8.6 Firewall Vulnerabilities

Danger level: 5

Firewalls are a great way not to trust computers. As with the firewalls in automobiles and light aircraft (where the term originated), it is imperative to understand and respect their use and limitations to avoid getting burned. All but the most sophisticated firewalls look only at each packet's protocol, source and destination IP addresses, and port numbers, and check whether the rules allow the packet to pass. They do not protect against the following attacks.

  1. Attacks from within

    This is an attack initiated by someone who already has access to internal systems, usually a disgruntled or recently fired employee. Most organizations have no defense planned against it.

    The FBI claims that more than 80 percent of all computer intrusions are from within. See "General Policy" on page 336, "Accounts Policy" on page 338, and "Intracompany Firewalls to Contain Fires" on page 84 for defenses.


  2. End runs and tunneling

    This is where an intruder gets past the firewall entirely and then "has his way" with your systems, because most sites have not planned for this. He does this either with an end run around the firewall or by tunneling through it. These problems are so scary and hard to limit that most SysAdmins ignore them and hope they do not happen. Realistically, all it takes is someone connecting a modem to her desktop system to completely defeat the firewall. When she connects to her ISP with PPP, a cracker can compromise her system over that link, use it as a bridge onto the corporate network, and take over the entire network.

    See "Stopping End Runs Around Firewalls" on page 74, "Tunneling Through Firewalls" on page 77, and "Laptop Policy" on page 345 for defenses. These sections are must reading because these important problems are not addressed at many sites.


    Another likely end run is via a laptop's modem. Virus-laden floppies and CD-ROMs are another means. Even disabling the Ethernet interface while the PPP interface is up will not prevent a smart cracker from leaving a "time bomb" in a compromised system that takes over the Ethernet when it is reconnected. Heck, if he owns the system anyway, he can simply re-enable the Ethernet interface himself.

    Because most SysAdmins do not anticipate and guard against intrusions from within, the intruder will find "easy pickings."

  3. Content-based attacks

    These include malevolent mail attachments containing Windows programs, Microsoft Word macros, and evil Web pages. This is a concern for Linux, both because Linux is a popular (and excellent) firewall platform and mail server and because programs that run Windows software or process Windows document formats are available for Linux. These include StarOffice, which opens Word documents, and VMware, which runs Windows itself. They are vulnerable to some Windows attacks, as are dual-boot systems, which let you boot different operating systems, not all of which enjoy Linux's security. See "Physical Actions" on page 125 for protection against the latter, and accept that while a dual-boot system is running a different operating system, your system security is limited by the security of the running operating system.

    There are stateful firewalls available for Linux, and they are cataloged in "Stateful Firewalls" on page 540.


    Also included in content-based attacks are those where important daemons and applications are compromised with buffer overflows or other malformed data. There are several content analysis tools that can help. One is Snort, a real-time network intrusion detection system that can log to syslogd and to a separate file. Snort is an excellent real-time IDS and its use is recommended. I know of one company that built its business around this product. It may be downloaded from

    www.snort.org/

    Another is SARA, available at

    www-arc.com/sara/

    A third is SHADOW, a near-real-time analyzer developed by the U.S. government and popular with military and intelligence users. It is available at

    www.nswc.navy.mil/ISSEC/CID/

  4. Address spoofing attacks

    Any decent, properly configured firewall will detect and drop a packet arriving from outside the organization that claims to be from (spoofs) the address of an inside machine, and vice versa. However, it cannot determine whether a packet came from the particular outside system it claims to hail from. In other words, when a firewall receives a packet that says it is from outside system A, it cannot tell whether it really came from A or from another outside system B. Address spoofing of UDP packets is trivial, because there is no handshake to complete, which is one reason NFS is generally considered insecure. Some spoofing of TCP can be done too, when the attacker can predict the initial sequence numbers or can sniff the connection.

    SSH is a popular solution because its sessions cannot be spoofed: the server is authenticated by its host key and the traffic is encrypted and integrity-checked, so a packet with a forged source address cannot be passed off as part of the session. This is discussed in "Protecting User Sessions with SSH" on page 409. Virtual Private Networks are a more general solution than standard SSH usage, and they are addressed in "VPN Using FreeS/WAN IPSec" on page 428 and "VPN Using SSH, PPP, and Perl" on page 426.


    Newer versions of SSH have been very thoroughly scrutinized and should be trusted as the best solution available short of nonnetworked systems in locked rooms.

  5. DoS attacks

    The attacker can flood your firewall with more traffic than it can handle and "bury" legitimate packets. The attacker can monopolize your sendmail or Web daemons so that legitimate e-mail or HTTP traffic cannot get a connection to the server because it is too busy talking with the attacker. The attacker can fill up your disk space with spam.

    Another type of DoS attack is the SYN flood, where the attacker sends the first packet of the TCP three-way (three-packet) open sequence and never completes it. The server dedicates limited resources (an entry in its backlog of half-open connections) to each open that never completes. This attack is discussed in detail in "SYN Flood Attack Explained" on page 245 and "Defeating SYN Flood Attacks" on page 245. There may be other protocol-level attacks available by sending various improper packets, and there are IP-level attacks, many based on improper packet fragmentation or construction.

    The Ping of Death, an oversized ICMP echo request delivered in fragments that reassemble to more than the IP maximum of 65,535 bytes, is one such attack. As with the SYN flood, modern Linux kernels are immune to the Ping of Death, but a Linux firewall or router may forward the fragments to its intended victim, a less fortunate system. DoS attacks and some defenses are discussed throughout the book.

    The best way to stop an ordinary DoS, one that is not a DDoS, is to contact the SysAdmins at the offending site or its upstream provider and have them stop or block the attack. The chapters starting with Chapter 20 (see "Tracing a Numeric IP Address with nslookup" on page 707) discuss this. Alternatively, you should be able to get your own upstream provider to block these packets. The only way to stop a DDoS is to trace each sending system, one by one, and get each attack stopped.

    I have concerns about recent claims by some firewall vendors that they can stop DoS attacks (other than SYN floods and the like, which Linux already handles). If someone can use up your communications bandwidth with junk packets, there is no magic cure at your end. Perhaps in the near future there will be extensions to ICMP so that a system can say "block future packets from IP a.b.c.d until I say they are acceptable again" to resolve the problem.


  6. Misplaced services attacks

    Vulnerable services available from the Internet should be provided by systems in the DMZ, as discussed in "Intracompany Firewalls to Contain Fires" on page 84 and "Firewalls with IP Chains and DMZ" on page 514. These are the services with a higher likelihood than most of being cracked: many Web server configurations, externally accessible DNS, sendmail, etc. There should be no general access from the Internet to systems inside the firewall (other than those in the DMZ). Usually, only SSH, VPN, or similar access should be permitted from the Internet to inside systems. (If certain inside systems have a properly configured and up-to-date sendmail daemon and kernel, some sites may want to allow e-mail to them.)

  7. Configuration error attacks

    "We have a firewall so we are safe" is a complacent and therefore dangerous attitude. Analyze any change to the firewall configuration carefully, review the configuration periodically, keep the firewall's software up to date regardless of platform, and ensure that the platform itself is secure.
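    The SYN flood described under item 5 shows up on the wire as SYNs that are never followed by the client's ACK. The following detector, an added example and not code from the book, walks a constructed packet trace (packets heading toward one server) and reports services whose half-open connections pile up; the threshold, the addresses and the trace itself are assumptions for illustration.

```python
"""Spot a SYN flood in traffic arriving at a server: SYNs that are never
followed by the client's ACK (or RST) accumulate as half-open connections.
Added example, not code from the book; the trace is constructed and the
threshold is an assumed value."""
from collections import defaultdict

# Each record: (time_s, src, sport, dst, dport, flags), packets toward the server only.
# Constructed trace: one completed handshake from 198.51.100.7, then 300 SYNs
# from 250 spoofed addresses in 203.0.113.0/24 that are never completed.
TRACE = [
    (0.00, "198.51.100.7", 40000, "192.0.2.10", 80, "S"),
    (0.05, "198.51.100.7", 40000, "192.0.2.10", 80, "A"),  # third packet of the handshake
]
TRACE += [
    (1.0 + i * 0.01, f"203.0.113.{i % 250 + 1}", 1024 + i, "192.0.2.10", 80, "S")
    for i in range(300)
]


def half_open_connections(trace):
    """Map (dst, dport) to the list of client addresses whose SYN was never
    followed by a client ACK or RST on the same 4-tuple."""
    pending = {}                       # (src, sport, dst, dport) -> time of SYN
    for t, src, sport, dst, dport, flags in trace:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, t)
        elif "A" in flags or "R" in flags:
            pending.pop(key, None)     # handshake completed or aborted
    by_service = defaultdict(list)
    for (src, sport, dst, dport), t in pending.items():
        by_service[(dst, dport)].append(src)
    return by_service


def flood_suspects(trace, threshold=128):
    """Services whose half-open count reaches `threshold` (assumed; the real
    limit is the listen backlog and net.ipv4.tcp_max_syn_backlog).  Returns
    {(dst, dport): (half_open, distinct_sources)}.  Many distinct sources with
    one SYN each is the signature of spoofed addresses rather than one
    misbehaving client."""
    result = {}
    for service, sources in half_open_connections(trace).items():
        if len(sources) >= threshold:
            result[service] = (len(sources), len(set(sources)))
    return result


if __name__ == "__main__":
    for (dst, dport), (pending, distinct) in flood_suspects(TRACE).items():
        print(f"{dst}:{dport}: {pending} half-open connections from {distinct} sources")
```

    If a spoofed source address happens to belong to a live host, that host answers the unsolicited SYN-ACK with an RST, which this detector sees on the same 4-tuple and correctly treats as the connection going away; only addresses that are unused or silent keep the entry open. On Linux itself the kernel-side countermeasure is SYN cookies (net.ipv4.tcp_syncookies), which is why the text can say Linux already handles this; the detector earns its keep on a firewall that forwards traffic to less fortunate hosts behind it, the same caveat the text gives for the Ping of Death.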
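    Items 4 and 6 together describe the policy a plain packet filter can enforce: drop packets whose source address does not belong behind the interface they arrived on, let the Internet reach only the DMZ services, and allow nothing but SSH or VPN traffic from the Internet to inside hosts. The model below is an added example, not code from the book or an ipchains ruleset; the interface names, address ranges and service lists are assumptions chosen for illustration.

```python
"""Toy stateless packet filter applying the anti-spoofing rule (item 4) and the
"Internet reaches the DMZ only, plus SSH to the inside" rule (item 6).
Added example, not code from the book; topology and service lists are assumed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed topology: one Linux firewall with three interfaces.
INSIDE_NET = ip_network("10.1.0.0/16")   # assumed internal network
DMZ_NET = ip_network("192.0.2.0/24")     # assumed DMZ (documentation range)
ZONE_OF_IFACE = {"eth0": "external", "eth1": "dmz", "eth2": "inside"}

# Services the Internet may reach in the DMZ, and on inside hosts (assumed).
DMZ_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}
INSIDE_SERVICES = {("tcp", 22)}          # SSH only, as the text recommends

Packet = namedtuple("Packet", "iface proto src dst dport")


def zone_of_addr(addr):
    """Which zone an address belongs to, judged purely by its value."""
    a = ip_address(addr)
    if a in INSIDE_NET:
        return "inside"
    if a in DMZ_NET:
        return "dmz"
    return "external"


def is_spoofed(pkt):
    """Anti-spoofing: the source address must belong to the zone behind the
    interface the packet arrived on.  Catches an outside packet claiming an
    inside address and an inside packet claiming an outside one."""
    return zone_of_addr(pkt.src) != ZONE_OF_IFACE[pkt.iface]


def decide(pkt):
    """Verdict for one packet: ACCEPT, DROP or DROP-spoof."""
    if is_spoofed(pkt):
        return "DROP-spoof"
    src_zone = ZONE_OF_IFACE[pkt.iface]
    dst_zone = zone_of_addr(pkt.dst)
    service = (pkt.proto, pkt.dport)
    if src_zone == "external":
        if dst_zone == "dmz" and service in DMZ_SERVICES:
            return "ACCEPT"
        if dst_zone == "inside" and service in INSIDE_SERVICES:
            return "ACCEPT"
        return "DROP"            # no general access from the Internet
    if src_zone == "dmz" and dst_zone == "inside":
        return "DROP"            # a cracked DMZ host must not reach inside
    return "ACCEPT"              # inside or DMZ hosts going outward


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 play the Internet.
    samples = [
        Packet("eth0", "tcp", "203.0.113.5", "192.0.2.10", 80),    # web to DMZ
        Packet("eth0", "tcp", "203.0.113.5", "10.1.0.7", 22),      # SSH to inside
        Packet("eth0", "tcp", "203.0.113.5", "10.1.0.7", 80),      # web to inside
        Packet("eth0", "tcp", "10.1.0.9", "10.1.0.7", 22),         # spoofed inside address
        Packet("eth2", "udp", "198.51.100.1", "203.0.113.5", 53),  # inside host spoofing outward
        Packet("eth1", "tcp", "192.0.2.10", "10.1.0.7", 3306),     # DMZ host reaching inside
    ]
    for p in samples:
        print(f"{p.iface} {p.proto} {p.src} -> {p.dst}:{p.dport}  {decide(p)}")
```

    A real ipchains or iptables ruleset also needs rules letting replies to accepted connections back in (the stateful firewalls catalogued under item 3 do this by tracking connections), and this model ignores ICMP and packets addressed to the firewall itself. What it does show is the limit the text draws: the interface-plus-address check is as far as a plain packet filter can go, because nothing here can distinguish a genuine packet from outside host A from one that outside host B sent with A's address.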


       
    Real World Linux Security, Prentice Hall PTR Open Source Technology Series
    Year: 2002
    Pages: 260