A Stateful Inspection of FireWall-1: Thomas Lopatic, John McDonald, TÜV data protect GmbH


T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000 (32 slides)


A Stateful Inspection of FireWall-1
Thomas Lopatic, John McDonald
TÜV data protect GmbH
[email protected], [email protected]
Dug Song
CITI at the University of Michigan
[email protected]
Overview
Architecture of FireWall-1
Attacking the firewall's state I
FWZ encapsulation
Attacking the firewall's state II
Attacking authentication between firewall modules
Hardening FireWall-1
The big picture
Topology
[Diagram: the test network, with one side labelled "Victim network" and the other "Hostile network". Hosts and addresses shown: Solaris 172.16.0.2; Windows NT 172.16.0.1 / 194.221.6.159; Nokia IP-440 194.221.6.149 / 192.168.0.1; OpenBSD 192.168.0.3; Linux 192.168.0.2; a hub.]
Problems in Inspection
Unreliable / unauthenticated input
Layering restrictions on inspection
Layering violations in inspection
Ambiguous end-to-end semantics
Example: Airport Security
Unreliable / unauthenticated input: examining baggage tags
Layering restrictions on inspection: examining shape, size, weight
Layering violations in inspection: parallelizing bag content inspection
Ambiguous end-to-end semantics: checking for known contraband
Classification of the Attacks
Unreliable / unauthenticated input: TCP fastmode
Layering restrictions on inspection: FWZ VPN encapsulation
Layering violations in inspection: FTP data connection handling, unidirectional TCP data flow, RSH error connection handling
Ambiguous end-to-end semantics: parsing of FTP PORT commands
FireWall-1 Modules
[Diagram: a GUI, a management module and three filter modules. Connections shown: port 256/TCP, carrying security policy, status and logs; port 258/TCP. Authentication methods for these connections: S/Key, FWN1, FWA1.]
Inter-Module Protocol
[Diagram: exchange between management module and filter module. Each side sends its version and its IP addresses; then a command is sent, the required authentication is stated, authentication takes place, and arguments and result follow.]
S/Key Authentication
$\mathrm{Hash}^{n}(x) = \mathrm{Hash}(\mathrm{Hash}(\ldots \mathrm{Hash}(x))) = \mathrm{Hash}(\mathrm{Hash}^{n-1}(x))$, the hash applied $n$ times
Seed $x$ (password hash)
Chain: $\mathrm{Hash}^{100}(x)$; index 99: $\mathrm{Hash}^{99}(x)$; ...; index 1: $\mathrm{Hash}^{1}(x)$
Calculate seed $y$ and $\mathrm{Hash}^{100}(y)$, with y = MakeSeed(time(NULL))
Attack: brute force
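The following is an added example, not code from the talk or from FireWall-1. It models the chain above and the reason the slide calls the attack a brute force: the seed y is derived from the clock alone, so an eavesdropper who has seen a single one-time password Hash^i(y) can try every plausible clock value until the chain reproduces it, and from then on owns the rest of the chain. SHA-256 as Hash, the body of make_seed() and the time window are this example's assumptions.

```python
"""S/Key-style one-time-password chain with a clock-derived seed.

Added example, not code from the talk or from FireWall-1. The slide
gives only the chain definition Hash^n(x), the stored value Hash^100(y)
and the seed derivation y = MakeSeed(time(NULL)); SHA-256 as Hash and
the body of make_seed() are this example's stand-ins.
"""
import hashlib
import struct

CHAIN_LENGTH = 100          # Hash^100(y) is what the verifier stores first


def h(data):
    return hashlib.sha256(data).digest()


def hash_n(x, n):
    """Hash^n(x) = Hash(Hash^(n-1)(x)), with Hash^0(x) = x."""
    for _ in range(n):
        x = h(x)
    return x


def make_seed(t):
    """Stand-in for MakeSeed(time(NULL)): the clock value is the only
    input, so the seed has no more entropy than the attacker's
    uncertainty about the clock."""
    return h(b"makeseed:" + struct.pack(">I", t))


def verifier_setup(t):
    """Verifier: derive y from the clock and keep Hash^100(y)."""
    y = make_seed(t)
    return {"stored": hash_n(y, CHAIN_LENGTH), "index": CHAIN_LENGTH - 1}


def otp_response(y, index):
    """Prover: the one-time password for index i is Hash^i(y)."""
    return hash_n(y, index)


def verifier_check(state, response):
    """Hash(response) must equal the stored value; on success the
    response becomes the new stored value and the index steps down."""
    if state["index"] < 1 or h(response) != state["stored"]:
        return False
    state["stored"] = response
    state["index"] -= 1
    return True


def brute_force_seed(observed, index, t_low, t_high):
    """Attacker: from one response Hash^index(y) seen on the wire, try
    every clock value in the window until the chain reproduces it."""
    for t in range(t_low, t_high):
        y = make_seed(t)
        if hash_n(y, index) == observed:
            return t, y
    return None


def demo(setup_time=954000000, window=300):
    """Constructed scenario: the verifier was seeded at setup_time; the
    attacker eavesdrops one legitimate login, brute-forces +-window
    seconds around a guess of that time, then logs in three more times
    with the recovered seed."""
    state = verifier_setup(setup_time)
    y_real = make_seed(setup_time)
    first = otp_response(y_real, state["index"])
    assert verifier_check(state, first)        # the legitimate login
    hit = brute_force_seed(first, CHAIN_LENGTH - 1,
                           setup_time - window, setup_time + window)
    if hit is None:
        return None
    t_found, y_guess = hit
    stolen = [verifier_check(state, otp_response(y_guess, state["index"]))
              for _ in range(3)]
    return t_found, all(stolen)


if __name__ == "__main__":
    print(demo())
```

The window here is a few hundred seconds; a real attacker would widen it to the plausible range of installation times, and the cost is only one short hash chain per candidate. The fix is not a longer chain but a seed that does not depend on a guessable value.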
FWN1 Authentication
Shared key K (fw putkey)
Random number $R_1$, $S_1 = \mathrm{Hash}(R_1 + K)$
Random number $R_2$, $S_2 = \mathrm{Hash}(R_2 + K)$
Attack: choose $R_2 = R_1$, so that $S_2 = S_1$
FWA1 Authentication
Shared key K (fw putkey)
Random number $R_1$, $S_1 = \mathrm{Hash}(R_1 + K)$
Random number $R_2$, $S_2 = \mathrm{Hash}((R_1 \oplus R_2) + K)$ ($\oplus$ is XOR)
Attack: choose $R_2 = 0$, so that $R_1 \oplus R_2 = R_1$ and $S_2 = \mathrm{Hash}((R_1 \oplus R_2) + K) = \mathrm{Hash}(R_1 + K) = S_1$
To be solved: encryption
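An added example covering both the FWN1 and the FWA1 slides, not FireWall-1 code: a simulation of the two challenge-response schemes in which a peer that does not know K completes authentication by reflecting the victim's own answer. Only the formulas come from the slides; SHA-256, the nonce length and the message ordering (the victim answers the peer's nonce before it has seen the peer's proof) are assumptions, and the "ROLEBOUND" scheme is this example's own addition showing what closes the hole. The encryption the slide says still has to be dealt with is ignored here.

```python
"""Reflection attacks on the FWN1 and FWA1 challenge-response schemes,
plus a role-bound variant that resists them.

Added example, not FireWall-1 code. Only the formulas come from the
slides:
    FWN1: S1 = Hash(R1 + K)   S2 = Hash(R2 + K)
    FWA1: S1 = Hash(R1 + K)   S2 = Hash((R1 ^ R2) + K)
(+ is concatenation, ^ is XOR). SHA-256, the nonce length and the
message ordering are this example's assumptions: the victim answers
the peer's nonce as soon as it arrives, before it has seen the peer's
proof for its own nonce. "ROLEBOUND" is not on the slides.
"""
import hashlib
import os

NONCE_LEN = 16


def h(data):
    return hashlib.sha256(data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Module:
    """A module holding the shared key K (set with fw putkey)."""

    def __init__(self, key, scheme):
        self.key = key
        self.scheme = scheme        # "FWN1", "FWA1" or "ROLEBOUND"
        self.r1 = None

    # as initiator (the side being attacked)
    def challenge(self):
        self.r1 = os.urandom(NONCE_LEN)
        return self.r1

    def respond(self, r2):
        """S2: our answer to the peer's nonce R2."""
        if self.scheme == "FWN1":
            return h(r2 + self.key)
        if self.scheme == "FWA1":
            return h(xor(self.r1, r2) + self.key)
        return h(b"responder" + self.r1 + r2 + self.key)

    def check(self, s1):
        """Does S1 prove that the peer knows K for our nonce R1?"""
        if self.scheme == "ROLEBOUND":
            return s1 == h(b"initiator" + self.r1 + self.key)
        return s1 == h(self.r1 + self.key)

    # as honest responder
    def choose_r2(self, r1):
        return os.urandom(NONCE_LEN)

    def prove(self, r1, s2):
        """S1 for the initiator's nonce; an honest peer ignores S2."""
        if self.scheme == "ROLEBOUND":
            return h(b"initiator" + r1 + self.key)
        return h(r1 + self.key)


class Reflector:
    """Peer without K. FWN1: pick R2 = R1. FWA1: pick R2 = 0, so that
    R1 ^ R2 = R1. Either way S2 = Hash(R1 + K) = S1, so hand it back."""

    def __init__(self, scheme):
        self.scheme = scheme

    def choose_r2(self, r1):
        return r1 if self.scheme == "FWN1" else bytes(NONCE_LEN)

    def prove(self, r1, s2):
        return s2


def handshake(victim, peer):
    """The victim authenticates the peer under the assumed ordering."""
    r1 = victim.challenge()
    r2 = peer.choose_r2(r1)
    s2 = victim.respond(r2)
    s1 = peer.prove(r1, s2)
    return victim.check(s1)


if __name__ == "__main__":
    k = os.urandom(16)
    for scheme in ("FWN1", "FWA1", "ROLEBOUND"):
        print(scheme, "honest:", handshake(Module(k, scheme), Module(k, scheme)),
              "reflector:", handshake(Module(k, scheme), Reflector(scheme)))
```

Binding each answer to its role (and to both nonces) is what breaks the symmetry the reflection relies on: the victim's S2 is no longer a valid S1 for any choice of R2.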
Stateful Inspection I
[Diagram: packet path through virtual defragmentation (which keeps a chain of fragments), pre-inspection (ACCEPT) and the virtual machine (ACCEPT or REJECT); state tables consulted: connections and pending.]
Stateful Inspection II
[Diagram: an internal client, port C, sends a UDP packet to an external server, port S. UDP connections are keyed <s-address, s-port, d-address, d-port, protocol>; the entry from client port C to server port S is accompanied by a wildcard-port entry (C, any), so UDP replies to port C are accepted.]
Stateful Inspection III
[Diagram: FTP control connections to port 21 between FTP client 192.168.0.2 (client ports > 1023) and FTP server 172.16.0.2. Active mode: the client sends PORT 192,168,0,2,4,36 and the server opens the data connection from port 20 to client port 1060. Passive mode: the client sends PASV, the server replies 227 ... (172,16,0,2,4,36) and the client opens the data connection to server port 1060.]
Fastmode Services
non-SYN packets are accepted when the source port or the destination port is a fastmode service
Stealth scanning (FINs, ...)
[Diagram: non-SYNs pass from the Internet to 172.16.0.x and back.]
FTP PORT Parsing
PORT 172,16,0,258,p1,p2
PORT 172,16,1349632,2,p1,p2
1349632 = 65536 * (192 - 172) + 256 * (168 - 16)
[Diagram: FTP server 172.16.0.2, FTP client 192.168.0.2; the two sides read the same PORT argument as different addresses (readings shown: 172.16.1.2, 172.16.0.2), so the data connection goes to a host the other side did not see.]
Application: bounce attack
FTP PASV Handling
Advertise a small Maximal Segment Size, so that server replies are split
Client 192.168.0.2 sends the bogus command XXXXXXXXXXXXXX227 (172,16,0,2,128,7)
Server 172.16.0.2 answers 500 Invalid command given: XXXXXXXXXXXXXX227 (172,16,0,2,128,7), split across segments ("500 Invalid command giv", "en: XXXXXXXXXXXXXX", "227 (172,16,0,2,128,7)"), so one segment starts with 227 (172,16,0,2,128,7)
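An added example serving both the FTP PORT Parsing and the FTP PASV Handling slides; it is not FireWall-1 or ftpd code. The three PORT parsers show the readings a strict RFC 959 parser, a parser that carries oversized fields into the higher octets, and a parser that keeps only the low 8 bits of each field give for the slide's two commands; which real implementation behaves which way is not claimed, only that the slide's arithmetic implies the carrying reading. The second half feeds a server reply constructed from the slide's fragments through two inspection engines: one that looks at each TCP segment on its own, and one that reassembles the stream and matches complete reply lines.

```python
"""FTP control-channel inspection: divergent PORT parsing and
per-segment matching of 227 replies.

Added example, not FireWall-1 or ftpd code. The two non-strict PORT
parsers only reproduce the two readings implied by the slide's
arithmetic (carry into higher octets vs. low 8 bits of each field).
The server reply text is constructed from the fragments on the slide.
"""
import ipaddress
import re

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _fields(m):
    return [int(x) for x in m.groups()]


def parse_port_strict(line):
    """RFC 959 reading: six numbers, each 0..255, anything else rejected."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    f = _fields(m)
    if any(v > 255 for v in f):
        return None
    return f"{f[0]}.{f[1]}.{f[2]}.{f[3]}", f[4] * 256 + f[5]


def parse_port_carry(line):
    """Arithmetic reading: h1<<24 + h2<<16 + h3<<8 + h4 (mod 2**32), so an
    oversized field carries into the octets above it. This is how
    172,16,1349632,2 becomes 192.168.0.2:
    1349632 = 65536 * (192 - 172) + 256 * (168 - 16)."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    f = _fields(m)
    addr = (f[0] * 2**24 + f[1] * 2**16 + f[2] * 2**8 + f[3]) % 2**32
    return str(ipaddress.IPv4Address(addr)), (f[4] * 256 + f[5]) % 65536


def parse_port_lowbyte(line):
    """Truncating reading: every field is stored in an 8-bit variable."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    f = [v & 0xFF for v in _fields(m)]
    return f"{f[0]}.{f[1]}.{f[2]}.{f[3]}", f[4] * 256 + f[5]


def port_readings(line):
    """The three readings side by side; a bounce is possible whenever the
    firewall's reading and the server's reading differ."""
    return {"strict": parse_port_strict(line),
            "carry": parse_port_carry(line),
            "lowbyte": parse_port_lowbyte(line)}


# Constructed stand-in for the server's error reply to the padded bogus
# command "XXXXXXXXXXXXXX227 (172,16,0,2,128,7)" sent by the client.
SPLIT_REPLY = (b"500 Invalid command given: " + b"X" * 14
               + b"227 (172,16,0,2,128,7)\r\n")


def _pasv_target(text):
    m = _PASV_RE.match(text)
    if not m:
        return None
    f = _fields(m)
    return f"{f[0]}.{f[1]}.{f[2]}.{f[3]}", f[4] * 256 + f[5]


def pinholes_per_segment(reply, mss):
    """Weak engine: inspects each TCP segment by itself. With the MSS the
    client advertised, the padding makes a segment start with '227 ('."""
    segs = [reply[i:i + mss] for i in range(0, len(reply), mss)]
    found = []
    for seg in segs:
        target = _pasv_target(seg.decode("ascii", "replace"))
        if target:
            found.append(target)
    return found


def pinholes_per_line(reply):
    """Stream-aware engine: reassembles and matches complete reply lines,
    so a 227 buried inside a 500 line opens nothing."""
    found = []
    for line in reply.split(b"\r\n"):
        target = _pasv_target(line.decode("ascii", "replace"))
        if target:
            found.append(target)
    return found


if __name__ == "__main__":
    print(port_readings("PORT 172,16,0,258,128,7"))
    print(port_readings("PORT 172,16,1349632,2,128,7"))
    print(pinholes_per_segment(SPLIT_REPLY, 41), pinholes_per_line(SPLIT_REPLY))
```

With an MSS of 41 bytes the 27-byte error prefix plus 14 bytes of padding fill the first segment exactly, and the segment-by-segment engine opens a pinhole to 172.16.0.2 port 128 * 256 + 7 = 32775 that the line-based engine never sees. Both checks in the strict parser (field range) and the line-based engine (inspect protocol messages, not transport units) are the practitioner's takeaway from the two slides.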
One-way Connections I
[Diagram: a TCP segment crossing into the Intranet over an established one-way connection; labels: TCP header alone is accepted (ACCEPT), TCP header + payload is dropped (DROP).]
One-way Connections II
[Diagram: exchange between 172.16.0.2 and 192.168.0.2: open one-way connection; datagram A; datagram B; open one-way connection; retransmission of B; [...]]
FWZ Encapsulation I
[Diagram: modified IP header + IP payload + encapsulation info (obfuscated). The encapsulation info keeps 1. the original d-address and original protocol; the modified header carries 2. d-address = firewall, protocol = 94.]
VPN tunneling protocol
Decapsulation without decryption or authentication
Cannot be disabled
FWZ Encapsulation II
Key to spoofing attacks
[Diagram: a packet for 131.159.1.1 sent with a 10.x.x.x source: IP header s-addr = 10.0.0.1, d-addr = 194.221.6.19 (the firewall); encapsulation info d-addr = 131.159.1.1.]
Fake PORT Commands
[Diagram: a fake PORT packet tunneled to the firewall 192.168.0.1, as if sent by FTP client 172.16.0.2 to 192.168.0.2: IP header s-addr = 172.16.0.2, d-addr = 192.168.0.1; encapsulation info d-addr = 192.168.0.2; TCP header + payload carrying PORT 172,16,0,2,128,7.]
RSH Error Connections I
[Diagram: RSH client 172.16.0.2 (source port 1024) connects to RSH server 192.168.0.2 port 514; the error port is 1025, and the server opens the error connection back to the client. Port labels shown: < 1024, 1025, 1024.]
<172.16.0.2, 1024, 192.168.0.2, 514, 6> in connections
<172.16.0.2, 1025, 192.168.0.2, magic, 6> in pending
Reversed matching
RSH Error Connections II
[Diagram: how the pending entry is matched against a SYN. Pending entry, fields <s-addr:error-port, d-addr:magic, protocol>: <172.16.0.2:1025, 192.168.0.2:magic, 6 (TCP)>. Key built from a packet, fields <s-addr:s-port, d-addr:magic, seq + 1>: <172.16.0.2:1024, 192.168.0.2:magic, 250001>. Key built from a crafted SYN (packet #2, carrying the port info): <172.16.0.2:32775, 192.168.0.2:magic, 6>, because 6 = seq + 1 = TCP when seq = 5.]
Fake UDP Requests
[Diagram: a fake DNS request tunneled to the firewall 192.168.0.1, as if sent by DNS client 172.16.0.2 to 192.168.0.2: IP header s-addr = 172.16.0.2, d-addr = 192.168.0.1; encapsulation info d-addr = 192.168.0.2; UDP header s-port = 161, d-port = 53.]
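An added example, not INSPECT code, that models the UDP state handling of the Stateful Inspection II slide and then replays the Fake UDP Requests slide against it. The facts taken from the slides are the table key <s-address, s-port, d-address, d-port, protocol>, the wildcard-port twin entry that makes any server port a valid reply source, and that FWZ decapsulation happens without decryption or authentication; the table layout, the decapsulate() signature and the "internal hosts" set are this example's simplifications, and the addresses follow the slide.

```python
"""UDP state handling as described on the slides, and why an
unauthenticated, decapsulated "request" opens a return path.

Added example, not INSPECT code. From the slides: entries are keyed
<s-address, s-port, d-address, d-port, protocol>; a request from
client port C to server port S also installs a wildcard-port entry, so
a reply to port C from any server port is accepted; FWZ decapsulation
(protocol 94) happens without decryption or authentication and cannot
be disabled, so the deck's fix is to filter protocol 94 in front of
the firewall. Everything else is this example's simplification.
"""
from dataclasses import dataclass

UDP = 17
ANY = None   # wildcard port marker


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int = UDP


class UdpStateTable:
    def __init__(self, internal):
        self.internal = set(internal)   # hosts behind the firewall
        self.entries = set()

    def request(self, p):
        """An internal client talks to an external server: install
        <client, C, server, S, 17> and its wildcard twin
        <client, C, server, any, 17>."""
        if p.src not in self.internal or p.dst in self.internal:
            return False
        self.entries.add((p.src, p.sport, p.dst, p.dport, p.proto))
        self.entries.add((p.src, p.sport, p.dst, ANY, p.proto))
        return True

    def inbound(self, p):
        """External packet: accepted only as the reply to an entry,
        i.e. after swapping source and destination."""
        exact = (p.dst, p.dport, p.src, p.sport, p.proto)
        wild = (p.dst, p.dport, p.src, ANY, p.proto)
        return exact in self.entries or wild in self.entries

    def decapsulate(self, outer_src, inner_dst, sport, dport,
                    proto94_filtered=False):
        """FWZ: the outer header names the firewall; the encapsulation
        info restores the destination. Per the slides the firewall
        neither decrypts nor authenticates, so the result is treated as
        if outer_src had sent it. With protocol 94 filtered in front of
        the firewall the tunnel packet never arrives."""
        if proto94_filtered:
            return False
        return self.request(Packet(outer_src, sport, inner_dst, dport))


def fake_dns_request_scenario(proto94_filtered=False):
    """Attacker 192.168.0.2 tunnels a fake DNS request 'from' 172.16.0.2
    port 161 to itself on port 53, then probes 172.16.0.2:161 (SNMP).
    Returns (accepted before, accepted after)."""
    table = UdpStateTable(internal=["172.16.0.2"])
    probe = Packet("192.168.0.2", 40000, "172.16.0.2", 161)
    before = table.inbound(probe)
    table.decapsulate(outer_src="172.16.0.2", inner_dst="192.168.0.2",
                      sport=161, dport=53, proto94_filtered=proto94_filtered)
    after = table.inbound(probe)
    return before, after


if __name__ == "__main__":
    print("protocol 94 reachable:", fake_dns_request_scenario())
    print("protocol 94 filtered: ", fake_dns_request_scenario(True))
```

The forged request never has to be answered by anyone: its only purpose is the state it leaves behind, and the wildcard entry means the attacker does not even need to send the "reply" from port 53.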
FWZ Encapsulation III
Key to non-routable addresses
[Diagram: reaching a 10.x.x.x host from 131.159.1.1: IP header s-addr = 131.159.1.1, d-addr = 194.221.6.19 (the firewall); encapsulation info d-addr = 10.0.0.1.]
Anti-Spoofing Protection I
[Diagram: attacker 192.168.0.2 and firewall 192.168.0.1. 1. fake DNS request: encapsulation info d-addr = 192.168.0.2. 2. tunnel to firewall: IP header s-addr = 192.168.0.1, d-addr = 192.168.0.1, s-port = 161, d-port = 53. Traffic shown afterwards from 192.168.0.2: s-addr = 192.168.0.2, d-addr = 192.168.0.1, s-port = any, d-port = 161.]
Anti-Spoofing Protection II
[Diagram: attacker 192.168.0.2 and firewall 192.168.0.1. 1. fake DNS request: encapsulation info d-addr = 192.168.0.2. 2. tunnel to firewall: IP header s-addr = 224.0.0.1, d-addr = 192.168.0.1, s-port = 161, d-port = 53. Traffic shown afterwards from 192.168.0.2: s-addr = 192.168.0.2, d-addr = 192.168.0.1 with encapsulated d-addr = 224.0.0.1, s-port = 53, d-port = 161.]
Hardening I
Disable implicit rules: DNS, control connections, ICMP
Restrictive access rules: no "any" sources or destinations; deny broadcast / multicast addresses; minimal privilege
Properly configure the anti-spoofing mechanism
Filter protocol 94 (e.g. with IP Filter)
Hardening II
Different (virtual) IP addresses for public services
Restrict control connections: FWA1 authentication, VPN technology
never use 127.0.0.1: */none
More than one line of defense!
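An added example of the separate line of defense the two Hardening slides ask for, written as IP Filter rules; it is not configuration from the talk. Assumptions, none of which are on the slides: the external interface is le0, the protected network is 172.16.0.0/16, the firewall's own address is 192.168.0.1 and the only host allowed to open control connections is 192.168.0.3.

```ipf
# IP Filter rules for a packet filter in front of (or on) the FireWall-1
# host. Added example, not from the talk. Assumed: external interface
# le0, internal network 172.16.0.0/16, firewall address 192.168.0.1,
# management station 192.168.0.3. A "quick" rule ends evaluation.

# Hardening I: drop FWZ encapsulation (IP protocol 94) everywhere, so
# nothing reaches the decapsulation code that cannot be disabled.
block in log quick proto 94 from any to any
block out log quick proto 94 from any to any

# Anti-spoofing on the external interface: no packet may arrive from
# outside claiming an internal, loopback, firewall-own or multicast
# source, and nothing may be sent to broadcast / multicast targets.
block in log quick on le0 from 172.16.0.0/16 to any
block in log quick on le0 from 127.0.0.0/8 to any
block in log quick on le0 from 192.168.0.1/32 to any
block in log quick on le0 from 224.0.0.0/4 to any
block in log quick on le0 from any to 224.0.0.0/4
block in log quick on le0 from any to 255.255.255.255/32

# Hardening II: control connections (256/TCP, 258/TCP) only from the
# management station; everything else to those ports is dropped.
pass in quick proto tcp from 192.168.0.3 to 192.168.0.1 port = 256 flags S keep state
pass in quick proto tcp from 192.168.0.3 to 192.168.0.1 port = 258 flags S keep state
block in log quick proto tcp from any to any port = 256
block in log quick proto tcp from any to any port = 258
```

Whether IP Filter on the same host sees a packet before the FireWall-1 module does depends on the order the two are attached to the network stack; a separate filtering box in front of the firewall avoids that question entirely, which is the point of "more than one line of defense".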
Fixes by Check Point
Solutions by Check Point available today at
http://www.checkpoint.com/techsupport
Thanks.
Thomas Lopatic
[email protected]
John McDonald
[email protected]
Dug Song
[email protected]
