le firewall
by Black Ice
Firewalls can stand between you and your destination.
This doesn't mean that they always stop you from getting there, but they are watching you. I don't know many people who like to be watched, so here is some information about Check Point's FireWall-1 3.0b product, running on Solaris 2.5.1 with the latest patches. This is not a comprehensive article on Check Point, just some information you may enjoy.
My ISP uses a firewall between it and the Internet. This isn't revolutionary, except that it makes my 42 kbps connection as slow as 28.8 kbps! This is because it is checking every packet that goes in and out of the ISP. You would figure that they would at least put the news feed somewhere else!
Check Point's FW-1 does what is called "Stateful Inspection." FW-1 checks every packet against a rule-set that the FW-1 admin creates. The firewall can then accept, reject, encrypt, authenticate, or drop the packets according to the rule-set. The rules are based on Source Address, Destination Address, Service (e.g. HTTP, ICMP, DNS, NNTP), Action (Reject, Drop, Accept), Logging Level (None, Short, Long, Alert, Mail, etc.), and Time.
The FW-1 admin creates rules appropriate to the level of security required. For example, if only HTTP traffic is allowed from the "external network" to an internal host, Host A, then the rule-set would look something like Figure 1.
Figure 1: Sample Rule-Set

    Source            Destination   Service   Action   Log    Time
    External Network  10.10.1.1     httpd     accept   long   any
    ANY               ANY           ANY       drop     long   any

This allows only HTTP traffic to Host A from the external network. FW-1 will drop any other packets from the external network, causing a timeout. All rules are based on IP addresses. These addresses have a slew of associated properties, one being a name for easier readability.
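The rule-set in Figure 1 is evaluated top to bottom, first match wins, and the state kept on accepted connections is what lets replies come back without a rule of their own. The following is an added example (not Check Point's code, nor anything from FW-1) that models that behaviour in Python: the two rules of Figure 1 as ordered objects, a first-match inspector with a connection table, and a small check for rules that an earlier rule shadows, which is the most common way a rule-set ends up not doing what its creator wanted. The internal range 10.10.0.0/16, the meaning of "External Network" as "anything not internal", and the sample traffic from 192.0.2.7 are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed network objects. The page only names host 10.10.1.1; the
# internal range 10.10.0.0/16 and the "External Network" object meaning
# "anything not internal" are assumptions of this example.
INTERNAL = ip_network("10.10.0.0/16")
SERVICES = {"httpd": ("tcp", 80)}          # FW-1 service object -> (proto, port)


def external(addr: str) -> bool:
    return ip_address(addr) not in INTERNAL


def host(ip: str) -> Callable[[str], bool]:
    target = ip_address(ip)
    return lambda addr: ip_address(addr) == target


def any_addr(addr: str) -> bool:
    return True


@dataclass
class Rule:
    name: str
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    service: str            # "ANY" or a key of SERVICES
    action: str             # accept / drop / reject
    log: str = "long"
    time: str = "any"

    def matches(self, pkt: dict) -> bool:
        if not (self.src(pkt["src"]) and self.dst(pkt["dst"])):
            return False
        if self.service == "ANY":
            return True
        return (pkt["proto"], pkt["dport"]) == SERVICES[self.service]


def packet(src, sport, dst, dport, proto="tcp") -> dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Figure 1 as ordered rules: first match wins, the last rule is the cleanup rule.
FIGURE_1 = [
    Rule("http-to-host-a", external, host("10.10.1.1"), "httpd", "accept"),
    Rule("cleanup", any_addr, any_addr, "ANY", "drop"),
]
# The same rules in the wrong order: the cleanup rule now shadows the HTTP rule.
MISORDERED = [FIGURE_1[1], FIGURE_1[0]]


class StatefulInspector:
    """First-match rule evaluation plus a connection table, so replies to an
    accepted connection pass without being matched against the rules again."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()    # (proto, src, sport, dst, dport) of accepted flows
        self.log = []

    def inspect(self, pkt: dict) -> str:
        # A reply belongs to an accepted flow if the reversed 5-tuple is in the table.
        forward_key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if forward_key in self.connections:
            return "accept"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log != "none":
                    self.log.append((rule.name, rule.action, pkt["src"], pkt["dst"], pkt["dport"]))
                if rule.action == "accept":
                    self.connections.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
                return rule.action
        return "drop"   # nothing matched: implicit drop


def shadowed_rules(rules, sample_packets) -> list:
    """Names of rules that no sample packet ever reaches because an earlier
    rule matches first. A simple sanity check for rule-set ordering."""
    reached = set()
    for pkt in sample_packets:
        for rule in rules:
            if rule.matches(pkt):
                reached.add(rule.name)
                break
    return [r.name for r in rules if r.name not in reached]


# Constructed traffic from an external client (192.0.2.7 is documentation address space).
SAMPLE_PACKETS = [
    packet("192.0.2.7", 40000, "10.10.1.1", 80),   # HTTP to Host A
    packet("192.0.2.7", 40001, "10.10.1.1", 25),   # SMTP to Host A
    packet("192.0.2.7", 40002, "10.10.1.2", 80),   # HTTP to some other host
]

if __name__ == "__main__":
    fw = StatefulInspector(FIGURE_1)
    for p in SAMPLE_PACKETS:
        print(p["dst"], p["dport"], "->", fw.inspect(p))
    print("reply:", fw.inspect(packet("10.10.1.1", 80, "192.0.2.7", 40000)))
    print("shadowed in Figure 1:", shadowed_rules(FIGURE_1, SAMPLE_PACKETS))
    print("shadowed when misordered:", shadowed_rules(MISORDERED, SAMPLE_PACKETS))
```

With the rules in the Figure 1 order only the HTTP packet to Host A is accepted and its reply passes through the connection table without being logged a second time; with the cleanup rule moved to the top, the HTTP rule is never reached and `shadowed_rules` reports it, which is the kind of check worth running on any rule-set before it goes live.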
FW-1 also does Network Address Translation (NAT). With NAT you can hide the internal structure of your network from the outside world. This is very handy for corporations that have everyone surfing the web for "business purposes." Otherwise each user's IP address could be seen and a decent network map built from this information. With NAT the actual IP address behind the firewall is translated to another via rules, and that translated address is the one propagated across the Internet. Now if someone sees this address and tries to attach to the network from the outside, the firewall will just drop the packet because the ARP request for that machine's MAC address will not exist.
Not all firewalls are created equal, and they all have their own bugs and problems. FW-1 does come with some proxies, such as telnetd and httpd, but it is not known as a proxy firewall.
So what's the magic cookie to get around these firewalls? It's the same as for most everything else: human error. Here's a quick list of things you want to look at:
1.) Easily hacked services such as Sendmail, Finger, etc., may still be left on the firewall. If you can break into the firewall machine, jackpot. Rules are held in /etc/fw/conf by default.
2.) People do maintenance on the firewall that may leave the internal network susceptible for periods of time.
3.) It is very easy to create non-secure rule-sets that don't do what the creator wanted.
4.) There's sometimes a backdoor. They may have the Internet locked tight, but the company's dial-in modems are open season.
5.) Current patches aren't applied and lame attacks such as LAND will work.
6.) The external router isn't protected.
7.) Java/ActiveX attacks, since most firewalls pass this content through without checking it.
8.) Yada yada yada.
Most good rule-sets have a rule which states that the firewall will drop and log all packets sent specifically to it. This is good because there should be no attempt to send packets directly to the firewall. If you know a box exists but it silently eats everything sent to it, that is a good indication that it is a firewall. There are two ways to do this: Drop and Reject. Drop will just drop the packet and you will have to wait for your client to time out, whereas Reject may send a rejection packet back, depending on the protocol.
So you think to yourself, "All I have to do is find an open service and execute an Overlapping Fragment attack." The people who design firewalls are smart. I'll exit with this reasoning and implementation from FW-1.
Routers are often vulnerable to the Overlapping Fragments attack. In normal operation, the router passes the first fragment of a packet because it is allowed by the Access-Control List (ACL). The router then passes the second fragment, as it routinely passes all non-first fragments.
However, in an Overlapping Fragments attack, an intrusive fragment overwrites the end of the first fragment, resulting in the acceptance of a packet that should have been rejected by the ACL.
FireWall-1 prevents such attacks through a process we call "virtual defragmentation." In this case, the firewall only passes a fragment after it has internally reconstructed the full original packet. The FW-1 Inspection Engine only sees the full packet data - the same data that would be seen if the packet weren't fragmented. Using this scheme, no overlapping of fragments is permitted by the FW-1.
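To make the difference between the two behaviours concrete, here is an added example in Python; it is not Check Point's code and says nothing about how FW-1's Inspection Engine is actually written. It models a router that applies its ACL to the first fragment and waves through every non-first fragment, beside a "virtual defragmentation" filter that only ever looks at a fully reconstructed packet and refuses any fragment set whose pieces overlap, leave a gap, or disagree about which fragment is last. The 4-byte "transport header" (source port, destination port), the assumption that all fragments of a packet are handed over at once, and the sample fragment sets are all constructed for the example.

```python
import struct
from dataclasses import dataclass


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reconstructed into one consistent packet."""


@dataclass
class Fragment:
    offset: int     # byte offset of this fragment's data within the original packet
    more: bool      # "more fragments" flag: False only on the final fragment
    data: bytes


def virtual_defragment(fragments) -> bytes:
    """Rebuild the original packet, refusing any fragment set whose pieces
    overlap, leave a gap, or disagree about which fragment is last.
    Assumption: the caller hands over every fragment of one packet at once
    (a real engine would buffer fragments until the set is complete or a timer expires)."""
    frags = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    for i, f in enumerate(frags):
        if f.offset < len(buf):
            raise FragmentError(f"fragment at offset {f.offset} overlaps data already received up to {len(buf)}")
        if f.offset > len(buf):
            raise FragmentError(f"gap before offset {f.offset}")
        is_last = i == len(frags) - 1
        if f.more == is_last:     # all but the final fragment must carry "more"
            raise FragmentError("more-fragments flag disagrees with fragment position")
        buf += f.data
    return bytes(buf)


def transport_dport(pkt: bytes) -> int:
    # Constructed toy header: source port and destination port as two big-endian shorts.
    _, dport = struct.unpack("!HH", pkt[:4])
    return dport


def inspect_fragments(fragments, allowed_dports) -> tuple:
    """Firewall behaviour with virtual defragmentation: the ACL sees only the
    reconstructed packet, and anything that cannot be reconstructed is dropped."""
    try:
        pkt = virtual_defragment(fragments)
    except FragmentError as e:
        return ("drop", str(e))
    dport = transport_dport(pkt)
    verdict = "accept" if dport in allowed_dports else "drop"
    return (verdict, f"dport {dport}")


def naive_router(fragments, allowed_dports) -> str:
    """The router behaviour described above, for contrast: the ACL is applied to
    the first fragment only and every non-first fragment is passed unexamined."""
    first = next(f for f in fragments if f.offset == 0)
    return "accept" if transport_dport(first.data) in allowed_dports else "drop"


# Constructed sample fragment sets. Header = sport 40000, dport 80, then payload bytes.
HEADER_80 = struct.pack("!HH", 40000, 80)
BENIGN = [Fragment(0, True, HEADER_80 + b"GET "), Fragment(8, False, b"/ HTTP")]
# The case the text describes: the second fragment overlaps the tail of the first
# (bytes 2-3, the destination port) and would rewrite it to 23 after reassembly.
OVERLAPPING = [Fragment(0, True, HEADER_80 + b"GET "),
               Fragment(2, False, struct.pack("!H", 23) + b"xxxxxx")]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlapping", OVERLAPPING)):
        print(name, "router:", naive_router(frags, {80}),
              "defragmenting firewall:", inspect_fragments(frags, {80}))
```

The naive router accepts both sets, because in both the first fragment's header shows port 80. The defragmenting filter accepts the benign set after reconstructing it and drops the overlapping set without ever consulting the ACL, which is exactly the point of passing a fragment only after the full packet has been rebuilt; an incomplete set (the first fragment alone) is dropped for the same reason.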