I. Basic principles of firewall implementation
First we need some basic principles of how a firewall is implemented. Firewalls today fall into three main types: the packet filter, the stateful packet filter, and the application-layer proxy firewall. Their basic implementations are similar.
A firewall usually has two or more network interfaces, one facing the outside (the router) and the other facing the internal network. With packet forwarding enabled on the host, traffic between the two interfaces would simply pass through; the firewall inserts itself between the interfaces and controls all of that traffic.
Access control is the core of the firewall. The firewall decides mainly by means of an access control table, which is generally a list of rules of the following form:
1 accept from <source address, port> to <destination address, port> + action to take
2 deny ...... (deny means the packet is refused)
3 nat ....... (NAT means address translation; discussed later)
After the firewall receives a packet from the network layer (including the link layer below it), it matches the packet against the rules from the top down and executes the prearranged action of the first rule that fits, such as discarding the packet.
Different firewalls, however, differ in how they judge attack behaviour. The following sections combine each type's implementation principle with the attacks that are possible against it.
II. Attacking packet-filtering firewalls
The packet filter is the simplest type: it intercepts packets at the network layer and checks them against the rule table to detect attack behaviour. It filters only on the packet's source IP address, destination IP address, TCP/UDP source port and TCP/UDP destination port, so it is vulnerable to the following attacks:
1 IP spoofing attacks
This attack modifies a packet's source address, destination address and ports to imitate legitimate packets and deceive the firewall's checks. For example, an external attacker changes the source address to an internal network address; the firewall treats it as a legitimate address and lets it through. If the firewall checks that the source address is consistent with the interface the packet arrived on, this attack does not succeed.
2 DoS (denial of service) attacks
A simple packet-filtering firewall cannot track TCP state and is vulnerable to denial of service. Once the firewall is under a DoS attack, it may be so busy processing packets that it neglects its own filtering function. The firewall may then be gotten past, but this gives little opportunity for further attack.
3 Fragmentation attacks
The principle of this attack is as follows. In a fragmented IP datagram every fragment carries a fragment-offset field that records its position, but only the first fragment contains the TCP header with the port numbers. When the fragments pass through the packet filter, the firewall decides only from the TCP information in the first fragment; the subsequent fragments are not inspected at all and are let straight through.
So the attacker first sends a legitimate-looking first fragment that passes the firewall's check; the malicious data encapsulated in the subsequent fragments then passes the firewall directly and reaches the internal hosts, threatening the security of the network and the hosts.
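The rule-table matching from section I and the fragment weakness just described, as an added example (constructed here; not code from the original article or from any real firewall). The rule table, policy, addresses and the `naive_filter`/`FragmentAwareFilter` names are assumptions. The naive filter reproduces the behaviour the text describes: it consults the table only for the first fragment. The hardened variant passes a later fragment only when the first fragment of the same datagram was accepted, and always drops a fragment at offset 1, which could overwrite the port fields on reassembly (the countermeasure recommended in RFC 1858).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Fields a packet filter sees. Non-first fragments carry no transport
    header, so sport/dport are None for them."""
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    ident: int                    # IP identification, shared by all fragments of a datagram
    frag_offset: int = 0          # in 8-byte units; 0 = first fragment or unfragmented
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None   # None = any destination port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.proto == "any" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def lookup(rules, pkt: Packet) -> str:
    """Walk the table top to bottom; the first matching rule decides.
    A packet matching no rule is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy: only SMTP to the mail server is allowed in from outside.
RULES = [
    Rule("accept", dst="10.0.0.5", proto="tcp", dport=25),
    Rule("deny"),
]


def naive_filter(pkt: Packet) -> str:
    """Stateless behaviour the text describes: only the first fragment is
    checked; later fragments have no port fields and are simply let through."""
    if pkt.frag_offset > 0:
        return "accept"
    return lookup(RULES, pkt)


class FragmentAwareFilter:
    """Hardened variant: a later fragment passes only if the first fragment of
    the same datagram was accepted, and a fragment at offset 1 (which could
    overwrite the port fields on reassembly, see RFC 1858) is always dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.accepted = set()     # (src, dst, proto, ident) of accepted first fragments

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ident)
        if pkt.frag_offset == 0:
            if pkt.dport is None:           # first fragment too short to hold the ports
                return "deny"
            verdict = lookup(self.rules, pkt)
            if verdict == "accept":
                self.accepted.add(key)
            return verdict
        if pkt.frag_offset == 1:
            return "deny"
        return "accept" if key in self.accepted else "deny"


if __name__ == "__main__":
    first = Packet("203.0.113.9", "10.0.0.5", "tcp", ident=42, sport=40000, dport=25)
    stray = Packet("203.0.113.9", "10.0.0.7", "tcp", ident=99, frag_offset=3)
    print("naive:", naive_filter(first), naive_filter(stray))   # accept accept
    fw = FragmentAwareFilter(RULES)
    print("aware:", fw.filter(first), fw.filter(stray))         # accept deny
```

The `stray` packet is a non-first fragment addressed to a host that no rule permits; the naive filter lets it through because it has nothing to match on, while the fragment-aware filter denies it because no accepted first fragment of that datagram exists. A real implementation would also expire entries in `accepted` after the reassembly timeout.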
4 Trojan attacks
The most effective attack against a packet filter is a Trojan: once a Trojan is installed on a host in the internal network, the firewall is essentially powerless.
The reason is that a packet filter generally filters only the low ports (1-1024); it cannot filter the high ports, because some services need them, so the firewall cannot close them. Many Trojans therefore listen on a high port, for example Glacier, SubSeven and others.
The precondition of a Trojan attack is that the Trojan must first be uploaded and run. Against a simple packet filter this is easy to do; how is not covered here, but it typically relies on vulnerabilities in services that internal hosts expose.
Early firewalls were such simple packet filters; they are now rare but still exist. Today's packet filters are based on stateful inspection, discussed next.
III. Attacking stateful packet filters
Stateful inspection was first proposed by Check Point, and many domestic firewalls claim to implement it.
Many of them, however, have not. What exactly is stateful inspection?
In one sentence: stateful inspection tracks a TCP connection from its establishment to its termination.
The original packet filter matches each packet against the rules on its own. But the packets of one TCP connection are related: first the SYN packet, then the data packets, then the FIN packet, and their sequence numbers are linked.
If these relationships are ignored and packets are filtered in isolation, crafted attack packets can easily spoof the filter. Nmap scans, for example, use SYN, FIN and RST packets to probe the network behind the firewall.
A complete stateful firewall, by contrast, makes its judgement when a connection is initiated. If the rules are satisfied, the connection's state information (addresses, ports, options, ...) is registered in memory, and subsequent packets belonging to the same connection pass directly without being checked again. Carefully crafted attack packets are discarded because no corresponding state is registered in memory, so they cannot get past the firewall.
Stateful inspection goes together with dynamic rules, which solve the high-port problem described above. The principle: normally the firewall can filter all ports of the internal network (1-65535), so an external attacker has difficulty finding an entry point. To avoid disrupting normal service, whenever the firewall detects a service that must open a high port (FTP, IRC and the like), it dynamically adds a rule in memory that opens the relevant high port, and removes the rule when the service finishes. This protects security without affecting normal service, and it is fast.
In general, a firewall that fully implements stateful inspection is fairly intelligent and can respond automatically to some scans, so an attacker must be very careful not to be detected.
There are nonetheless a number of attacks against this kind of firewall.
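The connection-tracking behaviour described in the preceding paragraphs, as an added example (constructed here; not code from the original article or from any vendor). The `StatefulFilter` class, its state names and the addresses are assumptions, and the teardown is simplified. The rule table (here just a set of ports an outside host may open) is consulted only for the bare SYN that starts a connection; every later packet is decided from the state table, and a packet for which no state is registered is dropped, which is what defeats the FIN, ACK and RST probes mentioned above.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]       # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFilter:
    """Connection-tracking filter: the rule table is consulted only for the
    packet that opens a connection; everything else is decided from the
    state table, and a packet with no registered state is dropped."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)   # ports an outside host may open
        self.state = {}     # (src, sport, dst, dport) of the initiator -> state name

    def connections(self):
        return dict(self.state)

    def process(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)   # initiator -> responder
        rev = (seg.dst, seg.dport, seg.src, seg.sport)   # responder -> initiator
        if fwd in self.state:
            key = fwd
        elif rev in self.state:
            key = rev
        else:
            # No state yet: only a bare SYN may create one, and only if the rules allow it.
            if seg.flags == frozenset({"SYN"}) and seg.dport in self.allowed_dports:
                self.state[fwd] = "SYN_SENT"
                return "accept"
            return "drop"      # unsolicited FIN/ACK/RST/XMAS probes land here

        if "RST" in seg.flags:
            del self.state[key]                 # abort: forget the connection
        elif "FIN" in seg.flags:
            # simplified teardown: first FIN -> CLOSING, second FIN -> LAST_ACK
            self.state[key] = "LAST_ACK" if self.state[key] == "CLOSING" else "CLOSING"
        elif self.state[key] == "LAST_ACK" and "ACK" in seg.flags:
            del self.state[key]                 # final ACK: connection gone
        elif self.state[key] == "SYN_SENT" and key == rev and seg.flags == frozenset({"SYN", "ACK"}):
            self.state[key] = "SYN_RECEIVED"
        elif self.state[key] == "SYN_RECEIVED" and key == fwd and "ACK" in seg.flags:
            self.state[key] = "ESTABLISHED"
        return "accept"


if __name__ == "__main__":
    fw = StatefulFilter(allowed_dports={80})
    handshake = [
        Segment("203.0.113.9", 40000, "10.0.0.5", 80, frozenset({"SYN"})),
        Segment("10.0.0.5", 80, "203.0.113.9", 40000, frozenset({"SYN", "ACK"})),
        Segment("203.0.113.9", 40000, "10.0.0.5", 80, frozenset({"ACK"})),
    ]
    print([fw.process(s) for s in handshake])                                  # accept x3
    probe = Segment("203.0.113.9", 40001, "10.0.0.5", 80, frozenset({"FIN"}))  # FIN scan, no state
    print(fw.process(probe))                                                   # drop
```

A production tracker also validates sequence numbers against the recorded window and expires idle entries; both are omitted here to keep the state transitions visible.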
1 Protocol tunnel attacks
The idea of a protocol tunnel is similar to the implementation principle of a VPN: the attacker hides malicious attack packets inside the headers of packets of some permitted protocol, and so penetrates the firewall to attack the internal network.
For example, many firewalls that simply allow ICMP echo requests, ICMP echo replies and UDP packets to pass are vulnerable to ICMP and UDP protocol tunnels. Loki and Lokid (the client and server side of the attack) are effective tools for implementing it. In a real attack the attacker must first manage to install the Lokid server on a system in the internal network; the Loki client then embeds commands in the header area of ICMP or UDP packets sent to Lokid, which executes them and returns the results the same way.
Because many firewalls let ICMP and UDP packets pass freely, the attacker's malicious data rides in normal-looking packets, bypasses the firewall's checks and reaches the target host. The following command is used to start the Lokid server program:
Lokid-p CI CVL
The Loki client program starts as follows:
Loki Cd172.29.11.191 (attack target host)-P CI Cv1 Ct3
Together, Lokid and Loki provide a backdoor into the target system through the firewall.
2 Bypassing firewall checks with FTP PASV
The FTP-PASV attack is an important means of intrusion against firewalls, and at present many firewalls do not filter it. Check Point's Firewall-1, for example, monitors the packets the FTP server sends to the client and looks for the string "227" in each packet. If it is found, the destination address and port are extracted, the address is validated, and once it passes a TCP connection to that address and port is allowed.
Using this behaviour, an attacker can try to connect to servers and services protected by the firewall.
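The dynamic-rule handling of FTP passive mode described in the previous section, together with the checks a firewall should apply to the 227 reply before opening a port, as an added example (constructed here; not Firewall-1's code or the article's). The function names, the returned rule shape, the addresses and the two policy checks are assumptions. The 227 reply is accepted only at the start of a control-channel line (not anywhere in the packet), the advertised address must be the FTP server's own, and the port must be an ephemeral one; only then is a temporary rule produced, to be removed when the data connection closes.

```python
import re
from typing import Optional, Tuple

# A genuine passive-mode reply begins the line with the 227 code:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# Anchoring at the start of the line matters: a firewall that merely searches
# for "227" anywhere in a packet can be misled by the same string inside other
# server text, such as a file name echoed back in an error reply.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) from a 227 reply line, or None if it is malformed."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    address = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return address, port


def pasv_pinhole(line: str, server_ip: str, client_ip: str) -> Optional[dict]:
    """Decide whether a 227 reply seen on the control channel (server -> client)
    justifies a temporary rule. Returns the rule to add, or None.
    The caller removes the rule again when the data connection closes."""
    parsed = parse_pasv(line)
    if parsed is None:
        return None
    address, port = parsed
    if address != server_ip:      # server is advertising some other host: refuse
        return None
    if port < 1024:               # passive data ports are ephemeral; never open a privileged port
        return None
    return {"action": "accept", "src": client_ip, "dst": address,
            "proto": "tcp", "dport": port}


if __name__ == "__main__":
    server, client = "192.0.2.10", "10.0.0.12"           # constructed addresses
    print(pasv_pinhole("227 Entering Passive Mode (192,0,2,10,195,80).", server, client))
    print(pasv_pinhole("227 Entering Passive Mode (192,0,2,99,195,80).", server, client))  # None
    print(pasv_pinhole("227 Entering Passive Mode (192,0,2,10,0,22).", server, client))    # None
```

The port is decoded as `p1 * 256 + p2`, so `(195,80)` is port 50000. The second and third calls show the two replies a firewall must not act on: one that points the client at a third host, and one that would open a privileged port on the server.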
3 Reverse-connecting (bounce) Trojan attacks
The reverse-connecting Trojan is the most effective attack against this kind of firewall. The Trojan on the internal network connects out on a schedule to a host controlled by the attacker; because the connection originates from inside, the firewall (any firewall) treats it as a legitimate connection. This is essentially the firewall's blind spot: it cannot distinguish a Trojan's connection from a legitimate one.
The limitation of this attack is that the Trojan must first be installed. For every Trojan the first step is the key.
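The firewall itself cannot tell the scheduled outbound connection described above from a legitimate one, but the regularity of those connections is visible in its logs. The following is an added example (constructed here; not part of the original article or of any product) of a detector that flags outbound host-to-destination pairs whose connection intervals have almost no jitter. The log format, the sample lines, the addresses and the thresholds (`min_connections`, `max_jitter`) are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: timestamp, verdict, source -> destination:port.
# 10.0.0.12 connects out exactly once a minute; 10.0.0.20 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ALLOW 10.0.0.12:51002 -> 198.51.100.7:443
2024-03-01T10:00:05 ALLOW 10.0.0.20:49152 -> 203.0.113.80:443
2024-03-01T10:00:12 ALLOW 10.0.0.20:49153 -> 203.0.113.80:443
2024-03-01T10:01:00 ALLOW 10.0.0.12:51003 -> 198.51.100.7:443
2024-03-01T10:01:40 ALLOW 10.0.0.20:49154 -> 203.0.113.80:443
2024-03-01T10:02:00 ALLOW 10.0.0.12:51004 -> 198.51.100.7:443
2024-03-01T10:02:25 ALLOW 10.0.0.20:49155 -> 203.0.113.80:443
2024-03-01T10:03:00 ALLOW 10.0.0.12:51005 -> 198.51.100.7:443
2024-03-01T10:04:00 ALLOW 10.0.0.12:51006 -> 198.51.100.7:443
2024-03-01T10:05:00 ALLOW 10.0.0.12:51007 -> 198.51.100.7:443
2024-03-01T10:06:45 ALLOW 10.0.0.20:49156 -> 203.0.113.80:443
"""


def parse_log(lines):
    """Yield (timestamp, src_host, dst) for ALLOW lines; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "ALLOW" or parts[3] != "->":
            continue
        ts = datetime.fromisoformat(parts[0])
        src_host = parts[2].rsplit(":", 1)[0]   # drop the ephemeral source port
        yield ts, src_host, parts[4]


def find_beacons(lines, min_connections=5, max_jitter=0.05):
    """Return {(src_host, dst): mean_interval_seconds} for outbound pairs whose
    connection intervals are suspiciously regular (std dev / mean <= max_jitter)."""
    times = defaultdict(list)
    for ts, src_host, dst in parse_log(lines):
        times[(src_host, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = round(mean, 1)
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: connects every {interval}s")
```

Real Trojans often add random delay to their schedule, so in practice the jitter threshold is tuned per environment and combined with other signals (connection count per day, bytes transferred, destination reputation); the point of the example is that an "allowed" verdict in the firewall is not the end of the detection story.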
IV. Attacking proxy firewalls
A proxy firewall runs at the application layer. It essentially sets up two connections: one from the client to the proxy, the other from the proxy to the destination server.
The implementation is relatively simple and, as before, it filters according to rules. Because it runs at the application layer, it is slow.
There are many ways to attack proxies.
Here WinGate is taken as an example, briefly. (Too tired.)
WinGate is a widely used proxy firewall for Windows 95/NT: internal users access the external network through a host that has WinGate installed. It also has several security vulnerabilities.
Attackers often exploit these vulnerabilities to obtain WinGate's Web, SOCKS and Telnet access and, posing as the WinGate host, attack the next target. Such attacks are therefore very difficult to trace and log.
Most WinGate vulnerabilities arise because administrators do not configure the WinGate proxy firewall according to the actual situation of their network, but simply run the software with its default settings after installation, which gives attackers an opportunity.
1 Unauthorized Web access
Some WinGate versions, such as 2.1d running on NT, when misconfigured allow external hosts to access the Internet completely anonymously. External attackers can then use the WinGate host to launch Web attacks (such as CGI exploits) against Web servers, and because all of that traffic passes over TCP port 80 the attacker's source is difficult to trace.
Detection
The method for checking whether a WinGate host has this vulnerability is as follows:
1 Connect to the Internet over a connection that will not be filtered, such as a dial-up connection.
2 Set the browser's proxy server address to the WinGate host under test.
If the browser can access the Internet, the WinGate host has the unauthorized Web access vulnerability.
2 Unauthorized SOCKS access
In WinGate's default configuration the SOCKS proxy (TCP port 1080) has the same vulnerability: just as with the open Web proxy (TCP port 80), external attackers can use the SOCKS proxy to access the Internet.
Prevention
To prevent attacks through this vulnerability, administrators can restrict the binding of specific services. On a multihomed system, perform the following steps to limit how the proxy service is offered:
1 Open the properties of the SOCKS or WWW Proxy Server service.
2 Select the Bindings tab.
3 Select the "Connections will be accepted on the following interface only" option and specify the WinGate server's internal interface.
3 Unauthorized Telnet access
This is the most threatening security vulnerability in WinGate. By connecting to the Telnet service of a misconfigured WinGate server, an attacker can use someone else's host to hide their tracks and attack at will.
Detection
The method for checking whether a WinGate host has this vulnerability is as follows:
1. Use Telnet to try to connect to the WinGate server.
[root@happy /tmp]# telnet 172.29.11.191
Trying 172.29.11.191...
Connected to 172.29.11.191.
Escape character is '^]'.
WinGate> 10.50.21.5
2. If you receive the response shown above, enter the host you want to connect to.
3. If the login prompt of the new system appears, the server is vulnerable:
Connected to host 10.50.21.5 ... Connected
SunOS 5.6
login:
Countermeasures
The way to prevent this vulnerability is similar to the one for unauthorized SOCKS access: restricting the binding of the specific service in WinGate solves the problem. In general, the administrator of a multihomed system can do this with the following steps:
1. Open the properties of the Telnet Server service.
2. Select the Bindings tab.
3. Select the "Connections will be accepted on the following interface only" option and specify the WinGate server's internal interface.
V. Closing remarks
Firewall attacks are not limited to the points above; if I have written anything wrong, please correct me.
Hackers have long studied the techniques and means of attacking firewalls, and the tactics and technology of these attacks are becoming more intelligent and diverse. Broadly, attacks on firewalls fall into three types.
The first type detects which firewall system is installed on the target network and which services the firewall allows. We call this a probe attack on the firewall.
The second type uses address spoofing, TCP sequence-number attacks and the like to bypass the firewall's checking mechanism and thereby damage the firewall and the internal network.
The third type finds and exploits security vulnerabilities in the firewall system's implementation and design to launch targeted attacks. This is the most difficult kind of attack, but also very destructive.