More March 2000 Windows Digest...

Excel 97 Easter Egg

· In Excel, create a new worksheet.
· Press F5; in the resulting dialog box type "X97:L97" (without the quotes) and press Enter.
· Press the Tab key.
· Hold down Ctrl+Shift and click on the Chart Wizard toolbar button.
What you get at this point depends on whether or not you have Microsoft's DirectDraw video software installed. I don't, and simply got some animated credits. People with DirectDraw will instead enter a 3-D world in which you navigate with the mouse, using the left mouse button to move forward and the right mouse button to move backward.

Application Gateways and Stateful Inspection

(The following, although not a complete republication, is very heavily borrowed from a PDF I received from a vendor recently.)

Nobody can disagree that the Internet security industry has grown tremendously over the past few years. That growth has left many of the people empowered to recommend or purchase new firewalls and/or gateways in a state of perpetual confusion. Check Point FW-1, Raptor, Guardian, Cisco PIX: with all the options, how do you know which is best for you and your company? It boils down to packet filters versus application gateways. Credit goes to the members of the Internet Firewalls mailing list who put together much of this information.

First let's look at the first-generation firewall, sometimes referred to as a packet filter. What is a packet filter??? Simply put, a packet filter is a process that allows or denies the passage of traffic between networks based on the header information in each packet. The header information a packet filter can use includes the source address, destination address, and port or service; some other header fields are also available to the device for building rule sets that allow or deny packets into a given network. A Cisco router could be configured using Access Control Lists to filter certain types of traffic. This process is often referred to as static packet filtering.

There are some advantages of static packet filtering which include:

· Low Overhead / High Throughput
· Inexpensive or Free
· Easy to manage network traffic

Some of the disadvantages in using static packet filtering are:

· Allows a direct connection to internal hosts by external clients
· Permanently leaves holes open in your network perimeter
· Quickly becomes unmanageable when used in complex environments
· Remains vulnerable to attacks such as "spoofing" source addresses, unless specifically configured to prevent such action
· Offers no user authentication (unless coupled with a RADIUS or TACACS+ server)

Note: It has been several years since I have seen an enterprise take advantage of static packet filtering.

To address many of the disadvantages associated with static packet filtering, dynamic packet filtering techniques were developed. Dynamic packet filters, unlike static packet filters, open and close "doors" in the firewall based on the header information in the data packets described above. Once a series of packets has passed through this door to its destination, the firewall then closes the door. Stateful packet filtering is an enhancement to dynamic packet filtering. Stateful packet filtering makes sense of higher-level protocols and adapts the filtering rules to accommodate the needs of the specific protocol (e.g., simulated connections for connectionless protocols such as NFS and RPC services). The stateful packet filter keeps track of state and context information about a session, often ARPing much of that information into an ARP table for future reference. Check Point FW-1 is an example of a stateful packet filter, AKA Stateful Inspection. In Check Point's implementation of stateful packet filtering the inspection module sits between the data link layer and the network layer of the OSI model. (For more information on the OSI model read "TCP/IP Blueprints".) Tracking a packet's "state" may increase the security of the basic filter, but it does not address the content or implications of the traffic being handled.
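The difference between a static filter and a stateful one, drawn in this paragraph and the preceding section, as an added example that is not part of the digest and is not any vendor's code: a toy static packet filter and a toy stateful filter in Python, run over a constructed packet sequence. The rule format, the LAN prefix 192.168.100.0/24 (borrowed from the page's later web-server example) and the external addresses are assumptions of this example. The static filter has to leave the reply path (source port 80 to any high port) open permanently, so an unsolicited packet from port 80 walks straight through; the stateful filter only admits replies to a session it has seen opened, and forgets the session once it is closed.

```python
# Added example: toy static vs. stateful packet filters (not from the digest).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    dst: str            # destination IP
    sport: int          # source port
    dport: int          # destination port
    syn: bool = False   # TCP SYN: start of a new connection
    fin: bool = False   # TCP FIN: connection is closing

def is_internal(ip: str) -> bool:
    # Assumed LAN prefix, borrowed from the page's web-server example
    return ip.startswith("192.168.100.")

def direction(pkt: Packet) -> str:
    return "out" if is_internal(pkt.src) and not is_internal(pkt.dst) else "in"

class StaticFilter:
    """Header-only rules, evaluated one packet at a time, with no memory.
    A rule is (direction, (sport_lo, sport_hi), (dport_lo, dport_hi))."""
    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt: Packet) -> bool:
        d = direction(pkt)
        for rdir, (slo, shi), (dlo, dhi) in self.rules:
            if rdir == d and slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi:
                return True
        return False

class StatefulFilter:
    """Admits new outbound sessions to permitted ports and remembers them;
    inbound packets pass only if they belong to a remembered session."""
    def __init__(self, outbound_dports):
        self.outbound_dports = set(outbound_dports)
        self.sessions = set()   # (internal_ip, internal_port, external_ip, external_port)

    def allow(self, pkt: Packet) -> bool:
        if direction(pkt) == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and pkt.dport in self.outbound_dports:
                self.sessions.add(key)          # open the door
                return True
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            if pkt.fin:
                self.sessions.discard(key)      # close the door
            return True
        return False

# Static rules: browsing out is allowed, and because the filter has no memory
# the reply path (source port 80 to any high port) must stay open permanently.
STATIC_RULES = [
    ("out", (1024, 65535), (80, 80)),
    ("in", (80, 80), (1024, 65535)),
]

# Constructed traffic. 203.0.113.5 and 198.51.100.7 are documentation addresses.
TRAFFIC = [
    Packet("192.168.100.10", "203.0.113.5", 40000, 80, syn=True),   # client opens
    Packet("203.0.113.5", "192.168.100.10", 80, 40000),             # server reply
    Packet("203.0.113.5", "192.168.100.10", 80, 40000, fin=True),   # server closes
    Packet("203.0.113.5", "192.168.100.10", 80, 40000),             # stray packet after close
    Packet("198.51.100.7", "192.168.100.20", 80, 5555),             # unsolicited, from port 80
]

def run(fw, traffic):
    """Verdict per packet, in order."""
    return [fw.allow(p) for p in traffic]

if __name__ == "__main__":
    print("static  :", run(StaticFilter(STATIC_RULES), TRAFFIC))
    print("stateful:", run(StatefulFilter({80}), TRAFFIC))
```

Run it and the static filter answers True for all five packets, including the stray packet after the close and the unsolicited one; the stateful filter answers True only for the three packets that belong to the session the client opened. Neither filter looks past the headers, which is exactly the limitation the next paragraph turns to.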

To make the point, consider the following example. You've configured your Check Point firewall with Network Address Translation, mapping the external routable IP address (207.51.13.82) to the DMZ or internal network address (192.168.100.253). In this example 192.168.100.253 is an IIS 4.0 web server running under Windows NT 4.0 SP6. You've restricted allowable packet traffic to port 80 only: this is your web server, serving content to the WWW and having no use for SSL or port 443. An attacker uses a buffer overflow that makes its way to the target on port 80. Take for example the overflow constructed by eEye, a full-disclosure security team (http://www.eeye.com). So the attacker sends his payload to the web server on port 80, the same port that his browser would send an HTTP GET request to. The traffic containing the malicious payload reaches the Check Point firewall, where Check Point applies its rule set and notices that the packet is heading to port 80 and the destination is 207.51.13.82. Check Point routes that packet to our web server at 192.168.100.253. The web server receives the network traffic containing the overflow and the instruction to download and execute the Trojan of our choice. Voilà: the IIS server crashes and on its way down downloads our Trojan horse. When the web services are stopped and restarted, or the server is rebooted by an admin, our Trojan is deployed. We now have our foothold into the target's network. Their nice fancy Check Point firewall did nothing to stop our attack.

Some advantages of using a dynamic packet filter are:

· Only temporarily opens holes in the Network Perimeter
· Low Overhead / High Throughput
· Supports almost any service (back-channel services like FTP have to be handled as a special case)
· Very easy to establish rule sets (low number of rule sets are typically needed)
· Easy to manage

With the amount of time a hole in the perimeter is left open greatly reduced, many of the attacks that worked against static packet filters are more difficult, and in some cases impossible, to use against a dynamic packet filter. Because very little work is done beyond routing traffic, the system overhead is very low. Similar hardware platforms will often produce much higher throughput when using dynamic packet filtering compared with an application gateway.

Disadvantages include:

· Allows direct IP connections to internal hosts by external clients
· Offers no user authentication (without the use of OPSEC plugins)
· Passes any IP service on an allowed port (can't differentiate between a telnet connection to port 80 and an HTTP GET request)

Dynamic packet filters do well in reducing the amount of exposure. External systems, while adhering to the rule base of the dynamic packet filter, are still able to make an IP connection with an internal machine (if Network Address Translation is enabled). (Note: it's good to use Network Address Translation; assign non-routable internal network IP addresses to your workstations and servers on the LAN. This prevents external hosts from attacking your internal network, unless of course they take over your dynamic packet filter :-).) Although spoofing is a well-known vulnerability for Internet sites, most modern dynamic packet filters include fixes for most known methods of spoofing. The problem still remains in the trust that is placed in an external system based almost solely on its IP address. Due to the frequent lack of user authentication, even if the incoming connection is from an approved host there is no check that the machine is being operated by an authorized owner. In other words, if a cracker has compromised the external host it can be used as a gateway to your internal network.

Next we have application gateways. An application gateway is a firewall system in which service is provided by processes that maintain complete TCP connection state information and sequencing. Application gateways are also capable of performing Network Address Translation and IP masking. When IP masking is used, any outgoing traffic from the internal network is rewritten at the application gateway and sent out onto the Internet with a source address equal to that of the external interface of the gateway. (Note: Check Point supports this functionality!) Depending on who you ask, it's generally thought by many security experts that application-based firewalls provide the most security. All connections to any internal host are proxied through the firewall. An application-level firewall is distinguished by the use of security proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.

Some advantages of application gateways are:

· Do not allow any direct connections between internal and external hosts
· Support user-level authentication
· Analyze application commands inside the payload portion of data packets (an application gateway has a strong chance of catching the malicious content we sent to the WWW server in the earlier example)
· Keep comprehensive logs of traffic and specific activities (Check Point does have some nice logging abilities)

Due to the fact that application gateways essentially proxy everything, no direct connection is allowed through the firewall under any circumstance. As an example, if you wanted to establish an FTP connection to an FTP server on the targeted network, and that network was using an application gateway configured to allow FTP sessions to the FTP server, then you would maintain a connection with the application gateway, which would actually be the machine making the connection to the FTP server and then relaying the data back to you. An application gateway will inspect a packet and its payload before passing it along to an internal host; if the payload is likely to do the recipient harm it will be discarded. Using our attack against the IIS server earlier, the following would likely have taken place had an application gateway been installed. The buffer overflow destined for the IIS server would have been sent to the application gateway. The application gateway would have inspected the packet and seen that it was headed to the WWW server; it would check the source address and destination address, along with the port, against its rule set to see if the packet could be routed through (much like a dynamic packet filter up to this point). However, the application gateway would then carry the packets being sent to the WWW server further up the OSI model to the application layer, where it would have noticed that this was not an HTTP GET request at all. Since it is only configured to route WWW requests, it would have discarded the malicious traffic, and our attacker doesn't get his foothold through this method.
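One way to make the gateway's application-layer check concrete, as an added example that is not from the digest and not any gateway vendor's code: a Python function that plays the role of the HTTP proxy's inspection step. It accepts only a well-formed HTTP/1.x request head with a permitted method and refuses a raw telnet-style chat on port 80 (the case the dynamic-filter disadvantage list says a packet filter cannot tell apart), an overlong request line, binary junk and a method the proxy is not configured for. The length limits, the method list and the sample requests are assumptions constructed for this example; a real proxy would go on to validate the body and relay the request itself.

```python
# Added example: the inspection step of a toy HTTP application proxy
# (not from the digest and not any vendor's code).
import re

MAX_REQUEST_LINE = 2048          # assumed limits for this example
MAX_HEADER_LINE = 4096
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

# Request line: METHOD SP origin-form target SP HTTP/1.0 or HTTP/1.1,
# printable ASCII only in the target.
REQUEST_LINE = re.compile(rb"([A-Z]+) (/[\x21-\x7e]*) HTTP/1\.[01]")
# Header line: token ":" printable value (tabs and spaces allowed in the value)
HEADER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[\t -~]*")

def inspect_http_request(raw: bytes):
    """Return (allowed, reason) for the head of a client request.
    Anything that is not a well-formed HTTP/1.x request with a permitted
    method is refused, the way a proxy configured only for WWW traffic would."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request head"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = REQUEST_LINE.fullmatch(request_line)
    if m is None:
        return False, "not an HTTP request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, "method not permitted"
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            return False, "header line too long"
        if HEADER_LINE.fullmatch(h) is None:
            return False, "malformed header"
    return True, "ok"

# Constructed sample traffic, all of it arriving on "port 80"
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: test\r\n\r\n",
    "telnet_chat": b"hello there\r\n\r\n",
    "overlong_path": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "binary_junk": bytes(range(256)) + b"\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def inspect_all():
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: inspect_http_request(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in inspect_all().items():
        print(f"{name:14s} -> {verdict}")
```

Only the browser request is passed through; every other sample is refused with a reason the proxy can log, which is the "comprehensive logs of traffic and specific activities" advantage listed above. The same port-80 traffic would all look identical to the dynamic packet filter of the earlier sections, because it never reads past the headers.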

Some disadvantages to application gateways are that they:

· Are substantially slower than packet filters and as such require more overhead
· Require the internal client to know about them
· Do NOT support every possible type of connection (Certain services may not work!)

Application gateways are ALWAYS slower than their stateful inspection counterparts. This is due to the fact that the application gateway has to inspect the incoming traffic itself, carrying it all the way up the OSI model and performing a number of checks. Fortunately, with the speeds of today's servers this overhead can typically be handled without much problem. The problem of not all services being supported can be explained as follows. Say for instance that there is a new application on the Internet called "UberApplication". Internal users want to use UberApplication and the business approves its use. The application gateway approach will not let the traffic through the firewall until it knows exactly how the application works and what can be done to keep it from damaging the internal network. If there is no "snap-in" available for the application gateway, then the traffic cannot be allowed through. Most vendors producing application gateways provide tools to create "generic proxies". Vendors can often be measured on how quickly they can produce the "snap-ins" for the latest applications on the Internet. It should be noted that many application gateways, such as those produced by Axent Technologies (the product is called Raptor), can be configured to function as a stateful-inspection-based packet filter. So with the purchase of a product such as Raptor you can configure it to function either as a dynamic packet filter or as an application gateway.

So we are left with a few observations. Stateful packet filters are faster than application gateways. This is common sense, due to the fact that inherently they do less work, less security processing. Stateful packet filters are less granular than application gateways; they do not do any verification of the protocol. An application gateway will look more closely at the data. To quote Bill Stout, a security expert who posts to the firewall mailing list: "The purpose of a security device is to protect a network, not to be fast. Fast is what airline travelers want when passing through airport security, secure is what they want when they are tumbling through the air after their plane blows up."

Recommendation??? Well, stateful packet filters are adequate for low-risk intranets, or in situations where raw throughput has priority over security. Application gateways should be the technology of choice for organizations that have extremely high security requirements.

More Happy Hacker Windows Digest, March 2000--->>

 © 2013 Happy Hacker All rights reserved.