Nowadays, as security awareness grows, most companies have deployed a firewall to protect their network, and an ordinary attacker finds it hard to break in where one is present. The following discusses attacks and tests in a firewall environment.
I. Basic principles of a firewall
First, we need to understand the basic principles of how firewalls are implemented. Firewalls today fall mainly into two classes, packet-filter firewalls and application-layer proxy firewalls, but their basic implementation is similar.
--- Router ----- NIC | Firewall | NIC ---------- Internal network
A firewall generally has two or more network cards: one is connected to the router, the other to the internal network. When IP forwarding is turned on in the host, traffic between the two NICs can pass directly. With a firewall, it sits between the NICs and controls all network communication.
Speaking of access control, this is the core of the firewall :). The firewall decides mainly from an access control table, which is generally a series of rules such as:
1 accept from <source address, port> to <destination address, port>: the action to take
2 deny ......... (deny means refuse)
3 nat .......... (nat means address translation)
After receiving a packet at the network layer (including the link layer below it), the firewall matches it against the rules above; if a rule matches, the predefined action is taken, for example the packet is dropped.
However, different firewalls differ in how they judge attack behaviour. Below, the possible attacks are discussed for each kind of firewall.
II. Attacking packet-filter firewalls
The packet-filter firewall is the simplest: it intercepts packets at the network layer and detects attacks according to the firewall's rule table. It filters on the packet's source IP address, destination IP address, TCP/UDP source port and TCP/UDP destination port, and nothing else!! It is easy to attack in the following ways:
1 IP spoofing attack
This attack mainly modifies the packet's source and destination addresses and ports to imitate legitimate packets and fool the firewall's checks. For example, an external attacker changes the source address of his packets to an internal network address, and the firewall lets them through as coming from a legitimate address :). However, if the firewall can also match the address against the interface the packet arrived on, this attack cannot succeed :(
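To make the interface check concrete, here is an added example (not code from the original article) of a first-match packet filter in the style of the rule table above, with an optional anti-spoofing check that ties the source address to the ingress interface; the address ranges, rule set and packet fields are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example, not code from the original article: a minimal
# first-match packet filter with an optional anti-spoofing check that ties the
# source address to the interface the packet arrived on. Ranges and rules are assumed.
INTERNAL_NET = ip_network("10.0.0.0/8")          # assumed internal address range

# (action, source network, destination network, destination port); None = any
RULES = [
    ("accept", "10.0.0.0/8", "0.0.0.0/0",    None),  # inside may reach anything
    ("accept", "0.0.0.0/0",  "10.0.0.10/32", 25),    # anyone may reach the mail server
    ("deny",   "0.0.0.0/0",  "0.0.0.0/0",    None),  # default deny
]

def rule_matches(rule, pkt):
    """True if pkt (dict with src, dst, dport) falls under rule."""
    _action, src_net, dst_net, dport = rule
    return (ip_address(pkt["src"]) in ip_network(src_net)
            and ip_address(pkt["dst"]) in ip_network(dst_net)
            and (dport is None or dport == pkt["dport"]))

def filter_packet(pkt, check_interface=False):
    """Return 'accept' or 'deny' for pkt, which also carries the ingress interface."""
    # Anti-spoofing: a packet arriving on the external interface that claims an
    # internal source address cannot be genuine, whatever the rule table says.
    if (check_interface and pkt["iface"] == "ext"
            and ip_address(pkt["src"]) in INTERNAL_NET):
        return "deny"
    for rule in RULES:                   # first match wins
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

# Constructed packet: an outsider forging an internal source to reach telnet inside.
SPOOFED = {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 23, "iface": "ext"}
```

Without the interface check the forged packet matches the first rule and is accepted; with it, the same packet is denied before the rules are consulted.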
2 DoS denial of service attack
A simple packet-filter firewall cannot track TCP state, so it is easily hit by denial of service: once the firewall is under a DoS attack it may be so busy handling it that it neglects its own filtering :). An attacker can slip in at that moment, but the usefulness of this attack is still very small!
3 Fragmentation attack
The principle of this attack: in IP fragmentation, every fragment carries a fragment offset field that marks it as a fragment, but only the first fragment contains the TCP header with the port numbers. When inspecting IP fragments, the firewall only decides whether the TCP information in the first fragment is allowed to pass; subsequent fragments are not checked by the firewall and are let through.
In this way, an attacker can send a legitimate first fragment to fool the firewall's check, then pack malicious data into the subsequent fragments, which pass straight through the firewall and reach the internal hosts directly, threatening the security of the network and its hosts.
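As an added example (not code from the original article), the following shows a filter that inspects only the first fragment, the weakness just described, beside one that tracks fragments per datagram and applies the checks of RFC 1858, so that a later fragment cannot pass without an accepted first fragment and cannot overwrite the TCP header; the fragment fields and the blocked-port policy are assumptions.

```python
# Constructed example, not code from the original article. A fragment is a dict
# with src, dst, ip_id, offset (in 8-byte units), more (MF flag), length (payload
# bytes) and dport (meaningful only at offset 0). Policy values are assumed.
BLOCKED_PORTS = {23}        # assumed policy: telnet into the network is denied
MIN_FIRST_FRAGMENT = 20     # bytes: a first fragment must hold the full fixed TCP header

def naive_filter(frag):
    """Only fragments at offset 0 carry the TCP ports, so only they are checked."""
    if frag["offset"] == 0:
        return frag["dport"] not in BLOCKED_PORTS
    return True             # later fragments are waved through unseen

class FragmentTracker:
    """Allow a later fragment only if the first fragment of the same datagram was accepted."""
    def __init__(self):
        self.accepted = set()   # (src, dst, ip_id) of accepted first fragments

    def filter(self, frag):
        key = (frag["src"], frag["dst"], frag["ip_id"])
        if frag["offset"] == 0:
            # Tiny-fragment check: the transport header must be complete in this fragment
            ok = (frag["length"] >= MIN_FIRST_FRAGMENT
                  and frag["dport"] not in BLOCKED_PORTS)
            if ok and frag["more"]:
                self.accepted.add(key)
            return ok
        if frag["offset"] == 1:
            return False        # 8 bytes in: would overlap the TCP header (RFC 1858 / 3128)
        ok = key in self.accepted
        if not frag["more"]:    # last fragment of the datagram: forget it
            self.accepted.discard(key)
        return ok
```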
4 Trojan attack
The most effective attack against a packet-filter firewall is a Trojan: once a Trojan has been installed in the internal network, the firewall is basically powerless. The reason is that a packet-filter firewall generally only filters the low ports (1-1024) and cannot filter the high ports (because some services must use high ports, the firewall cannot close them), so many Trojans listen on high ports, such as Glacier, SubSeven and so on.
However, the precondition of a Trojan attack is uploading and running the Trojan, which is easy enough to do against a simple packet-filter firewall. I won't write about that here; it probably relies on vulnerabilities in the services opened by internal hosts.
Early firewalls were this kind of simple packet filter, which is rare now but still exists. Current packet filtering uses stateful inspection, and attacking stateful packet-filter firewalls is discussed below.
III. Attacking stateful-inspection packet filters
Stateful inspection was first proposed by Check Point, and many firewalls in China claim to implement it.
But :) many have not really implemented it. So what is stateful inspection?
In one sentence: stateful inspection is the technique of tracking a TCP connection from establishment to termination.
The original packet filter matches each packet against the rules on its own. But we know that the packets of one TCP connection are related to each other: first a SYN packet, then data packets, then a FIN packet, and the sequence numbers of consecutive packets are related.
If these relationships are cut and packets are filtered individually, the firewall is easily fooled by carefully crafted packets!!! For example, nmap scanning uses SYN, FIN and RST packets to probe the network behind the firewall!
In contrast, a fully stateful firewall judges the packet that initiates a connection; if it complies with the rules, the connection's state information (addresses, ports, options...) is registered in memory, and subsequent packets belonging to the same connection need not be checked again and pass directly. Carefully crafted attack packets are discarded because no state is registered for them in memory, so these packets cannot fool the firewall.
Stateful inspection must be mentioned together with dynamic rules. With dynamic rules under stateful inspection, the original high-port problem can be solved. The principle is: normally the firewall can filter all ports (1-65535) of the internal network, so external attackers find it hard to find an entry point; but in order not to disrupt normal services that must open high ports (such as FTP, IRC, etc.), the firewall dynamically adds a rule in memory to open the relevant high port, and deletes that rule after the service has completed. This guarantees security without disrupting normal service, and it is fast!
In general, firewalls that fully implement stateful inspection are relatively intelligent and can respond automatically to some scanning attacks, so attackers must be very careful not to be discovered.
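As an added example (not code from the original article), the following is a minimal TCP state table in the spirit of the stateful inspection described above: an outbound SYN registers a connection, packets belonging to a registered connection pass without further rule checks, and anything from outside with no matching entry (a stray FIN, ACK or RST probe, forged data) is dropped. It assumes a policy in which only connections initiated from inside are permitted, and the internal prefix and verdict strings are assumptions.

```python
# Constructed example, not code from the original article: a minimal TCP state
# table. Only outbound connections are allowed (assumed policy); the internal
# address prefix is an assumption.
class StatefulFilter:
    def __init__(self, internal_prefix="10."):
        self.internal_prefix = internal_prefix
        self.connections = {}   # (in_addr, in_port, out_addr, out_port) -> state

    def is_internal(self, addr):
        return addr.startswith(self.internal_prefix)

    def handle(self, src, sport, dst, dport, flags):
        """Return 'accept' or 'drop' for one TCP segment; flags is an iterable of flag names."""
        flags = set(flags)
        if self.is_internal(src):
            key = (src, sport, dst, dport)
            if flags == {"SYN"}:             # new outbound connection: register it
                self.connections[key] = "SYN_SENT"
                return "accept"
        else:
            key = (dst, dport, src, sport)   # reply direction: swap the two ends
        state = self.connections.get(key)
        if state is None:
            return "drop"                    # no state registered: unsolicited packet
        if state == "SYN_SENT" and {"SYN", "ACK"} <= flags:
            self.connections[key] = "ESTABLISHED"
        if "RST" in flags:
            del self.connections[key]        # aborted: forget it immediately
        elif "FIN" in flags:
            if state == "FIN_WAIT":          # second FIN: both sides are done
                del self.connections[key]
            else:
                self.connections[key] = "FIN_WAIT"
        return "accept"

    def active(self):
        """Number of connections currently registered in the state table."""
        return len(self.connections)
```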
However, there are also many attack methods against this kind of firewall.
1 Protocol tunneling attack
The idea of a protocol tunnel is similar to the implementation principle of a VPN: an attacker hides malicious attack packets inside the packets of some protocol the firewall permits, in order to penetrate the firewall system and attack the internal network.
For example, many firewalls simply allow ICMP echo requests, ICMP echo replies and UDP packets, and so are vulnerable to ICMP and UDP protocol tunnels. LOKI and LOKID (the attack client and server) are effective tools that implement this attack. In a real attack, the attacker must first manage to install the lokid server on a system in the internal network; afterwards the attacker can use the loki client to embed the commands he wants executed remotely into the corresponding IP packets and send them to the lokid server in the internal network, where the commands are executed and the results are returned the same way. Since many firewalls allow ICMP and UDP packets free passage, the attacker's malicious data rides inside normal packets, bypasses the firewall's checks and successfully reaches the target host. The command used to start the lokid server program is:
lokid -p i -v 1
The loki client is started as follows:
loki -d 172.29.11.191 (attack target host) -p i -v 1 -t 3
In this way, lokid and loki provide a back door through the firewall system into the target system.
2 Using FTP PASV to bypass the firewall's checks
The FTP-PASV attack is one of the important means of intrusion against firewalls, and at present many firewalls cannot filter it. For example, while monitoring the packets an FTP server sends to its client, the firewall looks for the string "227" in each packet. If it finds one, it extracts the target address and port from it, verifies the target address, and once that passes, allows a TCP connection to that address.
An attacker can try to connect to firewall-protected servers and services through this feature. A detailed description can be found at
http://www.checkpoint.com/techsupport/alerts/pasvftp.html.
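As an added example (not the article's or Check Point's code), the following shows how a firewall can parse the FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to open a dynamic rule for the data connection, together with the checks that stop the string "227" alone from opening a hole: the text must be a complete 227 reply line by itself, the advertised address must be the FTP server's own, and the port must not be a privileged one. The server address and the minimum port are assumptions.

```python
import re

# Constructed example, not the article's or Check Point's code: parse a PASV
# reply and decide which (ip, port) to open for the client. Server address and
# minimum port are assumed values.
PASV_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
    r"[^\r\n]*\r?\n$"
)

def parse_pasv(reply):
    """Return (ip, port) from a reply that is, by itself, a complete 227 line; else None."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    return ip, fields[4] * 256 + fields[5]

def pasv_pinhole(reply, server_ip, min_port=1024):
    """Decide the (ip, port) to open for the client's data connection, or None to refuse.

    Refused: text that merely contains "227" somewhere (e.g. inside another
    reply), an advertised address other than the FTP server's own, and ports
    below min_port, which would expose a privileged service rather than a data port.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != server_ip or not (min_port <= port <= 65535):
        return None
    return ip, port
```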
3 Reverse-connecting Trojan attack
Reverse-connecting Trojans are the most effective way to deal with this kind of firewall. The Trojan in the internal network connects out to a host controlled by the external attacker; since the connection is initiated from inside, the firewall (any firewall) considers it a legitimate connection. This is essentially the firewall's blind spot: the firewall cannot distinguish a Trojan from a legitimate connection.
But the limitation of this attack is: the Trojan must be installed first!!! The first step of every Trojan attack is the key!!!!
IV. Attacking proxy firewalls
A proxy is a firewall that runs at the application layer. It is essentially two connections: one from the client to the proxy, the other from the proxy to the destination server.
Its implementation is relatively simple, and it likewise filters according to rules, but it runs slowly.
There are many ways to attack proxies.
Here WinGate is taken as an example, briefly (I'm too tired).
WinGate is currently a widely used proxy firewall for Windows 95/NT; internal users can access external networks through a host with WinGate installed, but it also has several security weaknesses.
Hackers often use these vulnerabilities to obtain unauthorized web, SOCKS and telnet access through WinGate, disguising themselves under the identity of the WinGate host to attack the next target. Hence this kind of attack is very hard to trace and log.
The cause of most WinGate security vulnerabilities is that the WinGate proxy firewall software is not configured sensibly for the actual situation of the network but simply run with its default settings after installation; this gives the attacker an opening.
1 Unauthorized web access
Some WinGate versions (such as 2.1d on NT systems), when misconfigured, allow external hosts to access the Internet completely anonymously. Hence external attackers can use the WinGate host to launch all kinds of web attacks against web servers (such as CGI vulnerabilities), and because all web attack traffic passes over TCP port 80, it is very hard to track down the source of the attacker.
Detection
The way to detect whether a WinGate host has this vulnerability is as follows:
1) Connect to the Internet over a connection that is not filtered (such as dial-up).
2) Point the browser's proxy server setting at the WinGate host under test.
If the browser can access the Internet, the WinGate host has the unauthorized web access vulnerability.
2 Unauthorized SOCKS access
In WinGate's default configuration, the SOCKS proxy (TCP port) is also a security vulnerability. Just like the open web proxy (TCP port 80), external attackers can use the SOCKS proxy to access the Internet.
Prevention
To prevent this WinGate weakness from being attacked, the administrator can restrict the binding of a particular service. On a multi-homed system, perform the following steps to restrict how the proxy services are provided:
1 Select the SOCKS or WWW Proxy Server properties.
2 Select the Bindings tab.
3 Press the "Connections will be accepted on the following interface only" button and specify the internal interface of the WinGate server for this service.
3 Unauthorized telnet access
This is the most threatening WinGate vulnerability. By connecting to the telnet service of a misconfigured WinGate server, an attacker can use someone else's host to hide his own tracks and carry out attacks.
Detection
The way to detect whether a WinGate host has this vulnerability is as follows:
1 Try connecting to the WinGate server with telnet.
[root@happy /tmp]# telnet 172.29.11.191
Trying 172.29.11.191...
Connected to 172.29.11.191.
Escape character is '^]'.
WinGate> 10.50.21.5
2 If you receive the above response text, enter the site you want to connect to.
3 If you see the login prompt of the new system, the server is vulnerable.
Connected to host 10.50.21.5 ... Connected
SunOS 5.6
login:
Countermeasure
The method of preventing this weakness is similar to preventing unauthorized SOCKS access: simply restricting the binding of the specific service in WinGate
solves the problem. In general, on a multi-homed system the administrator can follow these steps:
1 Select the Telnet Server properties.
2 Select the Bindings tab.
3 Press the "Connections will be accepted on the following interface only" button and specify the internal interface of the WinGate server.
V. Closing remarks
There is far more to firewalls than the little covered above; what I have written here, please everyone correct.
Hackers have been studying techniques and means of attacking firewalls all along, and their attack techniques are becoming increasingly intelligent and diverse. But the process of a hacker attacking a firewall can roughly be divided into three types of attack.
The first type of attack on a firewall is to detect what firewall system is installed on the target network and find out which services this firewall system allows. We call this a probing attack on the firewall.
The second type of attack on a firewall is to use address spoofing, TCP sequence-number attacks and other techniques to bypass the firewall's authentication mechanism and break into the firewall and the internal network.