
Defeating Next Gen Firewalls



Atlseccon 2016


evandentremont

April 10, 2016


Transcript

  1. A Brief History Lesson
     • NAT
     • Stateful firewalls
     • Port-based rules
     • Application-based rules / deep packet inspection
     • Active probing
  2. Current State of Affairs
     NGFWs are great for:
     • beating script kiddies
     • beating mass scans
     • application control
       ◦ BitTorrent
       ◦ Netflix
     To be fair, this is 99.7% of attacks on the internet.
  3. Current State of Affairs
     NGFWs don't work against sophisticated attackers / advanced threats.
     “Not allowed to call it an APT if it's OWASP top 10” - the Grugq
  4. Evasion
     Evasion on the inside is not (usually) picked up by the border firewall.
     • Network visibility
     • Behind the firewall
     • An IDS doesn't typically inspect internal traffic.
  5. Alert Fatigue
     • True positive
       ◦ 99.7% (check this) according to Fortigate
       ◦ Needs a comparison to something to put it in context
     • True negative
       ◦ Legitimate traffic
     • False negative
       ◦ Hurts more, and is not measurable
     • False positive
       ◦ Affects the reputation of the vendor
  6. IP Reputation
     The antivirus / host-level detection model applied to networks.
     • Rent a botnet...
     • How long does it take for reputations to circulate?
       ◦ About an hour.
     • Stay within the lag and switch IPs
       ◦ #Snowshoes
  7. IP Reputation - CDN
     • CDNs cause collateral damage
       ◦ Everyone takes advantage of the cloud
       ◦ You're effectively unbannable on a popular CDN
       ◦ Blocking AWS (30% of web requests) means blocking Netflix, Airbnb, Yelp, Comcast, Slack, Adobe, NASA, Dow, CIA...
  8. !Visibility
     Protocol tunneling / DNS / ICMP
     • DNS tunnel via authoritative servers
       ◦ Public code to do this!
         ▪ https://github.com/iagox86/dnscat2
       ◦ Add a PAM module that calls [email protected]
     • Tor
       ◦ An anonymity network defeats IP reputation
     • Legal dept
       ◦ Attacks that aren't publicly disclosed may not be in signature lists (for liability reasons)
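The DNS tunnel on this slide works because the victim's resolver will forward a query for any name under a zone the attacker is authoritative for, so the data rides in the query name itself. The block below is an added example written for this page, not code from the talk or from dnscat2: it shows the client-side encoding (payload split into base32 labels under an assumed zone `t.example.com`), the server-side reassembly, and the cheap resolver-log heuristic a defender can run against it (long, high-entropy subdomains). The zone, label layout and thresholds are assumptions for illustration.

```python
import base64
import math
from collections import Counter

# Constructed for this example: a zone whose authoritative server the attacker runs.
# Any resolver on the path will forward queries for it (assumption, not from the talk).
TUNNEL_ZONE = "t.example.com"
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit on a full domain name


def encode_queries(payload: bytes, zone: str = TUNNEL_ZONE, labels_per_query: int = 3) -> list:
    """Turn a payload into the query names the tunnel client resolves, one at a time.

    Base32 is used because DNS names are case-insensitive and must stay within
    [a-z0-9-]; padding is dropped here and re-added by the decoder. Each query
    carries a hex sequence label so the server can reassemble out-of-order arrivals.
    """
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"{seq:04x}", *labels[i:i + labels_per_query], zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower labels_per_query")
        names.append(name)
    return names


def decode_queries(names: list, zone: str = TUNNEL_ZONE) -> bytes:
    """What the authoritative server does: strip the zone, order by sequence, join, decode."""
    chunks = []
    for name in names:
        labels = name[: -(len(zone) + 1)].split(".")
        chunks.append((int(labels[0], 16), "".join(labels[1:])))
    b32 = "".join(chunk for _, chunk in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_tunnel(qname: str, min_len: int = 50, min_entropy: float = 3.5) -> bool:
    """Cheap resolver-log heuristic: a long, high-entropy subdomain under one zone.

    Base32 carries at most log2(32) = 5 bits per character, while ordinary
    hostnames are short and repetitive. The last two labels are treated as the
    registrable domain (an approximation; a real detector would use the public
    suffix list). Thresholds are assumed values, not tuned against real traffic.
    """
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy
```

The heuristic is deliberately simple: it catches a naive tunnel like this one but not a slow, low-volume one that keeps names short, which is exactly the trade-off the slide is pointing at. Query volume per client to a single zone, and NXDOMAIN/TXT ratios, are the usual next signals.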
  9. Signatures
     • Content analysis
       ◦ Deep inspection
         ▪ Computational complexity
         ▪ Latency
       ◦ Signature-based detection
       ◦ An IDS is reactive: it has to know about the threat first
       ◦ Brittle: signature-based, so if the sample is modified it won't be found
         ▪ Put a loader around it and XOR the binary
         ▪ NOPs, obfuscation, etc.
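The "loader around it and XOR the binary" point is easy to show concretely. The block below is an added example for this page, not code from the talk: a constructed byte pattern stands in for a vendor content signature, a constructed blob stands in for the malware, and a minimal container stands in for the loader stub. The signature matches the plain blob, fails against what crosses the wire, and matches again on what the loader decodes in memory. The `LDR1` container format, the signature bytes and the key are all assumptions.

```python
# Constructed byte pattern standing in for an IDS/NGFW content signature
# (an assumption for this example; not a real rule from any vendor feed).
SIGNATURE = b"MZ\x90\x00EVIL_IMPLANT_v1"

# Constructed "malware": the signature bytes plus filler. Not real code.
SAMPLE_PAYLOAD = SIGNATURE + bytes(range(256))


def scan(blob: bytes, signatures=(SIGNATURE,)) -> list:
    """Fixed-pattern content match, which is what signature-based deep inspection does."""
    return [sig for sig in signatures if sig in blob]


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Self-inverse, so the same call decodes."""
    if not key or 0 in key:
        # A 0x00 key byte leaves every byte it touches unchanged, which can
        # leak fragments of the original pattern to the scanner.
        raise ValueError("key must be non-empty and contain no zero byte")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_loader(payload: bytes, key: bytes) -> bytes:
    """Wrap the XORed payload in a minimal container: magic, key, length, body.

    This is the 'loader around it' from the slide reduced to a data format;
    a real stub would carry the decode routine as code and run the result in memory.
    """
    body = xor_encode(payload, key)
    return b"LDR1" + bytes([len(key)]) + key + len(body).to_bytes(4, "big") + body


def run_loader(container: bytes) -> bytes:
    """Loader-side decode: parse the container and recover the original bytes."""
    if container[:4] != b"LDR1":
        raise ValueError("bad magic")
    klen = container[4]
    key = container[5:5 + klen]
    off = 5 + klen
    plen = int.from_bytes(container[off:off + 4], "big")
    body = container[off + 4:off + 4 + plen]
    return xor_encode(body, key)


def on_the_wire_vs_in_memory(payload: bytes = SAMPLE_PAYLOAD,
                             key: bytes = b"\xa5\x3c\x77\x19") -> dict:
    """What the firewall sees (the container) versus what actually executes (the decoded payload)."""
    container = build_loader(payload, key)
    return {
        "plain_hits": scan(payload),
        "wire_hits": scan(container),
        "decoded_hits": scan(run_loader(container)),
    }
```

This defeats only static pattern matching. Anything that executes or emulates the sample, flags the entropy of the blob, or carries a signature for the loader stub itself (here the `LDR1` magic would be a trivial one) still catches it, which is why the slide's "brittle" applies to the attacker's trick as much as to the defender's rule.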
  10. Low Tech
     Simply bypassing a NGFW is a legitimate attack against a NGFW. Concern for internal personnel / contractors.
     • Walk into the NSA with a Taylor Swift CD-RW with a single song on it
       ◦ Walk out with the Snowden archives
     • Dial out over the phone network
       ◦ 1 (800) BAD-GUYS ext 146 398 832
     • Mail a Raspberry Pi to a non-existent employee
       ◦ Physical access via their mailroom
  11. Directly exploiting the NGFW
     • Send malformed executables that break the signature detection
       ◦ They fail open
       ◦ Failing closed instead would turn every malformed file into a DoS. No easy answer
     • Magic passwords
       ◦ Assuming the vendor doesn't drop the ball
  12. Cryptography
     • Certs are cheap to free
     • Let's Encrypt for malware
       ◦ https://letsencrypt.org/2015/10/29/phishing-and-malware.html
       ◦ “Not our job to be content watchdogs and a DV cert is not that” - Let's Encrypt
     • Key pinning (HPKP)
       ◦ makes MITM implausible
       ◦ Facebook, Google, Dropbox, tor2web do it
  13. Cryptography
     • End-to-end crypto makes it harder
       ◦ Computationally expensive
       ◦ Introduces latency
       ◦ SNI collateral
     • SSL termination is usually impractical
       ◦ Not everyone can do it:
         ▪ A university can, a corp can; BYOD is difficult
         ▪ An ISP can't
       ◦ 11% of the internet is SSL terminated
       ◦ Not generally done at a national scale
         ▪ Technically North Korea could
     • #redstarOS
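Without TLS termination, the one thing a firewall still gets from an encrypted session is the Server Name Indication, sent in the clear in the ClientHello. The block below is an added example written for this page, not code from the talk: it builds a minimal TLS 1.2 ClientHello (constructed, fixed random, one cipher suite) with or without the `server_name` extension, parses the hostname back out the way a middlebox does, and makes the only decision an SNI filter can make. Hostnames and the blocklist are assumptions.

```python
import struct

SNI_EXTENSION = 0x0000   # extension type for server_name (RFC 6066)
HOST_NAME = 0            # NameType host_name


def build_client_hello(hostname=None) -> bytes:
    """Minimal TLS 1.2 ClientHello record, constructed for this example.

    Real hellos carry many cipher suites and extensions; the layout is the same.
    """
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
    body += b"\x01\x00"                                 # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Pull the cleartext hostname out of a ClientHello, as a middlebox does. None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        p = 2 + 32                                          # client_version + random
        p += 1 + body[p]                                    # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher_suites
        p += 1 + body[p]                                    # compression_methods
        if p + 2 > len(body):
            return None                                     # no extensions block at all
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != SNI_EXTENSION:
                continue
            q = 2                                           # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == HOST_NAME:
                    return data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
    except (IndexError, struct.error):
        return None
    return None


def sni_policy(record: bytes, blocked_hosts) -> str:
    """The decision an SNI-filtering NGFW can make without terminating TLS."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"   # bare-IP connections and old clients: allow or block blindly
    return "block" if host in blocked_hosts else "allow"
```

Two things fall out of this. The filter never sees the HTTP `Host` header, so a client that puts a shared CDN name in SNI and the real tenant in `Host` (domain fronting) looks like traffic to the CDN; and blocking a shared SNI name blocks every tenant behind it, which is the CDN collateral from slide 7 again.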
  14. OSI Layer 8
     • Moving further up the OSI layers makes detection asymptotically more difficult
       ◦ HPKP means you can't SSL terminate
       ◦ Even if you could...
     • Hiding within legitimate traffic
       ◦ Infeasible to detect in real time
       ◦ Traditional: hiding in images
       ◦ Hiding in videos: YouTube numbers station
       ◦ Hiding in syntax: HASK talk
  15. The Point
     What are you trying to protect? If you're pwned, what's the goal?
     • Your data?
       ◦ Data loss prevention / data loss protection
         ▪ The filter can't be rich or intrusive enough
         ▪ A JPG of SIN numbers over Facebook
     • Sabotage?
     • Vandalism?
  16. What can I do?
     • Patch your shit - Julien Savoie
     • Only store what you need to
     • Air-gapped storage
       ◦ Robot tape loaders
       ◦ Encrypted offline storage / at rest
       ◦ Cryptolocker
     • Host-level security
       ◦ Encryption provides end-to-end security
       ◦ The bad guy controls one end;
       ◦ You control the other.
  17. To be blunt:
     • On a scale of now to infinity... you are getting pwned.
     • How soon, and what do you lose?
     • Minimizing impact is the goal.