Chapter 23: Bypassing Firewalls


Overview

Firewall design technologies are evolving rapidly, and IT security specialists are not sleeping. Hacking becomes more difficult every day; however, hackers will never disappear, because new security holes replace the ones that have been closed. The keys in hacking are to be creative, experiment with firewalls, study existing and emerging standards, grind through disassembled listings, and search, search, search instead of sitting still and doing nothing.

A firewall in the general sense is a set of systems ensuring an appropriate level of access restriction, achieved by controlling the incoming traffic on the basis of flexible criteria (rules). Briefly, the firewall passes only that part of traffic explicitly allowed by the administrator, and it blocks all other packets (Fig. 23.1).

Figure 23.1: Network nodes protected by firewalls are as safe as if protected by a brick wall

Two types of firewalls dominate the market: packet filters, also called packet filter gateways, and application proxies. The firewall product from Check Point is representative of the first type, and Microsoft Proxy Server is an example of an application proxy.

Packet filters are transparent for users and ensure high performance; however, they are not sufficiently reliable. Such firewalls are a kind of router that receives packets both from the outside and from the inside and decides which packets to pass and which to discard. If necessary, the packet filter informs the sender that the packet was discarded. Most firewalls of this type operate at the IP level, yet the level and quality of support for IP, as well as the filtering quality, remain far from perfect; therefore, the attacker can easily deceive the firewall. On home computers, such firewalls might be useful. However, if even a poor router is present in the protected network, such firewalls only raise the expenses without offering adequate compensation, because the same packet filtering rules can be easily configured on the router.

Software proxies are normal proxy servers listening to predefined ports (for example, ports 25, 110, and 80) and supporting communications with services included in the predetermined list. In contrast to filters that pass IP packets "as is," proxies assemble TCP packets on their own, cut user data from them, attach a new TCP header, and disassemble the resulting packet into IP packets, translating the address if necessary. If the firewall is bug-free, it is impossible to deceive it at the network level. In addition, it hides the structure of the internal network from the attacker, because only the firewall is visible from the outside. To achieve the highest possible level of protection, the administrator can organize additional authorization and authentication procedures at the firewall, which would pounce on the intruder at the far boundaries. These, certainly, are advantages.

Now, it is time to consider drawbacks. Software proxies are inconvenient because they limit users in their choice of applications (not all applications support operation using proxies). They operate considerably slower than packet filters and cause a noticeable performance drop (especially on fast channels). Therefore, the main attention here will be paid to packet filters, leaving software proxies aside.

Firewalls of both types usually include a truncated version of an intrusion detection system, which analyzes the nature of network requests and detects potentially dangerous actions, such as attempts at accessing nonexistent ports (typical for port scanning), packets with a Time To Live (TTL) equal to one (typical for tracing), and so on. All these features considerably complicate the attack, and the hacker must proceed carefully, because every wrong move gives him or her away. However, the intellectual level of integrated intrusion detection systems is rather low, and most self-respecting administrators delegate this task to specialized intrusion detection system software, such as Real Secure from Internet Security Systems.
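The default-deny filtering rule and the two integrated detection heuristics described above (TTL equal to one, access to nonexistent ports) can be sketched from the defender's side as follows. This is an added example, not code from the book; the open-port set reuses the ports named earlier, while the threshold, alert names, and sample addresses are assumptions.

```python
import struct
from collections import defaultdict

OPEN_PORTS = {25, 80, 110}   # assumed: the only services the administrator allows
SCAN_THRESHOLD = 3           # assumed: distinct closed ports per source before alerting

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, ttl, dst_port) for an IPv4/TCP packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                            # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 4 or pkt[9] != 6:    # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, pkt[8], dst_port

class Filter:
    def __init__(self):
        self.closed_hits = defaultdict(set)   # source -> closed ports it has probed

    def inspect(self, pkt: bytes):
        """Return (verdict, alerts); anything not explicitly allowed is dropped."""
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return "drop", ["malformed"]
        src, ttl, port = parsed
        alerts = ["ttl1-trace"] if ttl == 1 else []
        if port in OPEN_PORTS:
            return "pass", alerts
        self.closed_hits[src].add(port)
        if len(self.closed_hits[src]) >= SCAN_THRESHOLD:
            alerts.append("port-scan")
        return "drop", alerts

def make_packet(src: str, ttl: int, dst_port: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus the TCP port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    return ip + struct.pack("!HH", 40000, dst_port)

if __name__ == "__main__":
    fw = Filter()
    for ttl, port in [(64, 80), (1, 80), (64, 21), (64, 23), (64, 445)]:
        print(ttl, port, fw.inspect(make_packet("198.51.100.7", ttl, port)))
```

The per-source state is never expired here; a real filter would age entries out so that the table stays bounded.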

Depending on the network configuration, the firewall might be installed on a standalone computer or share system resources with other software. Personal firewalls, popular in the Windows world, are in most cases installed directly on the protected computer. If this is an expertly designed and implemented packet filter, then the protection level of the system is practically the same as for a system protected by a dedicated firewall, and it is just as easy or difficult to attack as a system protected by a dedicated firewall. Local software proxies protect computers only against certain types of attacks (for example, they can block uploading of Trojan components using Internet Explorer), leaving the system practically open in any other respect. In UNIX-like systems, packet filters are present by default, and the distribution set includes lots of proxy servers; therefore, the user doesn't need to purchase add-on software.



Shellcoder's Programming Uncovered
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164
