Security Basics mailing list archives

Re: Firewall question - how easy is it to get thru - Proof


From: krymson () gmail com
Date: Wed, 23 Feb 2011 12:25:30 -0700

Summary: You're never really attacking the firewall itself directly, or beating it. You're going through or around it. 
This isn't an IPS that you can fragment through, spoof, or fool. Modern firewalls are often just allow or drop. The 
proper response to a demo of an attack is to first talk about firewalls (and patches), but there's obviously more to it 
than firewall == solution.


Long version:
I think it might be best to make some assumptions here. 

1- You have 3 different attacks you can send to a server using Metasploit.

2- One of those attacks hits IIS 5.0.

3- The other 2 attack the server, say using MS08-067 or something similar, which uses ports 445, 135-139...

4- You put up a network firewall between yourself and the server that acts like a normal, properly configured firewall 
would. It allows ports 80/443 so the web server can do its business, and it blocks everything else.

In this situation, how long would it take you to bust through the firewall and take over the server?

For the IIS 5.0 attack, you'll still always be able to launch your attack and upload files. If the firewall blocks all 
outbound initiated connections *from* the web server back to you, you might be able to stop shell access or other 
callback methods. If your backdoor takes place from your system to the web server over 80/443, that will still be 
allowed.

For the other attacks, the firewall will always cause them to fail because it is just not letting you through those 
ports.

If there are exceptions, for instance someone at home wants those ports open to them on their home IP address, you 
*could* spoof their IP address and do some damage. If you're somewhere else in the world, you could send inbound 
traffic, but you won't get anything back because the responses will go to the legit IP. But if you get right outside 
the firewall, you can grab the responses before they get out. In a lab or local network, this works nicely to demonstrate 
spoofing issues, but in the real world of the Internet, attackers almost never are close enough to make such an attack a 
reality.

Of course, if you're close enough to the firewall (in a lab or the local network) you can do other things. The more 
time you have, the more interesting those options get...
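The following is an added example, not part of the original post: a toy first-match packet filter that models the four assumptions above (80/443 open to the web server, a narrow SMB exception for one home IP, egress from the server dropped, default drop) and runs the post's scenarios through it. All addresses are constructed from RFC 5737 documentation ranges, and the rule and scenario names are assumptions made here, not a real firewall's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addresses (RFC 5737 documentation ranges), not real hosts.
WEB_SERVER = "10.0.0.5"
HOME_IP = "203.0.113.7"      # the "someone at home" exception from the post
ATTACKER = "198.51.100.9"    # attacker somewhere else on the Internet


@dataclass(frozen=True)
class Packet:
    """A connection-initiating (SYN) packet as seen by the firewall."""
    src: str
    dst: str
    dport: int


def direction_of(pkt: Packet) -> str:
    """'in' = toward the web server, 'out' = initiated by the web server."""
    return "in" if pkt.dst == WEB_SERVER else "out"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    direction: str               # "in" or "out"
    dport: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None    # CIDR; None matches any source address

    def matches(self, pkt: Packet) -> bool:
        if direction_of(pkt) != self.direction:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


# The "normal, properly configured" firewall: 80/443 open to the web server,
# SMB only from the one home IP, nothing initiated outbound by the server.
PROPER_RULES = [
    Rule("allow", "in", 80),
    Rule("allow", "in", 443),
    Rule("allow", "in", 445, src=f"{HOME_IP}/32"),
    Rule("allow", "in", 139, src=f"{HOME_IP}/32"),
    Rule("drop", "out"),
]

# The same ruleset with the exception written without a source restriction,
# which is the mistake that turns "someone at home" into "everyone".
SLOPPY_RULES = [
    Rule("allow", "in", 80),
    Rule("allow", "in", 443),
    Rule("allow", "in", 445),
    Rule("drop", "out"),
]


def decide(pkt: Packet, rules: list[Rule]) -> str:
    """First matching rule wins; the implicit final rule is drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def reply_goes_to(pkt: Packet) -> str:
    """The server answers the source address the packet carried, so a
    spoofed SYN has its SYN/ACK delivered to the spoofed host, not to us."""
    return pkt.src


# The post's three attacks plus the two ways a shell could be reached.
SCENARIOS = {
    "iis5_exploit_over_80": Packet(ATTACKER, WEB_SERVER, 80),
    "ms08_067_over_445": Packet(ATTACKER, WEB_SERVER, 445),
    "ms08_067_spoofed_as_home_ip": Packet(HOME_IP, WEB_SERVER, 445),
    "reverse_shell_callback_4444": Packet(WEB_SERVER, ATTACKER, 4444),
    "web_shell_request_over_80": Packet(ATTACKER, WEB_SERVER, 80),
}


def run(rules: list[Rule]) -> dict[str, str]:
    """Verdict for every scenario under the given ruleset."""
    return {name: decide(pkt, rules) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run(PROPER_RULES).items():
        print(f"{name:32s} -> {verdict}")
    spoofed = SCENARIOS["ms08_067_spoofed_as_home_ip"]
    print("spoofed SYN/ACK is delivered to", reply_goes_to(spoofed), "not", ATTACKER)
    print("sloppy exception lets MS08-067 through:", run(SLOPPY_RULES)["ms08_067_over_445"])
```

Under PROPER_RULES the IIS exploit and the web-shell request are allowed because they ride the port the server must expose; MS08-067 is dropped; the spoofed SMB packet is allowed through but its reply is routed to the home IP, which is exactly why the spoof only pays off when the attacker is close enough to sniff that reply; and the reverse-shell callback is dropped by the egress rule. Swapping in SLOPPY_RULES shows the practical caveat: an exception without a source restriction lets the 445 attack in from anywhere.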
