INFO1200 – Hardening the Infrastructure

Firewall Manipulation: Attacks and Defenses
   Firewall Attack Methods
   Specific Firewall Attacks and Solutions
    •   Check Point Software
    •   Cisco PIX
    •   MS ISA Server
    •   NetScreen Firewall
    •   Novell BorderManager



Firewall Attack Methods
  –   Three valid attack methods
       ●   Information Gathering
       ●   Denial of Service (DoS)
       ●   Remote System Compromise





●   Attacking for Information
    –   One of the most pervasive types of attacks
    –   Attacker tries to gather information on the victim's network
    –   Typical disclosure includes:
         ● Internal IP addressing schemes
         ● Network topologies
         ● Firewall rules and policies
    –   Does not by itself provide a foothold to compromise the system
    –   All firewall vendors are susceptible to this type of attack



●   Denial of Service Attack
    –   Designed to disrupt network activity and business
        productivity by causing resources to be unavailable
    –   Provides little value with respect to network reconnaissance
    –   Can be easily detected by firewall logging or IDS
    –   Can be achieved by
         ●   Buffer overflows
         ●   TCP SYN attacks
         ●   Flaws in the firewall application
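The slide notes that DoS attempts are easy to detect from firewall logs. The following is an added example (not part of the INFO1200 slides) of the detection side: a sliding-window counter over deny-log lines that flags a source sending more half-open TCP SYN attempts than a threshold within a short window. The log format, IP addresses, timestamps and thresholds are constructed for illustration and do not correspond to any particular vendor's log syntax.

```python
"""Sliding-window SYN-flood detector over firewall deny logs (added example).

The log line format below is constructed for this example; adapt LOG_RE to the
real syslog format of the firewall in use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed format:
#   <ISO timestamp> DENY <proto> <src_ip>:<sport> -> <dst_ip>:<dport> [flags=<tcp flags>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: flags=(?P<flags>\S+))?$"
)

# Constructed sample log: one source (203.0.113.7) sends six SYN-only probes in
# six seconds, another (198.51.100.9) sends three SYNs spread over 40 seconds.
SAMPLE_LOG = """\
2004-03-01T10:00:00 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:01 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:01 DENY TCP 198.51.100.9:51000 -> 192.0.2.10:22 flags=S
2004-03-01T10:00:02 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:02 DENY UDP 203.0.113.7:40004 -> 192.0.2.10:161
2004-03-01T10:00:03 DENY TCP 203.0.113.7:40005 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:03 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:80 flags=SA
2004-03-01T10:00:04 DENY TCP 203.0.113.7:40007 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:05 DENY TCP 203.0.113.7:40008 -> 192.0.2.10:80 flags=S
2004-03-01T10:00:20 DENY TCP 198.51.100.9:51001 -> 192.0.2.10:22 flags=S
2004-03-01T10:00:40 DENY TCP 198.51.100.9:51002 -> 192.0.2.10:22 flags=S
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_syn_flood(lines, threshold=5, window_seconds=10):
    """Return {src_ip: first_alert_time} for every source whose number of
    SYN-only (SYN set, ACK clear) TCP attempts inside any window of
    window_seconds exceeds threshold."""
    windows = defaultdict(deque)   # src_ip -> timestamps within the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP":
            continue
        flags = ev["flags"] or ""
        if "S" not in flags or "A" in flags:
            continue                      # only half-open attempts count
        q = windows[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # expire events outside the window
        if len(q) > threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]  # remember when the source first tripped
    return alerts


if __name__ == "__main__":
    for src, when in detect_syn_flood(SAMPLE_LOG.splitlines()).items():
        print(f"possible SYN flood from {src}, threshold exceeded at {when.isoformat()}")
```

The SYN+ACK line and the UDP line are deliberately ignored: a SYN-flood signature is the volume of half-open attempts from one source, and counting every denied packet would raise false alarms on ordinary scanner noise.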



●   Remote Firewall Compromise
    –   Rarest of the three types of attack
    –   Attacker gains access through the firewall's GUI or command
        line interface
    –   Allows the attacker to make many possible modifications
    –   Perpetrated through flaws in the firewall application and not
        usually through flaws in the underlying OS
    –   Allows the attacker to modify the firewall rule base, such as
        permitting all inbound and outbound traffic to the attacker's
        source IP address and disabling logging for rules
    –   Only real defense is host-level IDS or other router and switch
        ACLs
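The slide describes what a compromised rule base looks like (blanket permits for one host, logging switched off) and names host-level monitoring as the defense. As an added example, not from the INFO1200 slides, the code below is a rule-base drift check of the kind a host-level integrity monitor would run: it hashes two snapshots of the rule base, reports rules that were added or removed, and flags the two post-compromise patterns the slide names. The rule syntax (`permit|deny <src> <dst> <service> log|nolog`) and the addresses are constructed and vendor-neutral.

```python
"""Rule-base drift check (added example, constructed vendor-neutral rule syntax).

Each rule line is: <permit|deny> <src> <dst> <service> <log|nolog>
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    src: str       # host, prefix or "any"
    dst: str
    service: str   # e.g. "tcp/22" or "any"
    log: bool


# Constructed baseline snapshot taken when the firewall was known good.
BASELINE = """\
permit any 192.0.2.10 tcp/80 log
permit any 192.0.2.10 tcp/443 log
permit 10.0.0.0/8 any tcp/22 log
deny any any any log
"""

# Constructed tampered snapshot: logging removed from one rule and two
# unlogged any-service permits added for a single outside host.
TAMPERED = """\
permit any 192.0.2.10 tcp/80 log
permit any 192.0.2.10 tcp/443 log
permit 10.0.0.0/8 any tcp/22 nolog      # logging switched off
permit 203.0.113.7 any any nolog        # outbound to one outside host
permit any 203.0.113.7 any nolog        # inbound from the same host
deny any any any log
"""


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny") \
                or parts[4] not in ("log", "nolog"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3], parts[4] == "log"))
    return rules


def rulebase_digest(text):
    """Content hash of a snapshot; a change here is the cheapest tamper signal."""
    return hashlib.sha256(text.encode()).hexdigest()


def findings_for(rule):
    """Reasons a permit rule matches the post-compromise pattern on the slide."""
    reasons = []
    if rule.action == "permit" and rule.service == "any":
        reasons.append("permits every service")
    if rule.action == "permit" and not rule.log:
        reasons.append("logging disabled")
    return reasons


def compare_rulebases(baseline_text, current_text):
    base, cur = parse_rules(baseline_text), parse_rules(current_text)
    base_set, cur_set = set(base), set(cur)
    added = [r for r in cur if r not in base_set]
    removed = [r for r in base if r not in cur_set]
    # A rule whose only change is log -> nolog is the same tuple minus the flag.
    key = lambda r: (r.action, r.src, r.dst, r.service)
    base_logged = {key(r) for r in base if r.log}
    logging_disabled = [r for r in cur if not r.log and key(r) in base_logged]
    return {
        "digest_changed": rulebase_digest(baseline_text) != rulebase_digest(current_text),
        "added": added,
        "removed": removed,
        "logging_disabled": logging_disabled,
        "suspicious": [(r, findings_for(r)) for r in added if findings_for(r)],
    }


if __name__ == "__main__":
    report = compare_rulebases(BASELINE, TAMPERED)
    print("rule base changed:", report["digest_changed"])
    for rule, reasons in report["suspicious"]:
        print(f"  {rule.action} {rule.src} {rule.dst} {rule.service}: {', '.join(reasons)}")
```

Running the comparison from a separate host against a periodically exported rule base is what makes it a host-level control: an attacker who owns the firewall's management interface can suppress its own logs, but not the baseline held elsewhere.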

Specific Firewall Attacks and Solutions
  –   Most of these are DoS-type attacks
  –   Many of the firewall examples in the book are probably
      no longer an issue (i.e. the book only covers up to 2004)
  –   The examples are instructive from the standpoint of
      providing information on the three types of attack





●   Check Point Software
    –   Attack
         ●   VPN-1/SecureClient ISAKMP Buffer Overflow
    –   Tools
         ●   None
    –   Defenses
         ●   Upgrade
         ●   Limit server IP Addresses of VPN Users




●   Check Point Software
    –   Attack
         ●   SecuRemote Internal Address Disclosure
    –   Tools
         ●   IRM's fwerun
         ●   Jim Becher's tool
    –   Defenses
         ●   Disable use of SecuRemote or VPN access
         ●   Update Firewall-1 to SP6 (Check Point NG is not
             vulnerable)

●   Cisco PIX
    –   Attack
         ●   SNMPv3 DoS
    –   Tools
         ●   Any SNMP tools such as SolarWinds or Castle Rock's
             SNMPc
    –   Defenses
         ●   Disable SNMP server on PIX firewall
         ●   Define which IP addresses can connect using SNMP
         ●   Update to latest software revision

●   Cisco PIX
    –   Attack
         ●   SSH DoS
    –   Tools
         ●   Rapid 7 Inc. - SSHredder + Netcat
    –   Defenses
         ●   Limit IP addresses which can connect using SSH through
             use of ACLs
         ●   Update PIX firewall



●   Microsoft ISA Server
    –   Attack
         ●   Web proxy DoS
    –   Tools
         ●   repeat.c from secureXpert labs
         ●   Netcat with elongated URL
    –   Defenses
         ●   Apply MS hotfix MS01-021




●   Microsoft ISA Server
    –   Attack
         ●   UDP Flood DoS
    –   Tools
         ●   Opentear from Security Office
    –   Defenses
         ●   Apply MS hotfix MS01-045
         ●   Use QoS and IDS on network




●   NetScreen
    –   Attack
         ●   Management & TCP Option DoS
    –   Tools
         ●   Registry tweaks for TCP Options on Windows + telnet, IE
             or Netcat
    –   Defenses
         ●   Set which devices are allowed to connect to the
             management IP address
         ●   Disable Telnet and only use SSH
         ●   Upgrade to latest version of ScreenOS

●   NetScreen
    –   Attack
         ●   Remote Reboot DoS
    –   Tools
         ●   Web browser to connect to WebUI + long username
    –   Defenses
         ●   Disable use of WebUI & only use SSH
         ●   Set which devices are allowed to connect to the
             management IP address
         ●   Upgrade to latest version of ScreenOS
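The Cisco PIX and NetScreen slides above repeat the same management-plane defenses: restrict which addresses may reach SNMP and SSH, disable Telnet and the WebUI in favour of SSH, and run current software. As an added example that is not part of the INFO1200 slides, the code below audits a management configuration for exactly those points. The configuration syntax (`version`, `<service> enable|disable`, `<service> allow <ip>`) is constructed and vendor-neutral; it is not PIX or ScreenOS syntax, and the version numbers and addresses are made up.

```python
"""Management-plane hardening audit (added example, constructed config syntax).

Config lines understood:
    version <a.b.c>
    <service> enable | disable        service in: snmp, ssh, telnet, webui
    <service> allow <ip-or-prefix>    allowed management host for that service
"""

# Constructed configuration with the weaknesses the slides warn about.
WEAK_CONFIG = """\
version 6.2.0
snmp enable
telnet enable
webui enable
ssh enable
"""

# Constructed configuration after applying the slides' defenses.
HARDENED_CONFIG = """\
version 6.3.1
snmp enable
snmp allow 10.0.0.5
telnet disable
webui disable
ssh enable
ssh allow 10.0.0.5
"""


def parse_mgmt_config(text):
    cfg = {"version": None, "services": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "version":
            cfg["version"] = tuple(int(x) for x in parts[1].split("."))
            continue
        svc = cfg["services"].setdefault(parts[0], {"enabled": False, "allow": set()})
        if len(parts) == 2 and parts[1] in ("enable", "disable"):
            svc["enabled"] = parts[1] == "enable"
        elif len(parts) == 3 and parts[1] == "allow":
            svc["allow"].add(parts[2])
        else:
            raise ValueError(f"unrecognised config line: {raw!r}")
    return cfg


def audit_management_plane(text, minimum_version):
    """Return a list of findings; an empty list means the config meets the
    defenses listed on the slides (restricted SNMP/SSH, no Telnet/WebUI,
    software at or above minimum_version, given as a tuple like (6, 3, 1))."""
    cfg = parse_mgmt_config(text)
    findings = []
    if cfg["version"] is None or cfg["version"] < minimum_version:
        findings.append("software older than the minimum approved release")

    def service(name):
        return cfg["services"].get(name, {"enabled": False, "allow": set()})

    for cleartext in ("telnet", "webui"):           # slides: disable, use SSH only
        if service(cleartext)["enabled"]:
            findings.append(f"{cleartext} management enabled; disable it and use SSH")
    for restricted in ("snmp", "ssh"):              # slides: limit source addresses
        s = service(restricted)
        if s["enabled"] and not s["allow"]:
            findings.append(f"{restricted} enabled with no allowed-host list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_plane(cfg, minimum_version=(6, 3, 1)))
```

An SNMP service that is enabled but unreachable from anywhere except the listed hosts satisfies the "define which IP addresses can connect" defense; disabling it entirely, as the PIX slide also suggests, passes the same check because a disabled service is never flagged.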

●   Novell BorderManager
    –   Attack
         ●   IP/IPX Gateway DoS
    –   Tools
         ●   Netcat with >2MB data file
    –   Defenses
         ●   Drop all TCP traffic to port 8225
         ●   Install BorderManager patch for version 3.6


