulation III s-addr = 131.159.1.1 d-addr = 194.221.6.19 IP header d-addr = 10.0.0.1 encapsulation info 10.x.x.x 194.221.6.19 131.159.1.1 Key to non-routable addresses T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 18
Anti-Spoofing Protection I 1. s-addr = 192.168.0.1 2. s-addr = 192.168.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.1 s-port = 161 s-port = any d-port = 53 d-port = 161 d-addr = 192.168.0.2 1. fake DNS request 2. tunnel to firewall 192.168.0.1 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 19
Anti-Spoofing Protection II 1. s-addr = 224.0.0.1 2. s-addr = 192.168.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.1 s-port = 161 s-port = 53 d-port = 53 d-port = 161 d-addr = 192.168.0.2 d-addr = 224.0.0.1 1. fake DNS request 2. tunnel to firewall 192.168.0.1 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 20
FireWall-1 Modules Port 258/TCP Management GUI module Port 256/TCP Authentication methods Security policy, status, logs S/Key, FWN1, FWA1 Filter Filter Filter module module module T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 21
Inter-Module Protocol Version Version Command IP addresses IP addresses Management Required authentication Filter module module Authentication Arguments, Result T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 22
S/Key Authentication Hashn(x) = Hash(Hash(... Hash(x))) = Hash(Hashn- 1(x)) n times Index = 99 Hash99(x) ... Index = 1 Hash1(x) Seed x (password hash) Calculate seed y, Hash100(y) Hash100(x) • “y = MakeSeed(time(NULL))” • Attack: brute force T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 23
FWN1 Authentication Random number R1 S1 = Hash(R1 + K) Random number R2 S2 = Hash(R2 + K) • Shared key K (“fw putkey”) • Attack: choose R2 = R1, so that S2 = S1 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 24
FWA1 Authentication Random number R1 S1 = Hash(R1 + K) Random number R2 S2 = Hash((R1 ^ R2) + K) • Shared key K (“fw putkey”) • Attack: choose R2 = 0, so that • R1 ^ R2 = R1 and • S2 = Hash((R1 ^ R2) + K) = Hash(R1 + K) = S1 • To be solved: encryption T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 25
Hardening I • Disable implicit rules • DNS • control connections • ICMP • Restrictive access rules • no “any” sources or destinations • deny broadcast / multicast addresses • “minimal privilege” • Properly configure anti-spoofing mechanism • Filter protocol 94 (e.g. IP Filter) T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 26
Hardening II • Different (virtual) IP addresses for public services • Restrict control connections • FWA1 authentication • VPN technology • More than one line of defense! T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 27
Fixes by Check Point Solutions by Check Point available today at http://www.checkpoint.com/techsupport T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 28
Thanks. Thomas Lopatic John McDonald Dug Song tl@dataprotect.com jm@dataprotect.com dugsong@umich.edu T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 29

Recommended

Open-E DSS Synchronous Volume Replication over a WAN
Open-E DSS Synchronous Volume Replication over a WANOpen-E DSS Synchronous Volume Replication over a WAN
Open-E DSS Synchronous Volume Replication over a WANopen-e
 
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...open-e
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless NetworkDug Song
 
Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Dug Song
 
Startups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessStartups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessDug Song
 
From the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityFrom the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityDug Song
 
A Hacker's Life
A Hacker's LifeA Hacker's Life
A Hacker's LifeDug Song
 

Recommended

Open-E DSS Synchronous Volume Replication over a WAN
Open-E DSS Synchronous Volume Replication over a WANOpen-E DSS Synchronous Volume Replication over a WAN
Open-E DSS Synchronous Volume Replication over a WANopen-e
 
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...
Step-by-Step Guide to NAS (NFS) Failover over a LAN (with unicast) Supported ...open-e
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless NetworkDug Song
 
Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Dug Song
 
Startups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessStartups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessDug Song
 
From the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityFrom the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityDug Song
 
A Hacker's Life
A Hacker's LifeA Hacker's Life
A Hacker's LifeDug Song
 
The Balanced Engineer
The Balanced EngineerThe Balanced Engineer
The Balanced EngineerDug Song
 
Letter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnLetter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnDug Song
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteDug Song
 
Entrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborEntrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborDug Song
 
Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Dug Song
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 
Silver Needle in the Skype
Silver Needle in the SkypeSilver Needle in the Skype
Silver Needle in the SkypeDug Song
 
Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Dug Song
 
Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Dug Song
 
SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)Dug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)Dug Song
 
Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Dug Song
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

More Related Content

More from Dug Song

The Balanced Engineer
The Balanced EngineerThe Balanced Engineer
The Balanced EngineerDug Song
 
Letter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnLetter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnDug Song
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteDug Song
 
Entrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborEntrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborDug Song
 
Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Dug Song
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 
Silver Needle in the Skype
Silver Needle in the SkypeSilver Needle in the Skype
Silver Needle in the SkypeDug Song
 
Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Dug Song
 
Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Dug Song
 
SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)Dug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)Dug Song
 
Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Dug Song
 

More from Dug Song (14)

The Balanced Engineer
The Balanced EngineerThe Balanced Engineer
The Balanced Engineer
 
Letter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnLetter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence Inn
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test Suite
 
Entrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborEntrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann Arbor
 
Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gle
 
Silver Needle in the Skype
Silver Needle in the SkypeSilver Needle in the Skype
Silver Needle in the Skype
 
Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)
 
Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)
 
SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm Activity
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm Activity
 
A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)
 
Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Stateful Inspection of FireWall-1

  • 1. A Stateful Inspection of FireWall-1 Thomas Lopatic, John McDonald TÜV data protect GmbH data protect tl@dataprotect.com, jm@dataprotect.com Dug Song CITI at the University of Michigan dugsong@umich.edu T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 1
  • 2. Overview • Architecture of FireWall-1 • Attacking the firewall’s state I • FWZ encapsulation • Attacking the firewall’s state II • Attacking authentication between firewall modules • Hardening FireWall-1 • The big picture T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 2
  • 3. Stateful Inspection I virtual chain of fragments defrag ACCEPT pre-inspection “connections” “connections” virtual machine “pending” ACCEPT REJECT T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 3
  • 4. Stateful Inspection II accepted UDP packet C S C any UDP replies accepted internal external client server • UDP “connections” • from a client, port C • to a server, port S + wildcard port • <s-address, s-port, d-address, d-port, protocol> T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 4
  • 5. Stateful Inspection III “PORT 192,168,0,2,4,36” 21 > 1023 20 1060 data connection FTP server FTP client 172.16.0.2 192.168.0.2 “PASV” 21 > 1023 “227 ... (172,16,0,2,4,36)” 1060 > 1023 FTP server data connection FTP client 172.16.0.2 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 5
  • 6. Topology Windows NT 194.221.6.149 194.221.6.159 Hub 172.16.0.1 192.168.0.1 Solaris Linux 172.16.0.2 192.168.0.2 Nokia IP-440 OpenBSD 192.168.0.3 Victim network Hostile network T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 6
  • 7. Fastmode Services non-SYNs non-SYNs 172.16.0.x Internet • non-SYN packets accepted • Source port = fastmode service • Destination port = fastmode service • Stealth scanning (FINs, ...) T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 7
  • 8. FTP “PORT” Parsing “PORT 172,16,0,258,p1,p2” 172.16.0.2 172.16.1.2 data connection Application: bounce attack “PORT 172,16,1349632,2,p1,p2” 1349632 = 65536 * (192 - 172) + 256 * (168 - 16) 172.16.0.2 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 8
  • 9. FTP “PASV” Handling “XXXXXXXXXXXXXX227 (172,16,0,2,128,7)” 500 Invalid command giv en: XXXXXXXXXXXXXX 172.16.0.2 227 (172,16,0,2,128,7) 192.168.0.2 • Advertise small Maximal Segment Size • Server replies split T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 9
  • 10. One-way Connections I TCP header + payload DROP Intranet ACCEPT TCP TCP header payload established one-way connection T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 10
  • 11. One-way Connections II open one-way connection datagram A datagram B 172.16.0.2 open one-way connection 192.168.0.2 retransmission of B [...] T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 11
  • 12. FWZ Encapsulation I 2. d-address = firewall, protocol = 94 1. original d-address, original protocol + modified IP payload encapsulation IP header info (obfuscated) • VPN tunneling protocol • Decapsulation without decryption or authentication • Cannot be disabled T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 12
  • 13. FWZ Encapsulation II s-addr = 10.0.0.1 d-addr = 194.221.6.19 IP header d-addr = 131.159.1.1 encapsulation info 10.x.x.x 194.221.6.19 131.159.1.1 Key to spoofing attacks T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 13
  • 14. Fake “PORT” Commands s-addr = 172.16.0.2 IP header d-addr = 192.168.0.1 “PORT TCP header + payload 172,16,0,2,128,7” d-addr = 192.168.0.2 encapsulation info fake “PORT” packet FTP client 192.168.0.1 192.168.0.2 172.16.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 14
  • 15. RSH Error Connections I “error port is 1025” 1024 514 1025 < 1024 error connection RSH client RSH server 172.16.0.2 192.168.0.2 • <172.16.0.2, 1024, 192.168.0.2, 514, 6> in “connections” • <172.16.0.2, 1025, 192.168.0.2, magic, 6> in “pending” • Reversed matching T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 15
  • 16. RSH Error Connections II • s-addr:s-port • s-addr:s-port • d-addr:magic • d-addr:magic • seq + 1 • seq + 1 SYN • 172.16.0.2:1024 • 192.168.0.2:magic • 250001 seq = 5 • s-addr:error-port • d-addr:magic • protocol packet #2 (port info) • 172.16.0.2:1025 • 172.16.0.2:32775 • 192.168.0.2:magic • 192.168.0.2:magic • 6 (TCP) • 6 = seq + 1 = TCP T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 16
  • 17. Fake UDP Requests s-addr = 172.16.0.2 IP header d-addr = 192.168.0.1 s-port = 161 UDP header d-port = 53 d-addr = 192.168.0.2 encapsulation info fake DNS request DNS client 192.168.0.1 192.168.0.2 172.16.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 17
  • 18. FWZ Encapsulation III s-addr = 131.159.1.1 d-addr = 194.221.6.19 IP header d-addr = 10.0.0.1 encapsulation info 10.x.x.x 194.221.6.19 131.159.1.1 Key to non-routable addresses T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 18
  • 19. Anti-Spoofing Protection I 1. s-addr = 192.168.0.1 2. s-addr = 192.168.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.1 s-port = 161 s-port = any d-port = 53 d-port = 161 d-addr = 192.168.0.2 1. fake DNS request 2. tunnel to firewall 192.168.0.1 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 19
  • 20. Anti-Spoofing Protection II 1. s-addr = 224.0.0.1 2. s-addr = 192.168.0.2 d-addr = 192.168.0.1 d-addr = 192.168.0.1 s-port = 161 s-port = 53 d-port = 53 d-port = 161 d-addr = 192.168.0.2 d-addr = 224.0.0.1 1. fake DNS request 2. tunnel to firewall 192.168.0.1 192.168.0.2 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 20
  • 21. FireWall-1 Modules Port 258/TCP Management GUI module Port 256/TCP Authentication methods Security policy, status, logs S/Key, FWN1, FWA1 Filter Filter Filter module module module T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 21
  • 22. Inter-Module Protocol Version Version Command IP addresses IP addresses Management Required authentication Filter module module Authentication Arguments, Result T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 22
  • 23. S/Key Authentication Hashn(x) = Hash(Hash(... Hash(x))) = Hash(Hashn- 1(x)) n times Index = 99 Hash99(x) ... Index = 1 Hash1(x) Seed x (password hash) Calculate seed y, Hash100(y) Hash100(x) • “y = MakeSeed(time(NULL))” • Attack: brute force T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 23
  • 24. FWN1 Authentication Random number R1 S1 = Hash(R1 + K) Random number R2 S2 = Hash(R2 + K) • Shared key K (“fw putkey”) • Attack: choose R2 = R1, so that S2 = S1 T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 24
  • 25. FWA1 Authentication Random number R1 S1 = Hash(R1 + K) Random number R2 S2 = Hash((R1 ^ R2) + K) • Shared key K (“fw putkey”) • Attack: choose R2 = 0, so that • R1 ^ R2 = R1 and • S2 = Hash((R1 ^ R2) + K) = Hash(R1 + K) = S1 • To be solved: encryption T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 25
  • 26. Hardening I • Disable implicit rules • DNS • control connections • ICMP • Restrictive access rules • no “any” sources or destinations • deny broadcast / multicast addresses • “minimal privilege” • Properly configure anti-spoofing mechanism • Filter protocol 94 (e.g. IP Filter) T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 26
  • 27. Hardening II • Different (virtual) IP addresses for public services • Restrict control connections • FWA1 authentication • VPN technology • More than one line of defense! T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 27
  • 28. Fixes by Check Point Solutions by Check Point available today at http://www.checkpoint.com/techsupport T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 28
  • 29. Thanks. Thomas Lopatic John McDonald Dug Song tl@dataprotect.com jm@dataprotect.com dugsong@umich.edu T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 29