Search This Blog

Saturday, January 09, 2010

firewall-wizards Digest, Vol 45, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Hacker pierces hardware firewalls with web page. (R. DuFresne)
2. Re: Duplicate Public IP Addresses? (Mark)
3. Re: Use of single port aggregations to enhance security
(Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 8 Jan 2010 13:34:06 -0500 (EST)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.1001081329280.17277@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In reading this, I get the impression this is not a fault in the firewalls
themselves, but more an issue with the configuration of firewalls having
been 'tested' by this hacker. Am I wrong in reading this news in that
fashion?::


January 6, The Register - (International) Hacker pierces hardware
firewalls with web page. On January 5, a hacker demonstrated a way to
identify a browser's geographical location by exploiting weaknesses in many WiFi
routers. Now, the same hacker is back with a simple method to penetrate
hardware firewalls using little more than some javascript embedded in a
webpage. By luring victims to a malicious link, the attacker can access
virtually any service on their machine, even when it's behind certain
routers that automatically block it to the outside world. The method has
been tested on a Belkin N1 Vision Wireless router, and the hacker says he
suspects other devices are also vulnerable. "What this means is I can
penetrate their firewall/router and connect to the port that I specified,
even though the firewall should never forward that port," the hacker told
the Register. "This defeats that security by visiting a simple web page.
No authentication, XSS, user input, etc. is required." The hacker's
proof-ofconcept page forces the visitor to submit a hidden form on port
6667, the standard port for internet relay chat. Using a hidden value,
the form surreptitiously coerces the victim to establish a DCC, or direct
client-to-client, connection. Vulnerable routers will then automatically
forward DCC traffic to the victim's internal system, and using what's
known as NAT traversal an attacker can access any port that's open on the
local system. For the hack to work, the visitor must have an application
such as file transfer protocol or session initiation protocol running on
his machine. The hack does not guarantee an attacker will be able to
compromise that service, but it does give the attacker the ability to
probe it in the hope of finding a weak password or a vulnerability that
will expose data or system resources. Source:
http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/


Thanks,


Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
uZciRDQsRu1kZZQUZctPwmY=
=KCsu
-----END PGP SIGNATURE-----


------------------------------

Message: 2
Date: Fri, 8 Jan 2010 17:49:17 -0500
From: "Mark" <firewalladmin@bellsouth.net>
Subject: Re: [fw-wiz] Duplicate Public IP Addresses?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000601ca90b4$cfb59f60$090aa8c0@357magnum>
Content-Type: text/plain; charset="us-ascii"

The only thing I would add too what Paul said is that the hosts on the same
network (the private network that was incorrectly using the example 80.x.x.x
range) would end up using server B, as "local" traffic would not be routed
to it's default gateway.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of arvind
doraiswamy
Sent: Friday, January 01, 2010 10:11 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Duplicate Public IP Addresses?

Hey Guys,
Maybe this is a bit of a basic question but I thought I'd ask here all
the same. Please let me know if this is too Non Firewall to be posted
:)

Over the years a lot of clients have used Public IP addresses on an
Internal network. So there's whole internal ranges with 80.x.x.x . Now
almost all of those systems do not have publicly reachable services at
all. Lets also assume that there is some website somewhere which has
the 80.x.x.x IP address assigned to it and people DO visit it and use
its "services". All ok so far.

What though if the internal network suddenly decided to make one of
his systems a web server , put a site onto it and pushed it on to the
Internet with the same 80.x.x.x address that was assigned to the
server when it was part of the Internal Network? Effectively it means
that now.. 2 servers ; the original web server (A) and the new web
server (B) both have an IP of 80.x.x.x (SAME).

Now I haven't done this practically and checked what will happen , but
I have a few questions in mind.

a) What happens to all the traffic going to A? Does it still go there
or do clients of A get redirected to B?
b) What about B wrt Question a) ?
c) What about DNS servers everywhere? What IP addresses will they
cache and how will they ensure that people are "routed" correctly?
d) Isn't this a very easy DOS condition? Anyone just changes IP ,
registers with their own DNS and sits back and waits?

Am I missing something? It just seems to easy to do..so I thought I'd
post here and get educated :)

Thnx
Arvind
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 3
Date: Fri, 8 Jan 2010 16:19:11 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Use of single port aggregations to enhance
security
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>, "'Firewall Wizards Security
Mailing List'" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <006b01ca90a8$3985b590$ac9120b0$@com>
Content-Type: text/plain; charset="us-ascii"

> If you're using an operating system based firewall (Linux, BSD, Solaris),
then
> depending on the order of the operating system enabling firewalls
capabilities vs
> networking, there may be windows where packets are able to reach code
paths that they
> weren't intended for because nic drivers start servicing packets quite
early. However, > nearly all of the above operating systems implement LACP
in software. This means that > there's a "knob" that can be used on the
firewall host to control whether or not the
> switch sends stuff to the firewall, potentially allowing you to close that
window (if > it exists.) This might cause problems if you're doing some sort
of out-of-band remote > console over that port O:->

Hi Darren,

Using LACP is an interesting solution to a problem that, in most cases,
already has a simple solution, which is to not enable IP forwarding on your
firewall until rules are loaded. Using OpenBSD and pf as an example, you
would set net.inet.ip.forwarding=0 in sysctl.conf, and then in rc.local run,
in order, the scripts that call pfctl, ifconfig, and then finally sysctl
net.inet.ip.forwarding=1 to begin forwarding packets.


> I admit that caring about this might require a special level of paranoia
:)

"The issue is not whether you are paranoid, it's whether you are paranoid
enough."

PaulM

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 2
***********************************************

No comments: