
Defeating Next Gen Firewalls


Atlseccon 2016

evandentremont

April 10, 2016

Transcript

1. A Brief History Lesson
   • NAT
   • Stateful Firewalls
   • Port Based Rules
   • Application Based / Deep Packet Inspection
   • Active Probing
2. Current State of Affairs
   NGFWs are great for
   • beating script kiddies
   • beating mass scans
   • application control
     ◦ Bittorrent
     ◦ Netflix
   To be fair, this is 99.7% of attacks on the internet.
3. Current State of Affairs
   NGFWs don't work against sophisticated attackers / advanced threats
   “Not allowed to call it an APT if it's OWASP top 10” - the Grugq
4. Evasion
   Evasion on the inside is not (usually) picked up by the border firewall
   • Network visibility
   • Behind firewall
   • IDS doesn't typically inspect internal traffic.
5. Alert Fatigue
   • True positive
     ◦ 99.7% (check this) according to Fortigate
     ◦ Comparison to something to put in context
   • True Negative
     ◦ Legitimate traffic
   • False Negative
     ◦ Hurts more, not measurable
   • False Positive
     ◦ Affects reputation of vendor
6. IP Reputation
   Antivirus / host level detection model applied to networks
   • Rent a botnet...
   • How long does it take for reputations to circulate?
     ◦ About an hour.
   • Keep within the lag and switch IP
     ◦ #Snowshoes
7. IP Reputation - CDN
   • CDNs cause collateral damage
     ◦ everyone takes advantage of cloud
     ◦ You're effectively unbannable on a popular CDN
     ◦ Blocking AWS - 30% of web requests: Netflix, Airbnb, Yelp, Comcast, Slack, Adobe, NASA, Dow, CIA...
8. !Visibility
   Protocol tunneling / DNS / ICMP
   • DNS tunnel via authoritative servers
     ◦ Public code to do this!
       ▪ https://github.com/iagox86/dnscat2
     ◦ Add a PAM module that calls [email protected]
   • Tor
     ◦ Anonymity network prevents IP Reputation
   • Legal Dept
     ◦ Attacks that aren’t publicly disclosed may not be in signature lists (for liability reasons)
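A defensive counterpart to the DNS-tunnel bullet above, added here as an example and not part of the talk: a heuristic over a constructed DNS query log that flags zones receiving only long, high-entropy, never-repeated subdomains, the shape an encoded payload produces when every query must carry fresh data to the attacker's authoritative server. The log format, the "last three labels are the zone" split and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the talk): "client qname qtype" per line.
# Three lines are ordinary lookups; four carry long, high-entropy, never-repeated
# labels under one zone, which is how tunnelled data has to be encoded.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com A
10.0.0.7 mail.example.org MX
10.0.0.9 3q4kd9slz7fa2b8x.w0e1l2k3m4n5o6p7q8r9s0t1.tunnel.example.net TXT
10.0.0.9 8hj2lpq9x0m3zv5b.a1b2c3d4e5f6g7h8i9j0k1l2.tunnel.example.net TXT
10.0.0.9 zx92mfl0q7w3kd1v.m9n8b7v6c5x4z3l2k1j0h9g8.tunnel.example.net TXT
10.0.0.9 q0p9o8i7u6y5t4r3.e3w2q1a0s9d8f7g6h5j4k3l2.tunnel.example.net TXT
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels sit well above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_zone(qname, zone_labels=3):
    """Assumption: the last three labels are the zone the (attacker-controlled)
    authoritative server answers for; everything left of it is data-bearing."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])

def zone_stats(log_text):
    """Per zone: query count, distinct-subdomain ratio, mean label length and entropy."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0.0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qname, _qtype = line.split()
        zone, sub = split_zone(qname)
        z = agg[zone]
        z["queries"] += 1
        z["subs"].add(sub)
        z["len"] += len(sub)
        z["ent"] += shannon_entropy(sub)
    return {zone: {"queries": z["queries"],
                   "unique_ratio": len(z["subs"]) / z["queries"],
                   "mean_len": z["len"] / z["queries"],
                   "mean_entropy": z["ent"] / z["queries"]} for zone, z in agg.items()}

def tunnel_candidates(log_text, min_queries=3, min_len=30, min_entropy=3.5):
    """Zones whose every query carries a long, high-entropy, never-repeated label."""
    return sorted(zone for zone, s in zone_stats(log_text).items()
                  if s["queries"] >= min_queries and s["unique_ratio"] == 1.0
                  and s["mean_len"] >= min_len and s["mean_entropy"] >= min_entropy)

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE_LOG))  # ['tunnel.example.net']
```

Thresholds like these need tuning against a baseline of the site's own resolver logs, since CDN and anti-spam lookups also produce long machine-generated labels.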
9. Signatures
   • Content Analysis
     ◦ Deep inspection
       ▪ Computational complexity
       ▪ Latency
     ◦ Signature based detection
     ◦ IDS is reactive: have to know about it first
     ◦ Brittle, signature based; if modified, won't be found
       ▪ Loader around it and xor the binary.
       ▪ NOOP, obfuscation, etc.
10. Low Tech
   Simply bypassing a NGFW is a legitimate attack against a NGFW. Concern for internal personnel / contractors
   • Walk into NSA with a Taylor Swift CD-RW with a single song on it.
     ◦ Walk out with the Snowden Archives
   • Dialing out over phone network
     ◦ 1 (800) BAD-GUYS ext 146 398 832
   • Mail a RPi to a non-existent employee
     ◦ Physical access via their mailroom
11. Directly exploiting NGFW
   • Sending malformed executables that bork the signature detection
     ◦ They fail open
     ◦ Failsafe would be a DDOS. No easy answer
   • Magic Passwords
     ◦ Assuming vendor doesn’t drop the ball
12. Cryptography
   • Certs are cheap to free.
   • Let's Encrypt for malware
     ◦ https://letsencrypt.org/2015/10/29/phishing-and-malware.html
     ◦ “Not our job to be content watchdogs and a DV cert is not that” - Let’s Encrypt
   • Key pinning (HPKP)
     ◦ makes MITM implausible
     ◦ Facebook, Google, Dropbox, tor2web do it.
13. Cryptography
   • End to end crypto makes it harder
     ◦ Computationally expensive
     ◦ Introduces latency
     ◦ SNI collateral
   • SSL termination is usually impractical
     ◦ Not everyone can do it;
       ▪ University can, corp can. BYOD difficult,
       ▪ ISP can’t
     ◦ 11% of internet is SSL terminated.
     ◦ Not generally done at a national scale.
       ▪ Technically North Korea could
   • #redstarOS
14. OSI Layer 8
   • Moving further into OSI layers makes detection asymptotically more difficult
     ◦ HPKP means you can’t SSL terminate.
     ◦ Even if you could...
   • Hiding within legitimate traffic
     ◦ Infeasible in realtime
     ◦ Traditional; Hiding in images
     ◦ Hiding in videos - Youtube numbers station
     ◦ Hiding in syntax - HASK talk
15. The Point
   What are you trying to protect? If you’re pwned, what's the goal?
   • Your data?
     ◦ Data loss prevention / Data loss protection
       ▪ filter can't be rich or intrusive enough
   • jpg of SIN numbers over Facebook
   • Sabotage?
   • Vandalism?
16. What can I do?
   • Patch your shit - Julien Savoie
   • Only store what you need to
   • Airgapped storage
     ◦ Robot tape loaders
     ◦ Encrypted offline storage / at rest
     ◦ Cryptolocker
   • Host level security
     ◦ Encryption provides end to end security
     ◦ The bad guy controls one end;
     ◦ You control the other.
17. To be blunt;
   • On a scale of now to infinity… you are getting pwned.
   • How soon and what do you lose?
   • Minimizing impact is the goal.