Saturday, January 10, 2015

Hardening the Hardware Firewall

by Neil Lynch

Inevitably, some attacks will get through the network firewall and reach individual hosts, which can be devastating to a company. In this project I'll briefly discuss the hacker's motives and some of his techniques, explain the function of a firewall and its vulnerabilities, and give proven (tested) recommendations for hardening it against the probing attacker.
The malicious hacker's motives, as opposed to those of the hacker who breaks in for the thrill (or to demonstrate a company's vulnerabilities), include:
Breaking into corporate networks
Hacking into accounts without authorization
Stealing confidential data
Doing damage to critical infrastructure
Disrupting business continuity (day-to-day revenue generating operations)
Denial-of-service attacks, etc.
"Hacked computer systems remain one of the most dangerous and frightening fears of the modern era … often it is unclear that a computer system has been hacked until it is too late" (laws.com).
The hacker studies his victim:
Once the hacker has completed his reconnaissance and decided on his victim, he penetrates the vulnerable firewall in one of many ways (via holes in the Access Control List (ACL), zero-day exploits, etc.) to acquire the target IP address range, where he'll start probing the network for vulnerable hosts.
He sends probe packets into a network designed to elicit replies from internal hosts and routers within the address range. When a host receives an ICMP Echo reply message from an IP address, it knows there is a live host at that IP address. Once the hacker knows the IP address of live hosts, he needs to know what program the identified hosts are running because most attacks rely on the vulnerabilities in specific programs… The attacker sends port scanning probes to each identified host in order to determine which application the host is running. Once the attacker knows what programs the identified host is running, he can exploit the vulnerabilities in these specific programs. If the exploit succeeds, the attacker "owns" at least an account and may "own" the computer itself … Attackers take steps to make their actions more difficult to detect or analyze; hackers spoof their IP address, so as not to be identified. (Boyle et al. 32-33) 
The hardware firewall, programmed by an administrator, contains preventative measures designed to block unauthorized entry into the company's network. Physically located between the internet and the network, it filters all traffic before it enters the network (ingress filtering) and all packets before they leave the network (egress filtering), using a firewall technology called Stateful Packet Inspection (SPI).
SPI uses different examination methods depending on the state of the connection; it is important to check for different things during different states.
According to Rouse, Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
Stateful inspection has largely replaced an older technology, static packet filtering. In static packet filtering, only the headers of packets are checked -- which means that an attacker can sometimes get information through the firewall simply by indicating, "reply" in the header. Stateful inspection, on the other hand, analyzes packets down to the application layer. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet filter can.
Stateful inspection monitors communications packets over a period of time and examines both incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked and only those incoming packets constituting a proper response are allowed through the firewall.
In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs. In a typical network, ports are closed unless an incoming packet requests connection to a specific port and then only that port is opened. This practice prevents port scanning, a well-known hacking technique. (techtarget.com)
"The hardware firewall allows a large organization to have a central solution for its firewall needs…. Configuration changes to a hardware firewall affect all the computers on that network; thus, those changes do not have to be carried out on each and every computer" (Ezeobika, Yahoo!).
It's the responsibility of the network administrator to set parameters and countermeasures that harden the firewall against relentless hack attacks. For example,
A firewall examines each packet passing through it. If the packet is a provable attack packet, the firewall drops the packet. If the packet is not a provable attack packet, the firewall passes the packet on to its destination. In firewalls, this is called a pass/deny decision. Note that a firewall passes all packets that are not provable attack packets. This means that it will pass any true attack packet that is not a provable attack packet. This will allow attack packets to get through to their target. (Boyle et al. 314)
So if an attacker gains the ability to turn the firewall off, or even to manipulate it into allowing certain traffic, the result could be disastrous.
For example, assume that the subnet 200.1.1.1/24 is considered malicious and that the security administrator has dutifully configured the (ACL) to block all inbound and outbound traffic to that subnet. If a nefarious individual successfully obtains management access to the firewall, they could wreak havoc with authorized network traffic, and certainly foster all sorts of malicious traffic and system requests. Altering the ACL to permit traffic to the above-mentioned subnet is merely an academic exercise as all manner of havoc can be wreaked by said nefarious individuals. (Casey, techtarget.com)
"Consequently, it is important to harden hosts to protect them against attack packets that the firewall does not drop" (Boyle et al. 314).
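The pass/deny decision, the connection tracking that distinguishes stateful inspection from static filtering, egress filtering of probe replies, and the blocked-subnet ACL from the Casey example are all small enough to simulate. The following is an added example, not code from this post or from any vendor's firewall: a toy stateful filter in Python. The internal network 10.0.0.0/24, the outside hosts, and the policy of publishing only port 443 are assumptions made for the illustration; the blocked subnet is the post's own 200.1.1.1/24.

```python
"""Toy stateful packet filter with an ACL (added illustration, not the post's
or any vendor's code). Every address below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0           # source port (0 for ICMP)
    dport: int = 0           # destination port (0 for ICMP)
    flags: str = ""          # TCP flags: "SYN", "SYN-ACK", "ACK" ...
    icmp_type: str = ""      # "echo-request" or "echo-reply"


class StatefulFirewall:
    """Sits between the internet and the internal network and keeps a
    connection table so that only replies to tracked connections get in."""

    def __init__(self, internal_net, blocked_nets, allowed_inbound_ports=()):
        self.internal = ipaddress.ip_network(internal_net)
        # strict=False accepts the post's "200.1.1.1/24" spelling of 200.1.1.0/24
        self.blocked = [ipaddress.ip_network(n, strict=False) for n in blocked_nets]
        self.allowed_inbound = set(allowed_inbound_ports)   # e.g. a public web server
        self.connections = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def _in_blocked_subnet(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)

    def _key(self, pkt, inside_is_src):
        # Normalise both directions of a flow to the same tuple
        if inside_is_src:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return ("pass"|"drop", reason): the firewall's pass/deny decision."""
        if self._in_blocked_subnet(pkt.src) or self._in_blocked_subnet(pkt.dst):
            return "drop", "ACL: traffic to/from blocked subnet"
        if ipaddress.ip_address(pkt.src) in self.internal:
            return self._egress(pkt)
        return self._ingress(pkt)

    def _egress(self, pkt):
        key = self._key(pkt, inside_is_src=True)
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
            # Egress filtering: a reply to an outside probe must not leave,
            # or the prober learns that a live host sits at this address.
            return "drop", "egress: echo-reply to outside host suppressed"
        if (pkt.proto == "tcp" and pkt.flags == "SYN") or pkt.proto in ("udp", "icmp"):
            self.connections.add(key)    # internal host opened a connection: track it
            return "pass", "outbound connection opened, state recorded"
        if key in self.connections:
            return "pass", "outbound packet on tracked connection"
        return "drop", "egress: no tracked connection"

    def _ingress(self, pkt):
        key = self._key(pkt, inside_is_src=False)
        if key in self.connections:
            return "pass", "inbound packet matches tracked connection"
        if pkt.proto == "tcp" and pkt.flags == "SYN" and pkt.dport in self.allowed_inbound:
            self.connections.add(key)    # explicitly published service
            return "pass", "inbound connection to allowed port, state recorded"
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            return "drop", "ingress: probe (echo-request) not admitted"
        return "drop", "ingress: externally initiated, no matching state"


def run_demo():
    """Replay a constructed sequence of packets and return the decisions."""
    fw = StatefulFirewall("10.0.0.0/24", ["200.1.1.1/24"], allowed_inbound_ports=[443])
    packets = [
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 443, "SYN"),       # user opens HTTPS
        Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 40000, "SYN-ACK"),   # proper response
        Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, "SYN"),          # unsolicited SSH
        Packet("200.1.1.50", "10.0.0.5", "tcp", 4444, 443, "SYN"),           # blocked subnet
        Packet("198.51.100.7", "10.0.0.5", "icmp", icmp_type="echo-request"),  # host probe
        Packet("10.0.0.5", "198.51.100.7", "icmp", icmp_type="echo-reply"),    # probe reply
        Packet("203.0.113.9", "10.0.0.5", "tcp", 4444, 443, "SYN"),          # published port
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(f"{decision:4s}  {reason}")
```

Note the last branch of `_ingress`: a packet that is not provably bad but has no tracked connection is still dropped at the perimeter, which is the posture the Rouse passage describes (ports closed unless a connection opened them). The hosts behind the firewall still need hardening, because anything the firewall does pass reaches them.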
Here are a few of the vulnerabilities that require the administrator's perpetual vigilance and countermeasures:
Zero-day exploits
Holes in ACL rules (passing any true attack packet that is not a provable attack packet)
Improper configuration (rendering a firewall useless)
Outdated virus definitions and security updates, etc.
Outdated device firmware
Unpatched operating systems
To harden against these vulnerabilities the administrator should already have an executable contingency plan, in addition to the following proven ("successfully tested") recommendations:
Upgrading device firmware
Downloading and installing patches for operating system vulnerabilities (Windows Server does this automatically).
Before upgrading firmware and installing patches … back up, back up, back up your system.
We should also be running the most recent version of our licensed product and have the most up-to-date security content and virus definitions. Reading operating-system log files regularly to look for and counter suspicious activity is essential; "one of the first things many hackers do after taking over a device is to delete or at least disable event logging" (Boyle et al. 570). To prevent this kind of intrusion the firewall administrator must write additional filtering rules and, in actual cases of attack (zero-day, SQL injection, etc.), respond quickly to maintain business continuity.
Moreover, by eliminating unnecessary services, which create vulnerabilities for the host and consume RAM and processing power, we increase performance and, by shrinking what an attacker can reach, safety.
Other recommendations for hardening the system:
Managing users and groups – Every user must have an account; individual accounts can be consolidated into groups.
Managing permissions – Specify and assign permissions.
Creating strong passwords – Password policies must require long, complex passwords: at least 8 characters, with upper- and lower-case letters, numbers, and special characters.
Black-holing attackers' IP addresses
Testing for vulnerabilities – Mistakes will be made in hardening; do vulnerability testing and follow a security baseline, which ensures uniformity in hardening (Boyle et al. 378).
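Two of the recommendations above, reading the logs regularly for suspicious activity and black-holing the IP addresses of attackers, fit together: the port-scanning probes described earlier show up in the firewall's drop log as one source touching many ports in a short time, and the sources that fit that pattern are the ones to black-hole. The following is an added example, not code from this post or from any firewall product: it parses a constructed log in a simple key=value format (not a real vendor's format), flags sources dropped on many distinct ports within a sliding window, and renders deny entries in a generic placeholder syntax.

```python
"""Added example: reading firewall drop logs for scan activity and turning the
result into a black-hole list. The log format and every address below are
constructed for this illustration; it is not the post's or any vendor's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one probing host walks a dozen ports in ten seconds,
# a second host is dropped twice, a third connects normally to the web server.
SAMPLE_LOG = """\
2015-01-10T08:00:00 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=21
2015-01-10T08:00:01 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22
2015-01-10T08:00:01 PASS src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=443
2015-01-10T08:00:02 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=23
2015-01-10T08:00:02 DROP src=192.0.2.33 dst=10.0.0.5 proto=tcp dport=22
2015-01-10T08:00:03 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=25
2015-01-10T08:00:04 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=80
2015-01-10T08:00:05 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=110
2015-01-10T08:00:06 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=135
2015-01-10T08:00:06 DROP src=192.0.2.33 dst=10.0.0.5 proto=tcp dport=80
2015-01-10T08:00:07 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=139
2015-01-10T08:00:08 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=445
2015-01-10T08:00:09 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=1433
2015-01-10T08:00:09 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=3306
2015-01-10T08:00:10 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=3389
2015-01-10T08:00:11 PASS src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>PASS|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped
    (in practice a line the parser cannot read deserves its own alert)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_scanners(events, min_ports=10, window=timedelta(seconds=60)):
    """Flag a source that was DROPped on at least `min_ports` distinct
    destination ports within any `window`-long span: the port-sweep signature.
    The threshold and window are assumptions to tune per network."""
    recent = defaultdict(deque)     # src -> deque of (ts, dport), oldest first
    scanners = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "DROP":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # slide the window forward
        if len({port for _, port in q}) >= min_ports:
            scanners.add(ev["src"])
    return scanners


def blackhole_rules(scanners):
    """Render deny entries for the flagged hosts. The syntax is a generic
    placeholder, not any particular firewall's ACL language."""
    return [f"deny ip host {src} any" for src in sorted(scanners)]


if __name__ == "__main__":
    found = find_scanners(parse_log(SAMPLE_LOG))
    for rule in blackhole_rules(found):
        print(rule)
```

Review the flagged list before applying it: because attackers spoof source addresses, as the Boyle passage notes, an automatically generated black-hole entry can end up blocking a legitimate address, so the output is a candidate list for the administrator rather than something to push to the ACL unattended.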
It's an enduring battle for the firewall administrator, counteracting the exploits of the hacker's morphing motives and newly acquired ways of defeating the administrator's preventative measures. It's a vicious cycle.
As stated above, hardening the centrally located hardware firewall against the malicious hacker requires administrative programming of that firewall: ingress and egress filtering of packets using SPI technology, which rejects provable attack packets and externally initiated connection-opening attempts via ACL signatures, etc. (SPI replaced SPF). Egress filtering prevents replies to probe packets from leaving the network, deterring the hacker.
Administering the ACL and configuring the centrally located firewall affects all computers on the network (which is good security-wise, programming-wise, and administratively). Based on connection type (packet state) and ACL scrutiny, provable attack packets are dropped and non-provable (potential) attack packets are passed.
Countering vulnerabilities like zero-day exploits, holes in the ACL, and improper configuration, and hardening against them using executable contingency plans and proven recommendations (upgrading device firmware, backing up and then installing patches, eliminating unnecessary services, etc.), should have given us a heightened understanding of the hardware firewall, its logging abilities, and the administrator's relentless efforts to decipher these logs while shielding the network.
Works Cited
Laws.com. "Purpose of Hacking." <http://criminal.laws.com/computer-crime/hacking/hacking-purpose>
Boyle, Randall J., and Raymond R. Panko. Corporate Computer Security. New Jersey: Prentice Hall, 2013. Print.
Ezeobika, Chukwumah, M.D. "The Advantages and Disadvantages of Hardware and Software Firewalls. Hardware Vs. Software Firewalls: Which is Better?" Yahoo, 25 Feb. 2011. <http://voices.yahoo.com/the-advantages-disadvantages-hardware-software-7927614.html>
Casey, Brad. "Network Security. Enterprise firewall protection: Where it stands, where it's headed." Web. Published 02 Dec 2013. <http://searchsecurity.techtarget.com/tip/Identifying-and-preventing-router-switch-and-firewall-vulnerabilities>
Rouse, Margaret. "Stateful Inspection." Web. Oct. 2009. <http://searchnetworking.techtarget.com/definition/stateful-inspection> <http://whatis.techtarget.com/contributor/Margaret-Rouse>
