A discussion of firewalls and firewall penetration
Creation time: 2005-02-20
Article type: original
Submitted by:
Mrcool (mrcoolfuyu_at_tom.com)
(1) Introduction to firewalls
A firewall is a function that isolates an internal network from an external network or the Internet in order to protect the internal network or its hosts. A simple firewall can be nothing more than an ACL (Access Control List) on a router or layer-3 switch, protecting one host or a whole subnet. More complex needs are met by buying a dedicated hardware firewall or a software firewall.
The functions of a firewall are:
1. Filter out insecure services and illegitimate users;
2. Control access to specific sites;
3. Provide a convenient point for monitoring Internet security and raising alarms.
A firewall is not a cure-all, and there are many things a firewall is powerless against:
1. A firewall cannot prevent attacks that bypass it. For example, if a firewall does not restrict connections from the internal network to the external network, an internal user may form a direct connection to the Internet that bypasses the firewall, creating a potential backdoor. A malicious external user connects directly to that internal user's machine and, using it as a stepping stone, launches an unrestricted attack that bypasses the firewall.
2. A firewall is not an antivirus wall; it does not intercept viruses spreading between networks in the data it passes.
3. A firewall is largely powerless against data-driven attacks.
Therefore we cannot rely too heavily on the firewall. Network security is a whole, not one particularly well-configured component; it follows the "wooden barrel principle": the barrel holds only as much water as its shortest plank allows.
A typical firewall has the following features:
1. Broad service support: by combining dynamic, application-layer filtering with authentication, it can support WWW browsers, HTTP servers, FTP and so on;
2. Encryption of private data: ensuring that virtual private networks and business transactions carried over the Internet are not compromised;
3. Client authentication, so that only specified users can reach the internal network or selected services: this is the add-on that links the enterprise LAN to branch offices, business partners and mobile users;
4. Anti-spoofing: spoofing is a common way to gain network access from outside by making a packet appear to originate inside the network. The firewall can detect such packets and discard them;
5. Client/server mode with cross-platform support: the management module running on one platform can control the monitoring module on another.
Let us look at the working principle and the advantages and disadvantages of traditional firewalls:
1. (Traditional) packet filtering firewall: working principle
Packet filtering is implemented at the IP layer, so it can be done by a router. Each packet is judged on its source IP address, destination IP address, source port, destination port, direction of transfer and similar fields to decide whether it may pass, and the filter can also match user-defined values such as a particular IP address. Because the system checks packets at the network layer and has nothing to do with the application layer, packet filtering is very widely used: the CPU time spent on filtering is negligible. The protection is also transparent to users; legitimate users do not feel its presence, which is very convenient. Such a system has good forwarding performance and is easy to extend. But this kind of firewall is not very safe, because the system knows nothing about application-layer information. It does not understand the content of the communication and cannot filter at the user level, that is, it cannot tell different users apart or recognise a forged IP address. If an attacker sets his host's IP address to that of a legitimate host, it is easy to pass the packet filter, which makes the attack easier. Because of this working mechanism, packet filtering firewalls have the following flaws:
Communication information: a packet filtering firewall can only access the header information of packets;
Communication and application state: a packet filtering firewall is stateless, so it cannot retain state information about the communication or the application;
Information processing: the packet filtering firewall's ability to process information is limited.
For example, take the Unicode attack on the Microsoft IIS vulnerability. Because this attack travels over port 80, which the firewall allows, and a packet filtering firewall cannot verify the content of the packet, the firewall is effectively a dummy: a Web server that has not applied the corresponding patch will, even behind the firewall, easily hand superuser privileges to the attacker.
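To make the point concrete, here is an added example (not part of the original article) of a stateless packet filter in Python, modelled on a first-match router ACL. The addresses, rules and packets are constructed for illustration. It shows the two flaws just described: a Unicode traversal request on port 80 is indistinguishable from a normal request because the filter never reads the payload, and a packet with a forged trusted source address passes unless an anti-spoofing rule, the feature listed earlier, is added.

```python
"""Added example (not from the original article): a stateless packet filter
evaluator in the style of a router ACL, showing what such a filter can and
cannot decide from the packet header alone."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""          # present, but a packet filter never reads it


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules, p: Packet) -> str:
    """First-match evaluation with an implicit deny, as most router ACLs do."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Hypothetical addressing: 192.0.2.0/24 is the protected network, 192.0.2.10 its
# web server, 203.0.113.5 an external administrator's host. The ACL is applied
# to traffic arriving on the screening router's external interface.
BASE_RULES = [
    Rule("permit", "tcp", dst="192.0.2.10/32", dport=80),                     # anyone may reach the web server
    Rule("permit", "tcp", src="192.0.2.0/24", dst="192.0.2.0/24", dport=23),  # meant for "our own" hosts
    Rule("permit", "tcp", src="203.0.113.5/32", dst="192.0.2.0/24", dport=23),
]
# The anti-spoofing rule from the feature list: a packet arriving from outside
# can never legitimately carry an internal source address, so drop it first.
HARDENED_RULES = [Rule("deny", src="192.0.2.0/24")] + BASE_RULES

# Constructed packets (not captured traffic).
PACKETS = {
    "web_get": Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                      b"GET /index.html HTTP/1.0\r\n\r\n"),
    "iis_unicode": Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                          b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    "telnet_from_internet": Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
    "telnet_spoofed_internal": Packet("192.0.2.5", "192.0.2.10", "tcp", 23),
    "telnet_spoofed_admin": Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
}


def evaluate(rules) -> dict:
    """Verdict of the given ACL for every constructed packet."""
    return {name: filter_packet(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, rules in (("base", BASE_RULES), ("hardened", HARDENED_RULES)):
        print(name, evaluate(rules))
```

Both rule sets permit the Unicode traversal request: it is a TCP packet to port 80 of the web server, and that is all the filter can see. The anti-spoofing rule stops the forged internal address, but a packet forging the external administrator's address is still permitted, which is exactly the limit the text describes: the filter cannot tell who is really behind an address.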
The shortcomings of the packet filtering firewall can be addressed at the application layer. Let us look at the application layer gateway.
2. Application gateway
1. Application gateway (proxy)
It provides authorisation checks and proxy services at the network application layer. When an external host tries to access the protected network, it must first authenticate to the firewall. After authentication, the firewall runs a program specially written for that network service and connects the external host to the internal host. In this process the firewall can restrict the hosts, access times and users involved. Likewise, when internal users access the external network, they must also log in to the firewall and can only proceed after verification.
The advantage of an application gateway proxy is that it can hide internal IP addresses, and it can act on a single user: even if an attacker has a legitimate IP address, he cannot pass the strict identity authentication. Therefore the application gateway is more secure than packet filtering. But this authentication makes the application gateway opaque; users have to authenticate every time, which brings a lot of inconvenience. This proxy technique also needs a special program written for each application.
2. Circuit-level proxy server
This is the usual proxy server. It applies to multiple protocols but cannot interpret the application protocol, so it has to obtain the information it needs by other means, which is why a circuit-level proxy server typically requires a modified client program.
A SOCKS server is a circuit-level proxy server; SOCKS is an international standard at the network application layer. When a client on the protected network needs to interact with the external network, the firewall checks the client's user ID, source IP address and destination IP address. After confirmation, the SOCKS server connects to the external server. For the user, the exchange of information between the protected network and the external network is transparent and the firewall is not felt, because network users do not need to log in to the firewall. However, the client application must support the "SOCKSified API", and the IP address that a protected user presents to the public network is the firewall's IP address.
3. Surrogate server
Surrogate server technology places insecure services such as FTP and telnet on the firewall itself, so that it acts as the server and answers external requests. Compared with the application layer proxy, the surrogate server approach does not have to write a program for every service. Moreover, when a user wants to access the external network, he must also log in to the firewall and issue the request there, so only the firewall can be seen from the external network; this hides internal addresses and improves security.
4. IP tunnels
Suppose two branches of a large company are far apart and connected over the Internet. IP tunnels can then be used to prevent attackers from intercepting information on the Internet, forming a virtual enterprise network on top of it.
5. Network address translator (NAT, Network Address Translation)
When the protected network is connected to the Internet, its users must use legitimate IP addresses to reach the Internet. However, IP addresses are limited, and the protected network often has its own address plan (unofficial, private IP addresses). The network address translator is a pool of legitimate IP addresses configured on the firewall. When an internal user accesses the Internet, the firewall dynamically assigns the user an unused address from the pool, and the user communicates using that legitimate address. At the same time, for certain internal servers such as Web servers, the network address translator can assign a fixed legitimate address so that users on the external network can reach them through the firewall. This technique eases the conflict between a small number of IP addresses and a large number of hosts, and it hides the IP addresses of internal hosts, improving security.
6. Isolated domain name server
This technique isolates the domain name server of the protected network from the domain name server of the external network, so that the external DNS sees only the firewall's IP address and learns nothing about the layout of the protected network; this ensures that the protected network's IP addresses are not known outside.
7. Mail forwarding
When the firewall uses the techniques above so that the external network knows only the firewall's IP address and domain name, mail sent from the external network can only be delivered to the firewall. The firewall then checks the mail and, only if the sending host is permitted, rewrites the destination address and forwards the message to the internal mail server, which delivers it.
The application gateway inspects packets all the way up to the application layer and feeds the inspected content into its decisions, so security is improved. However, it is implemented by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and one from the firewall to the server. In addition, each proxy needs its own application process or background service, so when a new application appears a service program must be added for it, otherwise the service cannot be used; scalability is poor. Because of this working mechanism, application gateway firewalls have the following flaws:
Connection limit: each service requires its own proxy, so the number of services that can be offered, and the scalability, are limited;
Technical restrictions: application gateways cannot provide proxies for UDP, RPC and other common protocols;
Performance: implementing an application gateway firewall sacrifices some system performance.
Firewall architectures and combinations
1. Screening router
This is the most basic component of a firewall. It can be a manufacturer's dedicated router or a host acting as one. The screening router is the only channel between the internal and external networks, and all traffic must be checked here. IP-layer packet filtering software can be installed on the router to implement the filtering; many routers ship with packet filtering options, but these are generally fairly simple.
The danger zone of a firewall consisting of a screening router includes the router itself and every host the router allows to be reached. Its disadvantages are that once it has been breached the intrusion is hard to detect, and it cannot tell different users apart.
2. Dual-homed gateway
Any system with more than one network interface card is called multi-homed; a dual-homed gateway is a firewall built on a host with two NICs, one connected to the protected network and one to the external network. The firewall software runs on the host, which can forward application traffic, provide services and so on.
Dual-homed gateways have an advantage over screening routers: the bastion host's system software can be used to keep system logs, hard-copy logs or remote logs, which is useful for later investigation. But this does not help the network manager determine which hosts may already have been compromised. The fatal weakness of the dual-homed gateway is that once an intruder compromises the bastion host and turns on routing (IP forwarding), any user on the Internet can reach the intranet.
3. Screened host gateway
The screened host gateway is also easy to implement, and is therefore widely used. For example, a packet filtering router connects to the external network and a bastion host is installed on the internal network; filtering rules on the router make the bastion host the only host that can be reached directly from the external network, which protects the internal network from attack by unauthorised external users.
If the protected network is a virtually extended local network, that is, one with no subnets and no routers, then changes in the internal network do not affect the configuration of the bastion host or the screening router. The danger zone is limited to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it. If an attacker manages to log in to it, the rest of the internal network is seriously threatened, much as when a dual-homed gateway is attacked.
4. Screened subnet
This method establishes an isolated subnet between the internal network and the external network, and separates it from both with two packet filtering routers. In many implementations the two routers sit at the two ends of the subnet, forming a "demilitarised zone" (DMZ) inside it. Some screened subnets also have a bastion host as the single access point, supporting interactive terminal access or acting as an application gateway proxy. The danger zone of this configuration includes only the bastion host, the hosts on the subnet, and the routers connecting the intranet, the external network and the screened subnet.
If an attacker wants to destroy the firewall completely, he must reconfigure the router that connects the three networks, without locking up the connection or locking himself out, and without being discovered; this is still possible. However, if network access to the router is prohibited, or only certain intranet hosts are allowed to reach it, the attack becomes difficult: the attacker has to compromise the bastion host, then get onto an intranet host, then come back to break the screening router, all without triggering an alarm.
When building a firewall, a single technique is rarely used on its own; usually a combination of techniques is applied to solve different problems. The combination depends mainly on what services the network management centre wants to provide to users and what level of risk it can accept. Which techniques are adopted depends on funding, the size of the investment, the skills of the technical staff, time and other factors. The common forms are:
1. Use multi-homed hosts;
2. Combine internal and external routers;
3. Combine a bastion host with an external router;
4. Combine a bastion host with an internal router;
5. Use multiple internal routers;
6. Use multiple external routers;
7. Use multiple perimeter networks;
8. Use a dual-homed host together with a screened subnet.
As awareness of network security grows, firewalls are used more and more widely: with money, a high-end hardware firewall; without, a free software firewall. So what advantages does a hardware firewall have over a software firewall?
A hardware firewall uses a dedicated hardware appliance with the manufacturer's own firewall software integrated into it.
Software firewalls are generally based on an operating system platform and are installed and configured directly on a computer. Because customer platforms are diverse, a software firewall has to support several operating systems, such as UNIX, Linux, SCO UNIX and Windows, so the code base is huge, installation cost is high, after-sales support is costly and efficiency is low.
1. Performance. Throughput is critical for a firewall: it determines how much traffic can pass through the firewall per second, measured in bits per second, from tens of Mbps to several hundred Mbps, and gigabit firewalls reach several Gbps. Software firewalls cannot reach such rates.
2. CPU usage. A hardware firewall naturally consumes none of the protected host's CPU, whereas a software firewall does. If, to save money, it is installed on the host that provides the service, then under heavy traffic its CPU usage will become a killer that drags the host down.
3. After-sales support. Hardware firewall manufacturers provide ongoing service and support for their products, while users of software firewalls get relatively little, and manufacturers will not put much effort or development money into software firewalls.
--------------------------------------------------------------
(2) Firewall penetration
The above briefly introduced the principles, classification, advantages and disadvantages of firewalls. Below we give a brief introduction to techniques for penetrating them.
A properly configured firewall will keep the vast majority of crackers outside the perimeter and give the defender the initiative in controlling the network, but the firewall is not a cure-all, and we have already briefly described its shortcomings in the previous section. No network product can claim to be absolutely secure. An article on the Green Alliance (NSFocus) site describes shellcode that penetrates firewalls; interested readers can refer to:
http://www.winnerinfo.net/infoview.asp?kind=1455529. Here I want to talk about "channel (tunnelling) technology" once more.
Speaking of channel technology, I have to mention "port multiplexing", because many people think channel technology is the same as port multiplexing. That is wrong: port multiplexing means carrying multiple connections on one port, not opening multiple services on one port. If you try to add a service on port 80 on a host that already runs a WWW service, only two outcomes are possible: 1. adding the service fails; 2. the WWW service breaks. So what is a channel? The channel meant here is a communication method that gets around the firewall's port blocking. Packets on either side of the firewall are encapsulated in a packet type or on a port that the firewall allows, pass through the firewall, and so reach the host behind it. When the encapsulated packet reaches its destination it is restored, and the restored packet is handed to the corresponding service; the two kinds of traffic on one port do not interfere with each other.
For communication to be possible, no firewall, whatever its type, can close all services and all ports. (If such a firewall existed, you might as well pull the network cable.) Most firewalls open at least one port or service (HTTP, for example), and as long as a port and a service are open, we have a chance of penetrating. HTTP is a relatively simple and very common Internet protocol: you send a request to the server and the server returns a response. Almost every host is allowed to send HTTP requests. Because HTTP is so widespread on the network, channel technology lets us easily send what we want to the target through the firewall or similar equipment. A typical example is HTTP-Tunnel.
The official HTTP-Tunnel web site
http://www.http-tunnel.com says: "HTTP-Tunnel creates a two-way virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via a proxy, which is useful for users behind a restrictive port firewall. If WWW browsing through an HTTP proxy is allowed, an HTTP-Tunnel can also be established, that is, one can telnet or PPP from inside the firewall to a host outside it." In other words, an attacker can use this technology to achieve remote control. Let us look at the design idea behind HTTP-Tunnel. Host A is outside the firewall and unrestricted. Host B is inside the firewall and protected by it; the firewall's access control rule allows only traffic to port 80, but host B runs a telnet service. How, then, do we telnet from host A to host B? Ordinary telnet is certainly impossible: the port 23 that telnet uses is blocked, and when the firewall receives the telnet packet it finds that it does not meet the "only port 80 allowed" rule and discards it. But we know that port 80 is open, so using an HTTP-Tunnel channel is a good approach. The idea is as follows:
Run the tunnel client on host A and let it listen on any unused local port (preferably between 1024 and 65535), say 8888. Data arriving on port 8888 is directed to port 80 of host B; because it goes to port 80, the firewall allows it. Then place a server on host B (when only port 80 is open to the outside, you first have to obtain a webshell, try to escalate your privileges, and then run the server) that listens on port 80 and forwards the traffic relayed from the client to the local telnet port 23. Now telnet to local port 8888 on host A: the packets are forwarded to the target port on host B according to the configuration, and because the firewall allows them they reach host B. There, the process listening on port 80 receives the packets from A, restores them, and hands them to the telnet process. When a packet has to return from B to A it is again sent out through port 80, and again passes the firewall successfully.
The above may look like ordinary port mapping: redirect port 23 on host A to port 80, then redirect port 80 on host B back to port 23. But what if host B already runs a WWW service? Using port mapping for this would mean sacrificing the host's port 80, which is not worth it. Imagine taking down the WWW service of a host that you have just penetrated through the firewall; how long could you stay on that host? With HTTP-Tunnel this can be done properly: even when host B has port 80 open for WWW, we can still send telnet to its port 80 and enjoy a "genuine" telnet service. In practice this means the tunnel endpoint has to live inside the web server that already owns port 80 (the webshell route mentioned above) rather than as a second listener, since, as noted earlier, two services cannot both bind the same port.
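The A-to-B exchange just described, as an added example in Python that is not HTTP-Tunnel's own code. Everything runs on loopback with ephemeral ports standing in for 8888, 80 and 23, an echo service stands in for the telnet daemon, the /tunnel path and b.example host header are made up, and a single request/response round trip is shown. The point is the framing: raw bytes travel as the body of a POST and come back in a 200 response, so a filter that matches only on port sees ordinary HTTP.

```python
"""Added example (not from the original article): a minimal HTTP tunnel in the
style the text describes. Raw bytes for a blocked service are carried as the
body of an HTTP POST, so a filter that only permits port 80 lets them through;
the far end unwraps them and hands them to the real service."""
import socket
import threading


def http_wrap(payload: bytes, kind: str = "request") -> bytes:
    """Encapsulate raw bytes as the body of an HTTP request or response."""
    if kind == "request":
        start = "POST /tunnel HTTP/1.1\r\nHost: b.example\r\n"   # hypothetical path and host
    else:
        start = "HTTP/1.1 200 OK\r\n"
    head = (f"{start}Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload


def http_unwrap(message: bytes):
    """Return the body of a complete wrapped message, or None if more bytes are needed."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        return None                       # headers not complete yet
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    if length is None:
        raise ValueError("tunnel messages always carry Content-Length")
    return body[:length] if len(body) >= length else None


def recv_http(sock: socket.socket) -> bytes:
    """Read from the socket until one complete HTTP message has arrived."""
    buf = b""
    while http_unwrap(buf) is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before a complete message arrived")
        buf += chunk
    return buf


def echo_service(conn, _addr):
    """Stand-in for the telnet daemon on B (real port 23): answers what it receives."""
    with conn:
        conn.sendall(b"B got: " + conn.recv(4096))


def tunnel_server(conn, _addr, service_port):
    """Tunnel endpoint on B, bound to the port the firewall allows (80 in the text):
    unwrap the POST body, pass it to the real service, wrap the reply in a 200."""
    with conn:
        payload = http_unwrap(recv_http(conn))
        with socket.create_connection(("127.0.0.1", service_port)) as svc:
            svc.sendall(payload)
            reply = svc.recv(4096)
        conn.sendall(http_wrap(reply, "response"))


def tunnel_client(conn, _addr, server_port):
    """Tunnel endpoint on A, listening on a local port (8888 in the text): wrap what
    the local telnet client sends into a POST towards B's port 80, unwrap the answer."""
    with conn:
        data = conn.recv(4096)
        with socket.create_connection(("127.0.0.1", server_port)) as srv:
            srv.sendall(http_wrap(data, "request"))
            reply = http_unwrap(recv_http(srv))
        conn.sendall(reply)


def listen_local() -> socket.socket:
    """Bind a listener on an ephemeral loopback port so the demo runs anywhere."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def serve_once(lsock, handler, *args) -> threading.Thread:
    """Accept exactly one connection on lsock and run handler on it in a thread."""
    t = threading.Thread(target=lambda: handler(*lsock.accept(), *args), daemon=True)
    t.start()
    return t


def run_demo(message: bytes = b"login: root\r\n") -> bytes:
    """A's client -> local tunnel port -> 'port 80' -> tunnel server -> 'port 23', and back."""
    svc, srv, cli = listen_local(), listen_local(), listen_local()
    svc_port, srv_port, cli_port = (s.getsockname()[1] for s in (svc, srv, cli))
    threads = [serve_once(svc, echo_service),
               serve_once(srv, tunnel_server, svc_port),
               serve_once(cli, tunnel_client, srv_port)]
    with socket.create_connection(("127.0.0.1", cli_port)) as local:   # the "telnet" client on A
        local.sendall(message)
        result = local.recv(4096)
    for t in threads:
        t.join(timeout=5)
    for s in (svc, srv, cli):
        s.close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The real tool keeps a long-lived bidirectional stream going by repeating this request/response framing and by polling for server-to-client data, because HTTP itself is request-driven; what the firewall sees in either case is a client that POSTs to port 80 and gets 200 responses.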
Against channel technology, our remedy is application-layer packet inspection. In normal HTTP requests a method such as GET or POST is indispensable, so if a connection carrying HTTP requests never shows a GET or POST, that connection must be abnormal and can be terminated. There are now IDS products from some companies that can find tunnels hidden in port 80, but the cost of these products is not small for small and medium-sized businesses.
There are other ways to penetrate firewalls, such as finding design flaws in the firewall itself, but those are too difficult and are probably not something we should consider here.
--------------------------------------------------------------
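The application-layer check proposed above, as an added example (not from the article) run over constructed sample streams. Along with the missing-request-line test it decodes the request path, including the overlong UTF-8 spellings of '/' and '\' used in the IIS Unicode attack mentioned earlier (the list is an assumption drawn from the published requests), so that the traversal a packet filter could not see is caught here.

```python
"""Added example (not from the original article): the application-layer check
the text proposes for traffic on port 80, run over constructed sample streams."""
import re
from urllib.parse import unquote_to_bytes

METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

# Overlong UTF-8 spellings of '/' and '\' from the published IIS Unicode
# traversal requests (assumed list; matched in lower case after lower()).
OVERLONG = {b"%c0%af": b"/", b"%e0%80%af": b"/", b"%c1%9c": b"\\", b"%c1%1c": b"\\"}


def decode_path(target: bytes) -> bytes:
    """Normalise a request target the way the vulnerable decoder effectively did:
    overlong sequences become separators, then ordinary percent-decoding."""
    low = target.lower()
    for enc, plain in OVERLONG.items():
        low = low.replace(enc, plain)
    return unquote_to_bytes(low).replace(b"\\", b"/")


def inspect_port80(first_bytes: bytes) -> tuple:
    """Verdict for the first bytes a client sends on a port-80 connection."""
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return ("block", "no HTTP request line: a foreign protocol is using port 80")
    method, target = m.group(1), m.group(2)
    if method not in METHODS:
        return ("block", "unknown HTTP method")
    path = decode_path(target).split(b"?", 1)[0]
    if b"/../" in path or path.endswith(b"/.."):
        return ("block", "directory traversal in decoded path")
    return ("pass", "well-formed %s request" % method.decode())


# Constructed samples, not captured traffic.
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "form_post": b"POST /login HTTP/1.0\r\nContent-Length: 9\r\n\r\nuser=bob\n",
    "iis_unicode": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "telnet_negotiation_on_80": b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",
}


def scan_samples() -> dict:
    """Verdict for each constructed sample stream."""
    return {name: inspect_port80(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_port80(data))
```

Note the limit the article itself admits: a tunnel that speaks syntactically valid HTTP, such as HTTP-Tunnel's POST framing, passes this check, which is why the summary still recommends a NIDS on top of it.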
Summary:
We have reviewed firewalls and firewall penetration. It should now be clearer that the firewall is not a cure-all: even a well-configured firewall is unable to expose a channel program hidden inside seemingly normal data. So what should we do to get the greatest security out of it?
1. Configure the firewall to open only the ports that are needed.
2. Use web applications with strict input filtering.
3. Adopt the encrypted HTTP protocol (HTTPS).
4. If circumstances allow, buy a more capable NIDS.
5. Manage your intranet users and prevent attackers from connecting directly past the firewall.
6. Upgrade your firewall products regularly.
References:
http://www.http-tunnel.com
http://security.zz.ha.cn