Professional Documents
Culture Documents
Techniques used
for bypassing
firewall systems
presented by
Adam Gowdiak
External Bastion
router
Internal
Internet FIREWALL router
corporate
network
FIREWALL Internet
corporate network
Bastion
demilitarised
zone (DMZ) FIREWALL
corporate
network
Corporate network
INTERNET
Intranet
server
Corporate network
Backward connection to attackers
host through HTTP (port 80)
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
20
Firewall attack techniques
The past
n Packet fragmentation
n Source porting (can be still used occasionally)
n Source routing
n Vulnerabilities in TCP/IP stack
n FTP PASV related application proxy vulnerabilities
(dynamic rules were created without properly assuring
that the PASV response string was part of a legitimate
FTP connection)
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
25
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
26
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
27
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
28
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
29
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
30
Firewall attack techniques
Attacks through external systems
(case study)
WWW Communication
server
Database
server
INTERNET
Intranet
server
compromised system
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
31
Firewall attack techniques
Attacks through external systems
(case study) WWW Attackers Communication
code server
Database
server
Corporate network
Attacker’s code gets executed
on the user’s machine
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
32
Firewall attack techniques
Attacks through content
DEMONSTRATION
There are also many other things you should take into
account because they may influence the security of your
network:
n DNS service
n routing/security of routes
Database
server
Corporate network
Attacker owns corporate DNS
server or can spoof DNS replies to it
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
37
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
38
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
39
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
40
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
41
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
42
Firewall attack techniques
Man in the middle attacks
(case study) WWW DNS Server
Database
server
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
43
Firewall attack techniques
Man in the middle attacks
(case study) WWW Attackers DNS Server
code
Database
server
Corporate network
Attacker’s code gets executed
on the user’s machine
yahoo
INTERNET
Intranet
server
Attacker
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
44
Firewall attack techniques
DNS attacks are still the real threat
DEMONSTRATION
CERT-POL34
http://cert.pol34.pl
Copyright @ 2003 Poznan Supercomputing and Networking Center, POL34-CERT
50