Special Issues for Penetration testing of Firewall

Transcription

1 보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 4 호, 2008년 8월 Special Issues for Penetration testing of Firewall Hoon Ko 1) Abstract A firewall is a device or software that controls the traffic of a network. Unfortunately, a firewall has also its weaknesses if not installed properly and appropriate security policy is not implemented. Penetrating a firewall can sometimes cause the network to be offline for several hours or even days (in case if any data was modified), so a methodology is required in order to minimize the damage that can be occurred during the penetration testing of a firewall, a 4-phase methodology to perform a firewall penetration testing is given. Keywords : Penetration Testing, Firewall Penetration Testing, Firewall 1. Introduction Typically, the firewall is placed between an organization network and the outside world (Internet, or another (untrusted) corporate network). We may want to protect information inside our network from being accessed by building internal fireballs. Principally, there are two types of fireballs Packet filtering gateways Application level gateways Packet filtering gateways use the source or destination host to determine if the packet is allowed to pass the gateway. In general, no context is needed or kept and decisions are made based by the information in the header of the current packet. You can define which addresses are trusted to pass the gateway. This sort of firewall is normally quite cheap to implement, as today most routers have filtering capabilities. However, logging and alarming is normally not supported by routers and FTP, X11 and DNS services are not easy to implement properly [2]. Another problem that could exist with using a packet filter as our firewall is the handling of IP fragments are handled. Normally, fragments are passed through the gateway as they are no threat to the inside system (either they can be reassembled and therefore the address/port of the first fragment was valid or they are dropped by the destination host) but if information leakage is a concern of yours, a Received(March 28, 2008), Review request(march 29, 2008), Review Result(1st:April 18, 2008, 2nd:May 08, 2008) Accepted(August 31, 2008) 1 Doctor Researcher GECAD,ISEP, IPP, Rua Dr. Antonio Bernardino de Almeida, 431, , Porto, Portugal hko@isep.ipp.pt 303

2 Special Issues for Penetration testing of Firewall packet filter may not be the best solution. A packet filtering gateway also has to have the capability to detect from which side (on which interface) a packet is arriving or it is vulnerable to an IP-spoofing attack Application level gateways (Proxies) do not rely on general purpose mechanisms to allow traffic to pass but use special purpose code for each desired service. The settings of filter rules do not need to be relied upon and therefore are not vulnerable to their possible interactions. One of the big advantages of application level gateways is their capability to log all incoming and outgoing traffic. Rules can be established that allow only certain persons/departments to use an outgoing service (like WWW or FTP). This can help to prevent disclosure or theft of company property. In addition to logging, proxy type firewall have the capability to examine these logs and produce an alarm ( message, pager notification) to the responsible administrator. These messages are created when the connection attempts that are made seem to be hostile or non-authorized. With these capabilities, the security personnel can either react to an attack or, after the incident, reconstruct what happened. 2. Penetrating a firewall 2.1 Outer Information gathering Outer Information gathering means attempting to obtain information from sources outside the target network so that the information probes cannot be detected by the target organization. Significant amount of information about the target firewall and network could be gathered at this phase. First, publicly available information from sources outside the network should be used. These are services like nslookup or whois to get an idea about the structure of the targeted network. This should principally not reveal inside information on the network but sometimes topologies are exported although this should not be the case. Another source of information is to search on the internet. Target s anonymous FTP and WWW servers could be accessed if they are available (listing directories on WWW servers if it is not disabled also can give useful information). A search of newsgroups for postings made by employees of the target. Annual reports and trade publications can yield important information, such as alliances with other companies (useful in determining potential attack channels from ) or important product areas. A search of Usenet postings can result in more useful information, such as machine names, user names, addresses, and interests. While some of the information obtained in these manners may not be directly useful, it may aid in a social engineering attack (should the clients of the pen test authorize such an attack). 2.2 Inner Information Gathering 304

3 보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 4 호, 2008년 8월 Inner information gathering involves information gathering from sources within the target network itself. The client organization is likely to notice the penetration team's activity at this phase. The first step is get the information that is available from the target network's DNS will include information about any firewall systems, possibly an internal mail host, any systems intended for public access that are located within in the DMZ, and perhaps several routers. After using nslookup to obtain information, the testing team next scans networks for hosts. This task can be time consuming, depending on the size of the target network, and we typically skip this task when the client requires that testing be accomplished within a very short time span. The least time is required when the only reachable part of the network is the DMZ and gateway systems therein. If the firewall allows scanning of the internal network(s), the testing team will gain information that is extremely useful in launching attacks later, but in this case scanning will typically require a considerable amount of time. Two methods for scanning network address spaces for hosts are available. Both involve attempting to connect to every possible IP address within an address space. The first method uses the ping command. The second method requires that the testing team attempt a connection to TCP port 25. Routers can drop ICMP echo (ping) packets, so sending at least three packets to each address is advisable. (We normally use 5 packets.) The TCP connection method is much slower, because the connection must wait to time out before it determines a host is unreachable. Some firewalls, however, will block ICMP echo requests, but not TCP connections to internal hosts. Every host that responds is a potential port of entry to the target's internal networks. 2.3 Outer Penetration Attacks on a firewall should be approached with extreme caution. An attack that modifies a firewall or causes it to crash can disrupt an entire network for hours and even days. So the test we stop the test at the point if a vulnerability is found, that can modify the settings and should be explained to the client what has been discovered and why was the test stopped. Once the testing team has a list of hosts and services, attacks on the target firewall and the network it protects are launched. This stage of activity, therefore, involves two distinct types of attacks. The first set of attacks is thus directed against the firewall itself. The second attacks are against hosts within the security perimeter that the firewall and possibly other components are supposed to create; the purpose of these attacks to determine how well the firewall screens these incoming attack attempts. A firewall's bastion host often runs services (for example. the mail daemon) that are not adequately secured. These services are the first targets of the attacks. Some firewalls allow telnet connections from IP addresses external to the network, and, worse yet, have numerous active accounts that should have been disabled, but 305

4 Special Issues for Penetration testing of Firewall were not. Even if a firewall is resistant to penetration from an external location, internal hosts and even hosts in the DMZ are often accessible from outside the network. Firewall construction doctrine dictates that any host in the DMZ, such as the ftp or www server, should be expendable systems (that is, breaching their security mechanisms should not put the network at greater risk). These expendable hosts are too often trusted by the firewall in some fashion. Once all attacks against the firewall have been launched, next are against host machines within the client s network. First, attempt to telnet, then use login to obtain a shell on these machines. Using different IP addresses from different domains to launch these attacks provides a better test of the robustness of the IP address screening rules. A test for trusted host access is also useful. The likelihood of success using telnet/rlogin and rlogin is, however, typically small. Next, need to determine whether available services can be used to gain access to these systems. Some of the most useful services to attack are the Network File System (NFS), the Network Information Service (NIS), and the mail daemon (sendmail). This phase of penetration should trigger alarms within the firewall and target hosts within the internal network; network administrators should notice the firewall testing activity shortly after it commences. Whether or not the testing activity is detected is, in fact, one of the most important findings that should be carefully documented in the report issued afterwards. 2.4 Inner penetration 306 The final step is to penetrate the firewall from an internal host within the client s network. In this phase the target is more often the operating system on which the firewall is running. Some good tools can be used to test for OS vulnerabilities (SATAN, ISS..). This part of the test also simulates the scenario in which an external attacker exploits leakage in a network s security perimeter to gain access to one or more internal hosts, then attacks the firewall from one or more of these hosts to modify the firewall, permitting free and easy external access to the network. The penetration testing activity should not result in any changes to the client s firewall, because changes are likely to be disruptive. The testing team should simply instead note how (if at all) the firewall can be compromised. If the Penetration in phase 3 is not successful, the client organization must grant the penetration testing team access to one or more internal hosts if phase 4 penetration is to proceed. If the firewall is not running some exposure-laden software in the first place, a sure way to gain root access on one or more hosts within the internal network is to install a network sniffer program within the network segment on which the firewall is located and wait for an administrator to connect. In this manner an administrator's login/password combination can be sniffed; obtaining this information in this manner makes

5 보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 4 호, 2008년 8월 gaining root access to the firewall easy. Trusted host access from a machine within the internal network is also often an effective attack method in phase Conclusion Proposed test methodology proceeds in four penetration phases. Phase 1 involves non-obtrusive information gathering in an attempt to gain sufficient information to allow meaningfully proceeding to deeper attack levels. Phase 2 entails intrusive, inner information gathering, although no active attempts to penetrate the network occur at this layer. Phase 3 attempts to penetrate the firewall and hosts within the target network are initiated from a host outside of the network. The final phase, phase 4, involves attempting to compromise the firewall security software, configuration, or operating system itself from hosts within the network Reference [1] Boran Sean, IT Security Cookbook, Draft V [2] Cheswick / Bellovin, Firewalls and Internet Security, Addison-Wesley, 1994 [3] Reto E. Haeni, Firewall Penetration Testing, 1997 [4] Cheswick, W.R. and Bellovin, S.M. (1994) Firewalls and Internet Security: Repelling the Wily Hacker. Reading, Mass.: Addison-Wesley [5] Schultz, E.E. (1996) Effective Firewall Testing. Computer Security Journal [6] Philip R. Moyer, A Systematic methodology for firewall Penetration testing Authors Hoon Ko Ph.D. School of Computing, Soongsil University, S Korea, August MS. School of Computing, Soongsil University, S Korea, February 2000nBS. Department of Computer Science, Howon University, Gunsan, S Korea, February Doctor Researcher GECAD, ISEP, IPP. Rua Dr. Antonio Bernardino de Almeida, 431, , Porto, Portugal 307

6 Special Issues for Penetration testing of Firewall 308