
How to bypass the firewall

How to bypass the firewall. Guo, Pei. November 06, 2006, Seminar "Computer Security". Why do we need the firewall? What is the firewall? How to bypass the firewall?



Presentation Transcript


  1. How to bypass the firewall Guo, Pei November 06, 2006

  2. Why do we need the firewall? What is the firewall? How to bypass the firewall? Seminar "Computer Security" November 06, 2006

  3. Part I: Why do we need the firewall?

  4. Why do we need the firewall?
  • When the Internet emerged it was purely research-oriented, and its communication protocols were designed for a far more benign and safe environment than today's.
  • By the end of the last century there were over one million computer networks and well over one billion users; the Internet has drifted steadily away from its original form and its environment is much less trustworthy. It contains all the dangerous situations, nasty people and risks that we find in real-life society as a whole.
  • When a network is connected to the outside, communication between the two is bi-directional. It is therefore very important for users to protect their local systems from malicious attacks from the outside.

  5. Part II: What is the firewall?

  6. Terminology of the firewall
  • In common usage, the term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another.
  • In computer science, a "fire wall" is a kind of gateway that restricts and controls the flow of traffic between networks, typically between an internal network and the Internet. It is inserted between your network and the outside network to build a controlled link and an outer security wall.

  7. Characteristics of the firewall
  • All traffic between the inside and outside networks must pass through, and be checked by, the firewall.
  • Only authorized traffic, as defined in the local security policy, is allowed to pass the firewall.
  • The firewall itself is immune to penetration.

  8. Capabilities of the firewall
  • A firewall should keep unauthorized users out of the protected network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing and routing attacks.
  • A firewall should provide a location for monitoring, auditing and alarming on security-related events.
  • A firewall should be a convenient platform for some Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.

  9. Limitations of the firewall
  • The firewall can NOT protect against attacks that bypass the firewall.
  • The firewall can NOT protect against internal threats.
  • The firewall can NOT protect against the transfer of virus-infected programs or files.

  10. Generations of the firewall
  • Firewall technology appeared in the late 1980s, when the Internet was still a fairly new technology in terms of its global use and connectivity.
  • Generations:
    - Packet filtering: the first paper on it was published in 1988
    - Stateful inspection: early 1990s
    - Circuit-level gateway: 1980 - 1990
    - Application-level gateway: 1990s
    - Other generations: any or all of the above can be combined

  11. Some knowledge related to the firewall
  • OSI model (diagram of the seven layers; not included in the transcript)

  12. The common types of the firewall
  • Type 1: Packet-filtering router
  • Network layer firewall
  • The original and most basic firewall
  • Controls the flow of data using the information in the packet header:
    - Source address
    - Destination address
    - Protocol used for transferring the data
  • Direct connection between the internal network and the outside network
  (diagram: the private network behind the packet-filtering router; not included in the transcript)

  13. The common types of the firewall
  • Type 1: Packet-filtering router
  • PROS:
    - Transparency and high performance
    - Easy to implement and maintain
    - Application independence
  • CONS:
    - Low security
    - No screening above the network layer (no 'state' or application-context information)

  14. The common types of the firewall
  • Type 2: Stateful inspection
  • Also known as dynamic packet filtering
  • Adds stateful inspection modules between the data-link layer and the network layer
  • Extracts the state-related information required for security decisions from the application layers and maintains it in dynamic state tables for evaluating subsequent connection attempts
  • Direct connection between the inside and outside networks
  (diagram: the private network behind the stateful inspection firewall; not included in the transcript)

  15. The common types of the firewall
  • Type 2: Stateful inspection
  • PROS:
    - Higher security than a packet-filtering router
    - Extensibility, transparency and high performance
  • CONS:
    - No application-level security is provided
    - Does not look at packets as closely as an application-level gateway
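The difference between the Type 1 and Type 2 firewalls on slides 12 to 15 is easiest to see in code. The following is an added example written for this transcript, not code from the slides: a stateless packet filter and a stateful one applied to the same constructed traffic. The address plan (192.168.1.0/24 as the inside network), the policy (inside hosts may open web connections) and the packets are all assumptions made for the example. The point it shows is that a stateless router that must admit replies can only do so with a rule on header fields ("outside to inside with ACK set"), which also admits an unsolicited ACK probe, while the state table admits only packets that belong to a connection opened from inside.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example: one internal /24, everything else is "outside".
INTERNAL = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def stateless_filter(pkt: Packet) -> bool:
    """Type 1 packet-filtering router: decides on header fields alone.

    Policy: inside hosts may open TCP connections to outside web servers (port 80).
    Because the router keeps no state, replies can only be admitted by a rule on
    header fields, and the usual choice is "outside -> inside with ACK set".
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 80:
        return True                      # outbound request
    if not is_internal(pkt.src) and is_internal(pkt.dst) and "A" in pkt.flags:
        return True                      # looks like a reply; the router cannot tell
    return False                         # default deny


class StatefulFilter:
    """Type 2 stateful inspection: keeps a table of connections opened from inside."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            if "F" in pkt.flags or "R" in pkt.flags:   # connection closing: forget it
                self.table.discard(forward)
                self.table.discard(reverse)
            return True                  # belongs to a known connection
        # Only a SYN from inside to an outside web server may create a new entry.
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and pkt.dport == 80 and pkt.flags == "S"):
            self.table.add(forward)
            return True
        return False


# Constructed traffic: a legitimate web session, then unsolicited probes from outside.
TRAFFIC = [
    ("client SYN to web server", Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S")),
    ("server SYN/ACK reply", Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA")),
    ("client ACK completing handshake", Packet("192.168.1.10", 40000, "203.0.113.5", 80, "A")),
    ("unsolicited ACK to internal SSH port", Packet("198.51.100.7", 1234, "192.168.1.10", 22, "A")),
    ("unsolicited SYN to internal SSH port", Packet("198.51.100.7", 1234, "192.168.1.10", 22, "S")),
]


def run_traffic() -> dict[str, tuple[bool, bool]]:
    """Return {description: (stateless verdict, stateful verdict)} for TRAFFIC, in order."""
    stateful = StatefulFilter()
    return {desc: (stateless_filter(p), stateful.filter(p)) for desc, p in TRAFFIC}


if __name__ == "__main__":
    for desc, (a, b) in run_traffic().items():
        print(f"{desc:40s} stateless={'pass' if a else 'drop':4s} stateful={'pass' if b else 'drop'}")
```

Run the file and compare the fourth line: the stateless router passes the unsolicited ACK because it cannot distinguish a reply from a probe, which is exactly the "no 'state' information" weakness listed under the Type 1 CONS; the stateful filter drops it because no entry in its table matches.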

  16. The common types of the firewall
  • Type 3: Circuit-level gateway
  • Transport layer firewall
  • Creates a circuit (connection) between the internal host and the outside server by acting as an agent, without interpreting the application-level information
  • More like a packet filter with the ability to hide the client
  (diagram: the private network behind the circuit-level gateway; not included in the transcript)

  17. The common types of the firewall
  • Type 3: Circuit-level gateway
  • PROS:
    - Higher security than a packet-filtering router
    - Higher performance than an application-level gateway
    - Can be implemented for a large number of protocols, as there is no need to comprehend the information at the application protocol level
  • CONS:
    - Once a connection is established, it is always possible to send malicious data in the packets.

  18. The common types of the firewall
  • Type 4: Application-level gateway
  • Application layer firewall
  • Performs all the basic functions of the circuit-level gateway, with better traffic monitoring
  • Comprehends information at the higher levels of the TCP/IP stack, up to the application layer
  • Does not allow direct connections between an internal host and an external server under any circumstances
  (diagram: the private network behind the application-level gateway; not included in the transcript)

  19. The common types of the firewall
  • Type 4: Application-level gateway
  • PROS:
    - Good security
    - Full application-layer awareness
  • CONS:
    - Poor performance
    - Limited application support
    - Poor scalability (breaks the client/server model)

  20. Part III: How to bypass the firewall?

  21. How to bypass the firewall?
  • "Legal" ways:
    - IP address spoofing
    - Source routing
    - Tiny fragments
  • "Illegal" ways:
    - Rootkit
    - Trojan

  22. Terminology of IP address spoofing
  IP address spoofing can be defined as the intentional misrepresentation of the source IP address in an IP packet, in order to conceal the identity of the sender or to impersonate another computing system. In IP address spoofing, the user gains unauthorized access to a computer or a network by making it appear that the message comes from a trusted machine, by "spoofing" the IP address of that machine.

  23. Theory of IP address spoofing
  • The Internet Protocol (IP) is a network protocol operating at the network layer of the OSI model. It is a connectionless model, meaning that no information about transaction state is kept; it is used to route packets on a network. The basic unit of data transfer in a packet network is called an IP packet.
  • IP packet header: (diagram of the header fields; not included in the transcript)

  24. Theory of IP address spoofing
  • The Transmission Control Protocol (TCP) operates at the transport layer of the OSI model. Unlike IP, TCP uses a connection-oriented design: the parties in a TCP session must first build a connection via the 3-way handshake (SYN, SYN/ACK, ACK).
  • TCP packet header: (diagram of the header fields; not included in the transcript)

  25. Theory of IP address spoofing
  • The TCP/IP protocol suite uses numeric identifiers called IP addresses to uniquely identify computers on a network.
  • Some systems rely on source IP addresses as a means of authentication: access to a system, or to services provided by a system, is decided based on the claimed source IP address contained in the packet. Using certain tools, users can easily modify these addresses, specifically the "source address" field, in order to bypass the firewall.

  26. Theory of IP address spoofing
  A impersonates C (the trusted machine) to spoof B: (diagram showing hosts A, B and C; not included in the transcript)
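Slide 8 lists "protection from various kinds of IP spoofing" among the things a firewall should provide, and slides 22 to 26 explain the attack. The standard countermeasure for the scenario on slide 26 is the address-based sanity check known as ingress/egress filtering (RFC 2827), applied on each firewall interface. The block below is an added example written for this transcript, not code from the slides; the interface names, the inside prefix 192.168.1.0/24, the list of unroutable prefixes and the sample packets are assumptions made for the example.

```python
import ipaddress

# Constructed network plan for this example (not from the slides): the firewall has an
# "inside" interface on 192.168.1.0/24 and an "outside" interface towards the Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

# Source addresses that can never legitimately arrive from the Internet.
UNROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def anti_spoof(iface: str, src: str) -> tuple[str, str]:
    """Return ("accept"|"drop", reason) for a packet arriving on `iface` with source `src`.

    Outside: a packet claiming an internal (or otherwise unroutable) source is forged,
    because such packets can only originate inside (RFC 2827 ingress filtering).
    Inside: a packet whose source is not one of our prefixes is an inside host
    impersonating someone else (egress filtering), which we also refuse to forward.
    """
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "external packet claims an internal source address"
        if _in_any(addr, UNROUTABLE):
            return "drop", "external packet has an unroutable source address"
        return "accept", ""
    if iface == "inside":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "internal host is sending with a foreign source address"
        return "accept", ""
    raise ValueError(f"unknown interface {iface!r}")


# The scenario on the slide: attacker A (outside) sends to B (inside) using the address
# of the trusted host C (inside) as source. All addresses are constructed.
SCENARIO = [
    ("A -> B forged as C", "outside", "192.168.1.5"),
    ("genuine packet from an Internet host", "outside", "203.0.113.9"),
    ("outside packet with loopback source", "outside", "127.0.0.1"),
    ("inside host with its own address", "inside", "192.168.1.10"),
    ("inside host forging an Internet address", "inside", "203.0.113.9"),
]


def run_scenario() -> dict[str, str]:
    """Return {description: action} for every packet in SCENARIO."""
    return {desc: anti_spoof(iface, src)[0] for desc, iface, src in SCENARIO}


if __name__ == "__main__":
    for desc, iface, src in SCENARIO:
        action, reason = anti_spoof(iface, src)
        print(f"{desc:42s} {iface:8s} {src:15s} {action:6s} {reason}")
```

Note the limit of this check: it catches a forged packet only when the claimed source belongs to a prefix that cannot appear on that interface. If the trusted host C is itself somewhere on the Internet, the firewall has no way to tell A's packet from C's, which is why relying on the source address as authentication (slide 25) is weak in the first place.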

  27. Terminology of source routing
  Source routing is a technique by which the sender of a packet can specify the route the packet should take through the network. As a packet travels through the network, each router normally examines the "destination IP address" and chooses the next hop to forward the packet to. In source routing, the "source" (i.e. the sender) makes some or all of these decisions.

  28. Theory of source routing
  A: sender, F: destination. To bypass the firewall, the sender A specifies the route: A -> B -> C -> D -> E -> F (diagram showing hosts A to F; not included in the transcript)

  29. Terminology of tiny fragment
  The tiny fragment attack is a means by which the user uses IP fragmentation to create extremely small fragments and force the TCP header information into a separate packet fragment. It is designed to bypass filtering rules that depend on TCP header information. The user hopes that only the first fragment is examined by the filtering router and the remaining fragments are passed through.

  30. Theory of tiny fragment
  TCP header information: (diagram of the TCP header split across fragments; not included in the transcript)
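Both of the "legal" ways on slides 27 to 30 can be recognised from the IP header alone, which is why a packet-filtering router can defend against them even without state. The block below is an added example written for this transcript, not code from the slides: it parses a raw IPv4 header, drops packets carrying a loose or strict source route option (option codes 131 and 137 from RFC 791), and applies the two fragment checks from RFC 1858 (drop a first TCP fragment too short to hold the header fields, and drop a fragment at offset 1, which could overwrite the flags of a first fragment that already passed). The minimum header length TMIN, the packet builder and the sample packets are assumptions made for the example; the checksum is left zero because nothing here verifies it.

```python
import socket
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPOPT_EOOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source route option codes (RFC 791)
# Policy value chosen for this example: a first fragment of a TCP segment must carry at
# least this many bytes of TCP header (the flags byte sits at offset 13).
TMIN = 16


@dataclass(frozen=True)
class Verdict:
    action: str   # "accept" or "drop"
    reason: str


def option_types(opts: bytes) -> list[int]:
    """Walk the IPv4 options area and return the option type codes it contains."""
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOOL:
            break
        types.append(t)
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += opts[i + 1]
    return types


def inspect(packet: bytes) -> Verdict:
    """Apply the source-route and fragment checks to one raw IPv4 packet."""
    if len(packet) < 20:
        return Verdict("drop", "truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return Verdict("drop", "not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return Verdict("drop", "bad header length")
    try:
        opts = option_types(packet[20:ihl])
    except ValueError as exc:
        return Verdict("drop", str(exc))
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        # The sender is dictating the path, so the filter cannot trust where it came from.
        return Verdict("drop", "source routing option present")
    frag_offset = flags_frag & 0x1FFF          # in 8-byte units
    transport_len = len(packet) - ihl
    if proto == IPPROTO_TCP:
        if frag_offset == 0 and transport_len < TMIN:
            return Verdict("drop", "tiny first fragment, TCP header incomplete (RFC 1858 sec. 3)")
        if frag_offset == 1:
            return Verdict("drop", "fragment at offset 1 could overwrite TCP flags (RFC 1858 sec. 4)")
    return Verdict("accept", "")


def build_ipv4(src, dst, proto, payload, options=b"", more_fragments=False, frag_offset=0) -> bytes:
    """Build a raw IPv4 packet for testing (checksum left zero; never verified here)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl_words = (20 + len(options)) // 4
    flags_frag = ((1 if more_fragments else 0) << 13) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         20 + len(options) + len(payload), 1, flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


# Constructed sample packets: a 20-byte TCP SYN header and three hostile variants.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
LSRR = b"\x83\x07\x04" + socket.inet_aton("192.0.2.1")   # type 131, length 7, pointer 4, one hop
SAMPLES = {
    "plain_tcp": build_ipv4("203.0.113.9", "192.168.1.10", IPPROTO_TCP, TCP_SYN),
    "source_routed": build_ipv4("203.0.113.9", "192.168.1.10", IPPROTO_TCP, TCP_SYN, options=LSRR),
    "tiny_first_fragment": build_ipv4("203.0.113.9", "192.168.1.10", IPPROTO_TCP, TCP_SYN[:8],
                                      more_fragments=True),
    "offset_one_fragment": build_ipv4("203.0.113.9", "192.168.1.10", IPPROTO_TCP, TCP_SYN[8:16],
                                      more_fragments=True, frag_offset=1),
    "later_fragment": build_ipv4("203.0.113.9", "192.168.1.10", IPPROTO_TCP, b"GET / HTTP/1.0\r\n",
                                 frag_offset=5),
}


def run_samples() -> dict[str, str]:
    """Return {sample name: action} for every packet in SAMPLES."""
    return {name: inspect(pkt).action for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = inspect(pkt)
        print(f"{name:22s} {v.action:6s} {v.reason}")
```

The "tiny_first_fragment" sample is the slide 29 case: only the ports and sequence number fit in the first fragment, so a router that decides on TCP flags would see nothing to object to. Dropping any first fragment shorter than TMIN removes that gap, and dropping offset-1 fragments closes the related trick of overwriting the flags of an already-accepted first fragment. "later_fragment" is accepted here because a fragment at offset 5 cannot carry header fields; a real filter would still need its first fragment to have passed.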

  31. Concrete example of bypassing the firewall - SSH
  • Prerequisites:
  • A computer at home that you can leave connected to the Internet while you are at work. The Internet connection at home should be fast, usually cable or DSL. (Technically this can work with a dial-up modem connection, but it may cause problems and it is really slow.)
  • Linux, Unix, or Microsoft Windows NT, 2000 or XP installed on your computer at home.
  • Linux, Unix or any flavor of Windows on your computer at work.

  32. Concrete example of bypassing the firewall - SSH
  • Run an SSH server on your computer at home.
  • Use an SSH client on your computer at work to create a secure tunnel between your home and work computers.
  • Enable dynamic forwarding in the SSH client to simulate a SOCKS proxy.
  • Configure Internet Explorer to use the SOCKS proxy for network traffic instead of connecting directly.

  33. Concrete example of bypassing the firewall - SSH
  Using an SSH tunnel with dynamic forwarding: (diagram of the tunnel between the work and home computers; not included in the transcript)

  34. Rootkit
  A rootkit (also written "root kit") is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder maintain access to a system while avoiding detection. Rootkits are known to exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows.

  35. Trojan
  In computer software, a Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software. The term is derived from the classical myth of the Trojan Horse. Such programs may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Often the term is shortened to simply "Trojan".

  36. Part IV: Conclusion

  37. Review
  • The need for and origin of the firewall
  • The essentials of the firewall:
    - The definition, characteristics and capabilities/limitations of the firewall
    - The generations and types of the firewall
  • The principles of how to bypass the firewall:
    - "Legal" ways
    - "Illegal" ways

  38. Thanks, all of you!!!
