Defeating Next Gen Firewalls

Atlseccon 2016

evandentremont

April 10, 2016
Transcript

  1. Defeating Next Gen Firewalls

  2. Topics
     • Past issues
     • Current issues
     • Future issues
     • What can I do?

  3. A Brief History Lesson
     • NAT
     • Stateful Firewalls
     • Port Based Rules
     • Application Based / Deep Packet Inspection
     • Active Probing

  4. Current State of Affairs
     NGFW are great for:
     • beating script kiddies
     • beating mass scans
     • application control
       ◦ Bittorrent
       ◦ Netflix
     To be fair, this is 99.7% of attacks on the internet.

  5. L33T Script Kitty

  6. Current State of Affairs
     NGFWs don't work against sophisticated attackers / advanced threats.
     “Not allowed to call it an APT if it's OWASP top 10” - the Grugq

  7. Current Issues

  8. Evasion
     Evasion on the inside is not (usually) picked up by the border firewall.
     • Network visibility
     • Behind firewall
     • IDS doesn't typically inspect internal traffic.

  9. Alert Fatigue
     • True positive
       ◦ 99.7% (check this) according to Fortigate
       ◦ Comparison to something to put in context
     • True Negative
       ◦ Legitimate traffic
     • False Negative
       ◦ Hurts more, not measurable
     • False Positive
       ◦ Affects reputation of vendor

  10. IP Reputation
     Antivirus / host-level detection model applied to networks.
     • Rent a botnet...
     • How long does it take for reputations to circulate?
       ◦ About an hour.
     • Keep within the lag and switch IP
       ◦ #Snowshoes

  11. IP Reputation 82.148.97.69

  12. IP Reputation 82.148.97.69

  13. IP Reputation - CDN
     • CDNs cause collateral damage
       ◦ everyone takes advantage of cloud
       ◦ You're effectively unbannable on a popular CDN
       ◦ Blocking AWS - 30% of web requests: Netflix, Airbnb, Yelp, Comcast, Slack, Adobe, NASA, Dow, CIA...

  14. !Visibility
     Protocol tunneling / DNS / ICMP
     • DNS tunnel via authoritative servers
       ◦ Public code to do this!
         ▪ https://github.com/iagox86/dnscat2
       ◦ Add a PAM module that calls [email protected]
     • Tor
       ◦ Anonymity network prevents IP Reputation
     • Legal Dept
       ◦ Attacks that aren't publicly disclosed may not be in signature lists (for liability reasons)
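The slide above notes that a DNS tunnel rides on ordinary lookups to an attacker-run authoritative server. The following is an added example, not code from the talk or from dnscat2: a small detector run over a constructed query log that flags registered domains receiving many distinct, long, high-entropy subdomains, which is the shape encoded tunnel traffic takes. The log format, the thresholds and the two-label "registered domain" rule are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample query log (not from the talk): "client qname qtype" per line.
# tunnel.example stands in for a domain whose authoritative server is a tunnel endpoint.
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 a9f3c2e1b7d4.t.tunnel.example TXT
10.0.0.7 0c4e8b19a2d7f6e5.t.tunnel.example TXT
10.0.0.7 f1e2d3c4b5a69788.t.tunnel.example TXT
10.0.0.7 9b8a7c6d5e4f3a2b1c0d.t.tunnel.example TXT
10.0.0.7 3e5d7c9b1a2f4e6d8c0b.t.tunnel.example TXT
10.0.0.5 cdn.example.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded tunnel payloads sit well above ordinary hostnames."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))

def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tunnel_candidates(log: str, min_unique: int = 4, min_entropy: float = 3.0,
                      min_len: int = 12) -> list:
    """Return registered domains whose leftmost labels look like encoded data:
    many distinct subdomains, long leftmost labels, high character entropy."""
    per_domain = defaultdict(lambda: {"subs": set(), "ent": [], "lens": []})
    for line in log.splitlines():
        _client, qname, _qtype = line.split()
        prefix = qname.rstrip(".").split(".")[:-2]
        if not prefix:
            continue  # bare registered domain, nothing to score
        s = per_domain[registered_domain(qname)]
        s["subs"].add(".".join(prefix))
        s["ent"].append(shannon_entropy(prefix[0]))
        s["lens"].append(len(prefix[0]))
    flagged = []
    for dom, s in per_domain.items():
        if (len(s["subs"]) >= min_unique
                and sum(s["ent"]) / len(s["ent"]) >= min_entropy
                and sum(s["lens"]) / len(s["lens"]) >= min_len):
            flagged.append(dom)
    return sorted(flagged)

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE_QUERIES))  # ['tunnel.example']
```

The thresholds are deliberately loose; on real resolver logs they need tuning per site, since CDN and anti-spam hostnames also produce long random-looking labels.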
  15. Signatures
     • Content Analysis
       ◦ Deep inspection
         ▪ Computational complexity
         ▪ Latency
       ◦ Signature based detection
       ◦ IDS is reactive: have to know about it first
       ◦ Brittle, signature based; if modified, won't be found
         ▪ Loader around it and XOR the binary.
         ▪ NOOP, obfuscation, etc.

  16. Low Tech
     Simply bypassing a NGFW is a legitimate attack against a NGFW.
     Concern for internal personnel / contractors
     • Walk into NSA with a Taylor Swift CD-RW with a single song on it.
       ◦ Walk out with the Snowden Archives
     • Dialing out over phone network
       ◦ 1 (800) BAD-GUYS ext 146 398 832
     • Mail a RPi to a non-existent employee
       ◦ Physical access via their mailroom

  17. Future Issues
     We're assuming we can even inspect traffic..

  18. Directly exploiting NGFW
     • Sending malformed executables that bork the signature detection
       ◦ They fail open
       ◦ Failsafe would be a DDoS. No easy answer
     • Magic Passwords
       ◦ Assuming vendor doesn't drop the ball

  19. Cryptography
     • Certs are cheap to free..
     • Let's Encrypt for malware
       ◦ https://letsencrypt.org/2015/10/29/phishing-and-malware.html
       ◦ “Not our job to be content watchdogs and a DV cert is not that” - Let's Encrypt
     • Key pinning (HPKP)
       ◦ makes MITM implausible
       ◦ Facebook, Google, Dropbox, tor2web do it.

  20. Cryptography
     • End to end crypto makes it harder
       ◦ Computationally expensive
       ◦ Introduces latency
       ◦ SNI collateral
     • SSL termination is usually impractical
       ◦ Not everyone can do it;
         ▪ University can, corp can. BYOD difficult,
         ▪ ISP can't
       ◦ 11% of internet is SSL terminated.
       ◦ Not generally done at a national scale.
         ▪ Technically North Korea could
     • #redstarOS

  21. OSI Layer 8
     • Moving further into OSI layers makes detection asymptotically more difficult
       ◦ HPKP means you can't SSL terminate.
       ◦ Even if you could...
     • Hiding within legitimate traffic
       ◦ Infeasible in realtime
       ◦ Traditional: hiding in images
       ◦ Hiding in videos - YouTube numbers station
       ◦ Hiding in syntax - HASK talk

  22. What's even the point?!

  23. The Point
     What are you trying to protect? If you're pwned, what's the goal?
     • Your data?
       ◦ Data loss prevention / data loss protection
         ▪ filter can't be rich or intrusive enough
       ◦ jpg of SIN numbers over Facebook
     • Sabotage?
     • Vandalism?
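To make the DLP point above concrete, here is an added example (not code from the talk or any DLP product): a minimal outbound filter for Canadian SIN numbers that uses the Luhn check to keep order numbers and tracking codes from becoming false positives (the alert-fatigue problem from slide 9), and that inspects only text bodies, so the slide's JPEG of the same digits passes untouched. The payload list, content-type rule and regex are assumptions for the example; 046 454 286 is the commonly used Luhn-valid sample SIN.

```python
import re

# Constructed sample outbound payloads (not from the talk): (content type, body).
SAMPLE_PAYLOADS = [
    ("text/plain", "Hi, my SIN is 046 454 286, can you set up payroll?"),
    ("text/plain", "Order #123456789 shipped, tracking 987-654-321"),
    ("text/plain", "Phone 555 123 4567 and ref 046-454-286"),
    # JPEG magic bytes followed by stand-in pixel data: the digits exist only as pixels.
    ("image/jpeg", b"\xff\xd8\xff\xe0<constructed pixel data>"),
]

# Three groups of three digits, optional space or dash separators, no digits on either side.
SIN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every valid SIN (and card PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sins(text: str) -> list:
    """Nine-digit groups that also pass Luhn; plain runs such as order numbers drop out."""
    return ["".join(m.groups()) for m in SIN_PATTERN.finditer(text)
            if luhn_ok("".join(m.groups()))]

def dlp_scan(payloads) -> dict:
    """Map payload index -> SINs found. Only text/* bodies are parsed; an image body
    is opaque to this filter, which is exactly the gap the slide describes."""
    findings = {}
    for idx, (ctype, body) in enumerate(payloads):
        if not ctype.startswith("text/"):
            continue
        hits = find_sins(body)
        if hits:
            findings[idx] = hits
    return findings

if __name__ == "__main__":
    print(dlp_scan(SAMPLE_PAYLOADS))  # {0: ['046454286'], 2: ['046454286']}
```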
  24. What can I do?

  25. What can I do?
     • Patch your shit - Julien Savoie
     • Only store what you need to
     • Airgapped storage
       ◦ Robot tape loaders
       ◦ Encrypted offline storage / at rest
       ◦ Cryptolocker
     • Host level security
       ◦ Encryption provides end to end security
       ◦ The bad guy controls one end;
       ◦ You control the other.

  26. To be blunt;
     • On a scale of now to infinity… you are getting pwned.
     • How soon and what do you lose?
     • Minimizing impact is the goal.

  27. Any Questions?
     I hereby unilaterally reserve the right to ignore 902 Nerds and their agents.