How to bypass the firewall
Guo, Pei
November 06, 2006

Why do we need the firewall ?

What is the firewall ?

How to bypass the firewall ?
Seminar "Computer Security"
November 06, 2006
2
Part I
Why do we need the firewall ?
Why do we need the firewall ?
• The internet was purely research-oriented when it emerged, and its
communication protocols were designed for a more benign and safer
environment than today's.
• There were over one million computer networks and well over one billion
users by the end of the last century, but the internet has drifted steadily
from its initial form and its environment is much less trustworthy. It
contains all the dangerous situations, nasty people, and risks that we find
in real-life society as a whole.
• When a network is connected to the outside, communication between them is
bi-directional. Therefore it is very important for users to protect their
local systems from malicious attacks from the outside.
Part II
What is the firewall ?
Terminology of the firewall
• In common usage, the term "fire wall" originally meant, and still means,
a fireproof wall intended to prevent the spread of fire from one room or
area of a building to another.
• In computer science, a "fire wall" is a kind of gateway that restricts and
controls the flow of traffic between networks, typically between an
internal network and the Internet. It is inserted between your network and
the outside network to build up a controlled link and an outer security
wall.
Characteristics of the firewall
• All traffic between the inside and outside network must pass through and
be checked by the firewall.
• Only authorized traffic, as defined in the local security policy, is
allowed to pass the firewall.
• The firewall itself is immune to penetration.
Capabilities of the firewall
• A firewall should keep unauthorized users out of the protected network,
prohibit potentially vulnerable services from entering or leaving the
network, and provide protection from various kinds of IP spoofing and
routing attacks.
• A firewall should provide a location for monitoring, auditing and alarming
on security-related events.
• A firewall should be a convenient platform for some Internet functions that
are not security related. These include a network address translator, which
maps local addresses to Internet addresses, and a network management
function that audits or logs Internet usage.
Limitations of the firewall
• The firewall can NOT protect against attacks that bypass the firewall.
• The firewall can NOT protect against internal threats.
• The firewall can NOT protect against the transfer of virus-infected
programs or files.
Generations of the firewall
• Firewall technology appeared in the late 1980s, when the Internet was still
a fairly new technology in terms of its global use and connectivity.
• Generations:
- Packet filtering: the first paper on it was published in 1988
- Stateful inspection: in the early 1990s
- Circuit-level gateway: 1980 - 1990
- Application-level gateway: in the 1990s
- Other generations: any or all of the above can be combined
Some knowledge related to the firewall
• OSI model:
[Figure: the OSI model layers; not reproduced in the extracted text]
The common types of the firewall
Type 1: Packet-filtering router
• Network layer firewall
• The original and most basic firewall
• Controls the flow of data by the information in the packet header:
- Source Address
- Destination Address
- Protocol used for transferring the data
• Direct connection between the internal network and the outside network
[Figure: packet-filtering router placed between the private network and the outside]
The common types of the firewall
Type 1: Packet-filtering router
• PROS:
- Transparency and high performance
- Easy implementation and maintenance
- Application independence
• CONS:
- Low security
- No screening above the network layer
(no 'state' or application-context information)
The common types of the firewall
Type 2: Stateful inspection
• Also known as dynamic packet filtering
• Adds stateful inspection modules between the data-link layer and the
network layer
• Extracts state-related information required for security decisions from
the application layers and maintains this information in dynamic state
tables for evaluating subsequent connection attempts
• Direct connection between the inside and outside network
[Figure: stateful inspection firewall placed between the private network and the outside]
The common types of the firewall
Type 2: Stateful inspection
• PROS:
- Higher security than a packet-filtering router
- Extensibility, transparency and high performance
• CONS:
- No application-level security is provided
- Does not look at packets as closely as an application-level gateway
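The difference between Type 1 and Type 2 is easiest to see in code. The following toy model is an added illustration and is not code from the seminar slides: a stateless packet-filtering router that judges each packet on its header alone, beside a stateful filter that keeps a state table of outbound connections. The internal prefix 10.0.0.x, the policy (inside hosts may open TCP port 80 outbound) and the sample packets are all constructed for the demo. The stateless filter can only recognise replies by the ACK bit, so an unsolicited inbound packet with ACK set slips through; the stateful filter denies it because no matching connection was ever recorded.

```python
"""Stateless packet filtering vs. stateful inspection, as a toy model.
Added illustration; not code from the seminar slides.  Network, policy and
packets are constructed: inside hosts are 10.0.0.x and may open TCP/80 out."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" (inside -> outside) or "in" (outside -> inside)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset   # TCP flags present, e.g. {"SYN"} or {"ACK"}


INSIDE_PREFIX = "10.0.0."   # constructed internal network


def stateless_decision(pkt):
    """Packet-filtering router: each packet judged alone by header fields.
    Replies to inside-initiated connections can only be recognised by the ACK
    bit, so the 'established' rule has to admit any inbound ACK packet."""
    if pkt.proto != "tcp":
        return "deny"
    if pkt.direction == "out" and pkt.src.startswith(INSIDE_PREFIX) and pkt.dport == 80:
        return "allow"
    if pkt.direction == "in" and pkt.dst.startswith(INSIDE_PREFIX) and "ACK" in pkt.flags:
        return "allow"          # weakness: unsolicited ACK probes pass as well
    return "deny"


class StatefulFilter:
    """Stateful inspection: remember outbound connections in a state table and
    admit inbound packets only when they belong to a recorded connection."""

    def __init__(self):
        self.table = set()      # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if pkt.proto != "tcp":
            return "deny"
        if pkt.direction == "out" and pkt.src.startswith(INSIDE_PREFIX) and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"      # reply to a connection we saw going out
        return "deny"


def run_demo():
    """Run three constructed packets through both filters; returns
    a list of (stateless verdict, stateful verdict) pairs."""
    stateful = StatefulFilter()
    traffic = [
        # inside host opens a web connection
        Packet("out", "10.0.0.5", 40000, "198.51.100.7", 80, "tcp", frozenset({"SYN"})),
        # the legitimate reply
        Packet("in", "198.51.100.7", 80, "10.0.0.5", 40000, "tcp", frozenset({"SYN", "ACK"})),
        # unsolicited probe to port 22 with ACK set and no prior connection
        Packet("in", "203.0.113.9", 6000, "10.0.0.5", 22, "tcp", frozenset({"ACK"})),
    ]
    return [(stateless_decision(p), stateful.decide(p)) for p in traffic]


if __name__ == "__main__":
    for verdicts in run_demo():
        print(verdicts)
```

The third packet is the whole point: both filters allow the connection and its reply, but only the stateful filter rejects the ACK probe, which is exactly the "no 'state' information" limitation listed under Type 1.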
The common types of the firewall
Type 3: Circuit-level gateway
• Transport layer firewall
• Creates a circuit (connection) between the internal host and the outside
server by acting as a relay agent, without interpreting the
application-level information
• More like a packet filter with the ability to hide the client
[Figure: circuit-level gateway placed between the private network and the outside]
The common types of the firewall
Type 3: Circuit-level gateway
• PROS:
- Higher security than a packet-filtering router
- Higher performance than an application-level gateway
- Can be implemented for a large number of protocols, as it does not need to
comprehend the information at the protocol level
• CONS:
- Once a connection is established, it is always possible to send malicious
data in the packets.
The common types of the firewall
Type 4: Application-level gateway
• Application layer firewall
• Performs all the basic functions of the circuit-level gateway, with better
traffic monitoring
• Comprehends information at the higher levels of the TCP/IP stack, up to
the application layer
• Does not allow direct connections between an internal host and an external
server under any circumstances
[Figure: application-level gateway placed between the private network and the outside]
The common types of the firewall
Type 4: Application-level gateway
• PROS:
- Good security
- Full application-layer awareness
• CONS:
- Poor performance
- Limited application support
- Poor scalability (breaks the client/server model)
Part III
How to bypass the firewall ?
How to bypass the firewall ?
• "Legal" ways:
- IP address spoofing
- Source routing
- Tiny fragments
• "Illegal" ways:
- Rootkit
- Trojan
Terminology of IP address spoofing
IP address spoofing can be defined as the intentional misrepresentation of the
source IP address in an IP packet in order to conceal the identity of the
sender or to impersonate another computing system. In IP address spoofing,
the attacker gains unauthorized access to a computer or a network by making
it appear that the message comes from a trusted machine, by "spoofing" the IP
address of that machine.
Theory of IP address spoofing
• The Internet Protocol (IP) is a network protocol operating at the network
layer of the OSI model. It is connectionless, meaning that it keeps no
information about transaction state; it is used to route packets across a
network. The basic unit of data transfer in a packet network is called an
IP packet.
• IP packet header:
[Figure: IP packet header layout; not reproduced in the extracted text]
Theory of IP address spoofing
• The Transmission Control Protocol (TCP) operates at the transport layer of
the OSI model. Unlike IP, TCP uses a connection-oriented design: the parties
in a TCP session must first build a connection via the 3-way handshake
(SYN, SYN/ACK, ACK).
• TCP packet header:
[Figure: TCP packet header layout; not reproduced in the extracted text]
Theory of IP address spoofing
• The TCP/IP protocol suite uses numeric identifiers called IP addresses to
uniquely identify computers on a network.
• Because some systems rely on source IP addresses as a means of
authentication, access to a system, or to services provided by a system, is
decided based on the claimed source IP address contained in the packet.
Using certain tools, users can easily modify these addresses, specifically
the "source address" field, in order to bypass the firewall.
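The slide's point is that a source address is a claim, not a credential. The standard defence at the border is ingress/egress filtering in the style of RFC 2827 (BCP 38): a packet arriving on the external interface whose source claims to be an inside address cannot be genuine, and a packet leaving the internal interface with a source that is not ours should not be forwarded. The following is an added illustration, not code from the seminar slides; the site prefix 10.0.0.0/8, the interface names "external" and "internal" and the sample addresses are constructed for the demo.

```python
"""Anti-spoofing (ingress/egress) source-address filtering at a border.
Added illustration; not code from the seminar slides.  Prefixes, interface
names and sample packets are constructed for the demo."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed site prefix

# Source prefixes that can never legitimately arrive from the Internet side:
# our own addresses plus a few non-routable ranges.
NEVER_EXTERNAL_SOURCES = INTERNAL_NETS + [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "224.0.0.0/4", "255.255.255.255/32",
    )
]


def is_internal(addr):
    """True if the address belongs to one of our internal prefixes."""
    return any(addr in net for net in INTERNAL_NETS)


def anti_spoof_verdict(interface, src):
    """Decide on a packet's source address as seen on a border interface.
    Returns ("drop", reason) or ("pass", "")."""
    addr = ipaddress.ip_address(src)
    if interface == "external":
        # Ingress filtering: an inside (or bogon) source from outside is forged
        for net in NEVER_EXTERNAL_SOURCES:
            if addr in net:
                return ("drop", f"source {src} in {net} cannot arrive from outside")
    elif interface == "internal":
        # Egress filtering: do not let our hosts spoof someone else's address
        if not is_internal(addr):
            return ("drop", f"source {src} is not ours; refusing to forward")
    return ("pass", "")


def run_demo():
    """Verdicts for five constructed (interface, source) observations."""
    samples = [
        ("external", "198.51.100.7"),   # ordinary Internet host
        ("external", "10.1.2.3"),       # claims to be an inside host: spoofed
        ("external", "127.0.0.1"),      # loopback source from the wire
        ("internal", "10.0.0.5"),       # our own host going out
        ("internal", "203.0.113.9"),    # inside host spoofing an outside address
    ]
    return [anti_spoof_verdict(iface, src)[0] for iface, src in samples]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that this filter says nothing about whether an outside address is "trusted"; it only removes the cases where the claimed source is impossible for the interface it arrived on, which is precisely the case the slide's impersonation example relies on.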
Theory of IP address spoofing
A impersonates C (trusted machine) to spoof B:
[Figure: hosts A, B and C; A sends packets to B carrying C's source address]
Terminology of source routing
Source routing is a technique by which the sender of a packet can specify the
route that the packet should take through the network. Normally, as a packet
travels through the network, each router examines the "destination IP
address" and chooses the next hop to forward the packet to. In source
routing, the "source" (i.e. the sender) makes some or all of these decisions.
Theory of source routing
A: Sender
F: Destination
To bypass the firewall, the sender A specifies the route:
A -> B -> C -> D -> E -> F
[Figure: network diagram of nodes A, B, C, D, E and F with the source-specified path A -> B -> C -> D -> E -> F]
Terminology of tiny fragment
The tiny fragment technique uses IP fragmentation to create extremely small
fragments and force the TCP header information into a separate packet
fragment. It is designed to bypass filtering rules that depend on TCP header
information. The user hopes that only the first fragment is examined by the
filtering router and that the remaining fragments are passed through.
Theory of tiny fragment
[Figure: the TCP header split across two IP fragments]
IP header (first fragment): MF=1, Fragment Offset=0
TCP fields carried: Source Port, Destination Port, Sequence Number (SN)
IP header (second fragment): MF=0, Fragment Offset=1
TCP fields carried: Acknowledgment Sequence Number (ACK SN)=0, Data Offset,
reserved, flags (SYN), Window, Checksum, Urgent Pointer=0, Options, Padding
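Both the source-routing slide and the tiny-fragment slide describe packets that a filtering router can recognise from the IP header alone, so one inspection routine serves both. The following is an added example, not code from the seminar: it parses a raw IPv4 datagram, drops anything carrying a loose or strict source route option (option types 131 and 137), and applies the two fragment rules from RFC 1858 (drop a TCP first fragment too small to contain the flags the filter relies on, and drop any TCP fragment at offset 1, which could overwrite those flags in the reassembled packet). The 16-byte minimum (TMIN) is a threshold chosen here, the builder function exists only to construct offline test datagrams (checksum left at zero), and the addresses are sample values.

```python
"""Border-filter checks for source-routed packets and tiny TCP fragments.
Added illustration, not code from the seminar; datagrams are constructed
with a small builder so the checks run offline.  TMIN is a chosen threshold
in the spirit of RFC 1858; addresses are sample values."""
import ipaddress
import struct

PROTO_TCP = 6
OPT_LSRR, OPT_SSRR = 131, 137   # loose / strict source route option types
TMIN = 16                       # first fragment must carry at least this much TCP header


def parse_ipv4(raw):
    """Split a raw IPv4 datagram into the fields the filter needs."""
    vihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "frag_offset": flags_frag & 0x1FFF,     # in 8-byte units
        "options": raw[20:ihl],
        "payload": raw[ihl:total_len],
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


def option_types(options):
    """Walk the IP options area and return the option type codes present."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of Option List
            break
        types.append(kind)
        if kind == 1:                  # No-Operation: a single byte
            i += 1
            continue
        if i + 1 >= len(options):      # truncated option: stop walking
            break
        i += max(options[i + 1], 2)    # length byte covers type and length
    return types


def inspect_ipv4(raw):
    """Return "pass" or a "drop: <reason>" verdict for one datagram."""
    hdr = parse_ipv4(raw)
    opts = option_types(hdr["options"])
    if OPT_LSRR in opts or OPT_SSRR in opts:
        return "drop: source-routing option present"
    if hdr["proto"] == PROTO_TCP:
        # First fragment too small to hold the TCP flags the filter relies on
        if hdr["frag_offset"] == 0 and len(hdr["payload"]) < TMIN:
            return "drop: tiny first fragment"
        # A fragment at offset 1 could overwrite the flags of the first one
        if hdr["frag_offset"] == 1:
            return "drop: fragment at offset 1"
    return "pass"


def build_ipv4(payload, proto=PROTO_TCP, frag_offset=0, mf=False, options=b"",
               src="203.0.113.9", dst="10.0.0.5"):
    """Constructed test datagram (checksum left zero; not meant to be sent)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         1, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def run_demo():
    """Verdicts for four constructed datagrams, keyed by scenario name."""
    # 20-byte TCP SYN header: ports, seq, ack, data offset 5, flags=SYN, window
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 22, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed
    return {
        "normal_syn":    inspect_ipv4(build_ipv4(tcp_syn)),
        "source_routed": inspect_ipv4(build_ipv4(tcp_syn, options=lsrr)),
        # the split from the slide: ports and sequence number first (8 bytes, MF=1) ...
        "tiny_first":    inspect_ipv4(build_ipv4(tcp_syn[:8], mf=True)),
        # ... flags and the rest of the header in a second fragment at offset 1
        "second_frag":   inspect_ipv4(build_ipv4(tcp_syn[8:], frag_offset=1)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} {verdict}")
```

The two fragment rules matter together: dropping only tiny first fragments still leaves the overlap variant, where a legitimate-looking first fragment is followed by one at offset 1 that rewrites the flags, which is why the offset-1 rule is kept even though it rejects a fragment boundary that a normal sender has no reason to use.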
Concrete example bypassing firewall - SSH
Prerequisites:
• A computer at home that you can leave connected to the Internet while
you're at work. The Internet connection at home should be fast, usually
cable or DSL. (Technically, this can work with a dialup modem connection,
but it may cause problems and it's really slow.)
• Linux, Unix, or Microsoft Windows NT, 2000 or XP installed on your
computer at home.
• Linux, Unix or any flavor of Windows on your computer at work.
Concrete example bypassing firewall - SSH
• Run an SSH server on your computer at home.
• Use an SSH client on your computer at work to create a secure tunnel
between your home and work computers.
• Enable Dynamic Forwarding in the SSH client to simulate a SOCKS proxy.
• Configure Internet Explorer to use a SOCKS proxy for network traffic
instead of connecting directly.
Concrete example bypassing firewall - SSH
Using an SSH tunnel with Dynamic Forwarding:
[Figure: SSH tunnel with dynamic forwarding; not reproduced in the extracted text]
Rootkit
A rootkit (also written "root kit") is a set of software tools intended to
conceal running processes, files or system data, thereby helping an intruder
to maintain access to a system whilst avoiding detection. Rootkits are known
to exist for a variety of operating systems such as Linux, Solaris, and
versions of Microsoft Windows.
Trojan
In computer software, a Trojan horse is a malicious program that is disguised
as, or embedded within, legitimate software. The term is derived from the
classical myth of the Trojan Horse. Trojans may look useful or interesting
(or at the very least harmless) to an unsuspecting user, but are actually
harmful when executed. Often the term is shortened to simply "Trojan".
Part IV
Conclusion
Review
• The need for and origin of the firewall
• The essentials of the firewall
- The definition, characteristics, and capabilities/limitations of the firewall
- The generations and types of the firewall
• The principles of how to bypass the firewall
- "Legal" ways
- "Illegal" ways
Thanks, all you!!!