Protecting Against Common Firewall Attacks

According to McClure, Scambray, and Kurtz (2005), firewall discovery comprises a routine of port scanning and banner grabbing to determine the specific type of firewall and the possible vulnerabilities. Two types of firewall attacks may be launched by the hacker. The first type includes attacks against the firewall itself for the purpose of taking control of the firewall’s functionality or launching a Denial of Service (DOS) attack. The second type of firewall attack includes attacks on the inside or Local Area Network (LAN) side of the firewall.

Attacks against firewalls aimed toward the inside or LAN side of firewalls attempt to circumvent the firewall’s rules or policy to gain access to the protected devices. One useful discovery tool that hackers use to find those inside targets is firewalking.

Firewalking is a technique that uses traceroute-like tools to probe firewalls and screening routers for ports, services, and protocols that are used by the target network. Firewalking can also be used to map hosts behind the firewalls and packet filtering devices” (Peake, 2003, p. 12).

Firewalking methods are not aimed at the target hosts themselves but rather at the firewall that protects them. The method is based on the Time to Live (TTL) property of TCP/IP packets directed at the virtual host located one hop beyond the firewall. The theory states, according to Goldsmith and Schiffman (1998), that a firewall will drop packet directed at a port that the firewall blocks but forward those packets directed toward open ports. The firewalk tool can then assume that all responses forwarded back from the firewall that contain the ICMP message TTL expired are responses to probe packets directed at open ports on the firewall. The hacker can then craft more specific port scans directed at the network using those open ports.

The best way to defend against firewalking a stated by McClure et al. (2005), is block TTL expired messages from passing from the inside interface of the firewall to the outside interface. This act may have detrimental consequences, however, because legitimate traffic will be blocked. A better method nay be to null route packets that arrive on the outside interface with a TTL less than or equal to 1 but I do not know if today’s firewalls permit such granular testing of packets.

What do you think?

Your comments are always welcome.

Goldsmith, D., Schiffman, M. (1998). Firewalking: A traceroute-like analysis of IP packet responses to determine gateway accesscontrol lists.

McClure, S., Scambray, J., and Kurtz, G. (2005). Chapter 9: Firewalls. HackingExposed Network Security Secrets & Solutions (5th Ed.). Emeryville, CA: Mcgraw-Hill / Osborne.

Peake, C. (2003). Red teaming: The art of ethical hacking. GIAC Security Essentials

Certification (GSEC) SANS Practical assignment Version 1.4b – Option 1. Retrieved May 7, 2008 from https://www2.sans.org/reading_room/whitepapers/auditing/1272.php.