SlideShare a Scribd company logo

A Stateful Inspection of Firewall-1 (2000)

Dug Song
Dug Song

Paper from our Blackhat 2000 talk

Technology
1 of 6
Download to read offline
A Stateful Inspection of FireWall-1 Thomas Lopatic, John McDonald TUV data protect GmbH {tl,jm}@dataprotect.com Dug Song Center for Information Technology Integration University of Michigan dugsong@monkey.org August 15, 2000 1 Introduction however, SecuRemote clients use port 264/tcp, with access to 256/tcp restricted. At the Black Hat Briefings 2000, we presented an While only the management console is able to is- analysis of Check Point FireWall-1 vulnerabilities sue unload commands, the binary load (bload) com- resulting from protocol design flaws, problems in mand is enabled by default for any IP address that stateful inspection, common or default misconfig- the filter module knows an authentication secret for. urations, and minor implementation errors discov- We were able to verify this under version 4.0 by ered over the past few months in the lab, and veri- using binary load to upload an “allow all” policy. fied in real-world penetration tests. Our attacks bypass authentication to issue an un- In this advisory, we summarize our findings and load command, which is easier to implement, and provide some recommendations for safe configura- more portable between versions. tion. It is intended to complement our presentation slides and source code, available at: 2.1 IP Address Verification http://www.dataprotect.com/bh2000/ In the inter-module authentication protocol, a filter module does not verify the source IP address of an Our research was conducted against a Nokia IP440 authenticating management module by checking the running FireWall-1 version 4.0 Service Pack 5. peer address of a connection – it examines a list of IP Check Point later provided us with version 4.1 Ser- addresses handed to it. A common misconfiguration vice Pack 1, which was still vulnerable to most of is to put our attacks, but came with a much safer default configuration. Check Point has since released ser- 127.0.0.1: */none vice packs for all supported versions of FireWall-1 to specifically address the vulnerabilities documented in the control.map file, to ease local administra- here. tion. An attacker only needs to send 127.0.0.1 as her IP address to bypass authentication completely, as demonstrated by our “fw1none” program. 2 Authentication After exchanging version and IP address informa- tion, the filter module replies with the authentica- In the examination of any security product, the ad- tion it wants to be performed. Upon successful au- ministrative control channels are often the weakest thentication, the management module transmits the link – and the most security critical. Indeed, we arguments for the command to be executed. Finally found that FireWall-1, in a typical distributed de- the filter module returns a status code to indicate ployment, was susceptible to several trivial attacks whether or not command execution was successful. against its inter-module authentication protocols. The protocol is in general not strictly syn- Our attacks assume that the attacker has access chronous. In particular, the exchange of IP ad- to port 256/tcp on the filter module, and knows the dresses happens asynchronously, i.e. the manage- IP address of either a management module or any ment module does not have to send its IP addresses peer for which a shared authentication secret has first. It could just wait for the filter module to send been configured using “fw putkey.” In version 4.0, all IP addresses and then transmit its own. In this this port is exposed to the world by default, as it way, an attacker acting as a management module is also used by SecuRemote clients. In version 4.1, may learn all IP addresses of the firewall without 1
actually authenticating. This is useful for the en- knows K, is able to verify the signature by calculat- capsulation attacks discussed later, or in discovery ing the same keyed hash. of a management module’s IP address. The original value for K is set using “fw If we present an IP address to the filter module putkey.” However, after the first authentication, a that does not correspond to a management module Diffie-Hellman key exchange is initiated, resulting – or more generally speaking, an IP address that in a new shared 1024 bit secret K for authentication. it does not have an authentication secret for – it will simply refuse to authenticate. Hence we can The FWN1 protocol works as follows: scan for the correct IP address of the management module by connecting repeatedly, giving a different 1. The filter module generates a random number IP address (or list of IP addresses) each time. R1. 2. The filter module signs R1. The signature S1 2.2 S/Key = Hash(R1 + K), where ’+’ denotes concate- S/Key authentication [Ha95] is used when commu- nation. nicating with embedded FireWall-1 devices. It is 3. R1 and S1 are sent to the management module. also the fallback for version 4.0 filter modules that do not have an encryption license and thus do not 4. The management module verifies S1. support FWA1. The problem with Check Point’s S/Key imple- 5. The management module generates a random mentation is that after a shared secret has been used number R2. for 99 iterations, the management module gener- 6. The management module calculates the corre- ates a new authentication secret using time(). The sponding signature S2 = Hash(R1 + K), where time() function has a resolution of seconds. There- ’+’ is concatenation again. fore, there are only 24 * 3600 = 86400 different pos- sibilities for secrets generated on a single day. Even 7. R2 and S2 are sent to the filter module. worse, if the status of the filter module is polled pe- riodically every 10 seconds, 99 authentications will 8. The filter module verifies S2. be performed in a maximum 990 seconds. Working This protocol is trivially defeated by a simple replay back from current time, we just have to try each attack. Instead of generating our own R2, we can of the 990 possible values in the period from now just reuse the value R1 sent by the filter module. to 990 seconds ago, because we can be sure that a Then, we can also reuse the signature S1, instead of new shared secret has been generated at least once having to generate our own S2. during this period. Our “fw1fwn” utility implements the unload com- With our S/Key brute forcing program “fw1bf,” mand with FWN1 authentication. we are able to perform about 50 guesses per second There is no encryption with FWN1 authentica- against FireWall-1 4.0 by using parallel connections, tion. Neither are there any provisions for data in- covering a whole day of possible authentication se- tegrity. Internal threats like TCP connection hi- crets in less than half an hour. Version 4.1 does not jacking apply [Be89]. support as many parallel connections, reducing our effective rate by an order of magnitude. The S/Key authentication secret, once recovered, 2.4 FWA1 may be used with our “fw1skey” tool to issue an FWA1 is similar to FWN1, with the addition of en- unload command to the filter module. cryption to the communication between the mod- There is no encryption with S/Key authentica- ules. This is the default mechanism used in version tion. Neither are there any provisions for data in- 4.1, and for most commands in version 4.0 when an tegrity. Internal threats like TCP connection hi- encryption license is present. jacking apply [Be89]. Again, there is a shared secret K, initially set using “fw putkey.” After the first successful 2.3 FWN1 authentication, it is replaced by a 1024 bit value resulting from a Diffie-Hellman key exchange. FWN1 is an alternative to S/Key, sometimes used at sites lacking an encryption license for version 4.0 fil- The FWA1 protocol works as follows: ter modules. It is the default authentication method for OPSEC in version 4.0 and version 4.1. 1. The filter module generates a random number Authentication is based on a shared secret K. This R1. secret is needed to sign data using a keyed hash. K is appended to the data and the result is fed to a 2. The filter module signs R1. The signature S1 cryptographically secure hash function. The result- = Hash(R1 + K), where ’+’ denotes concate- ing digest is used as a signature. The peer, who also nation. 2
3. R1 and S1 are sent to the management module. a connection between two modules by simply XOR- ing the ciphertext C with a corresponding bit mask 4. The management module verifies S1. X, since the decrypted plaintext P = C ˆ K, where 5. The management module generates a random K is the key stream and ’ˆ’ denotes XOR. Decryp- number R2. tion of C ˆ X would thus yield (C ˆ X) ˆ K = (C ˆ K) ˆ X = P ˆ X. 6. The management module calculates R3 = R1 ˆ R2, where ’ˆ’ denotes XOR. 7. The management module calculates the corre- 3 Packet Filtering sponding signature S2 = Hash(R3 + K), where Static packet filtering is perhaps the simplest mech- ’+’ is concatenation again. anism for network access control, but also decep- 8. R2 and S2 are sent to the filter module. tively hard to implement correctly [Ch92]. We found FireWall-1 to be susceptible to a number of 9. The filter module verifies S2. attacks based on incomplete input verification, in- cluding some that allowed for attacks against state- Hence, the only change from FWN1 authentication ful inspection as well. is that instead of signing R2, the management mod- ule signs R3 = R1 ˆ R2. Again, this protocol is trivially defeated with a simple replay attack. We 3.1 TCP Fastmode just choose R2 to be zero. In this way R3 = R1 ˆ FireWall-1 provides a mechanism known as “fast- R2 will yield R3 = R1 and we can again reuse the mode” to allow an administrator to designate cer- filter module’s signature. tain services as being performance critical. The The “fw1fwa” utility implements FWA1 authen- FireWall-1 kernel module simply passes packets that tication. However, the unload command cannot be have a source or destination port of a fastmode ser- issued, as encryption is used to protect the commu- vice without any additional connection or rule base nication channel. checking. We have simplified our presentation of the FWN1 and FWA1 authentication algorithms a bit for the Additionally, in fastmode, only SYN packets are sake of clarity. In practice, only 64 of the 128 bits verified. This allows an attacker to pass non-SYN of the signature are transmitted. In FWA1 the re- TCP packets through the firewall to map the net- maining 64 bits of S1 and S2 are concatenated to work by setting the source port of her packets to form the 128 bit encryption key. Since S1 = S2 that of the fastmode service. We demonstrated in our attack, we would have to guess the 64 bit mapping a network using the -g and -sF options encryption key to successfully issue an unload com- in nmap [Fy97]. mand. There may still be a more sophisticated and practical way which has yet to be investigated. 3.2 FWZ Encapsulation If the shared 1024 bit secret generated by the Diffie-Hellman key exchange turned out to be guess- FireWall-1’s simple tunneling protocol for SecuRe- able by a practical brute force attack because of a mote connections proves extremely useful in boot- lack of entropy, we would perhaps be able to find strapping insertion attacks against stateful inspec- a relatively small set of candidate values for K by tion. This protocol (FWZ tunnelling via IP protocol brute forcing based on R1 and S1. Then we could 94) is decapsulated at the very beginning of pre- try all candidate values for K to find the real K. To inspection, before any real analysis is performed. identify the real K, we could use the known plain- The decapsulated packet is then fed through the in- text of the “authentication successful” reply that we spection process. It is not necessary to authenticate receive, which is already encrypted. or encrypt packets in order to use this encapsulation To date, we have not come up with a practical protocol. Furthermore, we could find no way to dis- attack on the complete FWA1 protocol, including able this functionality, short of filtering IP protocol encryption. Still, the authentication mechanism is 94 with another device. seriously broken. An ordinary IP packet is FWZ encapsulated as FWA1 uses the proprietary stream cipher FWZ1, follows: the original destination IP address and pro- recently posted anonymously to the Usenet sci.crypt tocol are appended as a trailer to the end of the newsgroup. Unfortunately, even a simple command packet, and replaced in the original header by the like unload needs at least 18 bytes of arguments. target IP address (one of the firewall’s interfaces) Moreover, a different key is used in either direction, and IP protocol 94. The trailer, five bytes in length, confounding any known plaintext attack against the is obfuscated via XOR with a keyed hash on the “authentication successful” reply. IP ID. While we didn’t recover the key used in the There are no provisions for data integrity in hash, our tools cheat by fixing the IP ID to one and FWA1. Internal attackers are able to flip bits in XORing against a static hash. 3
In this manner, FWZ encapsulation may be used 4.1 FTP Data Connections to send packets through the firewall that would oth- 4.1.1 FTP PORT erwise be unroutable, such as packets from the DMZ or intranet to the Internet, packets destined for a FireWall-1’s FTP processing tries to restrict the multicast address, or packets to addresses behind destination of FTP data connections to the FTP NAT or on RFC 1918 private networks. client associated with the control connection, pre- venting the classic FTP bounce attack. In previous versions of FireWall-1, this was trivially bypassed 3.3 IP Spoofing Protection by splitting up the PORT command over multiple IP spoofing protection on FireWall-1 is configured packets, or even by spelling “PoRT” in mixed case per network object at the interface level. Several for version 3.0. However, with the latest checks im- options are possible, but the typical configuration posed by FireWall-1 to restrict one FTP command looks something like this: to a packet, bypassing this becomes a little more difficult. 1. DMZ and intranet interfaces set to “This Net” In our presentation, we demonstrated an ambigu- ity in the parsing of the PORT command that allows or perhaps “This Net +”, restricting valid source IP addresses on the interface to those us to bypass this restriction. FireWall-1 takes each directly on its network, or routable to its net- octet of the presented IP address as a long integer, work. shifts it the appropriate number of bits and then adds it to its notion of the IP address. However, 2. External interface set to “Others”, disallowing the FTP server we targeted on Solaris 2.6 interprets packets purporting to originate from any of the each octet of the IP address modulo 256. This dif- DMZ or intranet networks. ference allows us to trick the firewall into believing the connection is destined for the correct client IP, while the FTP server believes the connection is des- While this configuration seems simple enough, it tined for itself. leaves out spoofing protection for one important IP The attack we demonstrated was against the address – the external interface of the firewall. De- ToolTalk RPC daemon. We uploaded two files to nial of spoofed packets coming from firewall inter- the FTP server in a publicly writable directory, and faces is apparently enabled by default in all versions then instructed the FTP daemon to upload those of FireWall-1 other than version 4.1 Service Pack files to its own ToolTalk daemon port with a care- 1. Coupled with the default rule to allow ISAKMP fully crafted PORT command. The first file was nec- packets, this hole allows an attacker to send any essary to kill the daemon, and the second file was UDP datagram to the external firewall interface. the buffer overflow, as generated by the ToolTalk Another possibility for evading IP spoofing pro- exploit by apk. tection is to use the all-hosts multicast address We also demonstrated utilizing FWZ encapsu- (224.0.0.1) as a mechanism for delivering packets lation to spoof a FTP control connection packet to the underlying operating system of the firewall. from our victim machine to our attacking computer. For our demonstration, we used FWZ encapsulation The payload of this packet was a PORT command, to spoof a packet from the multicast address to our which the firewall’s FTP stateful inspection mod- attack host, allowing us to respond with a packet ule interpreted as a legitimate data connection that sent to the multicast address, passed on to the fire- needed to be passed through the firewall. wall itself. This attack can also be performed with broadcast addresses. 4.1.2 FTP PASV We originally intended to disclose this attack at our 4 Stateful Inspection presentation, but it was independently discovered and published by Mikael Olsson to VULN-DEV. Stateful inspection firewalls try to enforce certain This vulnerability can be referenced under CVE- semantics in the traffic they relay. The mechanisms 2000-0150 [CBHM99]. used to accomplish this, however, are often incom- FireWall-1 violates a basic layering abstraction in plete or subject to simple insertion or evasion, bear- its inspection of TCP application data within dis- ing some similarity to the problems encountered in crete IP packets, allowing for a simple insertion at- passive network monitoring [PN98]. tack. We can leverage the quoting of client input FireWall-1’s stateful inspection is vulnerable in in an FTP server’s error messages and the client- a number of ways related to layering violations in side configuration of TCP connection parameters to inspection, and ambiguity in end-to-end semantics. trick the firewall into allowing arbitrary data con- Many of these attacks rely on misconfiguration of nections for PASV replies we generate ourselves. IP spoofing protection, or leveraging other mecha- To demonstrate, we used our “ftp-ozone” tool to nisms, such as FWZ encapsulation, for insertion. open up a direct connection to the ToolTalk daemon 4
on the FTP server, allowing us to execute a buffer pending table is replaced with a new one, contain- overflow attack. ing the source IP address, the error port (extracted from the TCP payload), the destination IP address, 4.2 Simplex TCP Connections the same magic number, and the IP protocol. Upon intercepting the first SYN for an error connection, A connection in FireWall-1’s connection table may the firewall checks its parameters against the entry be flagged to restrict data flow to one direction in the pending table, and adds the connection to the (One-Way versus Either-Way). The first packet connections table. containing TCP data establishes the direction of An exploitable collision exists in the use of the the connection, and any data travelling in the other pending table. If we provide an initial sequence direction will cause the connection to be dropped number of five, it is incremented to six in the pend- from the connections table. In versions of FireWall- ing table – identical to the entry created by the first- 1 prior to 4.1, the check for data only considered packet handling code. Thus, by spoofing a SYN the first fragment in a series of fragmented pack- from an intranet or DMZ machine with an ISN of ets. Thus, it was possible to bypass this restriction five, with the source port of the host that we wish by sending a TCP data packet in two IP fragments to access, the destination IP address of our attack- – the first containing the TCP header, the second ing machine, and the destination port of the RSH containing data (a variation on the tiny fragment service, an entry is added to the connections ta- attack against static packet filters [ZRT95]). ble allowing us to connect from our machine to the Check Point corrected this in the latest version, “RSH client” on whatever port we specify. but there is still another way to bypass it. It is im- In version 4.1, the problem is not exploitable due portant to note that the firewall does not attempt to the fact that the initial SYN packet is not passed, to tear down the connection; it only removes its as certain additional flags are missing from our man- entry in the connection table and drops any subse- ufactured pending table entry. quent packets. As FireWall-1 doesn’t verify TCP se- quence numbers [Ro00], it is possible to re-establish the connection with the same source and destina- 4.4 UDP Replies tion parameters, allowing for retransmission of the A default installation of FireWall-1 4.0 allows DNS previously dropped TCP data to set a new direction traffic between all hosts. When combined with lax for the connection, passing the data back through IP spoofing protection, this rule allows us to spoof the firewall. To exploit this, a small program run- UDP datagrams from the DMZ or intranet to our ning in an infinite loop that constantly re-opens the attacking machine. If UDP responses are allowed, FTP data connection can be used to leak the return we can reply to those packets – in effect allowing us data through, although somewhat inefficiently. to talk to any UDP service behind the firewall. Our demonstration consisted of an attack against 4.3 RSH stderr the SNMP daemon on the target Solaris 2.6 ma- chine. Using the “tun” tool, we sent an FWZ en- RSH is another protocol that permits an insertion capsulated datagram to the external interface of attack to allow back-connections through the fire- the firewall, which upon decapsulation, appeared to wall, in the same manner as the previous FTP originate from the SNMP service on the internal vic- PORT exploit. This requires a legitimate RSH tim, destined for our attacking host’s port 53/udp. client inside the firewall, with the firewall config- This allowed us to respond to our “DNS request” ured to allow RSH/REXEC stderr connections (a with arbitrary packets destined for the target’s port simple policy box check, without any rules required 161/udp. It would follow that our source port for RSH in the rulebase). should be 53/udp, but this isn’t actually necessary RSH stderr connection handling also presents a because of the way UDP replies are implemented. problem in its management of connection state. Al- though we are unable to exploit this vulnerability in versions 4.1 and later, we decided to leave discus- 5 Recommendations sion of it in our presentation as it nicely illustrates some of the state-tracking mechanisms FireWall-1 5.1 Non-reliance on NAT uses internally. When FireWall-1 sees the first SYN of an RSH or As mentioned above, FWZ encapsulation can be REXEC connection, it records the source address, used to send packets through the firewall that would source port, destination address, a magic number, otherwise be unroutable. This includes packets des- and the TCP sequence number + 1 into the pend- tined to addresses behind NAT or on RFC 1918 pri- ing table. It records this information so that it can vate networks. For instance, in FireWall-1’s default recognize the first packet of the connection that con- configuration, an attacker can access DNS servers tains data. When the first data packet of the RSH in the intranet or DMZ directly, due to the “allow connection is passed by the firewall, its entry in the all port 53” rule. If the ICMP “allow all” rule is 5
enabled, an attacker can map any intranet or DMZ [CBHM99] S. Christey, D. Baker, W. Hill, D. subnets. Mann. “The Development of a Common NAT and non-routable addresses do not necessar- Vulnerabilities and Exposures List”. 2nd ily provide any inherent security. While FWZ en- International Workshop on Recent Ad- capsulation is specific to FireWall-1, similar attacks vances in Intrusion Detection, Septem- using other VPN encapsulation techniques may be ber 1999. more widely applicable – GRE, IP protocols re- served for IPsec, and even IPv6 tunnelling in IPv4 [Ha00] J. Hagino. “Possible Abuse Against [Ha00]. IPv6 Transition Technologies”. Inter- net Draft draft-itojun-ipv6-transition- abuse-00a.txt (work-in-progress), Inter- 5.2 Configuration net Engineering Task Force, March A few simple rules of thumb: 2000. 1. Be sure to run the latest version of FireWall-1 [Fy97] Fyodor, “The Art of Port Scanning”. possible. Phrack Magazine 7:51, article 11, September 1997. 2. Disable implicit rules, including those for DNS, administrative control connections, and ICMP. [Ha95] N. Haller. “The S/KEY One-Time Pass- word System”. RFC 1760, Internet En- 3. Be as specific as possible in defining rules – no gineering Task Force, February 1995. “any” source or destination IP addresses, deny multicast / broadcast addresses, etc. [ZRT95] G. Ziemba, D. Reed, P. Traina. “Secu- rity Considerations for IP Fragment Fil- 4. Enable IP spoofing protection on all interfaces. tering”. RFC 1858, Internet Engineering Task Force, October 1995. 5. Pre-filter IP protocol 94 (e.g. with IP Filter or some other mechanism). [PN98] T. Ptacek, T. Newsham. “Insertion, Evasion, and Denial of Service: Elud- 6. Separate virtual IP addresses for public ser- ing Network Intrusion Detection”. Se- vices. cure Networks, Inc., January 1998. 7. Use only FWA1 authentication for now. [Ro00] G. van Rooij. “Real Stateful TCP Packet Filtering in IP Filter”. 2nd In- 5.3 Patches ternational SANE Conference, March Check Point released patches to address these prob- 2000. lems in time for our presentation at the Black Hat Briefings. Current service packs, hotfixes, and alerts are available at: http://www.checkpoint.com/techsupport/ 6 Acknowledgments We would like to thank Check Point for their timely, thorough response to our independent security re- view, and for their exceptional professionalism in dealing with these issues. References [Be89] S. Bellovin, “Security Problems in the TCP/IP Protocol Suite”. Computer Communications Review 2:19, pp. 32- 48, April 1989. [Ch92] D. Brent Chapman. “Network (In)Security Through IP Packet Filtering”. 3rd USENIX Security Symposium, September 1992. 6

Recommended

2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guideWahyu Nasution
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
 
TekIVR Datasheet
TekIVR DatasheetTekIVR Datasheet
TekIVR DatasheetYasin KAPLAN
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamCisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamJysmeen
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoSYoav Francis
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 

Recommended

2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guideWahyu Nasution
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
 
TekIVR Datasheet
TekIVR DatasheetTekIVR Datasheet
TekIVR DatasheetYasin KAPLAN
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamCisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamJysmeen
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoSYoav Francis
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpnRohit Pardasani
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataMike Chafin
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNoSuchCon
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)Suraj Kumar
 
business
businessbusiness
businessGajendra Saini
 
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksDEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksFelipe Prado
 
26 security2
26 security226 security2
26 security2congiodiqua
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYVinil Patel
 
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Protect724manoj
 
p10
p10p10
p10tutorialsruby
 
cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptxMvidhya9
 
checkpoint
checkpointcheckpoint
checkpointMayank Dhingra
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open micRahul Kumar
 
Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)maunicmer
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityKunal Sharma
 

More Related Content

What's hot

CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataMike Chafin
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNoSuchCon
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksDEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksFelipe Prado
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYVinil Patel
 
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Protect724manoj
 

What's hot (17)

Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpn
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne Cyberattacks
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
business
businessbusiness
business
 
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksDEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
 
26 security2
26 security226 security2
26 security2
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
 
p10
p10p10
p10
 

Similar to A Stateful Inspection of Firewall-1 (2000)

cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptxMvidhya9
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open micRahul Kumar
 
Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)maunicmer
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityKunal Sharma
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
CRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdfCRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdfSpammer7
 
Site to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbSite to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbChanaka Lasantha
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows Vrushank Narola
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfssuserf0e32f
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT securityJulien Vermillard
 
IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11blusmurfydot1
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestChanaka Lasantha
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 

Similar to A Stateful Inspection of Firewall-1 (2000) (20)

cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptx
 
checkpoint
checkpointcheckpoint
checkpoint
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open mic
 
Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP Vulnerability
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
CRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdfCRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdf
 
Site to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbSite to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql db
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows
 
Mobile computing
Mobile computingMobile computing
Mobile computing
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdf
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
Tivoli firewall magic redp0227
Tivoli firewall magic redp0227Tivoli firewall magic redp0227
Tivoli firewall magic redp0227
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latest
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 

More from Dug Song

Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless NetworkDug Song
 
Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Dug Song
 
Startups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessStartups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessDug Song
 
From the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityFrom the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityDug Song
 
A Hacker's Life
A Hacker's LifeA Hacker's Life
A Hacker's LifeDug Song
 
The Balanced Engineer
The Balanced EngineerThe Balanced Engineer
The Balanced EngineerDug Song
 
Letter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnLetter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnDug Song
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteDug Song
 
Entrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborEntrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborDug Song
 
Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Dug Song
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 
Silver Needle in the Skype
Silver Needle in the SkypeSilver Needle in the Skype
Silver Needle in the SkypeDug Song
 
Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Dug Song
 
Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Dug Song
 
SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)Dug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityDug Song
 
A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)Dug Song
 
Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Dug Song
 

More from Dug Song (19)

Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless Network
 
Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009Ann Arbor Startup Development 2009
Ann Arbor Startup Development 2009
 
Startups: The Extreme Sport of Business
Startups: The Extreme Sport of BusinessStartups: The Extreme Sport of Business
Startups: The Extreme Sport of Business
 
From the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing SecurityFrom the Arsenal of Democracy, to Democratizing Security
From the Arsenal of Democracy, to Democratizing Security
 
A Hacker's Life
A Hacker's LifeA Hacker's Life
A Hacker's Life
 
The Balanced Engineer
The Balanced EngineerThe Balanced Engineer
The Balanced Engineer
 
Letter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence InnLetter from Ann Arbor Residence Inn
Letter from Ann Arbor Residence Inn
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test Suite
 
Entrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann ArborEntrepreneurs Foundation of Ann Arbor
Entrepreneurs Foundation of Ann Arbor
 
Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)Monkey-In-The-Middle (2001)
Monkey-In-The-Middle (2001)
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gle
 
Silver Needle in the Skype
Silver Needle in the SkypeSilver Needle in the Skype
Silver Needle in the Skype
 
Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)Fragroute - NIDS Testing Revisited (2002)
Fragroute - NIDS Testing Revisited (2002)
 
Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)Intrusion Detection 101 (1999)
Intrusion Detection 101 (1999)
 
SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)SSH Traffic Analysis Attacks (2001)
SSH Traffic Analysis Attacks (2001)
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm Activity
 
A Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm ActivityA Snapshot of Global Internet Worm Activity
A Snapshot of Global Internet Worm Activity
 
A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)A Stateful Inspection of Firewall-1 (2000)
A Stateful Inspection of Firewall-1 (2000)
 
Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09Ann Arbor Startup Community Development H1'09
Ann Arbor Startup Community Development H1'09
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

A Stateful Inspection of Firewall-1 (2000)

  • 1. A Stateful Inspection of FireWall-1 Thomas Lopatic, John McDonald TUV data protect GmbH {tl,jm}@dataprotect.com Dug Song Center for Information Technology Integration University of Michigan dugsong@monkey.org August 15, 2000 1 Introduction however, SecuRemote clients use port 264/tcp, with access to 256/tcp restricted. At the Black Hat Briefings 2000, we presented an While only the management console is able to is- analysis of Check Point FireWall-1 vulnerabilities sue unload commands, the binary load (bload) com- resulting from protocol design flaws, problems in mand is enabled by default for any IP address that stateful inspection, common or default misconfig- the filter module knows an authentication secret for. urations, and minor implementation errors discov- We were able to verify this under version 4.0 by ered over the past few months in the lab, and veri- using binary load to upload an “allow all” policy. fied in real-world penetration tests. Our attacks bypass authentication to issue an un- In this advisory, we summarize our findings and load command, which is easier to implement, and provide some recommendations for safe configura- more portable between versions. tion. It is intended to complement our presentation slides and source code, available at: 2.1 IP Address Verification http://www.dataprotect.com/bh2000/ In the inter-module authentication protocol, a filter module does not verify the source IP address of an Our research was conducted against a Nokia IP440 authenticating management module by checking the running FireWall-1 version 4.0 Service Pack 5. peer address of a connection – it examines a list of IP Check Point later provided us with version 4.1 Ser- addresses handed to it. A common misconfiguration vice Pack 1, which was still vulnerable to most of is to put our attacks, but came with a much safer default configuration. Check Point has since released ser- 127.0.0.1: */none vice packs for all supported versions of FireWall-1 to specifically address the vulnerabilities documented in the control.map file, to ease local administra- here. tion. An attacker only needs to send 127.0.0.1 as her IP address to bypass authentication completely, as demonstrated by our “fw1none” program. 2 Authentication After exchanging version and IP address informa- tion, the filter module replies with the authentica- In the examination of any security product, the ad- tion it wants to be performed. Upon successful au- ministrative control channels are often the weakest thentication, the management module transmits the link – and the most security critical. Indeed, we arguments for the command to be executed. Finally found that FireWall-1, in a typical distributed de- the filter module returns a status code to indicate ployment, was susceptible to several trivial attacks whether or not command execution was successful. against its inter-module authentication protocols. The protocol is in general not strictly syn- Our attacks assume that the attacker has access chronous. In particular, the exchange of IP ad- to port 256/tcp on the filter module, and knows the dresses happens asynchronously, i.e. the manage- IP address of either a management module or any ment module does not have to send its IP addresses peer for which a shared authentication secret has first. It could just wait for the filter module to send been configured using “fw putkey.” In version 4.0, all IP addresses and then transmit its own. In this this port is exposed to the world by default, as it way, an attacker acting as a management module is also used by SecuRemote clients. In version 4.1, may learn all IP addresses of the firewall without 1
  • 2. actually authenticating. This is useful for the en- knows K, is able to verify the signature by calculat- capsulation attacks discussed later, or in discovery ing the same keyed hash. of a management module’s IP address. The original value for K is set using “fw If we present an IP address to the filter module putkey.” However, after the first authentication, a that does not correspond to a management module Diffie-Hellman key exchange is initiated, resulting – or more generally speaking, an IP address that in a new shared 1024 bit secret K for authentication. it does not have an authentication secret for – it will simply refuse to authenticate. Hence we can The FWN1 protocol works as follows: scan for the correct IP address of the management module by connecting repeatedly, giving a different 1. The filter module generates a random number IP address (or list of IP addresses) each time. R1. 2. The filter module signs R1. The signature S1 2.2 S/Key = Hash(R1 + K), where ’+’ denotes concate- S/Key authentication [Ha95] is used when commu- nation. nicating with embedded FireWall-1 devices. It is 3. R1 and S1 are sent to the management module. also the fallback for version 4.0 filter modules that do not have an encryption license and thus do not 4. The management module verifies S1. support FWA1. The problem with Check Point’s S/Key imple- 5. The management module generates a random mentation is that after a shared secret has been used number R2. for 99 iterations, the management module gener- 6. The management module calculates the corre- ates a new authentication secret using time(). The sponding signature S2 = Hash(R1 + K), where time() function has a resolution of seconds. There- ’+’ is concatenation again. fore, there are only 24 * 3600 = 86400 different pos- sibilities for secrets generated on a single day. Even 7. R2 and S2 are sent to the filter module. worse, if the status of the filter module is polled pe- riodically every 10 seconds, 99 authentications will 8. The filter module verifies S2. be performed in a maximum 990 seconds. Working This protocol is trivially defeated by a simple replay back from current time, we just have to try each attack. Instead of generating our own R2, we can of the 990 possible values in the period from now just reuse the value R1 sent by the filter module. to 990 seconds ago, because we can be sure that a Then, we can also reuse the signature S1, instead of new shared secret has been generated at least once having to generate our own S2. during this period. Our “fw1fwn” utility implements the unload com- With our S/Key brute forcing program “fw1bf,” mand with FWN1 authentication. we are able to perform about 50 guesses per second There is no encryption with FWN1 authentica- against FireWall-1 4.0 by using parallel connections, tion. Neither are there any provisions for data in- covering a whole day of possible authentication se- tegrity. Internal threats like TCP connection hi- crets in less than half an hour. Version 4.1 does not jacking apply [Be89]. support as many parallel connections, reducing our effective rate by an order of magnitude. The S/Key authentication secret, once recovered, 2.4 FWA1 may be used with our “fw1skey” tool to issue an FWA1 is similar to FWN1, with the addition of en- unload command to the filter module. cryption to the communication between the mod- There is no encryption with S/Key authentica- ules. This is the default mechanism used in version tion. Neither are there any provisions for data in- 4.1, and for most commands in version 4.0 when an tegrity. Internal threats like TCP connection hi- encryption license is present. jacking apply [Be89]. Again, there is a shared secret K, initially set using “fw putkey.” After the first successful 2.3 FWN1 authentication, it is replaced by a 1024 bit value resulting from a Diffie-Hellman key exchange. FWN1 is an alternative to S/Key, sometimes used at sites lacking an encryption license for version 4.0 fil- The FWA1 protocol works as follows: ter modules. It is the default authentication method for OPSEC in version 4.0 and version 4.1. 1. The filter module generates a random number Authentication is based on a shared secret K. This R1. secret is needed to sign data using a keyed hash. K is appended to the data and the result is fed to a 2. The filter module signs R1. The signature S1 cryptographically secure hash function. The result- = Hash(R1 + K), where ’+’ denotes concate- ing digest is used as a signature. The peer, who also nation. 2
  • 3. 3. R1 and S1 are sent to the management module. a connection between two modules by simply XOR- ing the ciphertext C with a corresponding bit mask 4. The management module verifies S1. X, since the decrypted plaintext P = C ˆ K, where 5. The management module generates a random K is the key stream and ’ˆ’ denotes XOR. Decryp- number R2. tion of C ˆ X would thus yield (C ˆ X) ˆ K = (C ˆ K) ˆ X = P ˆ X. 6. The management module calculates R3 = R1 ˆ R2, where ’ˆ’ denotes XOR. 7. The management module calculates the corre- 3 Packet Filtering sponding signature S2 = Hash(R3 + K), where Static packet filtering is perhaps the simplest mech- ’+’ is concatenation again. anism for network access control, but also decep- 8. R2 and S2 are sent to the filter module. tively hard to implement correctly [Ch92]. We found FireWall-1 to be susceptible to a number of 9. The filter module verifies S2. attacks based on incomplete input verification, in- cluding some that allowed for attacks against state- Hence, the only change from FWN1 authentication ful inspection as well. is that instead of signing R2, the management mod- ule signs R3 = R1 ˆ R2. Again, this protocol is trivially defeated with a simple replay attack. We 3.1 TCP Fastmode just choose R2 to be zero. In this way R3 = R1 ˆ FireWall-1 provides a mechanism known as “fast- R2 will yield R3 = R1 and we can again reuse the mode” to allow an administrator to designate cer- filter module’s signature. tain services as being performance critical. The The “fw1fwa” utility implements FWA1 authen- FireWall-1 kernel module simply passes packets that tication. However, the unload command cannot be have a source or destination port of a fastmode ser- issued, as encryption is used to protect the commu- vice without any additional connection or rule base nication channel. checking. We have simplified our presentation of the FWN1 and FWA1 authentication algorithms a bit for the Additionally, in fastmode, only SYN packets are sake of clarity. In practice, only 64 of the 128 bits verified. This allows an attacker to pass non-SYN of the signature are transmitted. In FWA1 the re- TCP packets through the firewall to map the net- maining 64 bits of S1 and S2 are concatenated to work by setting the source port of her packets to form the 128 bit encryption key. Since S1 = S2 that of the fastmode service. We demonstrated in our attack, we would have to guess the 64 bit mapping a network using the -g and -sF options encryption key to successfully issue an unload com- in nmap [Fy97]. mand. There may still be a more sophisticated and practical way which has yet to be investigated. 3.2 FWZ Encapsulation If the shared 1024 bit secret generated by the Diffie-Hellman key exchange turned out to be guess- FireWall-1’s simple tunneling protocol for SecuRe- able by a practical brute force attack because of a mote connections proves extremely useful in boot- lack of entropy, we would perhaps be able to find strapping insertion attacks against stateful inspec- a relatively small set of candidate values for K by tion. This protocol (FWZ tunnelling via IP protocol brute forcing based on R1 and S1. Then we could 94) is decapsulated at the very beginning of pre- try all candidate values for K to find the real K. To inspection, before any real analysis is performed. identify the real K, we could use the known plain- The decapsulated packet is then fed through the in- text of the “authentication successful” reply that we spection process. It is not necessary to authenticate receive, which is already encrypted. or encrypt packets in order to use this encapsulation To date, we have not come up with a practical protocol. Furthermore, we could find no way to dis- attack on the complete FWA1 protocol, including able this functionality, short of filtering IP protocol encryption. Still, the authentication mechanism is 94 with another device. seriously broken. An ordinary IP packet is FWZ encapsulated as FWA1 uses the proprietary stream cipher FWZ1, follows: the original destination IP address and pro- recently posted anonymously to the Usenet sci.crypt tocol are appended as a trailer to the end of the newsgroup. Unfortunately, even a simple command packet, and replaced in the original header by the like unload needs at least 18 bytes of arguments. target IP address (one of the firewall’s interfaces) Moreover, a different key is used in either direction, and IP protocol 94. The trailer, five bytes in length, confounding any known plaintext attack against the is obfuscated via XOR with a keyed hash on the “authentication successful” reply. IP ID. While we didn’t recover the key used in the There are no provisions for data integrity in hash, our tools cheat by fixing the IP ID to one and FWA1. Internal attackers are able to flip bits in XORing against a static hash. 3
  • 4. In this manner, FWZ encapsulation may be used 4.1 FTP Data Connections to send packets through the firewall that would oth- 4.1.1 FTP PORT erwise be unroutable, such as packets from the DMZ or intranet to the Internet, packets destined for a FireWall-1’s FTP processing tries to restrict the multicast address, or packets to addresses behind destination of FTP data connections to the FTP NAT or on RFC 1918 private networks. client associated with the control connection, pre- venting the classic FTP bounce attack. In previous versions of FireWall-1, this was trivially bypassed 3.3 IP Spoofing Protection by splitting up the PORT command over multiple IP spoofing protection on FireWall-1 is configured packets, or even by spelling “PoRT” in mixed case per network object at the interface level. Several for version 3.0. However, with the latest checks im- options are possible, but the typical configuration posed by FireWall-1 to restrict one FTP command looks something like this: to a packet, bypassing this becomes a little more difficult. 1. DMZ and intranet interfaces set to “This Net” In our presentation, we demonstrated an ambigu- ity in the parsing of the PORT command that allows or perhaps “This Net +”, restricting valid source IP addresses on the interface to those us to bypass this restriction. FireWall-1 takes each directly on its network, or routable to its net- octet of the presented IP address as a long integer, work. shifts it the appropriate number of bits and then adds it to its notion of the IP address. However, 2. External interface set to “Others”, disallowing the FTP server we targeted on Solaris 2.6 interprets packets purporting to originate from any of the each octet of the IP address modulo 256. This dif- DMZ or intranet networks. ference allows us to trick the firewall into believing the connection is destined for the correct client IP, while the FTP server believes the connection is des- While this configuration seems simple enough, it tined for itself. leaves out spoofing protection for one important IP The attack we demonstrated was against the address – the external interface of the firewall. De- ToolTalk RPC daemon. We uploaded two files to nial of spoofed packets coming from firewall inter- the FTP server in a publicly writable directory, and faces is apparently enabled by default in all versions then instructed the FTP daemon to upload those of FireWall-1 other than version 4.1 Service Pack files to its own ToolTalk daemon port with a care- 1. Coupled with the default rule to allow ISAKMP fully crafted PORT command. The first file was nec- packets, this hole allows an attacker to send any essary to kill the daemon, and the second file was UDP datagram to the external firewall interface. the buffer overflow, as generated by the ToolTalk Another possibility for evading IP spoofing pro- exploit by apk. tection is to use the all-hosts multicast address We also demonstrated utilizing FWZ encapsu- (224.0.0.1) as a mechanism for delivering packets lation to spoof a FTP control connection packet to the underlying operating system of the firewall. from our victim machine to our attacking computer. For our demonstration, we used FWZ encapsulation The payload of this packet was a PORT command, to spoof a packet from the multicast address to our which the firewall’s FTP stateful inspection mod- attack host, allowing us to respond with a packet ule interpreted as a legitimate data connection that sent to the multicast address, passed on to the fire- needed to be passed through the firewall. wall itself. This attack can also be performed with broadcast addresses. 4.1.2 FTP PASV We originally intended to disclose this attack at our 4 Stateful Inspection presentation, but it was independently discovered and published by Mikael Olsson to VULN-DEV. Stateful inspection firewalls try to enforce certain This vulnerability can be referenced under CVE- semantics in the traffic they relay. The mechanisms 2000-0150 [CBHM99]. used to accomplish this, however, are often incom- FireWall-1 violates a basic layering abstraction in plete or subject to simple insertion or evasion, bear- its inspection of TCP application data within dis- ing some similarity to the problems encountered in crete IP packets, allowing for a simple insertion at- passive network monitoring [PN98]. tack. We can leverage the quoting of client input FireWall-1’s stateful inspection is vulnerable in in an FTP server’s error messages and the client- a number of ways related to layering violations in side configuration of TCP connection parameters to inspection, and ambiguity in end-to-end semantics. trick the firewall into allowing arbitrary data con- Many of these attacks rely on misconfiguration of nections for PASV replies we generate ourselves. IP spoofing protection, or leveraging other mecha- To demonstrate, we used our “ftp-ozone” tool to nisms, such as FWZ encapsulation, for insertion. open up a direct connection to the ToolTalk daemon 4
  • 5. on the FTP server, allowing us to execute a buffer pending table is replaced with a new one, contain- overflow attack. ing the source IP address, the error port (extracted from the TCP payload), the destination IP address, 4.2 Simplex TCP Connections the same magic number, and the IP protocol. Upon intercepting the first SYN for an error connection, A connection in FireWall-1’s connection table may the firewall checks its parameters against the entry be flagged to restrict data flow to one direction in the pending table, and adds the connection to the (One-Way versus Either-Way). The first packet connections table. containing TCP data establishes the direction of An exploitable collision exists in the use of the the connection, and any data travelling in the other pending table. If we provide an initial sequence direction will cause the connection to be dropped number of five, it is incremented to six in the pend- from the connections table. In versions of FireWall- ing table – identical to the entry created by the first- 1 prior to 4.1, the check for data only considered packet handling code. Thus, by spoofing a SYN the first fragment in a series of fragmented pack- from an intranet or DMZ machine with an ISN of ets. Thus, it was possible to bypass this restriction five, with the source port of the host that we wish by sending a TCP data packet in two IP fragments to access, the destination IP address of our attack- – the first containing the TCP header, the second ing machine, and the destination port of the RSH containing data (a variation on the tiny fragment service, an entry is added to the connections ta- attack against static packet filters [ZRT95]). ble allowing us to connect from our machine to the Check Point corrected this in the latest version, “RSH client” on whatever port we specify. but there is still another way to bypass it. It is im- In version 4.1, the problem is not exploitable due portant to note that the firewall does not attempt to the fact that the initial SYN packet is not passed, to tear down the connection; it only removes its as certain additional flags are missing from our man- entry in the connection table and drops any subse- ufactured pending table entry. quent packets. As FireWall-1 doesn’t verify TCP se- quence numbers [Ro00], it is possible to re-establish the connection with the same source and destina- 4.4 UDP Replies tion parameters, allowing for retransmission of the A default installation of FireWall-1 4.0 allows DNS previously dropped TCP data to set a new direction traffic between all hosts. When combined with lax for the connection, passing the data back through IP spoofing protection, this rule allows us to spoof the firewall. To exploit this, a small program run- UDP datagrams from the DMZ or intranet to our ning in an infinite loop that constantly re-opens the attacking machine. If UDP responses are allowed, FTP data connection can be used to leak the return we can reply to those packets – in effect allowing us data through, although somewhat inefficiently. to talk to any UDP service behind the firewall. Our demonstration consisted of an attack against 4.3 RSH stderr the SNMP daemon on the target Solaris 2.6 ma- chine. Using the “tun” tool, we sent an FWZ en- RSH is another protocol that permits an insertion capsulated datagram to the external interface of attack to allow back-connections through the fire- the firewall, which upon decapsulation, appeared to wall, in the same manner as the previous FTP originate from the SNMP service on the internal vic- PORT exploit. This requires a legitimate RSH tim, destined for our attacking host’s port 53/udp. client inside the firewall, with the firewall config- This allowed us to respond to our “DNS request” ured to allow RSH/REXEC stderr connections (a with arbitrary packets destined for the target’s port simple policy box check, without any rules required 161/udp. It would follow that our source port for RSH in the rulebase). should be 53/udp, but this isn’t actually necessary RSH stderr connection handling also presents a because of the way UDP replies are implemented. problem in its management of connection state. Al- though we are unable to exploit this vulnerability in versions 4.1 and later, we decided to leave discus- 5 Recommendations sion of it in our presentation as it nicely illustrates some of the state-tracking mechanisms FireWall-1 5.1 Non-reliance on NAT uses internally. When FireWall-1 sees the first SYN of an RSH or As mentioned above, FWZ encapsulation can be REXEC connection, it records the source address, used to send packets through the firewall that would source port, destination address, a magic number, otherwise be unroutable. This includes packets des- and the TCP sequence number + 1 into the pend- tined to addresses behind NAT or on RFC 1918 pri- ing table. It records this information so that it can vate networks. For instance, in FireWall-1’s default recognize the first packet of the connection that con- configuration, an attacker can access DNS servers tains data. When the first data packet of the RSH in the intranet or DMZ directly, due to the “allow connection is passed by the firewall, its entry in the all port 53” rule. If the ICMP “allow all” rule is 5
  • 6. enabled, an attacker can map any intranet or DMZ [CBHM99] S. Christey, D. Baker, W. Hill, D. subnets. Mann. “The Development of a Common NAT and non-routable addresses do not necessar- Vulnerabilities and Exposures List”. 2nd ily provide any inherent security. While FWZ en- International Workshop on Recent Ad- capsulation is specific to FireWall-1, similar attacks vances in Intrusion Detection, Septem- using other VPN encapsulation techniques may be ber 1999. more widely applicable – GRE, IP protocols re- served for IPsec, and even IPv6 tunnelling in IPv4 [Ha00] J. Hagino. “Possible Abuse Against [Ha00]. IPv6 Transition Technologies”. Inter- net Draft draft-itojun-ipv6-transition- abuse-00a.txt (work-in-progress), Inter- 5.2 Configuration net Engineering Task Force, March A few simple rules of thumb: 2000. 1. Be sure to run the latest version of FireWall-1 [Fy97] Fyodor, “The Art of Port Scanning”. possible. Phrack Magazine 7:51, article 11, September 1997. 2. Disable implicit rules, including those for DNS, administrative control connections, and ICMP. [Ha95] N. Haller. “The S/KEY One-Time Pass- word System”. RFC 1760, Internet En- 3. Be as specific as possible in defining rules – no gineering Task Force, February 1995. “any” source or destination IP addresses, deny multicast / broadcast addresses, etc. [ZRT95] G. Ziemba, D. Reed, P. Traina. “Secu- rity Considerations for IP Fragment Fil- 4. Enable IP spoofing protection on all interfaces. tering”. RFC 1858, Internet Engineering Task Force, October 1995. 5. Pre-filter IP protocol 94 (e.g. with IP Filter or some other mechanism). [PN98] T. Ptacek, T. Newsham. “Insertion, Evasion, and Denial of Service: Elud- 6. Separate virtual IP addresses for public ser- ing Network Intrusion Detection”. Se- vices. cure Networks, Inc., January 1998. 7. Use only FWA1 authentication for now. [Ro00] G. van Rooij. “Real Stateful TCP Packet Filtering in IP Filter”. 2nd In- 5.3 Patches ternational SANE Conference, March Check Point released patches to address these prob- 2000. lems in time for our presentation at the Black Hat Briefings. Current service packs, hotfixes, and alerts are available at: http://www.checkpoint.com/techsupport/ 6 Acknowledgments We would like to thank Check Point for their timely, thorough response to our independent security re- view, and for their exceptional professionalism in dealing with these issues. References [Be89] S. Bellovin, “Security Problems in the TCP/IP Protocol Suite”. Computer Communications Review 2:19, pp. 32- 48, April 1989. [Ch92] D. Brent Chapman. “Network (In)Security Through IP Packet Filtering”. 3rd USENIX Security Symposium, September 1992. 6