SlideShare a Scribd company logo

ML13198A410.pdf

P
ParasPatel967737

This presentation provides an overview of firewalls and their limitations. It discusses how firewalls are designed to control data flows but have hardware, memory, time, and logic constraints. The presentation then demonstrates common attack techniques like impersonation and session hijacking that can bypass firewalls. It shows how easily available hacking tools allow attacks to be performed with little skill or effort. The key point is that while firewalls provide some security, a holistic security program is needed to fully prevent, detect, and respond to threats.

Devices & Hardware
1 of 26
Download to read offline
Firewall Presentation Firewall Presentation Mike Shinn Casey Priester
Disclaimer This presentation: • does not contain NRC official positions • is not guidance on how to configure firewalls • is an overview of firewalls and their • is an overview of firewalls and their limitations • is a demonstration of how attackers can bypass firewalls
What is a Firewall? Q: What is a firewall? A: A firewall is a computer. • A firewall has the following: - Two or more network cards - Processor, RAM, hard drive - Operating System 3 Q: What makes a firewall different from other computers? A: Very little. • Designed to analyze and filter data flows at its most basic level • May include additional logic to perform real-time contextual analysis of data flows • May include specialized networking hardware to aid in this task
What is a Firewall? Q: What is the purpose of a firewall? A: To control the flow of data between networks according to pre- defined rules • Packet Filtering (by port, by protocol, by source address, by destination address) • Stateful Inspection (can determine if a packet is part of an existing data flow) 4 existing data flow) • Other features include the following: -“Application Aware:” contains logic specific to common application (web, FTP, Secure Shell, etc.) - Quality of Service: Traffic prioritization and scheduling - Session Inspection: Can search a data flow for certain types of content
Firewall Limitations •A firewall cannot perform all security tasks – Hardware limitations – Memory and overhead limitations – Time limitations – Logic limitations – Encrypted traffic payloads are not visible – Firewalls do not typically do traffic normalization 5 • As a computer, a firewall can have vulnerabilities – CVE-2012-4661: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module – CVE-2012-5316: Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Spam & Virus Firewall 600 – ICSA-12-102-05: Siemens Scalance S Multiple Security Vulnerabilities
Firewall Limitations A firewall is only as good as its ruleset. 6 Source: Wool, Avishai. (2009). Firewall configuration errors revisited. Tel Aviv University School of Engineering. Retrieved from: http://arxiv.org/pdf/0911.1240v1.pdf
Typical Network Architecture • Business network acts as backbone • Firewall between business network (BN) and plant control network (PCN) • Firewall between PCN and plant network (PN) may or may not be in place 7 may not be in place
Typical Network Architecture Problems: • BN/PCN Firewall is configured to partially or completely trust BN • PCN/PN Firewall is configured to partially or completely trust PCN 8 completely trust PCN
Common Weaknesses to Model •Poorly configured firewalls (historical, political, or legacy technical reasons) - Passing Microsoft Windows networking packets - Passing remote services (rsh, rlogin) - PCN/PN having trusted hosts on the business LAN - Not providing outbound data rules 9 - Not providing outbound data rules • Peer links that bypass or route through external firewall direct to PCN or PN
Common Weaknesses to Model • IT controlled assets in the PCN or PN (communications links, replicated services) • Vendor links for remote maintenance/monitoring 10 • Out-of-band communications channels (backup links to RTUs)
• Passive Evasion - The victim “phones home” to the attacker 1. Phishing/spearphishing 2. Malicious website/drive-by infection 3. “Sneakernet” infection 4. Social Engineering Getting Inside the Trusted Network 11 4. Social Engineering • Indirect Evasion – Traffic appears to be authentic 1. Stolen remote access credentials 2. VPN piggyback 3. Session hijacking 4. Address spoofing (for internal zones)
Getting Inside the Trusted Network • Active Evasion 1. Attack exposed services (Web, E-mail) 2. Attack firewall vulnerabilites 3. Exploit weak ruleset/poor configuration 4. “Trick” or subvert the firewall logic with protocol manipulation 4. “Trick” or subvert the firewall logic with protocol manipulation (AET) 5. Find out-of-band channels (wireless, modems, satellite links) 6. Get physical access to firewall or other infrastructure 12
Case Study – Palo Alto Networks • Founded in 2005 by Checkpoint veteran • First firewall product developed in 2007 • First of the “Next Generation” firewalls1 13 • First of the “Next Generation” firewalls1 • Named leader in the 2011 Gartner “Magic Quadrant” report2 • At Defcon 19 (Dec 2011), Palo Alto firewall demonstrated to have fatal design flaw 1. Pescatore, J. & Young, G. (2009, October 19). Defining the Next-Generation Firewall. Gartner RAS Core Research Group. Retrieved from: http://img1.custompublish.com/getfile.php/1434855.1861.sqqycbrdwq/Defining+the+Next-Generation+Firewall.pdf, retrieved 2012-12-02 2. Denne, S. (2011, December 16). Palo Alto Networks hits the Magic Quadrant for firewalls. The Wall Street Journal. Retrieved from: http://blogs.wsj.com/venturecapital/2011/12/16/palo-alto-networks-hits-the-magic-quadrant-for-firewalls/ 3. Woodberg, B. (2011). Palo Alto Networks Security Bypass. Defcon 19. Retrieved from: http://www.youtube.com/watch?v=AuaCrRlIgnQ
Case Study – Palo Alto Networks Cache poisoning attack: • HTTP port open, SIP port blocked • Attacker generates large number of HTTP sessions • Memory cache fills, traffic no longer inspected • HTTP session re-established as SIP, bypassing filter 14 • HTTP session re-established as SIP, bypassing filter
Demonstration Attack Stage 1 – Desktop attack Attack Stage 2 – Impersonation Attack Attack Stage 3 – Session Hijack 15
Attack Stage 1– Desktop Attack Scenario 1: • Attacker crafts email message to employee - Looks very believable, may come from spoofed address of trusted source • Email contains link to compromised website 16 • Email contains link to compromised website Scenario 2: • Employee goes to trusted website, which has link to infected website, employees computer is infected without knowledge (watering hole attack)
Attack Stage 1– Desktop Attack Both Scenarios: • Zero-day exploits in desktop software (e.g. browsers, operating system, browser plugin) • Anti-virus/anti-malware measures will not detect if no signature available 17 • IDS/IPS will not detect if no signature available or if connection is encrypted • Payload deploys rootkit or Remote Access Toolkit (RAT) • Payload initiates outbound connection over SSL/TLS or other encrypted protocol to bypass IDS/IPS/firewall inspection measures • Attacker now has full control over employee’s system and can attack local servers
Attack Stage 2 – Impersonation Attack Scenario: • No connections are allowed thru firewall from PCN to BN • Firewall is configured as “one way” • Server A, behind the firewall, sends a requests for data to 18 • Server A, behind the firewall, sends a requests for data to Server B • Server B cannot talk to Server A
TCP “Handshake” Listening Store data A B Once established, all TCP connections are bi- directional. Attacks can flow back to clients! Wait Connected
Attack Stage 2 Buffer Overflow • A buffer overflow occurs when attacker sends data that cannot be adequately handled by the victim program -Unexpected value -Value out-of-bounds -Memory violation 20 • Attack packet contains executable instructions to request victim open a shell prompt • The original session has not terminated
Attack Stage 3 – Session Hijack Scenario: • Victim is logged into CDA/CS, through the firewall • Telnet connection is allowed from Victim to ICS • No other hosts are allowed to connect thru 21 • No other hosts are allowed to connect thru firewall to ICS • Telnet Connection is authenticated
Blind TCP Session Hijacking Target • Victim, target trusted authenticated connection - Packets will have predictable sequence numbers • Attacker impersonates victim to target 22 Victim Attacker to target - Opens connection to target to get initial seq number - Fills victim’s receive queue - Sends packets to target that resemble victim’s transmission - Attacker cannot receive, but may execute commands on target
Attack Stage 3 – Session Hijack • Attacker listens to unencrypted session • Attacker uses probes to determine sequence numbers • Attacker sends spoofed identity packets to ICS while performing Denial of Service on Victim • Attacker sends shutdown command to ICS 23
How Easy are These Attacks? • Numerous RAT/trojan toolkits available on underground market – Push-button ease of use – Exploits as a Service (EaaS) becoming viable business model1,2 • Buffer overflow attack methodologies have been well- known and well-documented for many years known and well-documented for many years – “Smashing the Stack for Fun and Profit” by AlephOne, Phrack magazine,1996 • Session hijacking is one of the oldest attack methods on the Internet – Kevin Mitnick “man-in-the-middle” attack, 1994 1. Grier, Ballard, Caballero, et. al. (2012). Manufacturing Compromise: The Emergence of Exploit-as-a-Service. 19th ACM Conference on Computer and Communications Security. Retrieved from http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf 2. Asprey, D. (2011). New type of cloud emerges: Exploits as a Service (EaaS). TrendMicro Security. Retrieved from http://cloud.trendmicro.com/new-type-of-cloud-emerges-exploits-as-a-service-eaas/ 24
How Easy are These Attacks? •Free, easily available hacking tools and toolkits can perform some or all firewall bypass attack types: -Metaploit Framework -Cain and Abel -Firesheep -Firesheep -LOIC -Evader -Backtrack Live CD -Nmap -Ettercap 25
Firewall Limitations •Firewall technology is not one way (non-deterministic, not application-fluent) •Firewalls can be bypassed in many ways •Firewalls have their own vulnerabilities •Effective Security Programs must do the following: -Prevent -Detect -Delay -Deny -Deter -Respond -Recover • Firewalls cannot do all of these things alone 26

Recommended

Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
BhushanLokhande12
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
Divyanshu93112
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
Firas Alsayied
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
Day4
Day4Day4
Day4
Jai4uk
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
Radhika Talaviya
 
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
PROFIBUS and PROFINET InternationaI - PI UK
 

Recommended

Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
BhushanLokhande12
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
Divyanshu93112
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
Firas Alsayied
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
Day4
Day4Day4
Day4
Jai4uk
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
Radhika Talaviya
 
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
PROFIBUS and PROFINET InternationaI - PI UK
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud
shira koper
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
PROIDEA
 
Lessson 2 - Application Layer
Lessson 2 - Application LayerLessson 2 - Application Layer
Lessson 2 - Application Layer
MLG College of Learning, Inc
 
Seminar
SeminarSeminar
Seminar
Abhinav Kushwah
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
Divya Jyoti
 
Major presentation
Major presentationMajor presentation
Major presentation
ashishg251
 
Lessson 2
Lessson 2Lessson 2
Lessson 2
MLG College of Learning, Inc
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
VC Infotech
 
Firewall
Firewall Firewall
Firewall
Amuthavalli Nachiyar
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewalls
Kumar
 
Firewalls
FirewallsFirewalls
Firewalls
Shreya Singireddy
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
Mike Svoboda
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
Michael Chastain
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
Nathan Wallace, PhD, PE
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
ssuser530a07
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
Jainam Shah
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Firewall
FirewallFirewall
Firewall
Tapan Khilar
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respond
AlgoSec
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
sayyed azam
 
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
eydeofo
 
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
2g3om49r
 

More Related Content

Similar to ML13198A410.pdf

25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud
shira koper
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
PROIDEA
 
Lessson 2 - Application Layer
Lessson 2 - Application LayerLessson 2 - Application Layer
Lessson 2 - Application Layer
MLG College of Learning, Inc
 
Seminar
SeminarSeminar
Seminar
Abhinav Kushwah
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
Divya Jyoti
 
Major presentation
Major presentationMajor presentation
Major presentation
ashishg251
 
Lessson 2
Lessson 2Lessson 2
Lessson 2
MLG College of Learning, Inc
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
VC Infotech
 
Firewall
Firewall Firewall
Firewall
Amuthavalli Nachiyar
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewalls
Kumar
 
Firewalls
FirewallsFirewalls
Firewalls
Shreya Singireddy
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
Mike Svoboda
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
Michael Chastain
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
Nathan Wallace, PhD, PE
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
ssuser530a07
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
Jainam Shah
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Firewall
FirewallFirewall
Firewall
Tapan Khilar
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respond
AlgoSec
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
sayyed azam
 

Similar to ML13198A410.pdf (20)

25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
 
Lessson 2 - Application Layer
Lessson 2 - Application LayerLessson 2 - Application Layer
Lessson 2 - Application Layer
 
Seminar
SeminarSeminar
Seminar
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
Major presentation
Major presentationMajor presentation
Major presentation
 
Lessson 2
Lessson 2Lessson 2
Lessson 2
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Firewall
Firewall Firewall
Firewall
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewalls
 
Firewalls
FirewallsFirewalls
Firewalls
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Firewall
FirewallFirewall
Firewall
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respond
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
 

Recently uploaded

一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
eydeofo
 
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
2g3om49r
 
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
xuqdabu
 
Production.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd ddddddddddddddddddddddddddddddddddProduction.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd dddddddddddddddddddddddddddddddddd
DanielOliver74
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
nudduv
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
xuqdabu
 
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
terpt4iu
 
SOLIDWORKS 2024 Enhancements eBook.pdf for beginners
SOLIDWORKS 2024 Enhancements eBook.pdf for beginnersSOLIDWORKS 2024 Enhancements eBook.pdf for beginners
SOLIDWORKS 2024 Enhancements eBook.pdf for beginners
SethiLilu
 
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
terpt4iu
 
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
yizxn4sx
 
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
xuqdabu
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
xuqdabu
 
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
byfazef
 
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
zpc0z12
 
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
uyesp1a
 
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
kuehcub
 
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
snfdnzl7
 
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
nudduv
 
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
1jtj7yul
 
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
uwoso
 

Recently uploaded (20)

一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
一比一原版(UOL文凭证书)利物浦大学毕业证如何办理
 
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
1比1复刻澳洲皇家墨尔本理工大学毕业证本科学位原版一模一样
 
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
一比一原版(Monash文凭证书)莫纳什大学毕业证如何办理
 
Production.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd ddddddddddddddddddddddddddddddddddProduction.pptxd dddddddddddddddddddddddddddddddddd
Production.pptxd dddddddddddddddddddddddddddddddddd
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
 
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide文凭证书)阿德莱德大学毕业证如何办理
 
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
按照学校原版(KCL文凭证书)伦敦国王学院毕业证快速办理
 
SOLIDWORKS 2024 Enhancements eBook.pdf for beginners
SOLIDWORKS 2024 Enhancements eBook.pdf for beginnersSOLIDWORKS 2024 Enhancements eBook.pdf for beginners
SOLIDWORKS 2024 Enhancements eBook.pdf for beginners
 
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
按照学校原版(Adelaide文凭证书)阿德莱德大学毕业证快速办理
 
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
按照学校原版(Greenwich文凭证书)格林威治大学毕业证快速办理
 
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
一比一原版(UQ文凭证书)昆士兰大学毕业证如何办理
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
 
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
一比一原版(Greenwich文凭证书)格林威治大学毕业证如何办理
 
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
按照学校原版(UST文凭证书)圣托马斯大学毕业证快速办理
 
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
按照学校原版(Columbia文凭证书)哥伦比亚大学毕业证快速办理
 
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
一比一原版(KCL文凭证书)伦敦国王学院毕业证如何办理
 
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
按照学校原版(USD文凭证书)圣地亚哥大学毕业证快速办理
 
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
一比一原版(ANU文凭证书)澳大利亚国立大学毕业证如何办理
 
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
按照学校原版(UVic文凭证书)维多利亚大学毕业证快速办理
 
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
按照学校原版(UPenn文凭证书)宾夕法尼亚大学毕业证快速办理
 

ML13198A410.pdf

  • 2. Disclaimer This presentation: • does not contain NRC official positions • is not guidance on how to configure firewalls • is an overview of firewalls and their • is an overview of firewalls and their limitations • is a demonstration of how attackers can bypass firewalls
  • 3. What is a Firewall? Q: What is a firewall? A: A firewall is a computer. • A firewall has the following: - Two or more network cards - Processor, RAM, hard drive - Operating System 3 Q: What makes a firewall different from other computers? A: Very little. • Designed to analyze and filter data flows at its most basic level • May include additional logic to perform real-time contextual analysis of data flows • May include specialized networking hardware to aid in this task
  • 4. What is a Firewall? Q: What is the purpose of a firewall? A: To control the flow of data between networks according to pre- defined rules • Packet Filtering (by port, by protocol, by source address, by destination address) • Stateful Inspection (can determine if a packet is part of an existing data flow) 4 existing data flow) • Other features include the following: -“Application Aware:” contains logic specific to common application (web, FTP, Secure Shell, etc.) - Quality of Service: Traffic prioritization and scheduling - Session Inspection: Can search a data flow for certain types of content
  • 5. Firewall Limitations •A firewall cannot perform all security tasks – Hardware limitations – Memory and overhead limitations – Time limitations – Logic limitations – Encrypted traffic payloads are not visible – Firewalls do not typically do traffic normalization 5 • As a computer, a firewall can have vulnerabilities – CVE-2012-4661: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module – CVE-2012-5316: Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Spam & Virus Firewall 600 – ICSA-12-102-05: Siemens Scalance S Multiple Security Vulnerabilities
  • 6. Firewall Limitations A firewall is only as good as its ruleset. 6 Source: Wool, Avishai. (2009). Firewall configuration errors revisited. Tel Aviv University School of Engineering. Retrieved from: http://arxiv.org/pdf/0911.1240v1.pdf
  • 7. Typical Network Architecture • Business network acts as backbone • Firewall between business network (BN) and plant control network (PCN) • Firewall between PCN and plant network (PN) may or may not be in place 7 may not be in place
  • 8. Typical Network Architecture Problems: • BN/PCN Firewall is configured to partially or completely trust BN • PCN/PN Firewall is configured to partially or completely trust PCN 8 completely trust PCN
  • 9. Common Weaknesses to Model •Poorly configured firewalls (historical, political, or legacy technical reasons) - Passing Microsoft Windows networking packets - Passing remote services (rsh, rlogin) - PCN/PN having trusted hosts on the business LAN - Not providing outbound data rules 9 - Not providing outbound data rules • Peer links that bypass or route through external firewall direct to PCN or PN
  • 10. Common Weaknesses to Model • IT controlled assets in the PCN or PN (communications links, replicated services) • Vendor links for remote maintenance/monitoring 10 • Out-of-band communications channels (backup links to RTUs)
  • 11. • Passive Evasion - The victim “phones home” to the attacker 1. Phishing/spearphishing 2. Malicious website/drive-by infection 3. “Sneakernet” infection 4. Social Engineering Getting Inside the Trusted Network 11 4. Social Engineering • Indirect Evasion – Traffic appears to be authentic 1. Stolen remote access credentials 2. VPN piggyback 3. Session hijacking 4. Address spoofing (for internal zones)
  • 12. Getting Inside the Trusted Network • Active Evasion 1. Attack exposed services (Web, E-mail) 2. Attack firewall vulnerabilites 3. Exploit weak ruleset/poor configuration 4. “Trick” or subvert the firewall logic with protocol manipulation 4. “Trick” or subvert the firewall logic with protocol manipulation (AET) 5. Find out-of-band channels (wireless, modems, satellite links) 6. Get physical access to firewall or other infrastructure 12
  • 13. Case Study – Palo Alto Networks • Founded in 2005 by Checkpoint veteran • First firewall product developed in 2007 • First of the “Next Generation” firewalls1 13 • First of the “Next Generation” firewalls1 • Named leader in the 2011 Gartner “Magic Quadrant” report2 • At Defcon 19 (Dec 2011), Palo Alto firewall demonstrated to have fatal design flaw 1. Pescatore, J. & Young, G. (2009, October 19). Defining the Next-Generation Firewall. Gartner RAS Core Research Group. Retrieved from: http://img1.custompublish.com/getfile.php/1434855.1861.sqqycbrdwq/Defining+the+Next-Generation+Firewall.pdf, retrieved 2012-12-02 2. Denne, S. (2011, December 16). Palo Alto Networks hits the Magic Quadrant for firewalls. The Wall Street Journal. Retrieved from: http://blogs.wsj.com/venturecapital/2011/12/16/palo-alto-networks-hits-the-magic-quadrant-for-firewalls/ 3. Woodberg, B. (2011). Palo Alto Networks Security Bypass. Defcon 19. Retrieved from: http://www.youtube.com/watch?v=AuaCrRlIgnQ
  • 14. Case Study – Palo Alto Networks Cache poisoning attack: • HTTP port open, SIP port blocked • Attacker generates large number of HTTP sessions • Memory cache fills, traffic no longer inspected • HTTP session re-established as SIP, bypassing filter 14 • HTTP session re-established as SIP, bypassing filter
  • 15. Demonstration Attack Stage 1 – Desktop attack Attack Stage 2 – Impersonation Attack Attack Stage 3 – Session Hijack 15
  • 16. Attack Stage 1– Desktop Attack Scenario 1: • Attacker crafts email message to employee - Looks very believable, may come from spoofed address of trusted source • Email contains link to compromised website 16 • Email contains link to compromised website Scenario 2: • Employee goes to trusted website, which has link to infected website, employees computer is infected without knowledge (watering hole attack)
  • 17. Attack Stage 1– Desktop Attack Both Scenarios: • Zero-day exploits in desktop software (e.g. browsers, operating system, browser plugin) • Anti-virus/anti-malware measures will not detect if no signature available 17 • IDS/IPS will not detect if no signature available or if connection is encrypted • Payload deploys rootkit or Remote Access Toolkit (RAT) • Payload initiates outbound connection over SSL/TLS or other encrypted protocol to bypass IDS/IPS/firewall inspection measures • Attacker now has full control over employee’s system and can attack local servers
  • 18. Attack Stage 2 – Impersonation Attack Scenario: • No connections are allowed thru firewall from PCN to BN • Firewall is configured as “one way” • Server A, behind the firewall, sends a requests for data to 18 • Server A, behind the firewall, sends a requests for data to Server B • Server B cannot talk to Server A
  • 19. TCP “Handshake” Listening Store data A B Once established, all TCP connections are bi- directional. Attacks can flow back to clients! Wait Connected
  • 20. Attack Stage 2 Buffer Overflow • A buffer overflow occurs when attacker sends data that cannot be adequately handled by the victim program -Unexpected value -Value out-of-bounds -Memory violation 20 • Attack packet contains executable instructions to request victim open a shell prompt • The original session has not terminated
  • 21. Attack Stage 3 – Session Hijack Scenario: • Victim is logged into CDA/CS, through the firewall • Telnet connection is allowed from Victim to ICS • No other hosts are allowed to connect thru 21 • No other hosts are allowed to connect thru firewall to ICS • Telnet Connection is authenticated
  • 22. Blind TCP Session Hijacking Target • Victim, target trusted authenticated connection - Packets will have predictable sequence numbers • Attacker impersonates victim to target 22 Victim Attacker to target - Opens connection to target to get initial seq number - Fills victim’s receive queue - Sends packets to target that resemble victim’s transmission - Attacker cannot receive, but may execute commands on target
  • 23. Attack Stage 3 – Session Hijack • Attacker listens to unencrypted session • Attacker uses probes to determine sequence numbers • Attacker sends spoofed identity packets to ICS while performing Denial of Service on Victim • Attacker sends shutdown command to ICS 23
  • 24. How Easy are These Attacks? • Numerous RAT/trojan toolkits available on underground market – Push-button ease of use – Exploits as a Service (EaaS) becoming viable business model1,2 • Buffer overflow attack methodologies have been well- known and well-documented for many years known and well-documented for many years – “Smashing the Stack for Fun and Profit” by AlephOne, Phrack magazine,1996 • Session hijacking is one of the oldest attack methods on the Internet – Kevin Mitnick “man-in-the-middle” attack, 1994 1. Grier, Ballard, Caballero, et. al. (2012). Manufacturing Compromise: The Emergence of Exploit-as-a-Service. 19th ACM Conference on Computer and Communications Security. Retrieved from http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf 2. Asprey, D. (2011). New type of cloud emerges: Exploits as a Service (EaaS). TrendMicro Security. Retrieved from http://cloud.trendmicro.com/new-type-of-cloud-emerges-exploits-as-a-service-eaas/ 24
  • 25. How Easy are These Attacks? •Free, easily available hacking tools and toolkits can perform some or all firewall bypass attack types: -Metaploit Framework -Cain and Abel -Firesheep -Firesheep -LOIC -Evader -Backtrack Live CD -Nmap -Ettercap 25
  • 26. Firewall Limitations •Firewall technology is not one way (non-deterministic, not application-fluent) •Firewalls can be bypassed in many ways •Firewalls have their own vulnerabilities •Effective Security Programs must do the following: -Prevent -Detect -Delay -Deny -Deter -Respond -Recover • Firewalls cannot do all of these things alone 26