» Detouring network firewalls

Related categories: Networks | Security | Firewalls

Oliver Karow
Viewed: 15200 | Article date: 2006-03-10 16:29:32

Firewalls also have their weaknesses and detouring them, both due to misconfiguration and due to product weaknesses, is possible. Oliver describes how an intruder can gain access to a system by detouring a firewall.

About the author

Oliver Karow works as a Principal Security Consultant for a security vendor. He is currently focused on firewalls, IDS/IPS technology, security audits and penetration testing. Oliver is also currently studying Information Technology at a German distance university. He has worked in IT since 1994 and has focused on IT security since 1999.


A firewall is often thought to completely protect networks against most unauthorised access. However, firewalls also have their weaknesses and detouring them, both due to misconfiguration and due to product weaknesses, is possible. Let's have a look at how an intruder can gain access to a system by detouring a firewall.

Protecting a network against attacks and unintended access from untrusted networks like the Internet is one of the most important requirements of today's IT infrastructures. This is where firewalls come into operation. The primary job of a firewall is to separate networks and to decide whether packets are allowed to pass from one network to the other. There are several different firewall types, with different approaches to solving this primary job. The two most common types are packet filters and application layer firewalls (see the frame Basic firewall know how).


What you will learn...

  • how firewalls work,

  • how a firewall can be detected,

  • how a firewall can be detoured by taking advantage of wrong configuration or weaknesses in firewall products.

What you should know...

  • you should be familiar with TCP/IPv4,

  • you should know the ISO/OSI reference model.


Basic firewall know how

A firewall in general is a system with multiple interfaces, attached to different networks, having a filtering mechanism in order to allow or block the traffic between networks. Firewalls can be categorised by the TCP/IP layer used for analysis and forwarding of the packets:

Packet filters

Packet filters analyse packets on the Network (3) and Transport (4) layers of the ISO/OSI model. That means that a packet filter mainly uses the following criteria for making its filtering decision:

  • protocol (ICMP, OSPF, AH, ESP, etc.),

  • source IP address,

  • destination IP address,

  • source port,

  • destination port,

  • TCP flags (SYN, ACK, RST, FIN, etc.).

Stateful/dynamic packet filters

Extending the capabilities of a simple packet filter, a stateful packet filter keeps track of each connection and stores this information in internal state tables. When an outgoing packet passes the packet filter (initiating a connection), the matching ports and IP addresses for the answer packets are opened for the duration of the connection and closed afterwards.

In addition, some stateful packet filters are able to dynamically open ports if a new port or IP address is negotiated between client and server within an allowed connection. Some services, like Oracle and Portmapper, use this.
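To make the difference between the two filter types concrete, here is a small simulation written for this article (it is an added example, not code from the author or from any firewall product). A stateless filter sees only the header fields listed above, so it must admit answer packets by their ACK flag alone; a stateful filter remembers the connection it admitted and opens the return path only for that connection. The rule set, the address ranges and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (OSI layers 3 and 4)."""
    proto: str                              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags: SYN, ACK, FIN, RST, ...


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at None matches anything."""
    action: str                             # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None               # CIDR network, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()     # all of these flags must be set
    no_flags: FrozenSet[str] = frozenset()  # none of these flags may be set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.flags <= p.flags and not (self.no_flags & p.flags)


class PacketFilter:
    """Stateless filter: first matching rule wins, default deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


ConnKey = Tuple[str, str, int, str, int]    # proto, src, sport, dst, dport


class StatefulFilter(PacketFilter):
    """Stateful filter: an admitted connection is entered into the state table,
    and packets belonging to it pass in both directions until it is torn down."""
    def __init__(self, rules):
        super().__init__(rules)
        self.state: Set[ConnKey] = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            if p.flags & {"FIN", "RST"}:          # connection ends: close the hole again
                self.state.discard(key)
                self.state.discard(reverse)
            return "allow"
        verdict = super().decide(p)
        if verdict == "allow" and p.proto == "tcp" and "SYN" in p.flags:
            self.state.add(key)                   # remember the connection we just admitted
        return verdict


INTERNAL = "10.0.0.0/8"                        # constructed internal network
# Rule 1: internal clients may open HTTP connections (SYN without ACK).
OUTBOUND_HTTP = Rule("allow", proto="tcp", src=INTERNAL, dport=80,
                     flags=frozenset({"SYN"}), no_flags=frozenset({"ACK"}))
# Rule 2, needed only without state: let answer packets back in by their ACK flag alone.
ESTABLISHED = Rule("allow", proto="tcp", dst=INTERNAL, flags=frozenset({"ACK"}))

# Constructed sample traffic: a legitimate connection and one unsolicited inbound packet.
SYN = Packet("tcp", "10.0.0.5", "203.0.113.80", 40000, 80, frozenset({"SYN"}))
SYNACK = Packet("tcp", "203.0.113.80", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"}))
STRAY = Packet("tcp", "198.51.100.9", "10.0.0.5", 44444, 22, frozenset({"ACK"}))


def demo() -> dict:
    """Run the same three packets through both filter types; fresh state each call."""
    stateless = PacketFilter([OUTBOUND_HTTP, ESTABLISHED])
    stateful = StatefulFilter([OUTBOUND_HTTP])
    return {name: tuple(fw.decide(p) for p in (SYN, SYNACK, STRAY))
            for name, fw in (("stateless", stateless), ("stateful", stateful))}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s} SYN={verdicts[0]} SYN/ACK={verdicts[1]} stray ACK={verdicts[2]}")
```

The stateless filter lets the stray ACK packet through because rule 2 cannot tell an answer packet from any other packet carrying the ACK flag; the stateful filter denies it because no admitted connection matches, while the real SYN/ACK answer still passes via the state table. Dynamic port opening (the Oracle and Portmapper case) would be an additional step that inspects the negotiated port and inserts a further state entry.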

Application level firewalls

Application level firewalls are able to analyse packets up to the application layer of the ISO/OSI model. Besides the features of a stateful/dynamic packet filter, they are also able to inspect the payload of a packet. Whilst a packet filter can only make decisions based on packet header information, an application level firewall can examine the application-specific information. This, for example, enables this type of firewall to allow HTTP communication to port 80/TCP in general, but block requests with certain commands like CONNECT or DELETE.

Application level firewalls need a special proxy service running for each protocol that has to pass through the firewall. Because a proxy service is not available for every protocol, most firewall vendors additionally implement packet filter capabilities and generic proxy services without the capability of protocol analysis.
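The HTTP example from the text, as an added illustration that is not code from the article or from any firewall product: a packet filter decides on "TCP to port 80" and nothing else, whereas an HTTP proxy on an application level firewall parses the request line and can refuse methods such as CONNECT or DELETE, and refuses payloads that are not HTTP at all. The allowed and blocked method sets and the sample requests are assumptions made for this example.

```python
import re

# Example policy from the text: HTTP to 80/TCP is allowed in general, but certain
# request methods are blocked at the application layer. The method sets below are
# assumptions for this example, not any vendor's default.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_METHODS = {"CONNECT", "DELETE"}

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def packet_filter_verdict(proto: str, dport: int) -> str:
    """What a plain packet filter can decide: header fields only."""
    return "allow" if (proto == "tcp" and dport == 80) else "deny"


def http_proxy_verdict(payload: bytes) -> str:
    """What the HTTP proxy of an application level firewall adds: payload inspection."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "deny (not an HTTP request)"   # some other protocol carried over port 80
    method = m.group(1).decode("ascii")
    if method in BLOCKED_METHODS:
        return f"deny (method {method} blocked by policy)"
    if method not in ALLOWED_METHODS:
        return f"deny (method {method} not permitted)"
    return "allow"


def inspect(proto: str, dport: int, payload: bytes) -> tuple:
    """Return (packet filter verdict, application level verdict) for one request."""
    l4 = packet_filter_verdict(proto, dport)
    l7 = http_proxy_verdict(payload) if l4 == "allow" else "not reached"
    return (l4, l7)


# Constructed sample traffic, all addressed to 80/TCP so the packet filter treats it alike.
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "delete": b"DELETE /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect": b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",
    "notHTTP": b"SSH-2.0-OpenSSH_example\r\n",   # constructed non-HTTP banner
}


def demo() -> dict:
    return {name: inspect("tcp", 80, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (l4, l7) in demo().items():
        print(f"{name:8s} packet filter: {l4:5s}  application level: {l7}")
```

All four samples receive "allow" from the packet filter; only the proxy, which understands the protocol, separates the plain GET from the blocked methods and from the non-HTTP payload. This is exactly the gap the generic proxy services mentioned above leave open: without protocol analysis they behave like the packet filter column.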

Hybrid and layer 2 firewalls

Many firewall vendors are using hybrid technology to get the best from each firewall type. That means they include stateful packet filters as well as application layer capabilities into their products. There are also layer 2 firewalls available on the market. They are not as popular as packet filters and application layer firewalls, and they're mainly used on the interface level, depending on the vendor.


Independent of its type, a firewall needs some basis for deciding whether a packet will be forwarded to its destination or not. This is basically the firewall policy, in the form of access lists or filter rules. Let's have a look at the possibilities of detouring such policies by abusing bad filter rules, weaknesses in common protocols and limitations of different firewall types.

Detecting firewalls

Before a system placed behind a firewall can be attacked, the intruder first has to determine whether there is a firewall in place. This is not always as obvious as it seems, because firewall maintainers often use tricks to prevent firewall detection. However, since a firewall may tamper with the results of an attack, it is important to be aware of its existence. Let's first have a look at some techniques used to detect firewalls.

Traceroute

Traceroute is a mechanism used to discover the routers forwarding packets on their way to the destination. If there is a firewall in place, it might respond to a traceroute packet.

Since traceroute itself is a very old technique, most firewalls block it. However, there are still misunderstandings concerning traceroute functionality, which enable intruders to traceroute through a firewall system.

Listing 1. Traceroute blocked by a firewall


# traceroute www.dummycompany.de
traceroute to www.dummycompany.de (10.10.10.10), 30 hops max, 40 byte packets
1 10.255.255.254 0.373 ms 0.203 ms 0.215 ms
(...)
10 router.company1.de (10.1.1.254) 88.080 ms 88.319 ms 87.921 ms
11 router.company2.de (10.2.2.254) 87.881 ms 89.541 ms 88.081 ms
12 router.company3.de (10.3.3.254) 86.749 ms 86.919 ms 86.734 ms
13 router.company4.de (10.4.4.254) 87.216 ms 87.312 ms 87.307 ms
14 * * *


Listing 1 presents the results of a traceroute, when it is blocked by a firewall. As we can see, traceroute works until it reaches the system with IP 10.4.4.254. Afterwards, there is something in place which is blocking traceroute attempts.

Let's now try to understand how tracerouting works (see also Figure 1). To determine the route of an IP packet, the TTL field of the IP header is used: it is decreased by one each time the packet reaches a router. If a router receives an IP packet with a TTL value of two, it decreases it by one, and because the resulting value is greater than or equal to one, the packet is forwarded to the next router according to the routing information. If a router receives a packet with a TTL value of one, it decreases it, and because the resulting value is zero, it does not forward the packet to the next router; instead it sends a notification to the sender to inform it that the packet was discarded on the way to its destination.
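The TTL mechanism just described, simulated as an added example (this is not code from the article; it models the behaviour in prose form only). Each forwarding hop decrements the TTL; a normal router answers an expired TTL with the notification mentioned above, a firewall that blocks traceroute discards the probe without any answer (the "* * *" rows of Listing 1), and a firewall that merely stays quiet forwards the probe but never identifies itself, which is one of the tricks maintainers use to hide it. The hop names and addresses are taken from Listing 1 where they appear there; the firewall address 10.4.4.1 is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    name: str
    ip: str
    kind: str = "router"
    # "router": forwards the probe and answers an expired TTL with ICMP Time Exceeded
    # "silent": forwards the probe but sends no Time Exceeded (a firewall hiding itself)
    # "block":  discards every probe without any notification (Listing 1 behaviour)
    # "target": the destination host; answers the probe that reaches it


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Carry one probe with the given initial TTL along the path.
    Returns the IP address that answered, or None when nothing came back ('*')."""
    for hop in path:
        if hop.kind == "target":
            return hop.ip            # delivered: the host itself replies to the probe
        if hop.kind == "block":
            return None              # dropped on the way; the sender never learns where
        ttl -= 1                     # every forwarding hop decrements the TTL
        if ttl == 0:                 # expired here: only a 'router' tells the sender
            return hop.ip if hop.kind == "router" else None
    return None


def traceroute(path: List[Hop], max_hops: int = 30) -> List[Tuple[int, Optional[str]]]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_hops is reached."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, ttl)
        rows.append((ttl, answer))
        if answer == path[-1].ip:
            break
    return rows


def render(rows: List[Tuple[int, Optional[str]]], probes_per_hop: int = 3) -> List[str]:
    """Format like the traceroute listing: 'n ip' or 'n * * *'."""
    return [f"{ttl} {ip}" if ip else f"{ttl} " + " ".join(["*"] * probes_per_hop)
            for ttl, ip in rows]


# Path elements: the two routers and the target use addresses from Listing 1,
# the firewall address is constructed for this example.
ROUTERS = [Hop("first hop", "10.255.255.254"), Hop("router.company4.de", "10.4.4.254")]
TARGET = Hop("www.dummycompany.de", "10.10.10.10", "target")
BLOCKING_FW = Hop("firewall", "10.4.4.1", "block")
SILENT_FW = Hop("firewall", "10.4.4.1", "silent")


def demo() -> dict:
    """Same path twice: once with a blocking firewall, once with a silent one."""
    return {
        "blocking": traceroute(ROUTERS + [BLOCKING_FW, TARGET], max_hops=5),
        "silent": traceroute(ROUTERS + [SILENT_FW, TARGET], max_hops=5),
    }


if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(f"--- {scenario} firewall ---")
        print("\n".join(render(rows)))
```

With the blocking firewall the output stops at the last visible router and every further TTL yields "* * *", which is what Listing 1 shows. With the silent firewall there is a single "* * *" row for the firewall's own position, but the next TTL already reaches the destination, so the trace completes and the firewall's presence can only be inferred from the gap.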


Figure 1. How traceroute works

Copyright © 2006 by Software Developer's Journal. All rights reserved.