A brief discussion of firewalls and firewall penetration.
Article attributes: original
Article submission: mrcool (mrcoolfuyu_at_tom.com)
(1) Introduction to firewalls
A firewall is a facility that isolates an internal network from an external network or the Internet in order to protect the internal network or its hosts. A simple firewall can be implemented with the access control lists of a router or Layer 3 switch, or with a single host or even a subnet; for more demanding deployments, dedicated hardware firewalls or software firewalls can be purchased.
The functions of a firewall include:
1. Filtering out insecure services and illegitimate users;
2. Controlling access to specific sites;
3. Providing a convenient point for monitoring Internet security and raising alerts.
Firewalls are not omnipotent, and there are many areas where a firewall is powerless:
1. A firewall cannot prevent attacks that bypass it. For example, a firewall usually does not limit connections from the internal network to the external network, so some internal users may form a direct connection to the Internet that bypasses the firewall and creates a potential backdoor: a malicious external user connects directly to the internal user's machine and uses it as a stepping stone to launch unrestricted attacks that never touch the firewall.
2. A firewall is not a virus scanner (such as InterScan) and cannot intercept virus-carrying data transmitted between networks.
3. A firewall cannot prevent data-driven attacks.
Therefore we cannot rely too heavily on the firewall. Network security is a whole; no single component, however well configured, makes it secure. Network security follows the "barrel principle": the capacity of a barrel is determined by its shortest stave.
Generally, firewalls have the following features:
1. Extensive service support: through a combination of dynamic, application-layer filtering and authentication, the firewall can support WWW browsers, HTTP servers, FTP and so on;
2. Encryption and support for private data: ensures that virtual private networks and business activities conducted over the Internet are not compromised;
3. Client authentication: only specified users are allowed to access the internal network or selected services; this is an additional component of secure communication between the enterprise network and its branches, business partners and mobile users;
4. Anti-spoofing: spoofing is a common means of obtaining network access from the outside by making packets appear to originate from inside the network. The firewall can detect such packets and discard them;
5. C/S mode and cross-platform support: a management module running on one platform can control a monitoring module running on another platform.
Let's look at the working principle, advantages and disadvantages of traditional firewalls:
1. Working principle of the (traditional) packet filtering firewall
Packet filtering is implemented at the IP layer, so it can be done by a router alone. A packet filter decides whether a packet is allowed through based on header information such as the source IP address, destination IP address, source port, destination port and direction of transfer, and it can filter on user-defined fields such as IP addresses. The principle is that the system checks packets at the network layer and has nothing to do with the application layer. Packet filters are widely used because the CPU time spent on filtering is negligible. In addition, this protection is transparent to users: legitimate users do not notice its existence when they access the network, so it is easy to use. The system therefore has good transmission performance and is easy to scale. However, such firewalls are not very secure, because the system does not perceive application-layer information; that is, it does not understand the content of the communication and cannot filter at the user level, so it cannot identify different users or prevent IP address theft. If an attacker sets their host's IP address to one that is valid on the protected network, they can pass the packet filter with ease. Because of this mechanism, the packet filtering firewall has the following defects:
Communication information: the packet filtering firewall can only access header information of some packets;
Communication and application state information: the packet filtering firewall is stateless, so it cannot retain state from communications and applications;
Information processing: the packet filtering firewall has limited ability to process information.
For example, Unicode attacks against Microsoft's IIS vulnerability arrive over port 80, which the firewall permits, and the packet filtering firewall cannot inspect packet contents; for an unpatched system providing Web services the firewall is therefore as good as absent. Even with the firewall in place, attackers can easily obtain superuser privileges.
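As an added illustration of the stateless packet filter described above and of the anti-spoofing feature listed earlier (this is not code from the article), here is a small rule-matching filter in Python. The 10.0.0.0/8 range, the 10.0.0.80 Web server, the rules and the sample packets are constructed assumptions. It shows why the IIS example gets through: the verdict is reached from header fields alone and the payload is never examined.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumptions (not from the article): the protected network uses
# 10.0.0.0/8 and hosts its Web server at 10.0.0.80.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str            # interface of arrival: "ext" (Internet) or "int" (protected)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""  # carried along only to show that the filter ignores it


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # every None field is a wildcard
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Stateless: only header fields are compared, never the payload.
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def is_spoofed(p: Packet) -> bool:
    """Anti-spoofing (feature 4): an internal source address cannot legitimately
    arrive on the external interface, so such a packet is forged."""
    return p.iface == "ext" and ip_address(p.src) in INTERNAL_NET


def filter_packet(p: Packet, rules: list, default: str = "deny") -> str:
    """Verdict for one packet: first matching rule wins, otherwise the default."""
    if is_spoofed(p):
        return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy: outside may reach only the Web server on TCP/80;
# inside may connect anywhere (outbound is not limited, as the text notes).
RULES = [
    Rule("allow", iface="ext", dst="10.0.0.80/32", proto="tcp", dport=80),
    Rule("allow", iface="int"),
]

# Constructed sample traffic, one packet per case the text discusses.
SAMPLES = {
    "web_request": Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 40001, 80,
                          b"GET /index.html HTTP/1.0\r\n\r\n"),
    # Same header fields as a normal request; only the payload differs (placeholder).
    "unicode_attack": Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 40002, 80,
                             b"GET /<unicode-encoded traversal placeholder> HTTP/1.0\r\n\r\n"),
    "telnet_to_server": Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 40003, 23),
    "spoofed_internal_src": Packet("ext", "10.0.0.5", "10.0.0.80", "tcp", 40004, 80),
    "internal_outbound": Packet("int", "10.0.0.5", "203.0.113.7", "tcp", 40005, 8888),
}


def run_policy(samples: dict = SAMPLES, rules: list = RULES) -> dict:
    """Apply the policy to every sample and return {name: verdict}."""
    return {name: filter_packet(p, rules) for name, p in samples.items()}
```

Both the harmless request and the attack request receive "allow", which is exactly the blind spot the IIS example describes; only the spoofed packet and the telnet attempt are dropped.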
The shortcomings of the packet filtering firewall can be addressed at the application layer. Next let's look at the application layer gateway.
2. Application gateway
1. Application gateway (proxy)
Provides authorization checks and proxy services at the network application layer. When an external host attempts to access a protected network, it must first pass authentication on the firewall. After identity authentication succeeds, the firewall runs a program written specifically for that network service to connect the external host to the internal host. In the process, the firewall can restrict the hosts, access times and access methods available to the user. Likewise, users in the protected network must log on to the firewall before accessing the external network.
The advantage of the application gateway proxy is that it can not only hide internal IP addresses but also authorize individual users: even if an attacker steals a valid IP address, he cannot pass the strict authentication. Application gateways are therefore more secure than packet filtering. However, this authentication makes the application gateway non-transparent, and users must authenticate on every connection, which is quite inconvenient. This proxy technique also requires a dedicated program for each application.
2. Circuit-level proxy server
That is, a proxy server that works with multiple protocols but cannot interpret the application protocol, so the information it needs must be obtained in other ways; circuit-level proxy servers generally require modified user programs.
A SOCKS server is a circuit-level proxy server. SOCKS is an international standard at the network application layer. When a client in the protected network needs to interact with the external network, the server set up on the firewall checks the client's user ID, source IP address and destination IP address; after confirmation it establishes the connection to the external server. For users, the information exchange between the protected network and the external network is transparent and the firewall is invisible, because network users do not need to log on to it. However, the application software on the client must support the SOCKSified API. The IP address used by users on the protected network to access the public network is also that of the firewall.
3. Managed servers
The managed server technique places insecure services such as FTP and Telnet on the firewall itself, so that it acts as the server and responds to external requests. Compared with the application-layer proxy, the managed server technique does not require a program to be written for each service. When users in the protected network want to access the external network, they still need to log on to the firewall first and then send their request outward. In this way only the firewall is visible from the external network, which hides internal addresses and improves security.
4. IP tunnels
If two subsidiaries of a large company are far apart, they can communicate over the Internet. In this case IP tunnels can be used to prevent attackers from intercepting the information on the Internet, forming a virtual enterprise network on top of the Internet.
5. Network address translation (NAT)
When a protected network connects to the Internet, it must use valid IP addresses to access the Internet. However, legal Internet IP addresses are limited, and protected networks often have their own (private) IP address plans. The network address translator attaches a pool of valid IP addresses to the firewall. When a user behind the firewall wants to access the Internet, the firewall dynamically selects an unallocated address from the pool and assigns it to the user, who then communicates with this legal address. In addition, for some internal servers such as Web servers, the translator allows a fixed legal address to be assigned so that users of the external network can reach the internal server through the firewall. This technique not only relieves the conflict between a small number of IP addresses and a large number of hosts, but also hides the IP addresses of internal hosts and improves security.
6. Split domain name server
This technique uses the firewall to separate the domain name server of the protected network from that of the external network, so that the external domain name server can only see the IP address of the firewall and learns nothing about the protected network; this ensures that the IP addresses of the protected network are not known to the outside.
7. Mail forwarding
When the firewall uses the techniques described above so that the external network knows only the firewall's IP address and domain name, email from the external network can only be delivered to the firewall. The firewall then checks the email, and only if the source host that sent it is permitted does the firewall rewrite the destination address and forward the message to the internal mail server.
The application gateway inspects all application-layer packets and feeds the inspected content into its decision process, which improves security. However, it is implemented by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a separate application process or background service program. Thus, whenever a new application is added, a new proxy must be written for it, or the service cannot be used; scalability is poor. Because of this mechanism, the application gateway firewall has the following defects:
Connection restrictions: each service requires its own proxy, so the number of available services and the scalability are limited;
Technical restrictions: application gateways cannot provide proxies for UDP, RPC and other services in common protocol families;
Performance: the application gateway firewall sacrifices some system performance.
Firewall architectures and combinations
1. Screening router
This is the most basic component of a firewall. It can be implemented with a purpose-built router from a vendor or with a host. The screening router is the only channel between inside and outside, and all packets must pass its checks. IP-layer packet filtering software can be installed on the router to implement packet filtering; many routers have packet filtering options, but they are generally rather simple.
The risk zone of a firewall consisting of a screening router includes the router itself and the hosts the router permits access to. Its disadvantage is that once it is attacked this is hard to discover, and it cannot distinguish between different users.
2. Dual-homed gateway
Any system with more than one network interface card is called multi-homed. A dual-homed gateway uses a host with two NICs as the firewall; the two NICs are connected to the protected network and to the external network respectively. The host runs firewall software that can forward application traffic and provide services.
The bastion host's system software maintains system logs, hardware log copies or remote logs, which are useful for later review. However, this does not help the network administrator determine which hosts on the Intranet may already have been compromised.
A critical weakness of the dual-homed gateway is that once an intruder breaks into the bastion host and reduces it to a pure routing function, any online user can access the Intranet.
3. Screened host gateway
The screened host gateway is easy to implement and secure, so it is widely used. For example, a screening router connects to the external network and a bastion host sits on the internal network; a filtering rule on the router usually makes the bastion host the only host that can be reached directly from the external network, which ensures that the internal network is not attacked by unauthorized external users.
If the protected network is a virtual extended local network, i.e. it has no subnets or routers, changes in the Intranet do not affect the configuration of the bastion host or the screening router. The risk zone is confined to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it. If an attacker manages to log on to it, the other hosts on the Intranet are seriously threatened; this is similar to the situation when a dual-homed gateway is compromised.
4. Screened subnet
This method places an isolated subnet between the internal and external networks and uses two screening routers to separate the subnet from the internal network and from the external network respectively. In many implementations the two screening routers sit at either end of the subnet, forming a "demilitarized zone" (DMZ) within it. Some screened subnets also have a bastion host as the single accessible point, supporting interactive terminal sessions or acting as an application gateway proxy. The risk zone of this configuration includes only the bastion host, the subnet hosts and all the routers connecting the Intranet, the Internet and the screened subnet.
If an attacker wants to defeat the firewall completely, he must reconfigure the routers connected to all three networks without cutting the connection, without locking himself out and without being discovered; this is possible, but if network access to the routers is disabled, or permitted only from a few hosts on the Intranet, the attack becomes very difficult. In that case the attacker must first break into the bastion host, then into an Intranet host, and then come back to subvert the screening router, all without triggering any alarm.
Generally, a single technique is rarely used alone when building a firewall; it is usually a combination of several techniques, each solving a different problem. The combination mainly depends on what services the network management center provides to users and what level of risk it can accept. Which techniques are used also depends on budget, the size of the investment, and the skills and time of the technicians. The common forms are:
1. Use multiple bastion hosts;
2. Merge the internal and external routers;
3. Merge the bastion host and the external router;
4. Merge the bastion host and the internal router;
5. Use multiple internal routers;
6. Use multiple external routers;
7. Use multiple perimeter networks;
8. Use a dual-homed host together with a screened subnet.
With growing awareness of network security, firewalls are widely used: those with the budget deploy advanced hardware firewalls, others use free software firewalls. What advantages does a hardware firewall have over a software firewall?
A hardware firewall uses a dedicated hardware device integrated with the manufacturer's own firewall software.
Software firewalls are generally developed on top of an operating system platform and installed and configured directly on a computer. Because of the diversity of customer platforms, a software firewall must support multiple operating systems such as UNIX, Linux, SCO-Unix and Windows, which means a large code base, high installation cost, high after-sales support cost and low efficiency.
1. Performance advantage. Throughput is crucial for a firewall: it determines the volume of data that can pass through the firewall per second. The unit is bps; typical values range from tens to hundreds of Mbps, and a gigabit firewall can even reach several Gbps. Software firewalls cannot reach such rates.
2. CPU usage advantage. A hardware firewall's CPU usage on the protected host is of course zero; a software firewall is different. If, to save money, the firewall software is installed on the host that provides the services, then when traffic is heavy the CPU usage becomes the host's killer and drags the whole host down.
3. After-sales support. Hardware firewall manufacturers provide follow-up service support for their products, while software firewall users get fewer such opportunities; moreover, manufacturers do not spend as much effort and R&D funding on software firewalls.
------------------------------------------------------------
(2) Firewall penetration
We have briefly introduced the principles, classification, advantages and disadvantages of firewalls. Next we give a brief introduction to firewall penetration techniques.
A well-configured firewall blocks the vast majority of crackers at the perimeter and puts the defender in control of the network. However, firewalls are not omnipotent; we briefly discussed their disadvantages in the previous section, and no network product is absolutely secure. An article by Lumeng San introduced firewall-penetrating shellcode; interested readers can refer to http://www.winnerinfo.net/infoview.asp?Kind=145&id=529. Here I want to introduce "channel technology".
Speaking of channel technology, I should first mention "port multiplexing". Many people think channel technology is the same as port multiplexing. It is not: port multiplexing means establishing multiple connections on one port, not opening multiple services on one port without mutual interference. If you try to add another service to a host that already runs a WWW service on port 80, there are only two possible outcomes: 1. the new service fails to start; 2. the WWW service breaks. So what is a channel? A channel is a communication method that bypasses the firewall's port blocking: packets on either side of the firewall are encapsulated in a packet type or port that the firewall allows, and then pass through the firewall to the host behind it. When the encapsulated packet reaches its destination it is unwrapped and the original packet is delivered to the corresponding service. In this way multiple services can be opened on one port without interfering with one another.
For communication to be possible at all, no firewall can close every service and port (if such a firewall existed, it would be better to just pull the network cable). Most firewalls must open at least one port or service, such as HTTP, and as long as a port or service is open, penetration becomes possible. HTTP is a simple and commonly used protocol: you send a request to the server and the server returns a response. Almost all hosts are allowed to send HTTP requests. The widespread use of HTTP on the network means that, with channel technology, the data we need can easily be sent to the target through a firewall or similar device. A typical example is http-tunnel.
The official http-tunnel website, http://www.http-tunnel.com, states: "http-tunnel creates a bidirectional virtual data connection inside HTTP requests. The HTTP requests can be sent through a proxy, which is useful for users behind firewalls that allow only limited ports. If WWW browsing through an HTTP proxy is allowed, an http-tunnel can also be established, so that it is possible to telnet or PPP to the outside of the firewall." Attackers can thus use this technique to achieve remote control. Let's look at the http-tunnel design idea:
Host A is outside the firewall with no restrictions; host B is inside, protected by the firewall. The firewall's access control rule allows only traffic to port 80, but the telnet service is enabled on host B. What if we need to telnet from system A to system B? Ordinary telnet is impossible, because port 23, which telnet uses, is blocked by the firewall: when the firewall receives the telnet packet and finds that it does not match the rule allowing only port 80, it discards it. But we know that port 80 is available, so using an httptunnel channel is a good approach. The idea is as follows:
Run the tunnel client on machine A and have it listen on an arbitrary unused local port (preferably above 1024 and below 65535), for example 8888, and direct the data arriving on port 8888 to port 80 of machine B; because it is port 80, the firewall lets it pass. Then start the tunnel server on machine B (when only port 80 is open to the outside, only a webshell can be obtained, so some way to escalate privileges and run the server must be found); it also attaches to port 80 and forwards what arrives there from the client to the local telnet service on port 23. Now telnet to local port 8888 on machine A. By the settings above, the packets are forwarded to machine B with destination port 80; because the firewall allows port 80, the packets pass through it and reach machine B. There, the process listening on port 80 receives the packet from A, unwraps it and hands it to the telnet process. When data needs to return from B to A it is sent back from port 80, so it also passes through the firewall smoothly.
The above seems achievable with port mapping as well: redirect port 23 on host A to port 80, and redirect port 80 on host B to port 23. But what if the WWW service is running on host B? To use port mapping, port 80 of host B would have to be sacrificed, which is not worth it: imagine how long you can stay on a host whose WWW service you have disabled during a firewall penetration. HTTP-tunnel, however, handles this perfectly: even if port 80 on host B is already open and serving WWW, we can still send telnet over port 80 and enjoy a "genuine" telnet service.
Against channel technology, our countermeasure is application-layer packet inspection. In a normal HTTP request, actions such as GET and POST are indispensable; if no GET or POST ever appears in the HTTP traffic of a connection, there must be something wrong with that connection, and it should be terminated. Some companies' products can already find tunnels hidden in port 80, but the cost of these IDS products is probably more than small and medium enterprises can afford.
There are other ways to penetrate a firewall, such as looking for design flaws in the firewall itself, but those are too difficult and are probably not something we should consider here.
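An added example (not code from the article) of the application-layer check the paragraph above describes: look at the first bytes a client sends on port 80 and terminate connections that never begin with a real HTTP request line. The flow records, sample byte strings and the 512-byte inspection window are constructed assumptions.

```python
import re
from dataclasses import dataclass

# A well-formed HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF.
# Methods are case-sensitive, so "get" is not accepted.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n"
)
INSPECT_WINDOW = 512  # constructed: bytes of client data examined before deciding


@dataclass
class Flow:
    flow_id: str
    dport: int
    client_data: bytes  # bytes the client has sent so far, in order


def looks_like_http(client_data: bytes) -> bool:
    """True if the client's first bytes form a real request line (GET, POST, ...)."""
    return REQUEST_LINE.match(client_data[:INSPECT_WINDOW]) is not None


def inspect_flow(flow: Flow) -> str:
    """Verdict for one flow: 'pass' (legitimate HTTP), 'terminate' (port 80 traffic
    with no HTTP request), 'wait' (not enough data yet) or 'ignore' (other port)."""
    if flow.dport != 80:
        return "ignore"
    if looks_like_http(flow.client_data):
        return "pass"
    # No request line yet: wait until a full line or the whole window has arrived,
    # then cut the connection, as the text recommends for GET/POST-less traffic.
    if len(flow.client_data) < INSPECT_WINDOW and b"\r\n" not in flow.client_data:
        return "wait"
    return "terminate"


# Constructed sample flows covering the cases a practitioner would test.
SAMPLE_FLOWS = [
    Flow("f1", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("f2", 80, b"POST /upload HTTP/1.0\r\nContent-Length: 3\r\n\r\nabc"),
    # Telnet option negotiation (IAC bytes) followed by a typed line: not HTTP.
    Flow("f3", 80, b"\xff\xfb\x18\xff\xfb\x1f\xff\xfd\x01login\r\n"),
    Flow("f4", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),          # SSH banner smuggled onto port 80
    Flow("f5", 80, b"GE"),                               # still waiting for more data
    Flow("f6", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00"),  # TLS ClientHello, not our port
    Flow("f7", 80, b"get / HTTP/1.1\r\n\r\n"),           # lowercase method is not valid HTTP
]


def inspect_all(flows: list = SAMPLE_FLOWS) -> dict:
    """Apply the check to every flow and return {flow_id: verdict}."""
    return {f.flow_id: inspect_flow(f) for f in flows}
```

A tunnel that wraps its payload in syntactically valid GET or POST requests passes this check, so it is a first filter rather than a complete detector; that limit is why the text points to dedicated IDS products for finding tunnels hidden in port 80.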
--------------------------------------------------------
Summary:
We have reviewed firewalls and firewall penetration in a simple way. It should now be clearer that firewalls are not omnipotent, and that even a well-configured firewall cannot resist a channel program hidden in seemingly normal data. So what should we do to make a network as secure as possible?
1. Configure the firewall according to need and open as few ports as possible.
2. Use strictly filtered Web programs.
3. Use the encrypted HTTP protocol (HTTPS).
4. If conditions permit, purchase a powerful NIDS.
5. Manage your Intranet users to prevent attackers and Intranet users from bypassing the firewall directly.
6. Upgrade your firewall product regularly.
References:
http://www.http-tunnel.com
http://security.zz.ha.cn