Security Basics mailing list archives

RE: Firewall question - how easy is it to get thru - Proof


From: "Mark Brunner" <kohi10 () rogers com>
Date: Thu, 17 Feb 2011 11:22:26 -0500

Philippe,

Your question assumes that we understand the firewall's ruleset.  Firewalls
can only reject malicious or improperly formed packets, addresses, or
session states. They do this based on configurable rules.  Whatever the
rules are determines what gets in and what gets dropped.  New firewalls
integrate with Active Directory, web content filters, DLP and other
appliances to add greater controls.

In the real world, many attacks are making their way into businesses via SQL
injections. Drive-by web attacks and Fake A-V are other examples of firewall
bypass. These work because they appear to the firewall to be real, normal
traffic.  Firewalls need to be augmented, with things like Web-application
firewalls, enforced hardening, IPS/IDS/DLP, content filtering, extensive
patch and vulnerability management practices, access/privilege standards and
user education.

Example of SQL Injection:
Anonymous recently attacked HBGary and HBGary Federal, using SQL Injection
to get at a server.  Once inside, they compromised an email server.  They
took over key email identities, and used Social Engineering to get
passwords.  They got root, and did all kinds of mischief and mayhem.

Examples of DIRECT firewall attacks:
In 2010, a security researcher demonstrated a novel attack at the CanSecWest
security conference. He calls his technique the "Jedi Packet Trick". It
installs a VPN inside a firewall by hacking the firmware of the firewall's
networking interface cards.

Two researchers from the French Network and Information Security Agency
developed an attack that exploits a bug in a remote-management feature in
Broadcom's NetXtreme cards. Their attack installs a back door on a Linux
computer, though they claim that it could easily be modified to target any
operating system. 

There have been more recent vulnerabilities announced in many wired and
wireless firewalls and routers.  Check the CVE database at NIST or Mitre for
those.

If you want more proof of attacks, I suggest that YOU do your own research,
and start by Googling some of the terms above.  Just my 2¢.

Mark B.
Information Security Manager & Consultant 
Greater Toronto Area, Ontario Canada
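
Added example, not part of the original post: a first-match packet filter next to a minimal application-layer check, showing why a request that fits an allowed address/port rule passes the firewall whatever its content. The ruleset, the 203.0.113.10 address, the signature list and the sample requests are all constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote_plus

# Constructed ruleset (documentation address 203.0.113.10 is an assumption):
# (action, protocol, destination network, destination port or None for any)
RULES = [
    ("allow", "tcp", "203.0.113.10/32", 80),
    ("allow", "tcp", "203.0.113.10/32", 443),
    ("deny", "any", "0.0.0.0/0", None),  # default deny
]

def l4_verdict(proto, dst_ip, dst_port):
    """First-match packet filter: sees protocol, address and port only."""
    addr = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in RULES:
        if r_proto not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"

# Tiny illustrative signature list; a real WAF rule set is far broader.
SQLI_MARKERS = ("' or ", "union select", ";drop ")

def l7_verdict(request_line):
    """Application-layer check: decode the URL, then look at its content."""
    decoded = unquote_plus(request_line).lower()
    return "block" if any(m in decoded for m in SQLI_MARKERS) else "pass"

def inspect(conn):
    """Return (packet-filter verdict, application-layer verdict)."""
    l4 = l4_verdict(conn["proto"], conn["dst_ip"], conn["dst_port"])
    return l4, (l7_verdict(conn["request"]) if l4 == "allow" else "n/a")

# Constructed sample connections, not captured traffic.
SAMPLES = [
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 80,
     "request": "GET /item?id=27 HTTP/1.1"},
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 80,
     "request": "GET /item?id=27%27+OR+%271%27%3D%271 HTTP/1.1"},
    {"proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 3306, "request": ""},
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c["dst_port"], c["request"] or "-", inspect(c))
```

The first two samples get the same packet-filter verdict; only the content check tells them apart, which is the gap a web-application firewall or IPS is meant to cover.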


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Rivest, Philippe
Sent: Tuesday, February 15, 2011 3:53 PM
Cc: security-basics () securityfocus com
Subject: RE: Firewall question - how easy is it to get thru - Proof

Hi,

I'd like to thank everyone for your very good answers. I'm however looking
for a proof of concept on how easy/quick it would be for a hacker/cracker to
bypass a firewall. Let's take a generic Checkpoint or whatever you want. I
know of a few ways to bypass layer 3 controls, such as web browsers and
application issues. The outbound solution provided earlier is really true!

But let's say they do all that. They have a single PC and a Firewall and an
Internet connection.
How hard (proof) would it be to just attack the FW and get thru it? Without
any circumvention. Just plain "brute force" :P

I don't care too much about detection. I'm looking for the level of
difficulty & the time frame.

Any documents would be more than appreciated!

Thanks :P


 
Important: 
Please note that my new email address is privest () transforcecompany com
Please note that my new website address is http://www.transforcecompany.com

 
 

Philippe Rivest - CISA, CISSP, CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Linkedin: http://ca.linkedin.com/pub/philippe-rivest/20/19a/232
   
6600 Saint-François
Saint-Laurent (Quebec) H4S 1B7
Tel.: 514-331-4417
Fax: 514-856-7541
www.transforcecompany.com
 
 
 
 
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Francois Yang
Sent: 15 February 2011 11:13
To: drmarkabaiter () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Firewall question - how easy is it to get thru - Proof

Read up on browser exploits and how they can bypass firewalls.
Once an internal computer is compromised it can be used as a launching pad
to attack internal servers.
Do you have any web filtering systems? Or IPS/IDS monitoring web access?
Is your network a flat LAN where your users are on the same LAN as your
critical servers?
How often are your servers and workstations updated?
Etc... there's more, but the browser exploit is a good example of how a
firewall is not good enough nowadays.
Also what kind of FW do you have? A standard FW won't look at the
application layer so someone can send anything thru an open port.
Hope this helps a little.

Frank

On Mon, Feb 14, 2011 at 8:53 AM, Rivest, Philippe
<PRivest () transforcecompany com> wrote:
Quick question.

When I do an audit and when I find a major flaw or deficiency, IT always
tells me "it's because you're in the internal LAN, we have a firewall
protecting us". I know you have all heard that. So I try to explain that you
could attack thru physical security, social engineering, viruses and a lot of
other ways and in the end I always add "Someone more "expert" in Firewall
could bypass it".

I don't really need a "how-to" but I'm looking for proof and a time frame
on how long it normally takes for a real hacker/cracker to attack and bypass
(where possible) a Firewall control (IPS/IDS also!).

I know this is not a click-click you're done type of job, but I know it's
possible.

Thanks for any links or advice!




