Security Basics mailing list archives
RE: RE: Firewall question - how easy is it to get thru - Proof
From: Shane Anglin <shane.anglin () gmail com>
Date: Thu, 17 Feb 2011 12:15:42 -0500
Since web apps were mentioned... If one is concerned with outsiders sending malicious traffic (e.g. SQL injections, buffer overflows, etc.) to your internal web applications, WAFs (web application firewalls) are a piece of the puzzle to add in behind the Internet firewall before the traffic reaches the internal app/web server (ignoring talk of DMZs and reverse proxies for now). They check for lots of attack vectors (SQL injection, etc.)... examples = Imperva, Barracuda, etc. WAFs.

Be aware that the WAF (or any traffic inspection device) needs to be able to read the data, so for simple SSL web server setups, the WAF would need the private keys of the internal web server loaded so it can use the private key to decrypt the traffic (not best practice to throw your private keys into the DMZ, by the way, but it may be your only option depending on overall design)... assuming no load balancers in front of the web servers or WAF (most of which could terminate SSL at the layer before the WAF and pass the initial HTTPS traffic back as HTTP to the internal web server)... all this depends on what network design and equipment you have, how it is cabled, routed and ACL'ed, and what regulatory compliance you fall under for those network segments... lots of factors to consider for your own implementation.

Maybe a bit clearer example: To inspect SSL traffic bound for internal web server(s), you would need to terminate the inbound SSL on some device (firewall, load balancer, etc.), then transport it over 80 (plain text) to the internal web server(s). At some point after the traffic leaves the device that is sending it as HTTP/plaintext, you could insert a WAF there with no need for exposing your private keys to a DMZ device. Placing the WAF inline is the most secure (but adds an operational concern)... placing it via port mirror/SPAN should be your second choice, although some SYN attacks can be propagated before a port-mirrored WAF can perform a TCP reset and so on.
Here's a logical flow placing the WAF inline behind the DMZ_LoadBalancer... (again, location is dependent on your setup and requirements)...

WebClientBrowser --HTTPS--> InternetFirewall --HTTP--> ***INLINE--WebAppFW--INLINE***> DMZ_LoadBalancer --HTTP--> DMZ_Reverse_Proxy --HTTP--> DMZ_Firewall --HTTP--> InternalLANWebServer <--SQLQuery--> InternalLANAppServer <--> InternalLANDatabaseserver

Regards,
Shane Anglin

________________________________________
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of vedantamsekhar () gmail com
Sent: Wednesday, February 16, 2011 10:37 AM
To: drmarkabaiter () gmail com; Francois Yang
Cc: security-basics () securityfocus com
Subject: RE: Firewall question - how easy is it to get thru - Proof

If you are talking about network firewalls, they can look up the packet up to Layer 3 but can't protect against application level attacks. Of course some firewalls like Checkpoint have the SmartDefense concept which, they claim, can protect against application level attacks, but it is very limited. Application level attacks like remote code execution, SQL injection, buffer overflows, URL open redirects and many more can't be protected by network firewalls. How easy it is really varies from application to application. Some coders are lazy enough that, for one of the applications, I could even shut down the back end database. But if you are asking about bypassing firewalls to access vulnerable services of internal servers, I think we need to work hard... it's not so easy..

Hope it may have helped you...

Thanks,
Sekhar
Sent from my Nokia phone

-----Original Message-----
From: Francois Yang
Sent: 15/02/2011 9:43:07 pm
To: drmarkabaiter () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Firewall question - how easy is it to get thru - Proof

Read up on browser exploits and how they can bypass firewalls. Once an internal computer is compromised it can be used as a launching pad to attack internal servers. Do you have any web filtering systems? Or IPS/IDS monitoring web access? Is your network a flat LAN where your users are on the same LAN as your critical servers? How often are your servers and workstations updated? etc..... there's more, but the browser exploit is a good example of how a firewall is not good enough nowadays. Also what kind of FW do you have? A standard FW won't look at the application layer so someone can send anything through an open port. Hope this helps a little.

Frank

On Mon, Feb 14, 2011 at 8:53 AM, Rivest, Philippe <PRivest () transforcecompany com> wrote:
Quick question. When I do an audit and when I find a major flaw or deficiency, IT always tells me "it's because you're in the internal LAN, we have a firewall protecting us". I know you have all heard that. So I try to explain that you could attack through physical security, social engineering, viruses and a lot of other ways, and in the end I always add "Someone more 'expert' in firewalls could bypass it". I don't really need a "how-to" but I'm looking for proof and a time frame on how long it normally takes for a real hacker/cracker to attack and bypass (where possible) a firewall control (IPS/IDS also!). I know this is not a click-click-you're-done type of job, but I know it's possible. Thanks for any links or advice!

Important: Please note that my new email address is privest () transforcecompany com
Please note that my new website address is http://www.transforcecompany.com

Philippe Rivest - CISA, CISSP, CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Linkedin: http://ca.linkedin.com/pub/philippe-rivest/20/19a/232
6600 Saint-François, Saint-Laurent (Quebec) H4S 1B7
Tel.: 514-331-4417
Fax: 514-856-7541
www.transforcecompany.com

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Shane Anglin
Shane.Anglin () gmail com
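The plaintext hop Shane describes (SSL terminated at the firewall or load balancer, the WAF inspecting plain HTTP before the internal web server), as an added illustration that is not part of the thread or of any vendor's product: a small inspector that first checks it is really seeing plaintext rather than an un-terminated TLS record (in which case it has nothing to read without the private key), then scans the decoded request fields. The rule set and the sample requests are constructed for the example.

```python
"""Inspector for the plaintext hop: TLS terminated upstream, request arrives as
plain HTTP, verdict produced before forwarding to the internal web server.
Constructed example; the signatures are illustrative, not a vendor rule set."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical SQL-injection signatures applied to the *decoded* fields.
SQLI_RULES = {
    "union-select": re.compile(r"(?i)\bunion\b[\s\S]+\bselect\b"),
    "tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "comment-trailer": re.compile(r"(?:--|/\*)\s*$"),
    "stacked-query": re.compile(r"(?i);\s*(?:drop|insert|update|delete)\b"),
}


def is_tls_record(data: bytes) -> bool:
    """A TLS handshake record starts 0x16 0x03 0x0X. Seeing it here means the
    upstream device did not terminate SSL, so the inspector cannot read the
    request (Shane's point about otherwise needing the server's private key)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def inspect(raw: bytes) -> dict:
    """Return a verdict dict: 'opaque', 'block' or 'allow', with the reason."""
    if is_tls_record(raw):
        return {"verdict": "opaque", "reason": "TLS not terminated upstream"}
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return {"verdict": "block", "reason": "malformed request line"}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Scan what the application will actually consume: decoded path, query
    # values and form-body values, so %-encoded variants do not slip past.
    fields = [unquote_plus(url.path)]
    fields += [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [v for _, v in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)]
    for value in fields:
        for rule, pattern in SQLI_RULES.items():
            if pattern.search(value):
                return {"verdict": "block", "reason": rule, "field": value}
    # After termination the original scheme is gone; only the terminator's
    # X-Forwarded-Proto header tells the backend whether the client used HTTPS.
    return {"verdict": "allow", "client_scheme": headers.get("x-forwarded-proto", "http")}
```

If the terminator is not setting X-Forwarded-Proto, the backend sees every request as plain HTTP, which matters for anything that decides on secure cookies or redirects based on the scheme.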