A comprehensive analysis of firewalls and firewall penetration - vulnerability warning - the black bar safety net

Source: www.myhack58.com (MYHACK58:62200716743)
Author: 佚名 (Anonymous)
Date: Aug 31, 2007, 12:00 a.m.

Firewall overview

A firewall is a function that isolates an internal network from an external network or the Internet in order to protect the internal network or its hosts. A simple firewall can be provided by a router or by the ACL (access control list) of a layer-3 switch; it can also be implemented on a host, or even on a whole subnet. More complex firewalls are bought as dedicated hardware appliances or implemented as software firewalls.

The functions of a firewall are:

1. Filter out unsafe services and illegal users.

2. Control access to specific sites.

3. Provide a convenient point for monitoring Internet security and raising early warnings.

A firewall is not a panacea; there are many situations in which it is powerless:

1. A firewall cannot defend against attacks that bypass it. For example, if the firewall does not restrict connections from the internal network to the external network, some internal users may establish direct links to the Internet that bypass the firewall, creating a potential backdoor. A malicious external user can then connect directly to such an internal user's machine and use it as a stepping stone to launch unrestricted attacks around the firewall.

2. A firewall is not an anti-virus wall; it cannot stop viruses from spreading inside the data that crosses the network.

3. A firewall is powerless against data-driven attacks.

Therefore we cannot rely excessively on the firewall. Network security is a whole, not one particularly good configuration; it follows the "barrel principle": the shortest stave decides how much the barrel holds.

In general, firewalls offer the following features:

1. Broad service support: by combining dynamic, application-layer filtering with an authentication step, they can support WWW browsers, HTTP servers, FTP and so on.

2. Encryption of private data: ensuring that VPNs and business activities carried out over the Internet are not compromised.

3. Client authentication: only specified users may access the internal network or selected services; this is an additional component for secure communication between the enterprise LAN and branch offices, business partners and mobile users.

4. Anti-spoofing: spoofing is a common means of gaining access from the external network by making a packet appear to originate from inside the network. The firewall can monitor such packets and discard them.

5. C/S mode and cross-platform support: the management module can run on one platform while the monitoring module runs on another.

Let's look at how traditional firewalls work, with their advantages and disadvantages:

1. How (traditional) packet filtering firewalls work

Packet filtering works at the IP layer, so it can be done entirely by a router. A packet filter decides whether to let a packet through based on header information: source IP address, destination IP address, source port, destination port, and the direction in which the packet is travelling. The filtering criteria, such as IP addresses, are defined by the user. Because inspection happens at the network layer, independent of the application layer, packet filtering is widely used: the CPU time spent on filtering is negligible, and the protection is transparent to users, so legitimate users entering and leaving the network do not notice it at all and find it very easy to use. The system therefore has good throughput and is easy to extend. However, this type of firewall is less secure, because it is unaware of application-layer information: it does not understand the content of the communication, cannot filter at the user level, and so cannot distinguish different users or prevent IP address theft. If an attacker sets their host's IP address to that of a valid host, they can easily pass the packet filter, so the network is easier to break into. Given this working mechanism, packet filtering firewalls have the following defects:

Communication information: a packet filtering firewall only sees part of the packet header;

Communication and application state: a packet filtering firewall is stateless, so it cannot retain communication and application state information;

Information processing: a packet filtering firewall's capacity to process information is limited.

For example, take the Unicode vulnerability in Microsoft IIS. The attack travels over port 80, which the firewall allows, and a packet filtering firewall cannot verify packet contents, so in this case the firewall is a mere dummy: if the system providing the web service has not been patched, an attacker can easily obtain superuser privileges despite the firewall barrier.
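The limitation described above, shown as an added example (not code from the article): a stateless packet filter model that decides from header fields only, beside the application-layer check that an application gateway could apply to the same port-80 request. The addresses, rules and packets are constructed samples.

```python
"""Stateless packet filter model (added example, not from the article). The
filter consults header fields only and never reads the payload, so a port-80
request carrying an encoded directory traversal passes like a benign one, and
a packet whose source address is forged to match a trusted host is accepted
on the same terms. All addresses and rules are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    direction: str        # "in" = Internet -> protected net, "out" = reverse
    payload: bytes = b""  # present on the wire, invisible to the packet filter


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and self.dst_port in (None, p.dst_port))


# Constructed policy: the public web server accepts port 80 from anywhere,
# telnet to it only from one trusted admin host, everything else is denied.
WEB_SERVER = "192.0.2.10"
TRUSTED_ADMIN = "198.51.100.5"
RULES = [
    Rule("allow", "in", "tcp", dst=WEB_SERVER + "/32", dst_port=80),
    Rule("allow", "in", "tcp", src=TRUSTED_ADMIN + "/32",
         dst=WEB_SERVER + "/32", dst_port=23),
    Rule("deny"),
]


def packet_filter(p: Packet, rules=RULES) -> str:
    """First matching rule wins. Only header fields are consulted."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def app_layer_inspect(p: Packet) -> str:
    """What an application gateway can do and a packet filter cannot: decode
    the HTTP request path and refuse directory traversal, including the
    overlong UTF-8 form (0xC0/0xC1 lead bytes are never valid UTF-8)."""
    parts = p.payload.split(b" ", 2)
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        return "deny"                      # not a well-formed request line
    path = unquote_to_bytes(parts[1])
    if b"\xc0" in path or b"\xc1" in path or b"../" in path or b"..\\" in path:
        return "deny"
    return "allow"


# Constructed sample packets, all inbound to the web server.
BENIGN = Packet("203.0.113.7", WEB_SERVER, "tcp", 80, "in",
                b"GET /index.html HTTP/1.0\r\n\r\n")
TRAVERSAL = Packet("203.0.113.7", WEB_SERVER, "tcp", 80, "in",
                   b"GET /scripts/..%c0%af../x HTTP/1.0\r\n\r\n")
SPOOFED_TELNET = Packet(TRUSTED_ADMIN, WEB_SERVER, "tcp", 23, "in")
STRANGER_TELNET = Packet("203.0.113.7", WEB_SERVER, "tcp", 23, "in")
```

The filter returns "allow" for both port-80 packets and cannot tell the spoofed telnet packet from a genuine one; only the application-layer check separates the traversal request from the benign one.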

The weaknesses of packet filtering firewalls can be addressed at the application layer. Next we look at application-layer gateways.

2. Application gateways

1) The application proxy server (Application Gateway Proxy)

Authorization checks and proxy services are provided at the application layer. When an outside host tries to access the protected network, it must first authenticate to the firewall. Once authentication succeeds, the firewall runs a program written specifically for that network service, which relays between the external host and the internal host. During this process the firewall can restrict which hosts the user may access, at what times, and in what way. Likewise, a user inside the protected network who wants to reach the external network must first log in to the firewall and pass verification before access is granted.

The advantage of the application gateway proxy is that it hides internal IP addresses and can authorize individual users: even if an attacker steals a legitimate IP address, they still have to pass rigorous authentication. The application gateway therefore offers higher security than a packet filter. However, this authentication makes the gateway non-transparent: every user connection is subject to authentication, which is inconvenient for users, and the proxy technique requires a dedicated program to be written for each application.

2) The circuit-level proxy server

This is the proxy server in the usual sense. It works with more than one protocol, but it cannot interpret the application protocol and has to obtain the information it needs by other means, so a circuit-level proxy usually requires modified client programs.

A Sockets server is a circuit-level proxy server. Sockets is an international standard at the application layer of the network. When a client on the protected network exchanges information with the external network, a service controller on the firewall checks the client's user ID, source IP address and destination IP address; only after confirmation does the service controller establish the connection to the external server. To the user, the exchange of information between the protected network and the external network is transparent, and the firewall's presence is not felt, because network users do not need to log in to the firewall. But the client software must support the "Socketsified API", and users of the protected network appear on the public network with the firewall's IP address.

3) The escrow server

Escrow server technology moves insecure services such as FTP and Telnet onto the firewall, which then acts as the server for them and answers external requests. Compared with application-layer proxies, escrow server technology does not require a specially written program for each service. Moreover, users inside the protected network who want to access the outside first log in to the firewall and then issue their requests, so from the outside only the firewall is visible; internal addresses are hidden, which improves security.

4) IP tunnels (IP Tunnels)

If two subsidiaries of a large company are far apart and communicate over the Internet, IP tunnels can be used to prevent hackers on the Internet from intercepting the information, thus forming a virtual enterprise network over the Internet.

5) Network address translation (NAT, Network Address Translate)

When a protected network is connected to the Internet, its users must use valid IP addresses to reach the Internet. But legitimate Internet IP addresses are limited, and protected networks often have their own plan of informal IP addresses. A network address translator on the firewall holds a pool of legitimate IP addresses. When an internal user wants to access the Internet, the firewall dynamically selects an unassigned address from the pool and assigns it to the user, who then communicates with that legal address. For certain internal servers, such as web servers, the translator can assign a fixed legal address, so that external users can reach the internal server through the firewall. This technique not only eases the conflict between a small number of IP addresses and a large number of hosts, but also hides internal hosts' IP addresses from the outside, improving security.

6) The split domain name server (Split Domain Name Server)

This technique isolates the protected network's domain name server from the external network's domain name server at the firewall, so that the external DNS server can only see the firewall's IP address and learns nothing about the internals of the protected network. This ensures that the protected network's IP addresses are not known to the outside.

7) Mail forwarding (Mail Forwarding)

When the firewall uses the techniques above so that the external network knows only the firewall's IP address and domain name, mail from the outside can only be sent to the firewall. The firewall then checks the mail, and only if the sending host is allowed through does it rewrite the destination address and pass the mail to the internal mail server, which forwards it.

Application gateways inspect every application-layer packet and feed the contents into the decision, so security improves. However, they break the client/server model: every client/server exchange needs two connections, one from the client to the firewall and another from the firewall to the server. In addition, each proxy needs its own application process or background service, so whenever a new application appears it must be added to the service program, otherwise it cannot be used; scalability is poor. Given this mechanism, application gateway firewalls have the following defects:

Connection limits: each service needs its own proxy, so the number of services that can be provided and the scalability are limited;

Technical limits: the application gateway cannot proxy UDP, RPC and other services of that protocol family;

Performance: an application gateway firewall is achieved at the expense of some system performance.

Firewall architectures and their combinations

1. The screening router (Screening Router)

This is the most basic firewall component. It can be a router built by a specialist manufacturer, or a host can be used instead. The screening router is the only channel between inside and outside, so every packet must pass its check. Packet filtering software working at the IP layer can be installed on the router to provide the filtering function. Many routers come with packet filter configuration options, but these are generally rather simple.

The danger zone of a firewall built only from a screening router includes the router itself and every host the router allows access to. Its drawback is that once it is compromised, the compromise is very hard to discover afterwards, and it cannot distinguish between users.

2. The dual-homed gateway (Dual Homed Gateway)

Any system with several interface cards is called multi-homed; a dual-homed gateway is a host with two network cards acting as the firewall. One card connects to the protected network and the other to the external network. Firewall software running on the host can forward applications, provide services and so on.

Where the dual-homed gateway beats the screening router is that the bastion host's system software can be used to keep system logs, hardware copy logs or remote logs, which is useful for later auditing. It does not, however, help the network administrator determine which hosts on the network may have been compromised.

The dual-homed gateway has a fatal weakness: once an intruder breaks into the bastion host, which has only routing functions, any online user can freely access the internal network.

3. The screened host gateway (Screened Host Gateway)

The screened host gateway is easy to implement and very secure, so it is widely used. For example, a packet filtering router is connected to the external network while a bastion host is installed on the internal network; filtering rules are usually set up on the router so that the bastion host is the only host reachable directly from the external network, which protects the internal network from attacks by unauthorized external users.

If the protected network is a virtually extended local network, i.e. without subnets and routers, then changes to the network do not affect the configuration of the bastion host and screening router. The danger zone is limited to the bastion host and the screening router. The gateway's basic control strategy is determined by the software installed on it. If an attacker manages to log in to it, the remaining hosts on the internal network are under great threat; the situation is almost the same as when a dual-homed gateway is attacked.

4. The screened subnet (Screened Subnet)

This method establishes an isolated subnet between the internal and external networks, with two packet filtering routers separating this subnet from the internal and external networks respectively. In many implementations the two packet filtering routers are placed at either end of the subnet, and the subnet forms a "demilitarized zone" (DMZ). Some screened subnets also have a bastion host as the sole point of access, supporting interactive terminals or serving as an application gateway proxy. The danger zone of this configuration includes only the bastion host, the subnet hosts, and the routers that connect the internal network, the external network and the screened subnet.

If an attacker wants to destroy the firewall completely, he has to reconfigure the routers connecting the three networks without cutting the connections, without locking himself out, and without being detected, so it is still possible. But if network access to the routers is forbidden, or allowed only from certain hosts on the internal network, the attack becomes very difficult: the attacker would have to break into the bastion host first, then into an internal host, and then return to subvert the screening router, all without triggering an alert.

Firewalls are rarely built from a single technique; usually several techniques are combined to solve different problems. The combination depends mainly on what services the network management centre wants to provide to users and what level of risk it can accept; the choice of technique depends on funding, the scale of the investment, the technical skills available, time and other factors. The common forms are:

1. Using multiple bastion hosts;

2. Merging the interior and exterior routers;

3. Merging the bastion host with the exterior router;

4. Merging the bastion host with the interior router;

5. Using more than one interior router;

6. Using more than one exterior router;

7. Using multiple perimeter networks;

8. Using a dual-homed host together with a screened subnet.

As awareness of network security has grown, firewalls have become more widely used: those with money buy advanced hardware firewalls, those without use free software firewalls. So what advantages does a hardware firewall have over a software firewall?

A hardware firewall uses a dedicated hardware device with the manufacturer's dedicated firewall software integrated into it. Functionally, the hardware firewall has built-in security software, uses a proprietary or hardened operating system, is convenient to manage and easy to replace, and has fixed hardware and software. Hardware firewalls are highly efficient, resolving the conflict between firewall efficiency and performance, and can achieve line-rate throughput.

A software firewall is generally developed on top of an operating system platform and is installed and configured directly on the computer. Because client platforms are diverse, a software firewall has to support multiple operating systems such as Unix, Linux, SCO Unix and Windows, so the code base is huge, installation costs are high, after-sales support costs are high and efficiency is low.

1. Performance advantage. Performance is essential for a firewall: it determines how much data traffic passes through the firewall per second. The unit is Bps, ranging from tens of M to hundreds of M; there are Gigabit firewalls and even firewalls of several G. A software firewall cannot reach such rates.

2. CPU occupancy advantage. A hardware firewall's CPU occupancy on the protected host is of course zero. A software firewall is different: if, to save money, you install firewall software on the serving host, then when traffic is heavy the CPU usage becomes the host's killer and drags the whole host down.

3. After-sales support. Manufacturers of hardware firewall products provide ongoing service support; users of software firewalls get relatively fewer such opportunities, and manufacturers invest less effort and R&D funding in software firewalls.

Firewall penetration

The above is our brief description of firewall principles, classification, advantages and disadvantages. Below we give a short introduction to firewall penetration techniques.

A carefully configured firewall stops the vast majority of crackers at the perimeter and gives the network the initiative in control. However, a firewall is not a panacea; we already discussed its shortcomings briefly in the previous section. No network product can be said to be absolutely safe. An article by san of Green League (NSFocus) describes shellcode that penetrates the firewall; interested friends can refer to it: http://www.winnerinfo.net/infoview.asp?Kind=145&ID=5 a 2 9. What I want to mention here is "channel (tunnelling) technology".

Speaking of tunnelling, I must first mention "port reuse", because many friends think that tunnelling is port multiplexing. That is wrong. Port multiplexing means establishing several connections on one port, not running several services on one port without interference. If you try to add another service on port 80 on a host that already runs a WWW service, there are only two possible outcomes: 1. adding the service fails, or 2. the WWW service breaks. So what is a tunnel? Here, a tunnel means a method of communicating that gets around the firewall's port blocking. At both ends of the firewall, the data is encapsulated in a packet type or port that the firewall allows through, passes the firewall, and reaches a host behind it; when the encapsulated packet arrives at its destination it is unpacked, and the restored packet is handed to the corresponding service. In this way several services effectively share one open port without interfering with each other.

For communication to take place, no firewall, whatever its type, can close all services and all ports. If you had such a firewall you might as well just unplug the network cable. Most firewalls open at least a port or service, such as HTTP, and precisely these open ports and services give us a way in. HTTP is a relatively simple and widely used interactive protocol: you send a request to the server, and the server returns a response. Almost all hosts are allowed to send HTTP requests. HTTP is used so broadly on the network that we can use tunnelling technology to pass easily through a firewall or similar device and deliver the data we need to the target. A very typical example is http-tunnel.

The http-tunnel official website, http://www.http-tunnel.com, says: "http-tunnel establishes a bidirectional virtual data connection inside HTTP requests. The HTTP requests can be sent through a proxy, which helps users behind firewalls that restrict ports. If WWW browsing through an HTTP proxy is allowed, then http-tunnel can be established, that is, you can telnet or PPP from outside the firewall to the inside." So it appears that an attacker can use this technology for remote control. Let's look at the design idea behind http-tunnel:

Host A is outside the firewall, with no restrictions. Host B is inside the firewall and protected by it; the firewall's access control rule only allows data in and out on port 80, but host B has the telnet service open. Now suppose you want to telnet from system A to system B. What do you do? Ordinary telnet certainly will not work, because telnet uses port 23, which the firewall blocks: when the firewall receives a telnet packet, it finds that it does not match the rule allowing only port 80 and discards it. But we know port 80 is available, so an http-tunnel channel is a good approach. The idea is as follows:

On machine A, run the tunnel client so that it listens on an unused port of A, preferably in the range 1024 to 65535, say 8888; at the same time, data arriving on port 8888 is directed to port 80 on machine B, and since this is port 80 the firewall lets it through. Then on machine B, with only port 80 open to the outside, first obtain a webshell, find a way to elevate privileges, and run the server end attached to the same port 80, directing the data that arrives on port 80 from the client to this machine's telnet service port 23, and that is all. Now on machine A telnet to local port 8888; according to the settings above, the packets are forwarded to port 80 on machine B, and because the firewall allows port 80 traffic, the packets pass through the firewall and reach B. The process listening on port 80 on B receives the packets from A, restores them, and hands them to the telnet process. When B's reply packets need to return to A, they are sent back through port 80 in the same way and likewise pass the firewall smoothly.

It seems the function above could also be achieved with port mapping: redirect port 23 on host A to port 80, and redirect port 80 on host B to port 23. But what if host B already runs a WWW service? Achieving this with port mapping would sacrifice host B's port 80, which is not worth it. Imagine penetrating a firewall to attack a host and taking someone's existing WWW service down; could you still stay on that host? With http-tunnel, on the other hand, it is perfect: even if host B already has port 80 open and serves WWW, we can still send telnet to its port 80 and enjoy a "genuine" telnet service.

Our solution to tunnelling technology is application-layer packet inspection. In normal HTTP requests, GET, POST and similar methods are essential; if the HTTP requests on a connection are not always GET, POST and so on, that connection certainly has a problem and should be terminated. Some companies' IDS products can now detect tunnels hidden in port 80, but I am afraid such IDS products cost more than small and medium-sized businesses can afford.
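The defence described in the previous paragraph, as an added example that is not part of the article or of http-tunnel: a per-connection check that every client-to-server message on port 80 is a well-formed HTTP request, run over constructed sample streams.

```python
"""Application-layer conformance check for port-80 connections (added
example, not code from the article or from http-tunnel). The reassembled
client-to-server byte stream of one connection is walked request by request:
each message must begin with a well-formed HTTP request line and a known
method, and a declared body is skipped using Content-Length. Anything else,
for instance raw telnet negotiation redirected onto port 80 by port mapping,
marks the connection for termination. All sample streams are constructed.
"""
import re

METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
HEADER_END = b"\r\n\r\n"


def _verdict(requests, action, reason):
    return {"requests": requests, "action": action, "reason": reason}


def inspect_client_stream(data: bytes) -> dict:
    """Return {'requests': [(method, target, body_len), ...],
    'action': 'pass' | 'terminate' | 'incomplete', 'reason': str}."""
    pos, requests = 0, []
    while pos < len(data):
        m = REQUEST_LINE.match(data, pos)
        if m is None:
            return _verdict(requests, "terminate",
                            f"non-HTTP bytes at offset {pos}: {data[pos:pos + 8]!r}")
        method = m.group(1).decode("ascii")
        if method not in METHODS:
            return _verdict(requests, "terminate", f"unknown method {method}")
        # Headers run from the end of the request line to the blank line;
        # starting the search two bytes back also catches a header-less request.
        end = data.find(HEADER_END, m.end() - 2)
        if end == -1:
            return _verdict(requests, "incomplete", "headers not terminated yet")
        body_len = 0
        for line in data[m.end():end].split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                if not value.strip().isdigit():
                    return _verdict(requests, "terminate", "bad Content-Length")
                body_len = int(value.strip())
        body_start = end + len(HEADER_END)
        if body_start + body_len > len(data):
            return _verdict(requests, "incomplete", "body not fully received")
        requests.append((method, m.group(2).decode("latin-1"), body_len))
        pos = body_start + body_len          # skip the body, then next request
    return _verdict(requests, "pass", "")


# Constructed sample streams.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
          b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Length: 11\r\n\r\nuser=alice&")
# Telnet option negotiation (IAC DO TERMINAL-TYPE ...) arriving on port 80,
# i.e. the port-mapping variant the article describes.
TELNET_ON_80 = b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
# One genuine request, then raw bytes on the same connection.
MIXED = b"GET / HTTP/1.0\r\n\r\n" + TELNET_ON_80
```

A tunnel that wraps its data in syntactically valid POST and GET exchanges, as http-tunnel itself does, passes this check; catching that needs the per-connection behavioural analysis the article attributes to commercial IDS products.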

There are other ways of penetrating firewalls, such as looking for design flaws in the firewall itself, but those are far too difficult; I am afraid they are not something we should consider.

Summary:

We have now briefly reviewed firewalls and firewall penetration once more. It should be clearer that a firewall is not a panacea: even a carefully configured firewall cannot withstand a tunnelling program hidden inside seemingly normal data. So for a network, what should we do to guarantee the greatest possible security?

  1. Configure the firewall appropriately according to need, opening as few ports as possible.

  2. Apply strict filtering in web applications.

  3. Use the encrypted HTTP protocol (HTTPS).

  4. If conditions permit, purchase a more powerful NIDS.

  5. Manage your network users, to prevent an attacker from connecting directly to a network user and bypassing the firewall.

  6. Upgrade your firewall product regularly.