
A Stateful Inspection of Firewall-1

Dug Song
August 15, 2000


Black Hat Briefings 2000 with John McDonald and Thomas Lopatic.

Demonstrated several exploits to bypass Check Point Firewall-1, including a zero-knowledge authentication bypass of the administration channel to disable the firewall completely.

This research resulted in a complete ground-up rewrite of Check Point's market-leading firewall product as Firewall-1 NG.


Transcript

  1. A Stateful Inspection of FireWall-1
     T. Lopatic, J. McDonald, D. Song, "A Stateful Inspection of FireWall-1", Black Hat Briefings 2000
     Thomas Lopatic, John McDonald (TÜV data protect GmbH); Dug Song (CITI at the University of Michigan)

  2. Overview
     • Architecture of FireWall-1
     • Attacking the firewall’s state I
     • FWZ encapsulation
     • Attacking the firewall’s state II
     • Attacking authentication between firewall modules
     • Hardening FireWall-1
     • The big picture

  3. Stateful Inspection I
     Figure: packet path through the firewall: virtual defrag (chain of fragments) → pre-inspection against the “connections” table (ACCEPT) → virtual machine (ACCEPT / REJECT), which feeds the “connections” and “pending” tables.

  4. Stateful Inspection II
     • UDP “connections”
     • from a client, port C
     • to a server, port S + wildcard port
     • <s-address, s-port, d-address, d-port, protocol>
     Figure: an internal client (port C) sends a UDP packet to an external server (port S); UDP replies from the server are accepted.

  5. Stateful Inspection III
     Figure: FTP client 192.168.0.2 and FTP server 172.16.0.2.
     Active mode: the client sends “PORT 192,168,0,2,4,36” on the control connection (client port > 1023 → server port 21); the server opens the data connection from port 20 to client port 1060.
     Passive mode: the client sends “PASV”, the server replies “227 ... (172,16,0,2,4,36)”; the client opens the data connection from a port > 1023 to server port 1060.

  6. Topology
     Figure: test setup with Solaris 172.16.0.2, Windows NT, OpenBSD 192.168.0.3, Linux 192.168.0.2 and a Nokia IP-440, addresses 172.16.0.1, 194.221.6.159, 194.221.6.149 and 192.168.0.1, connected by a hub; labelled “Victim network” and “Hostile network”.

  7. Fastmode Services
     • non-SYN packets accepted
     • Source port = fastmode service
     • Destination port = fastmode service
     • Stealth scanning (FINs, ...)
     Figure: non-SYNs pass in both directions between the Internet and 172.16.0.x.

  8. FTP “PORT” Parsing
     • “PORT 172,16,0,258,p1,p2” → 172.16.1.2
     • “PORT 172,16,1349632,2,p1,p2” → 192.168.0.2, where 1349632 = 65536 * (192 - 172) + 256 * (168 - 16)
     • Application: bounce attack
     Figure: FTP server 172.16.0.2 opens the data connection to 192.168.0.2 instead of 172.16.0.2.

  9. FTP “PASV” Handling
     • Advertise small Maximal Segment Size
     • Server replies split
     Figure: client 192.168.0.2 sends the command “XXXXXXXXXXXXXX227 (172,16,0,2,128,7)”; server 172.16.0.2 replies “500 Invalid command given: XXXXXXXXXXXXXX227 (172,16,0,2,128,7)”, which arrives split into the segments “500 Invalid command giv”, “en: XXXXXXXXXXXXXX” and “227 (172,16,0,2,128,7)”.
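Slides 8 and 9 describe two ways an FTP-aware filter can be fed a data-connection endpoint it should not accept: unchecked octet arithmetic in "PORT" parsing, and matching a "227" reply at the start of a TCP segment rather than at the start of a line. The following Python is an added example, not code from the talk or from Check Point, showing the defensive parser a practitioner would want: it models the two flaws for comparison (lenient_address, per_segment_match) and beside them a parser that reassembles the control channel into lines, range-checks every field and requires the advertised host to equal the peer of the control connection. The "equals the peer" rule and the port-range check are assumed hardening choices; the sample strings are the values shown on the slides.

```python
import re
from typing import List, Optional, Tuple

# Regexes for the two commands that carry data-connection endpoints: the
# client's PORT command and the server's 227 reply to PASV.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def lenient_address(h1: int, h2: int, h3: int, h4: int) -> str:
    """Models the parsing flaw slide 8 describes: the four fields are folded
    into a 32-bit address without range checks, so an oversized field carries
    into the higher octets ("172,16,0,258" becomes 172.16.1.2)."""
    value = (h1 * 2**24 + h2 * 2**16 + h3 * 2**8 + h4) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def strict_endpoint(fields: Tuple[str, ...], peer: str) -> Optional[Tuple[str, int]]:
    """Hardened check (an assumed design, not Check Point's fix): every field
    must be 0..255, the port must be non-zero, and the advertised host must
    equal the peer of the control connection, which is what stops a data
    connection from being bounced to a third host."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # at most 65535 after the range check
    if host != peer or port == 0:
        return None
    return host, port


def per_segment_match(segment: bytes) -> Optional[Tuple[str, int]]:
    """Models a parser that matches at the start of each TCP segment: the
    tail of a split "500 Invalid command given: ...227 (...)" error reply
    looks exactly like a genuine 227 reply (slide 9)."""
    m = PASV_RE.match(segment.decode("ascii", "replace"))
    if not m:
        return None
    nums = [int(f) for f in m.groups()]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class FtpControlParser:
    """Reassembles one direction of an FTP control channel into CRLF-terminated
    lines before parsing, so a reply that a small MSS split across segments is
    judged as a whole line and not from wherever a segment happens to begin."""

    def __init__(self, peer: str) -> None:
        self.peer = peer          # address of the party sending this direction
        self.buf = b""
        self.endpoints: List[Tuple[str, int]] = []

    def feed(self, segment: bytes) -> List[Tuple[str, int]]:
        """Returns the data-connection endpoints accepted from this segment."""
        self.buf += segment
        accepted: List[Tuple[str, int]] = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            m = PORT_RE.match(text) or PASV_RE.match(text)
            if m:
                ep = strict_endpoint(m.groups(), self.peer)
                if ep is not None:
                    accepted.append(ep)
        self.endpoints.extend(accepted)
        return accepted


if __name__ == "__main__":
    # Constructed sample traffic using the values shown on the slides.
    print(lenient_address(172, 16, 0, 258), lenient_address(172, 16, 1349632, 2))
    client = FtpControlParser("192.168.0.2")
    print(client.feed(b"PORT 192,168,0,2,4,36\r\n"))
    print(client.feed(b"PORT 172,16,1349632,2,4,36\r\n"))
    server = FtpControlParser("172.16.0.2")
    for seg in (b"500 Invalid command giv", b"en: XXXXXXXXXXXXXX",
                b"227 (172,16,0,2,128,7)\r\n"):
        print(per_segment_match(seg), server.feed(seg))
```

Run as a script, the lenient parser yields 172.16.1.2 and 192.168.0.2 for the two slide-8 strings, the line-based parser accepts only the well-formed "PORT 192,168,0,2,4,36" for peer 192.168.0.2, and the three segments of the split error reply produce a spurious (172.16.0.2, 32775) endpoint from the per-segment matcher but nothing from the reassembling parser, because the whole line begins with "500".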
  10. One-way Connections I
      Figure labels: TCP header; TCP payload; TCP header + payload; ACCEPT; DROP; Intranet; established one-way connection.

  11. One-way Connections II
      Figure labels: 172.16.0.2; 192.168.0.2; open one-way connection; datagram A; datagram B; open one-way connection; retransmission of B [...]

  12. FWZ Encapsulation I
      • VPN tunneling protocol
      • Decapsulation without decryption or authentication
      • Cannot be disabled
      Figure: modified IP header + IP payload + encapsulation info (obfuscated). 1. The encapsulation info carries the original d-address and original protocol. 2. The IP header carries d-address = firewall, protocol = 94.

  13. FWZ Encapsulation II
      Key to spoofing attacks
      Figure: IP header s-addr = 10.0.0.1, d-addr = 194.221.6.19; encapsulation info d-addr = 131.159.1.1; hosts 10.x.x.x, 131.159.1.1, 194.221.6.19.

  14. Fake “PORT” Commands
      Figure: fake “PORT” packet from FTP client 172.16.0.2 to firewall 192.168.0.1: IP header s-addr = 172.16.0.2, d-addr = 192.168.0.1; encapsulation info d-addr = 192.168.0.2; TCP header + payload “PORT 172,16,0,2,128,7”.

  15. RSH Error Connections I
      • <172.16.0.2, 1024, 192.168.0.2, 514, 6> in “connections”
      • <172.16.0.2, 1025, 192.168.0.2, magic, 6> in “pending”
      • Reversed matching
      Figure: RSH client 172.16.0.2 (port 1024, < 1024) → RSH server 192.168.0.2 (port 514), “error port is 1025”; error connection back to port 1025.

  16. RSH Error Connections II
      • s-addr:s-port, d-addr:magic, seq + 1 → 172.16.0.2:1024, 192.168.0.2:magic, 250001
      • s-addr:error-port, d-addr:magic, protocol → 172.16.0.2:1025, 192.168.0.2:magic, 6 (TCP)
      • s-addr:s-port, d-addr:magic, seq + 1 → 172.16.0.2:32775, 192.168.0.2:magic, 6 = seq + 1, i.e. TCP seq = 5 (SYN packet #2, port info)

  17. Fake UDP Requests
      Figure: fake DNS request from DNS client 172.16.0.2 to firewall 192.168.0.1: IP header s-addr = 172.16.0.2, d-addr = 192.168.0.1; encapsulation info d-addr = 192.168.0.2; UDP header s-port = 161, d-port = 53.

  18. FWZ Encapsulation III
      Key to non-routable addresses
      Figure: IP header s-addr = 131.159.1.1, d-addr = 194.221.6.19; encapsulation info d-addr = 10.0.0.1; hosts 10.x.x.x, 131.159.1.1, 194.221.6.19.

  19. Anti-Spoofing Protection I
      Figure: from 192.168.0.2: s-addr = 192.168.0.2, d-addr = 192.168.0.1, s-port = any, d-port = 161. 1. fake DNS request: d-addr = 192.168.0.2. 2. tunnel to firewall 192.168.0.1: s-addr = 192.168.0.1, d-addr = 192.168.0.1, s-port = 161, d-port = 53.

  20. Anti-Spoofing Protection II
      Figure: from 192.168.0.2: s-addr = 192.168.0.2, d-addr = 192.168.0.1, d-addr = 224.0.0.1, s-port = 53, d-port = 161. 1. fake DNS request: d-addr = 192.168.0.2. 2. tunnel to firewall 192.168.0.1: s-addr = 224.0.0.1, d-addr = 192.168.0.1, s-port = 161, d-port = 53.

  21. FireWall-1 Modules
      Figure: Management module and GUI; three Filter modules. Port 256/TCP: security policy, status, logs. Port 258/TCP. Authentication methods: S/Key, FWN1, FWA1.

  22. Inter-Module Protocol
      Figure: exchange between Management module and Filter module: Version ↔ Version; IP addresses ↔ IP addresses; Command → Required authentication; Authentication; Arguments → Result.

  23. S/Key Authentication
      • Hash^n(x) = Hash(Hash(... Hash(x))) (n times) = Hash(Hash^(n-1)(x))
      • Seed x (password hash); Hash^100(x) stored; Index = 99 → Hash^99(x); ...; Index = 1 → Hash^1(x)
      • Calculate seed y, Hash^100(y)
      • “y = MakeSeed(time(NULL))”
      • Attack: brute force
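Slide 23 gives the S/Key chain Hash^n(x) and the reason it fell here: the seed came from MakeSeed(time(NULL)), a space small enough to enumerate. The following Python is an added example, not code from the talk or from Check Point, showing the chain itself, the server-side verify-then-advance step that makes each password single-use, and seed generation from a CSPRNG. SHA-256 stands in for the slide's unnamed Hash, the chain length 100 and the index bookkeeping are assumptions, and the fixed seed in the usage code is a constructed value.

```python
import hashlib
import secrets
from dataclasses import dataclass


def hash_n(x: bytes, n: int) -> bytes:
    """Hash^n(x): Hash applied n times; Hash^0(x) = x.
    SHA-256 stands in for the slide's unnamed Hash (an assumption)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


def make_seed() -> bytes:
    """The slide attacks a seed derived from time(NULL); the fix is a seed
    drawn from the operating system's CSPRNG, not from the clock."""
    return secrets.token_bytes(32)


@dataclass
class SkeyVerifier:
    """Server side: stores only Hash^index(seed), never the seed itself."""
    index: int
    stored: bytes

    @classmethod
    def enroll(cls, seed: bytes, n: int = 100) -> "SkeyVerifier":
        return cls(index=n, stored=hash_n(seed, n))

    def verify(self, otp: bytes) -> bool:
        # A valid one-time password p for index i is Hash^(i-1)(seed), so
        # Hash(p) must equal the stored Hash^i(seed). On success the server
        # moves one step down the chain, which is what defeats replay.
        if self.index <= 1:
            return False          # chain exhausted: re-enrol with a fresh seed
        if not secrets.compare_digest(hashlib.sha256(otp).digest(), self.stored):
            return False
        self.index -= 1
        self.stored = otp
        return True


def client_otp(seed: bytes, index: int) -> bytes:
    """Client side: the password for server index i is Hash^(i-1)(seed)."""
    return hash_n(seed, index - 1)


if __name__ == "__main__":
    seed = b"constructed-fixed-seed"       # fixed only for a reproducible demo
    server = SkeyVerifier.enroll(seed, 100)
    first = client_otp(seed, server.index)
    print(server.verify(first), server.index)   # True 99
    print(server.verify(first), server.index)   # False 99 (replay rejected)
    print(len(make_seed()))                     # 32
```

The verifier never holds the seed, so compromise of the stored value only yields Hash^i(seed), which cannot be inverted to produce the next password. What the slide shows is that this property is worthless when the seed itself is guessable: an attacker who can enumerate candidate seeds simply recomputes Hash^100(y) for each and compares.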
  24. FWN1 Authentication
      • Random number R1, S1 = Hash(R1 + K)
      • Random number R2, S2 = Hash(R2 + K)
      • Shared key K (“fw putkey”)
      • Attack: choose R2 = R1, so that S2 = S1

  25. FWA1 Authentication
      • Random number R1, S1 = Hash(R1 + K)
      • Random number R2, S2 = Hash((R1 ^ R2) + K)
      • Shared key K (“fw putkey”)
      • Attack: choose R2 = 0, so that
        • R1 ^ R2 = R1 and
        • S2 = Hash((R1 ^ R2) + K) = Hash(R1 + K) = S1
      • To be solved: encryption
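Slides 24 and 25 show why both FWN1 and FWA1 fail: each side's answer is a function of the shared key and a nonce the other side can influence, so one party's valid response can be made to serve as the other's. The following Python is an added example, not code from the talk or from Check Point, that models the two responses exactly as the slides write them and beside them a bound form in which the response is a keyed MAC over the responder's role and both nonces in a fixed order, with degenerate nonces (all-zero, or equal to the verifier's own) rejected before any comparison. SHA-256/HMAC-SHA-256 stand in for the slides' Hash, '+' is taken to be concatenation, and the key value and role names are constructed.

```python
import hashlib
import hmac
import secrets

# Shared key K as installed on both modules ("fw putkey"); constructed value.
K = b"constructed-shared-key"


def weak_response_fwn1(r: bytes, key: bytes) -> bytes:
    """FWN1 as the slide writes it: S = Hash(R + K), with '+' read as
    concatenation (an assumption; the slide does not say)."""
    return hashlib.sha256(r + key).digest()


def weak_response_fwa1(r1: bytes, r2: bytes, key: bytes) -> bytes:
    """FWA1 as the slide writes it: S2 = Hash((R1 ^ R2) + K)."""
    x = bytes(a ^ b for a, b in zip(r1, r2))
    return hashlib.sha256(x + key).digest()


def bound_response(role: bytes, r_mine: bytes, r_peer: bytes, key: bytes) -> bytes:
    """Hardened form (added here, not Check Point's fix): a keyed MAC over the
    responder's role and both nonces in responder-then-peer order, so neither
    reflecting a nonce nor zeroing it makes one side's answer equal the other's."""
    return hmac.new(key, role + r_mine + r_peer, "sha256").digest()


class Module:
    """One endpoint of the management/filter channel using the bound scheme."""

    def __init__(self, role: bytes, key: bytes) -> None:
        self.role, self.key = role, key
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        return bound_response(self.role, self.nonce, peer_nonce, self.key)

    def check(self, peer_role: bytes, peer_nonce: bytes, response: bytes) -> bool:
        # Reject an all-zero nonce and a nonce that merely echoes our own,
        # then recompute what the peer must have sent for its role.
        if peer_nonce == bytes(len(peer_nonce)) or peer_nonce == self.nonce:
            return False
        expected = bound_response(peer_role, peer_nonce, self.nonce, self.key)
        return hmac.compare_digest(expected, response)


def mutual_auth(mgmt: Module, fw: Module) -> bool:
    """Full exchange: each side challenges, each answers, each verifies."""
    r1 = mgmt.challenge()
    r2 = fw.challenge()
    ok_mgmt = mgmt.check(fw.role, r2, fw.respond(r1))
    ok_fw = fw.check(mgmt.role, r1, mgmt.respond(r2))
    return ok_mgmt and ok_fw


if __name__ == "__main__":
    r1 = bytes(range(16))                                  # constructed nonce
    print(weak_response_fwa1(r1, bytes(16), K) == weak_response_fwn1(r1, K))  # True: R2 = 0
    print(mutual_auth(Module(b"mgmt", K), Module(b"fw", K)))                  # True
```

The role byte string is what breaks the symmetry the slides exploit: even if both nonces were identical, the management module's expected answer is computed under b"fw" while the reflected value was computed under b"mgmt". The explicit nonce checks in check() are defence in depth on top of that; the slide's remaining item, "To be solved: encryption", is outside what this block addresses.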
  26. Hardening I
      • Disable implicit rules
        • DNS
        • control connections
        • ICMP
      • Restrictive access rules
        • no “any” sources or destinations
        • deny broadcast / multicast addresses
        • “minimal privilege”
      • Properly configure anti-spoofing mechanism
      • Filter protocol 94 (e.g. IP Filter)

  27. Hardening II
      • Different (virtual) IP addresses for public services
      • Restrict control connections
      • FWA1 authentication
      • VPN technology
      • More than one line of defense!

  28. Fixes by Check Point
      Solutions by Check Point available today at http://www.checkpoint.com/techsupport

  29. Thanks.
      Thomas Lopatic, John McDonald, Dug Song