Analysis of Network Firewall Strategies for Preventing Overflow Attacks

Source: Internet
Author: User
Tags: command line, sql injection, telnet, program, firewall

"Overflow" (buffer overflow) exploitation has long been one of the tools black-hat hackers use most often, or at least prefer most. As security culture has gradually spread, large amounts of public shellcode ("overflow" payload code) and write-ups of overflow attack principles can be found on any major network security site, and a series of security risks has followed: script kiddies use them to mount illegal attacks, malicious programmers use them to build worms, and so on. The network firewall is one of people's favourite network security "facilities"; can it actually "intercept" this kind of attack?

At present most firewall systems defend by packet-filtering rules. A firewall of this type inspects only network- and transport-layer headers, whereas an overflow program's shellcode travels inside the application-layer data, so against such an attack it is helpless. Take the IIS WebDAV overflow vulnerability that was so hot a while ago: if the attacker succeeds he gets a root shell (a command-line console with Administrator rights), and the overflow is triggered while the server is serving HTTP normally. Without patching and manual hardening, what can a firewall do? I suspect you will do nothing except filter packets to the server's TCP port 80 (the port that provides the normal HTTP service), which of course means your HTTP service can no longer be reached (equivalent to providing no service at all). Below I take this vulnerability as the topic and discuss my own solutions.

1 Implement a "separate open port" access control policy for the host you wish to protect

The so-called "separate open port" policy means opening only the ports that actually need to provide service and applying a filtering policy to every port that does not. For example, we now need to protect a Web server that has the WebDAV bug; how do we keep it from being hacked? The answer is to add a packet-filtering rule to the firewall in front of this Web server that allows other machines to reach only this host's TCP port 80 (whether your firewall can express such a rule is another matter). What effect does this rule have? Friends who regularly do penetration testing know the remote overflow attack process better than I do:

① Use a vulnerability scanner to locate a host with a remote overflow vulnerability;
② confirm its version number (if necessary);
③ use the exploit (attack program) to send the shellcode;
④ after confirming that the remote overflow succeeded, use nc or telnet to connect to the port opened on the overflowed host;
⑤ get the shell.

The separate open port policy is powerless during the first three steps of the remote overflow chain, but at step ④ it effectively stops the hacker from connecting to the port the overflow opened on the defective host, and so cuts off the malicious attack.

Advantages: simple to operate; an ordinary network or system administrator can carry out the relevant configuration.

Disadvantages: it can do nothing about exploits whose shellcode reuses the service port for control after the overflow; it is equally powerless against exploits whose shellcode makes a reverse connection out to the attacker; and it cannot prevent the denial-of-service side of the overflow attack, since the vulnerable service still crashes when the exploit is sent.
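To make the advantages and disadvantages above concrete, here is a small model of a stateful packet-filtering firewall in front of the Web server, walked through the five-step overflow chain. This is an added example, not code from the original article; the addresses, the attacker's bind-shell and reverse-connect ports, and the iptables rules quoted in the docstring are all assumptions made for the illustration.

```python
"""
Added example (not from the original article): a tiny model of a stateful
packet-filtering firewall applying the "separate open port" policy, used to
walk through the five-step remote overflow chain.  Addresses and ports are
assumed.  The equivalent iptables rules for the policy (also an assumption,
not quoted from the article) would be roughly:

    iptables -P INPUT DROP
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for a new TCP connection attempt


@dataclass
class Firewall:
    protected_host: str
    open_ports: frozenset      # only these ports may accept new inbound connections
    log: list = field(default_factory=list)

    def inbound(self, pkt: Packet) -> bool:
        """Return True if an inbound packet toward the protected host is passed."""
        if pkt.dst != self.protected_host:
            return True                       # not our host, not our job
        if not pkt.syn:
            return True                       # model: belongs to an established flow
        allowed = pkt.dport in self.open_ports
        self.log.append(("inbound", pkt.dport, "ACCEPT" if allowed else "DROP"))
        return allowed

    def outbound(self, pkt: Packet) -> bool:
        """Outbound from the protected host.  A plain inbound port policy says
        nothing about egress, so everything is passed; this is exactly the gap
        that reverse-connect shellcode uses."""
        self.log.append(("outbound", pkt.dport, "ACCEPT"))
        return True


def overflow_chain(fw: Firewall, attacker: str, victim: str,
                   bind_port: int, reverse_port: int) -> dict:
    """Run the chain and record, per step, whether the traffic got through."""
    result = {}
    # Steps 1-3: the scanner, version check and exploit all ride on the
    # service port itself, so a port policy cannot tell them from real traffic.
    for step in ("scan", "fingerprint", "send_shellcode"):
        result[step] = fw.inbound(Packet(attacker, 40000, victim, 80, syn=True))
    # Step 4a: bind-shell shellcode opens a new listening port; the attacker
    # must connect inbound to it, and that is what the policy blocks.
    result["connect_bind_shell"] = fw.inbound(
        Packet(attacker, 40001, victim, bind_port, syn=True))
    # Step 4b: reverse-connect shellcode dials out from the victim instead.
    result["reverse_connect"] = fw.outbound(
        Packet(victim, 1025, attacker, reverse_port, syn=True))
    # Step 4c: port-reuse shellcode hands out the shell on TCP 80 itself.
    result["port_reuse_shell"] = fw.inbound(
        Packet(attacker, 40002, victim, 80, syn=True))
    return result


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges) and assumed ports.
    fw = Firewall("192.0.2.10", frozenset({80}))
    for step, passed in overflow_chain(fw, "198.51.100.7", "192.0.2.10",
                                       bind_port=7788, reverse_port=4444).items():
        print(f"{step:20s} {'passed' if passed else 'BLOCKED'}")
```

Only the bind-shell connection (step 4a) is stopped; the exploit itself, the reverse connection and the port-reuse shell all pass, which is the set of disadvantages listed above. Adding an egress rule (only established flows and a whitelist of destinations may leave the server) would close the reverse-connect case but still not the port-reuse one.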

2 Use an application-layer firewall system

"Application layer" here does not mean that the firewall itself is an application-layer device, but that it can process application-layer data. Because there are many application-layer protocols and services, application-layer firewalls face a certain market limitation. For the case above we can use an application-layer firewall that understands the HTTP protocol, and write custom protection rules for the server with the WebDAV defect so that it is not affected by this kind of attack. There are not many HTTP application-layer firewall products; the best known is eEye's SecureIIS, whose use can be described as "fool-proof". Its basic defence principle and features are as follows: when the server receives a packet addressed to TCP port 80, the packet is first handed to SecureIIS, which parses it and decodes the application-layer data, then matches the resulting data against your custom rules. Once a condition matches (for example, a field length exceeds the configured threshold), the action specified by the rule is executed.

Advantages: can effectively cut off some attacks launched from the application layer (overflows, SQL injection, and so on).

Disadvantages: because it must be installed on the server itself, it consumes some system resources. (eEye does not produce a Chinese version of the software, so once it is deployed, Chinese text submitted in a POST request is automatically treated as high-risk attack code and isolated, with the related handling actions applied.)
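The inspection mechanism described above, parse the request, decode the application-layer data, match against a rule table, act on a hit, can be illustrated with a small Python model. This is an added example and is not the article's own code nor eEye SecureIIS; the rule set, its limits and the sample requests are assumptions chosen to show the mechanism, including the false positive on Chinese text noted in the disadvantages.

```python
"""
Added example (not from the original article, not SecureIIS): a minimal
application-layer HTTP inspector.  It parses a raw request, URL-decodes the
request target so rules see the real bytes, and checks the decoded fields
against a small rule table.  All limits, patterns and sample requests are
assumptions made for the illustration.
"""
import re
from urllib.parse import unquote_to_bytes

MAX_REQUEST_LINE = 1024      # assumed threshold for the decoded request target
MAX_HEADER_VALUE = 512       # assumed threshold for any single header value
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "SEARCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}
# Crude SQL-injection signature: UNION ... SELECT, "or 1=1", or ";drop/exec/xp_".
SQLI_PATTERN = re.compile(
    rb"(?i)(\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|;\s*(drop|exec|xp_\w+))")
# Crude overflow signature: a run of 32 or more x86 NOP (0x90) bytes.
NOP_SLED = re.compile(rb"\x90{32,}")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, decoded target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    target, _, _version = rest.rpartition(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return {
        "method": method.decode("latin-1"),
        "target": unquote_to_bytes(target),   # %XX decoded before any rule runs
        "headers": headers,
        "body": body,
    }


def inspect(raw: bytes, block_high_bytes: bool = True) -> list:
    """Return the names of the rules that fire; an empty list means 'pass'."""
    req = parse_request(raw)
    hits = []
    if req["method"] in WEBDAV_METHODS:
        hits.append("webdav_method")
    if len(req["target"]) > MAX_REQUEST_LINE:
        hits.append("request_line_too_long")
    if any(len(v) > MAX_HEADER_VALUE for v in req["headers"].values()):
        hits.append("header_too_long")
    if NOP_SLED.search(req["target"]) or NOP_SLED.search(req["body"]):
        hits.append("nop_sled")
    if SQLI_PATTERN.search(req["target"]) or SQLI_PATTERN.search(req["body"]):
        hits.append("sql_injection")
    # A "no bytes >= 0x80" rule catches raw shellcode but also any non-ASCII
    # text, which is exactly why Chinese form data gets flagged.
    if block_high_bytes and any(b >= 0x80 for b in req["target"] + req["body"]):
        hits.append("high_bytes")
    return hits


# Constructed sample requests.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_SEARCH = (b"SEARCH /" + b"%90" * 1200 + b" HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")          # WebDAV method, huge target
SQLI = b"GET /search.asp?id=1%20or%201=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CHINESE = ("POST /guestbook.asp HTTP/1.1\r\nHost: www.example.com\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "msg=你好，世界").encode("utf-8")              # legitimate Chinese POST

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("long SEARCH", LONG_SEARCH),
                      ("sqli", SQLI), ("chinese post", CHINESE)):
        print(f"{name:13s} -> {inspect(req) or 'pass'}")
    print(f"chinese post (high-byte rule off) -> {inspect(CHINESE, False) or 'pass'}")
```

The long SEARCH request trips four rules at once (WebDAV method, oversized target, NOP sled and high bytes), the injection attempt trips only the SQL rule, and the ordinary guest-book post trips only the high-byte rule; switching that one rule off lets the Chinese text through while the other three requests are still classified the same way. That is the trade-off behind the disadvantage above: a byte-range rule is cheap and catches raw shellcode, but it has to be tuned to the character set the site actually serves.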

3 Firewall system with an IDS function

Competition among domestically developed firewall systems has now reached a "white-hot" stage: 100 Mbit, Gigabit, 2U, 4U... the comparison of performance parameters grows ever fiercer, and a number of manufacturers have begun to shift their technical focus toward "multi-function". Integrating an IDS module into the firewall is nothing new, and such products can monitor application-layer data.

Advantages: easy to manage.

Disadvantages: higher cost, and a long-term need for staff to manage and maintain the equipment; the IDS module on a firewall has limited functionality.

Having summarized the three solutions above, I hope this gives you some room for reflection, and I also hope you will put forward your own suggestions and comments. Thank you. If you need to contact me, please email demonalex[at]demonalex.net.
