
Chapter IV: Types of attacks on firewalls and countermeasures

Ever since Cheswick and Bellovin wrote their book on how to build firewalls and track down a wily hacker named Berferd, the idea of putting a web server on the Internet without deploying a firewall has been considered suicide. It is equally suicidal to hand firewall duties over to the network engineers. Although they may understand the technical intricacies of a firewall, they do not breathe security, and they do not study the mindset and techniques of wily hackers. The result is that firewalls can be punched through because of misconfiguration, letting attackers jump into the network and wreak havoc.

I. The firewall landscape

Two kinds of firewall dominate the market today: application proxies and packet-filtering gateways. Although application proxies are considered more secure than packet-filtering gateways, their restrictive nature and their performance limits confine them to traffic leaving the company rather than traffic coming in to the company's web servers. Packet-filtering gateways, or the more sophisticated stateful packet-filtering gateways, on the other hand, are found in many large organizations with high performance requirements. Many believe that the perfect firewall has not yet appeared, but the future looks bright. Several vendors, such as Network Associates Inc. (NAI), AXENT, Internet Dynamics, and Microsoft, have developed technology that provides the security of proxy technology with the performance of packet-filtering technology (a hybrid of the two). But they are not there yet.

Ever since the first firewall was installed, firewalls have protected countless networks from prying eyes and vandals, but they are far from a cure-all for security. Security weaknesses are discovered every year in nearly every kind of firewall on the market. Worse, most firewalls are commonly misconfigured, unmaintained, and unmonitored, turning them into electronic speed bumps (leaving the gateways wide open). Make no mistake: a carefully designed, configured, and maintained firewall is nearly impossible to break into. In fact, most skilled attackers know this and will simply go around the firewall by exploiting trust relationships and the weakest links in security, or avoid it entirely by attacking through a dial-up account. The bottom line: most attackers concentrate their effort on getting around a strong firewall, so the goal here is to build a strong firewall. As a firewall administrator, you know how important it is to understand the enemy. Knowing the first steps an attacker takes to bypass firewalls will help you a great deal in detecting and responding to an attack. This chapter walks you through the techniques commonly used today to discover and enumerate firewalls, and describes some of the ways attackers try to bypass them. For each technique, we look at how to detect and prevent the attacks.

II. Identifying firewalls

Almost every firewall has a unique electronic "scent." That is, with a simple process of port scanning, firewalking, and banner grabbing, attackers can effectively determine the type, version, and rules of nearly every firewall on the network. Why is this identification important? Because once the firewalls are mapped, attackers can begin to look for weaknesses and try to exploit them.


1. Direct scanning: the noisy technique

The easiest way to look for firewalls is to scan for specific default ports. Some firewalls on the market identify themselves uniquely with simple port scans; you only need to know what to look for. For example, Check Point's Firewall-1 listens on TCP ports 256, 257, and 258, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745. With this knowledge, finding these kinds of firewall is trivial with a port scanner such as nmap:

    nmap -n -vv -P0 -p256,1080,1745 192.168.50.1-60.254

The -P0 switch disables ICMP pinging before the scan. This matters because most firewalls do not respond to ICMP echo requests. Attackers both timid and brazen will scan your network extensively in this way, looking for these firewalls and for any hole in your perimeter fence. But the more dangerous attackers will comb your perimeter as quietly as possible. There are many techniques attackers can use to fly under your radar, including randomizing pings, destination ports, destination addresses, and source ports; using decoy hosts; and performing distributed source scans. If you think your intrusion detection system (IDS), such as Internet Security Systems' RealSecure or Abirnet's SessionWall-3, will detect these dangerous attackers, think again. Most IDSs are configured by default to listen only for the dumbest and noisiest port scans. Unless you use a sensitive IDS and fine-tune its detection signatures, most of these attacks will go completely unnoticed. You can create such a randomized scan with the Perl scripts provided on the book's web site at www.osborne.com/hacking.

Countermeasures

You need to block these kinds of scan at the border routers or use some kind of intrusion detection tool, free or commercial. Even so, isolated port scans are not picked up by default in most IDSs, so you must tune the sensitivity before you can rely on the detection.

Detection

To accurately detect port scans that use randomization and decoy hosts, you need to tune each port-scan detection signature. Consult your IDS vendor's documentation for details. If you want RealSecure 3.0 to detect the scan above, you must raise its sensitivity to isolated port scans by modifying the parameters of the port-scan signature. Change the following to make it sensitive to this scan:

1. Select and customize the Network Engine Policy.
2. Find "Port Scan" and select Options.
3. Change Ports to 5 ports.
4. Change Delta to 60 seconds.

If you are running Firewall-1 on UNIX, you can use Lance Spitzner's utility for detecting Firewall-1 port scans, at www.enteract.com/~lspitz/intrusion.html. His alert.sh script configures Check Point to detect and monitor port scans and run a User Defined Alert when one occurs.
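The Ports/Delta threshold above is easy to reproduce outside the IDS, which is useful when you only have router logs. The script below is an added example (not from the book or from RealSecure): it reads constructed Cisco-style ACL deny log lines and raises an alert when one source reaches 5 distinct destination ports within 60 seconds; the log format, host name and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirroring the RealSecure tuning in the text: alert once a single
# source has probed PORTS distinct destination ports within DELTA seconds.
PORTS = 5
DELTA = 60

# Matches a Cisco-style "list 101 denied tcp src(sport) -> dst(dport)" log line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*denied tcp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample log (not from the page). One source sweeps the Firewall-1
# and proxy ports (256-258, 1080, 1745) within 29 seconds; another source
# touches only two ports, six minutes apart. Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 23:14:01 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40211) -> 192.0.2.10(256), 1 packet
Mar 10 23:14:02 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40212) -> 192.0.2.10(257), 1 packet
Mar 10 23:14:03 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40213) -> 192.0.2.10(258), 1 packet
Mar 10 23:14:05 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(51000) -> 192.0.2.10(1080), 1 packet
Mar 10 23:14:09 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40214) -> 192.0.2.10(1080), 1 packet
Mar 10 23:14:30 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40215) -> 192.0.2.10(1745), 1 packet
Mar 10 23:20:00 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(51001) -> 192.0.2.10(256), 1 packet
"""


def detect_scans(log_text, ports=PORTS, delta=DELTA):
    """Return [(source, alert_time, sorted_ports)] for every burst in which one
    source reached `ports` distinct destination ports inside `delta` seconds."""
    windows = defaultdict(deque)      # source -> deque of (timestamp, dport)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that are not ACL denies
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        win = windows[m["src"]]
        win.append((ts, int(m["dport"])))
        # Slide the window: discard probes older than `delta` seconds.
        while (ts - win[0][0]).total_seconds() > delta:
            win.popleft()
        distinct = {port for _, port in win}
        if len(distinct) >= ports:
            alerts.append((m["src"], ts, sorted(distinct)))
            win.clear()               # one alert per burst, then start afresh
    return alerts


if __name__ == "__main__":
    for src, when, hit in detect_scans(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} port scan from {src}: {hit}")
```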


Prevention

To stop firewall port scans from the Internet, you need to block these ports on the routers in front of the firewalls. If those devices are managed by your ISP, you need to contact them to put the blocks in place. If you manage them yourself, you can use the Cisco ACLs below to explicitly block the scans described above:

    access-list 101 deny tcp any any eq 256 log ! Block Firewall-1 scans
    access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans
    access-list 101 deny tcp any any eq 258 log ! Block Firewall-1 scans
    access-list 101 deny tcp any any eq 1080 log ! Block Socks scans
    access-list 101 deny tcp any any eq 1745 log ! Block Winsock scans

Note: if you block the Check Point ports (256-258) at the border routers, you will not be able to manage the firewall from the Internet. In addition, every router must have a cleanup rule (if it does not deny packets by default), which has the same effect as specifying explicit deny actions:

    access-list 101 deny ip any any log ! Deny and log any packet that got through our ACLs above

2. Route tracing

A quieter and subtler way to find firewalls on a network is to use traceroute. You can use UNIX traceroute or NT's tracert.exe to find each hop along the path to the target and draw inferences. Linux traceroute has the -I option, which traces the route by sending ICMP packets instead of the default UDP packets.

    [sm@atsunami sm]$ traceroute -I www.yourcompany.com
    traceroute to www.yourcompany.com (172.17.100.2), 30 hops max, 140 byte packets
     1 attack-gw (192.168.50.21) 5.801 ms 5.105 ms 5.445 ms
     2 gw1.smallisp.net (192.168.51.1)
     3 gw2.smallisp.net (192.168.52.2)
    .....
    13 hssi.bigisp.net (10.55.201.2)
    14 serial1.bigisp.net (10.55.202.1)
    15 www.yourcompany.com (172.29.11.2)

There is a good chance that the hop right before the target (10.55.202.1) is the firewall, but we do not know for sure yet. We need to dig a little deeper. The example above works nicely if the routers between you and the target servers respond to packets whose TTL has expired. But some routers and firewalls are set not to return ICMP TTL-expired packets (for both ICMP and UDP packets). In that case the inference is less scientific. All you can do is run traceroute, see which hop responds last, and infer that it is either the firewall or at least the first router in the path that starts blocking tracerouting. For example, here ICMP is being blocked to its destination, and there is no response from any router beyond client-gw.smallisp.net:

     1 stoneface (192.168.10.33) 12.640 ms 8.367 ms
     2 gw1.localisp.net (172.31.10.1) 214.582 ms 197.992 ms
     3 gw2.localisp.net (172.31.10.2) 206.627 ms 38.931 ms
     4 dsl.localisp.net (172.31.12.254) 47.167 ms 52.640 ms
    ........
    14 ATM6.LAX2.BIGISP.NET (10.50.2.1) 250.030 ms 391.716 ms
    15 ATM7.SDG.BIGISP.NET (10.50.2.5) 234.668 ms 384.525 ms
    16 client-gw.smallisp.net (10.50.3.250) 244.065 ms !X * *
    17 * * *
    18 * * *

Countermeasures

The fix for the traceroute information leak is to limit, as far as possible, the firewalls and routers that respond to TTL-expired packets. However, this is not always under your control, because many of the routers may be under the ISP's control.

Detection

To detect standard traceroutes at the border, you need to monitor UDP and ICMP packets with a TTL value of 1. To do this with RealSecure 3.0, make sure the TRACE_ROUTE decode name is checked in the Security Events of the Network Engine Policy.

Prevention

To stop traceroutes from running across the border, you can configure the routers not to respond with TTL EXPIRED messages when they receive a packet with a TTL of 0 or 1. The ACL below works on Cisco routers:

    access-list 101 deny icmp any any 11 0 ! ttl-exceeded

Or, ideally, you should block all unnecessary UDP traffic at the border routers.

3. Banner grabbing

Scanning for firewall ports is useful for locating firewalls, but most firewalls do not listen on default ports the way Check Point and Microsoft do, so their detection has to be inferred. Many popular firewalls announce their presence as soon as you connect to them. For example, many proxy firewalls announce their function as a firewall, and some advertise their type and version. For example, when we connect with netcat on port 21 (FTP) to a machine believed to be a firewall, we see some interesting information:

    C:\TEMP>nc -v -n 192.168.51.129 21
    [UNKNOWN] [192.168.51.129] 21 (?) open
    220 Secure Gateway FTP server ready.

The banner "Secure Gateway FTP server ready" is a telltale sign of an old Eagle Raptor box. Connecting to port 23 (telnet) as well confirms the firewall's name as "Eagle."

    C:\TEMP>nc -v -n 192.168.51.129 23
    [UNKNOWN] [192.168.51.129] 23 (?) open
    Eagle Secure Gateway.
    Hostname:

And finally, if you are still not convinced that your host is a firewall, you can netcat to port 25 (SMTP), and it will tell you what it is:

    C:\TEMP>nc -v -n 192.168.51.129 25
    [UNKNOWN] [192.168.51.129] 25 (?) open
    421 fw3.acme.com Sorry, the firewall does not provide mail service to you.

As the examples above show, banner information can give attackers valuable information while identifying firewalls. Using this information, they can exploit well-known weaknesses or common misconfigurations.

Countermeasures

To fix this information-leak weakness, limit the banner information that is advertised. A good banner might carry a legal warning and state that all connection attempts will be logged. The specific details of changing the default banners depend heavily on the particular firewall, so you need to contact your firewall vendor.

Prevention

To stop attackers from gaining too much information about your firewalls from advertised banners, you can change the banner configuration files. Specific recommendations usually depend on the firewall vendor. On Eagle Raptor firewalls, you can change the ftp and telnet banners by editing the message-of-the-day files: ftp.motd and telnet.motd.

4. Advanced firewall discovery techniques

If scanning directly for firewalls, tracing the route, and banner grabbing do not produce results, attackers move on to the next level of firewall enumeration. Firewalls and their ACL rules can be inferred by probing targets and noting the paths that must (or must not) be taken to reach them.

Simple inference with nmap

Nmap is a great tool for discovering firewall information, and we use it constantly. When nmap scans a host, it not only tells you which ports are open or closed, but also which ports are being blocked. The amount (or lack) of information received from a port scan can say quite a lot about the firewall's configuration. A filtered port in nmap represents one of three things:

- No SYN/ACK packet was received.
- No RST/ACK packet was received.
- An ICMP type 3 (Destination Unreachable) message with code 13 (Communication Administratively Prohibited - [RFC1812]) was received.

Nmap lumps all three conditions together and reports them as a "filtered" port. For example, when scanning www.mycompany.com, we received two ICMP packets telling us that the firewall blocks ports 23 and 111 from our particular system.

    [root@bldg_043 /opt]# nmap -p20,21,23,53,80,111 -P0 -vv www.mycompany.com
    Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Initiating TCP connect() scan against (172.32.12.4)
    Adding TCP port 53 (state Open)
    Adding TCP port 111 (state Firewalled)
    Adding TCP port 80 (state Open)
    Adding TCP port 23 (state Firewalled)
    Interesting ports on (172.17.12.4):
    Port    State      Protocol  Service
    23      filtered   tcp       telnet
    53      open       tcp       domain
    80      open       tcp       http
    111     filtered   tcp       sunrpc

The "Firewalled" state in the output above is the result of receiving an ICMP type 3, code 13 (Admin Prohibited Filter), as seen in the tcpdump output:

    23:14:01.229743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4 unreachable - admin prohibited filter
    23:14:01.979743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4 unreachable - admin prohibited filter

How does nmap match these packets with the original ones, especially when they are just a few among the sea of packets flowing across the network? Well, the ICMP packet sent back to the scanner contains all the data needed to understand what is happening. The port being blocked is a one-byte field in the ICMP header at byte 0x41 (1 byte), and the filtering firewall that sent the message is in the IP part of the packet at byte 0x1b (4 bytes). Finally, an nmap unfiltered port only appears when you scan a number of ports and receive an RST/ACK packet back. In the "unfiltered" state, either our scan is passing through the firewall and our target host is telling us that it is not listening on that port, or the firewall is responding on the target's behalf and spoofing its IP address with the RST/ACK flag set. For example, scanning a local system gives us two unfiltered ports when it receives two RST/ACK packets from the same host. This can also happen with some firewalls such as Check Point (with a REJECT rule) when it responds for the target by sending back an RST/ACK packet and spoofing the target's source IP address.

    [root@bldg_043 sniffers]# nmap -sS -p1-300 172.18.20.55
    Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on (172.18.20.55):
    (Not showing ports in state: filtered)
    Port    State       Protocol  Service
    7       unfiltered  tcp       echo
    53      unfiltered  tcp       domain
    256     open        tcp       rap
    257     open        tcp       set
    258     open        tcp       yak-chat

    Nmap run completed - 1 IP address (1 host up) scanned in 15 seconds

The corresponding tcpdump trace shows the RST/ACK packets received.

    21:26:22.742482 172.18.20.55.258 > 172.29.11.207.39667: S 1415920470:1415920470(0) ack 3963453111 win 9112 <mss 536> (DF) (ttl 254, id 50438)
    21:26:23.282482 172.18.20.55.53 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50439)
    21:26:24.362482 172.18.20.55.257 > 172.29.11.207.39667: S 1416174328:1416174328(0) ack 3963453111 win 9112 <mss 536> (DF) (ttl 254, id 50440)
    21:26:26.282482 172.18.20.55.7 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50441)
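To make the packet matching described above concrete, here is an added example (not code from the book or from nmap) that builds the three kinds of response a SYN probe can receive and classifies each the way nmap does, walking the IP and ICMP headers rather than trusting fixed byte offsets (IP options would shift them). The frames are constructed; the addresses are the ones from the nmap run above.

```python
import struct
from ipaddress import IPv4Address

ETH_LEN = 14                        # Ethernet header: skipped by the decoder
ICMP_UNREACH, ADMIN_PROHIBITED = 3, 13
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header; only the ports and flags matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def classify(frame):
    """Classify one response to a SYN probe as 'open', 'unfiltered' or 'filtered',
    with the details a defender cares about (who answered, which port)."""
    if frame is None:                               # silence: nmap calls it filtered
        return "filtered", {"reason": "no response"}
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                        # header length, honours options
    proto, src, body = ip[9], str(IPv4Address(ip[12:16])), ip[ihl:]
    if proto == 6:                                  # TCP answer: target, or a firewall spoofing it
        sport = struct.unpack("!H", body[:2])[0]
        flags = body[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open", {"responder": src, "port": sport}
        if flags & TCP_RST:
            return "unfiltered", {"responder": src, "port": sport}
    if proto == 1 and body[0] == ICMP_UNREACH and body[1] == ADMIN_PROHIBITED:
        inner = body[8:]                            # quoted IP header + 8 bytes of our SYN
        inner_ihl = (inner[0] & 0x0F) * 4
        target = str(IPv4Address(inner[16:20]))
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
        return "filtered", {"filter": src, "target": target, "port": dport}
    return "filtered", {"reason": "unrecognised response"}


# Constructed frames (not captures from the page) using the text's addresses.
SCANNER, TARGET, FILTER = "172.29.11.207", "172.32.12.4", "10.55.2.1"
ETH = bytes(ETH_LEN)                                # dummy Ethernet header
OUR_SYN = ipv4(SCANNER, TARGET, 6, tcp(39667, 23, TCP_SYN))
SYN_ACK = ETH + ipv4(TARGET, SCANNER, 6, tcp(80, 39667, TCP_SYN | TCP_ACK))
RST_ACK = ETH + ipv4(TARGET, SCANNER, 6, tcp(53, 39667, TCP_RST | TCP_ACK))
ADMIN_PROHIBITED_REPLY = ETH + ipv4(FILTER, SCANNER, 1,
    struct.pack("!BBHI", ICMP_UNREACH, ADMIN_PROHIBITED, 0, 0) + OUR_SYN[:28])

if __name__ == "__main__":
    for name, frame in [("SYN/ACK", SYN_ACK), ("RST/ACK", RST_ACK),
                        ("ICMP 3/13", ADMIN_PROHIBITED_REPLY), ("silence", None)]:
        print(name, *classify(frame))
    # With this layout the blocked port's low byte lands at frame offset 0x41
    # and the filter's address at 0x1a-0x1d, the region the text points at.
    print(hex(ADMIN_PROHIBITED_REPLY[0x41]), ADMIN_PROHIBITED_REPLY[0x1a:0x1e].hex())
```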

Countermeasures

Prevention

To stop attackers from enumerating router and firewall ACLs through the "admin prohibited filter" technique, you can disable the router's ability to respond with ICMP type 13 packets. On Cisco, you can do this by blocking the device from responding with IP unreachable messages:

    no ip unreachables

5. Port identification

Some firewalls have a unique fingerprint that appears as a series of numbers distinguishing them from other firewalls. For example, Check Point displays a series of numbers when you connect to its SNMP management port, TCP 257. Although the mere presence of ports 256-259 on a system is usually a good indicator of Check Point's Firewall-1, the following test confirms it:

    [root@bldg_043]# nc -v -n 192.168.51.1 257
    (UNKNOWN) [192.168.51.1] 257 (?) open
    30000003

    [root@bldg_043]# nc -v -n 172.29.11.191 257
    (UNKNOWN) [172.29.11.191] 257 (?) open
    31000000

Countermeasures

Detection

To detect an attacker's connection to your ports, add a connection event in RealSecure. Follow these steps:

1. Edit the policy.
2. Select the Connection Events tab.
3. Select the Add Connection button, and enter an entry for Check Point.
4. Select the drop-down and select the Add button.
5. Enter the service and port, and click OK.
6. Select the new port, and click OK again.
7. Now select OK and reapply the policy to the engine.

Prevention

To stop connections to TCP port 257, block them at the upstream routers. A simple Cisco ACL like the one below can explicitly deny an attacker's attempt:

    access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans

III. Scanning through fir ewalls

Don't worry, this section is not about giving script kiddies magic techniques for disabling firewalls. Instead, we look at several techniques for dancing around firewalls and gathering important information about the various paths through and around them.

1. hping

hping (www.Genocide2600.com/~tattooman/scanners/hping066.tgz), by Salvatore Sanfilippo, works by sending TCP packets to a destination port and reporting the packets it receives back. hping returns a variety of responses depending on numerous conditions. Each packet, in part and as a whole, can provide a fairly clear picture of the firewall's access controls. For example, using hping we can discover open, blocked, dropped, and rejected packets.

In the following example, hping reports that port 80 is open and ready to receive a connection. We know this because it received a packet with the SA flags set (a SYN/ACK packet).

    [root@bldg_043 /opt]# hping www.yourcompany.com -c2 -S -p80 -n
    HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
    60 bytes from 172.30.1.20: flags=SA seq=0 ttl=242 id=65121 win=64240 time=144.4 ms

Now we know there is an open port through to the target, but we do not yet know where the firewall is. In the next example, hping reports receiving an ICMP unreachable type 13 from 192.168.70.2. An ICMP type 13 is an ICMP admin prohibited filter packet, usually sent from a packet-filtering router.

    [root@bldg_043 /opt]# hping www.yourcompany.com -c2 -S -p23 -n
    HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
    ICMP Unreachable type 13 from 192.168.70.2

Now it is confirmed: 192.168.70.2 is most likely the firewall, and we know it is explicitly blocking port 23 to our target. In other words, if the system is a Cisco router, it probably has a line like the one below in its config file:

    access-list 101 deny tcp any any eq 23 ! telnet

In the next example, we receive an RST/ACK packet back, signalling one of two things: (1) the packet got through the firewall and the host is not listening on that port, or (2) the firewall rejected the packet (as with Check Point's reject rule).

    [root@bldg_043 /opt]# hping 192.168.50.3 -c2 -S -p22 -n
    HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
    60 bytes from 192.168.50.3: flags=RA seq=0 ttl=59 id=0 win=0 time=0.3 ms

Because we received the ICMP type 13 packet above, we can infer that the firewall (192.168.70.2) is letting the packet through, but the host is not listening on that port. If the firewall you are scanning through is Check Point, hping reports the target's source IP address, but the packet is really being sent from the external NIC of the Check Point firewall. The tricky thing about Check Point is that it responds for its internal systems, sending a response and spoofing the target's address. However, when attackers hit one of these conditions on the Internet, they never know the difference, because the MAC address never reaches their machine. Finally, when a firewall is blocking packets to a port, you usually get nothing back.

    [root@bldg_043 /opt]# hping 192.168.50.3 -c2 -S -p22 -n
    HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes

This hping result can mean two things: (1) the packet could not reach the target and was lost along the way, or (2) more likely, a device (probably our firewall, 192.168.70.2) dropped the packet on the floor as part of its ACL rules.

Countermeasures

Prevention

Preventing an hping attack is not easy. At best, simply block ICMP type 13 messages (as described in the prevention section for nmap scanning above).

2. Firewalk

Firewalk (http://www.packetfactory.net/firewalk/) is a handy little tool that, like a port scanner, is used to discover open ports behind a firewall. Written by Mike Schiffman, also known as Route, and Dave Goldsmith, the utility scans a host downstream from a firewall and reports back the rules allowed through to that host without actually touching the host. Firewalk works by building packets with an IP TTL calculated to expire one hop past the firewall. In theory, if the packet is allowed by the firewall, it is let through and expires as expected, eliciting an "ICMP TTL expired in transit" message. On the other hand, if the packet is blocked by the firewall's ACL, it is dropped, and either no response is sent or an ICMP type 13 admin prohibited filter packet is sent.

    [root@exposed /root]# firewalk -pTCP -S135-140 10.22.3.1 192.168.1.1
    Ramping up hopcounts to binding host...
    probe: 1 TTL: 1 port 33434: expired from [exposed.acme.com]
    probe: 2 TTL: 2 port 33434: expired from [rtr.isp.net]
    probe: 3 TTL: 3 port 33434: Bound scan at 3 hops [rtr.isp.net]
    port 135: open
    port 136: open
    port 137: open
    port 138: open
    port 139: *
    port 140: open

The only problem we have run into with Firewalk is that it can be unpredictable: some firewalls detect the expired packet before checking their ACLs and send back an ICMP TTL EXPIRED packet anyway. As a result, Firewalk assumes that all ports are open.


Countermeasures

Prevention

You can block ICMP TTL EXPIRED packets at the external interface, but this may hurt performance, because legitimate clients connecting through would never learn what happened to their connection.

IV. Packet filtering

Packet-filtering firewalls such as Check Point's Firewall-1, Cisco PIX, and Cisco IOS (yes, Cisco IOS can be set up as a firewall) depend on ACLs (access control lists) or rules to determine whether traffic is authorized to pass into or out of the internal network. For the most part, these ACLs are well laid out and hard to get around. But often enough you stumble on a firewall with liberal ACLs that let some packets through wide open.

Liberal ACLs

Liberal access control lists (ACLs) are found on firewalls more often than we think. Consider the case of an organization that must let its ISP perform zone transfers. A liberal ACL such as "Allow all activity from source port 53" might be used instead of "allow activity from the ISP's DNS server with source port 53 and destination port 53." The risk of such misconfigurations can be truly devastating, letting a hacker scan the entire network from the outside. Most of these attacks begin with an attacker scanning a host behind the firewall while spoofing the source as port 53 (DNS).

Countermeasures

Prevention

Make sure the firewall rules restrict who can connect where. For example, if the ISP requires zone-transfer capability, then you must be explicit in your rules. Require a source IP address and hard-code the destination IP address (your internal DNS server) as well in the rule you create. If you are running a Check Point firewall, you can use the following rule to restrict a source port of 53 (DNS) to the ISP's DNS only. For example, if the ISP's DNS is 192.168.66.2 and your internal DNS is 172.30.140.1, you can use the rule below:

    Source        Destination    Service     Action   Track
    192.168.66.2  172.30.140.1   domain-tcp  Accept   Short
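The difference between the liberal rule and the tightened one can be checked with a small rule matcher. This is an added example, not code from the book or from Check Point: a first-match ACL evaluator run over two constructed packets, the legitimate zone transfer and a probe that forged its source port to 53; the outside address and the internal file server it aims at are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def evaluate(acl, pkt):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ISP_DNS, INTERNAL_DNS = "192.168.66.2", "172.30.140.1"   # addresses from the text

# The liberal rule the text warns about: anything with source port 53 is let in.
LIBERAL_ACL = [Rule("permit", "tcp", sport=53), Rule("permit", "udp", sport=53)]

# The tightened rule: only the ISP's DNS, only to our DNS, only port 53 to 53.
TIGHT_ACL = [Rule("permit", "tcp", src=f"{ISP_DNS}/32", dst=f"{INTERNAL_DNS}/32",
                  sport=53, dport=53)]

# Constructed traffic: the legitimate zone transfer, and a probe from an outside
# host that forged its source port to 53 to reach a file server behind the firewall.
ZONE_TRANSFER = Packet(ISP_DNS, INTERNAL_DNS, "tcp", 53, 53)
FORGED_PROBE = Packet("203.0.113.7", "172.30.140.25", "tcp", 53, 139)


def audit(acl):
    """Show what an ACL does with both packets."""
    return {"zone_transfer": evaluate(acl, ZONE_TRANSFER),
            "forged_probe": evaluate(acl, FORGED_PROBE)}


if __name__ == "__main__":
    print("liberal:", audit(LIBERAL_ACL))   # the forged probe gets through
    print("tight:  ", audit(TIGHT_ACL))     # the forged probe is denied
```

If the ISP's secondary actually connects from an ephemeral source port rather than 53, the tight rule must say so; the point is that the source and destination addresses are pinned, not that port 53 is special.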

V. ICMP and UDP tunneling

ICMP tunneling is the ability to encapsulate real data in an ICMP header. Many routers and firewalls blindly let ICMP ECHO, ICMP ECHO REPLY, and UDP packets through, and are therefore vulnerable to this kind of attack. As with the Check Point DNS weakness, the ICMP and UDP tunneling attack relies on an already compromised system behind the firewall. Jeremy Rauch and Mike D. Schiffman put the tunneling concept into practice and created the tools that exploit it: loki and lokid (client and server); see http://www.phrack.com/search.phtml?view&article=p49-6. If the lokid server tool is running on a system behind a firewall that allows ICMP ECHO and ECHO REPLY, you allow attackers to run the client tool (loki), which encapsulates every command sent in ICMP ECHO packets to the server (lokid). The lokid tool unwraps the commands, runs them locally, and encapsulates the commands' output in ICMP ECHO REPLY packets back to the attacker. Using this technique, attackers can bypass the firewall entirely.

Countermeasures

Prevention

To stop this kind of attack, disable ICMP access through the firewall or provide fine-grained access control over ICMP traffic. For example, the Cisco ACL below disables all ICMP traffic outside the 172.29.10.0 subnet (the DMZ) and the management targets:

    access-list 101 permit icmp any 172.29.10.0 0.0.0.255 8 ! echo
    access-list 101 permit icmp any 172.29.10.0 0.0.0.255 0 ! echo-reply
    access-list 101 deny ip any any log ! deny and log all else

Caution: if your ISP monitors the uptime of your systems behind your firewall with ICMP pings (not a good idea at all!), these ACLs will break that essential function of theirs. Contact your ISP to find out whether they use ICMP pings to check on your systems.
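A detection angle on the tunneling described above, as an added example that is not part of the original text or of loki: it inspects ICMP echo messages and flags payloads that do not look like any ping tool's filler or are oversized. The filler patterns (Windows and iputils pings) are an assumption of this example, the sample messages are constructed, and the check is a heuristic: a tunnel that mimics normal ping filler will pass it.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping payload


def looks_like_standard_ping(payload: bytes) -> bool:
    """Heuristic (an assumption of this example): a plain ping payload is either
    the Windows alphabet filler or the iputils filler, where byte i equals
    i & 0xFF after an 8- or 16-byte timestamp."""
    if payload[:len(WINDOWS_FILL)] == WINDOWS_FILL:
        return True
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if tail and tail == bytes((ts_len + i) & 0xFF for i in range(len(tail))):
            return True
    return False


def inspect_icmp(msg: bytes, max_payload: int = 64):
    """Inspect one ICMP message (header + payload). Returns (verdict, reasons):
    'ignore' for non-echo types, 'benign' for ordinary pings, 'suspicious' when
    the echo payload is oversized or matches no ping tool's filler."""
    if len(msg) < 8 or msg[0] not in (ECHO_REQUEST, ECHO_REPLY):
        return "ignore", []
    payload = msg[8:]
    reasons = []
    if len(payload) > max_payload:
        reasons.append(f"payload {len(payload)} bytes > {max_payload}")
    if not looks_like_standard_ping(payload):
        printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
        reasons.append(f"non-standard filler ({printable:.0%} printable)")
    return ("suspicious" if reasons else "benign"), reasons


def echo(payload: bytes, itype: int = ECHO_REQUEST) -> bytes:
    """Build an echo message: type, code, checksum (left 0), id, sequence."""
    return struct.pack("!BBHHH", itype, 0, 0, 0x1234, 1) + payload


# Constructed samples (not captures from the page).
LINUX_PING = echo(struct.pack("!QQ", 1_700_000_000, 123_456) + bytes(range(16, 56)))
WINDOWS_PING = echo(WINDOWS_FILL)
# Command text carried as the echo payload: the tunneling idea from the text,
# not loki's actual wire format.
COMMAND_IN_ECHO = echo(b"uname -a; id\n")
BULK_IN_REPLY = echo(bytes(1024), ECHO_REPLY)       # oversized reply carrying data out

if __name__ == "__main__":
    for name, m in [("linux ping", LINUX_PING), ("windows ping", WINDOWS_PING),
                    ("command", COMMAND_IN_ECHO), ("bulk reply", BULK_IN_REPLY)]:
        print(f"{name:12} {inspect_icmp(m)}")
```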


Summary

In practice, a well-configured firewall can be extremely hard to get past. But using information-gathering tools such as traceroute, hping, and nmap, attackers can discover (or at least infer) the access paths through routers and firewalls as well as the kind of firewall you are using. Many current weaknesses are due to firewall misconfiguration or a lack of administrative monitoring, but either way the result can be a catastrophic attack if exploited. Some weaknesses can exist in both proxies and packet-filtering firewalls, including unauthenticated web, telnet, and localhost logins. For the most part, specific countermeasures can be applied to prevent exploitation of these weaknesses, and in some cases only detection techniques are available. Many believe that the inevitable future of firewalls is a hybrid of application proxy and stateful packet-filtering technology that provides techniques for limiting misconfiguration. Reactive features will also be part of the next generation of firewalls. NAI implements one such form with its Active Security architecture. With it, as soon as an intrusion is detected, pre-designed changes are automatically triggered and applied to the affected firewall. For example, if an IDS can detect ICMP tunneling, the product can direct the firewall to close ICMP ECHO requests into the firewall. Such a scenario is always an opportunity for a denial-of-service attack; that is why experienced security staff must always be present.
