
Page 1: HackingAppliances_Fv

“Hacking NGFW & NGIPS for Fun and Profit.”

Jonathan Suldo, Information Security Analyst @ Arma-Net

[email protected]

Talk Length: 45 Min.

Topic

An Abstracted Penetration Testing Methodology for auditing Enterprise grade UTM, NGFW, SIEM,

and IDS/IPS

Page 2: HackingAppliances_Fv

Http://www.Arma-Net.org
Http://www.Braedenengr.com

Speaker: Jonathan Suldo
Contact E-Mail: [email protected]

Twitter: @ArmaNet_

Introduction

Page 3: HackingAppliances_Fv

Section - 1: Key Feature Differentiators between UTM, NGFW, Cisco ASA, and SIEM. Intended to help you understand these products and how they're used.

Section - 2: Popular Detection IDS & FW utilities and their usage in typical network topographies.

Section - 3: Methods and Tool-sets for Evading Firewalls and IDS; Evasion Countermeasures; IDS & FW Abstract Methodology; IDS & FW Penetration Testing.

Section - 4: Tools and Reporting Format utilized to translate and present metrics from auditing data. Creation of your own Virtual Testing Lab/Testing Stack.

Section - 5: Advanced Malware Emulation; Advanced Evasion Techniques (AET) Testing.

Objectives: Intent & Outline

Section - 1

Page 4: HackingAppliances_Fv

Take-Away:

Section - 1

Market Leading Enterprise Security Appliance Vendors and their offerings.

Identifying Key features in next generation security appliances.

FW and IDS evasion tools and techniques

Counter Measures against common evasion techniques

Steps for creating a personalized “Abstract Penetration Testing Methodology”

Personal Lab Creation

Advanced Malware POC

Advanced AET

Page 5: HackingAppliances_Fv

Logos /Names of popular NGFW

and UTM

Section - 1

Leading Enterprise UTMs Leading Enterprise NGFW

Page 6: HackingAppliances_Fv

Unified Threat Management (UTM) sprung up as a term in about 2004 from the research company IDC

Defined an emerging class of products that combined multiple security features

Defined:

UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilized, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated.

Source: IDC, Worldwide Threat Management Security Appliances 2004-2008 Forecast and 2003 Vendor Shares: The Rise of the Unified Threat Management Security Appliance © 2004

Unified Threat Management

Key Differentiators UTM & NGFW: Overview

Section - 1

Page 7: HackingAppliances_Fv

Next-Generation Firewall (NGFW) sprang up in about 2011, with Gartner and Palo Alto Networks championing this term

Claimed uniqueness as a technology due to application control

Defined: A class of firewalls designed to filter network and Internet traffic based upon the applications or traffic types using specific ports. The application-specific granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than more traditional firewalls. Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection. In many ways, a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.

- Webopedia

Next Generation Firewalls

Key Differentiators UTM & NGFW: Overview - Continued

Section - 1

Page 8: HackingAppliances_Fv

Next-generation firewalls are similar to UTM devices in that they are consolidated network security devices and operate as an inline security barrier with network security policy capabilities in real time. The most significant difference is that they provide a subset of the technologies included in most UTM solutions.

A patchwork of stand-alone technologies can have the opposite effect on network visibility as well as performance. These threat-specific technologies don't talk to each other easily (if at all). They lack central management and monitoring because each product operates on its own. Plus, data from individual devices aren't aggregated to create a complete or holistic view. How can you manage the security of a network if you can't really see it end to end?

NGFW:

- Focuses on firewall, URL filtering, IPS filtering, and de-encryption.

- Intended for "Enterprise sized" networks and mobile workforces.

UTM:

- Single point of compromise: if the UTM is successfully hacked, there may not be other layers deployed for protection (buy an HA pair, deploy an active-active cluster).

- Performance issues: latency and bandwidth issues can arise since this is a "choke point" device that requires a lot of processing.

- Has traditionally been engineered for medium and small size business setups.

- Many UTM platforms can become a single point of failure if exploited.

NGFW vs UTM

Key Differentiators UTM & NGFW: Overview Continued

Page 9: HackingAppliances_Fv

Enterprise Grade Security Solutions

UTM and NGFW

Section - 1

Page 10: HackingAppliances_Fv

- Granular visibility and control

- Tracks and logs slots for translations

- Provides web security onsite or in the cloud

- Works to combine stateful firewall with next generation network security services

- "Cisco Secure PIX Firewall" filters both connection-oriented and connection-less protocols based on whether a host inside has requested data. This is only one example of many where the granularity of a firewall exceeds that available on a router.

- Standalone appliances are tailor-made for small and midsize business

- Engineered to move away from Cisco ASA's traditional means for detection, which occurs on the session layer of the OSI model or the TCP layer of TCP/IP

Cisco ASA 5500-X Series (FirePOWER) Next-Generation Firewalls

Section - 1

Page 11: HackingAppliances_Fv

Security Information Event Management

Section - 1

Popular SIEM Vendors

AlienVault: AlienVault Unified Security Management Platform (Open Source!)

Hewlett-Packard: HP ArcSight ESM

LogRhythm: LogRhythm's SIEM and Security Analytics Platform

McAfee: McAfee Enterprise Security Manager

SolarWinds: SolarWinds Log & Event Manager

Splunk: Splunk Enterprise

Page 12: HackingAppliances_Fv

Determine an Effective SIEM Solution

1. Does your SIEM Dashboard have too many non-actionable alerts?

2. Does your SIEM display and report critical metrics on Dashboards?

3. Does your SIEM Dashboard support drill-down functionality?

4. Does your SIEM detect early signs of attacks on internal and external networks?

5. Does your SIEM detect classical internal network attacks like ARP poisoning, MITM attacks, exploitation, and new devices connecting to the network?

Real-Time Detection Capabilities

Can provide a range of tools and functionalities to facilitate the management of security-related events, by assessing log data and correlating information coming from various sources.

Advanced SIEM technologies support data visualization capabilities, which can help the security analyst quickly assess events and trends using graphical rendering tools.

Archived Record Management

These functions can be characterized as supporting non-real-time data analysis. Through the centralized collection and standardization of disparate system and application information (such as system logs, audit trails, event logs, and transaction records), the security analyst can consult the archive and retrieve information.
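The real-time detection capability described above (correlating information from several sources) and question 5 on the checklist (new devices connecting to the network) can be shown with a small correlation routine. This is an added example written for this page, not code from the talk or from any of the SIEM products listed; the DHCP and sshd log lines, the asset inventory, the thresholds and all host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events from two sources: a DHCP server and an SSH daemon.
# Timestamps are epoch seconds. None of these lines come from a real system.
DHCP_LOG = [
    "1700000000 DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (laptop-01)",
    "1700000100 DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:02 (printer-02)",
    "1700000200 DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (unknown-host)",
]
AUTH_LOG = [
    "1700000210 sshd: Failed password for admin from 10.0.1.77 port 51000",
    "1700000215 sshd: Failed password for admin from 10.0.1.77 port 51001",
    "1700000220 sshd: Failed password for admin from 10.0.1.77 port 51002",
    "1700000230 sshd: Accepted password for admin from 10.0.1.77 port 51003",
    "1700000400 sshd: Failed password for bob from 10.0.1.20 port 40000",
]

# Asset inventory the analyst maintains (constructed); any other MAC is a "new device".
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

DHCP_RE = re.compile(r"^(\d+) DHCPACK on (\S+) to (\S+) \((\S+)\)$")
AUTH_RE = re.compile(r"^(\d+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")


def new_devices(dhcp_lines, known_macs):
    """Return {ip: mac} for leases handed out to MAC addresses not in the inventory."""
    found = {}
    for line in dhcp_lines:
        m = DHCP_RE.match(line)
        if m and m.group(3) not in known_macs:
            found[m.group(2)] = m.group(3)
    return found


def brute_force_then_success(auth_lines, threshold=3, window=60):
    """Flag a source IP with >= threshold failures followed by a success within `window` seconds."""
    failures = defaultdict(list)  # src_ip -> timestamps of failed logins
    hits = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if outcome == "Failed":
            failures[src].append(ts)
        else:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"src": src, "user": user, "failures": len(recent), "at": ts})
    return hits


def correlate(dhcp_lines, auth_lines, known_macs):
    """Join the two detections: a brute-force success from a device the inventory has never seen
    is raised to critical, the same pattern from a known asset stays high."""
    unknown = new_devices(dhcp_lines, known_macs)
    alerts = []
    for hit in brute_force_then_success(auth_lines):
        if hit["src"] in unknown:
            alerts.append({**hit, "mac": unknown[hit["src"]], "severity": "critical"})
        else:
            alerts.append({**hit, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(DHCP_LOG, AUTH_LOG, KNOWN_MACS):
        print(alert)
```

Neither source alone is actionable: a handful of failed logins is noise, and an unknown MAC may be a visitor's laptop. The joined event is what earns a place on a dashboard, which is the point of the "too many non-actionable alerts" question.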

Page 13: HackingAppliances_Fv

One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use successive categories such as:

Level 1: in the initial stages, organizations use different log-analyzers for analyzing the logs of the devices on the security perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.

Level 2: with increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security perimeter.

Level 3: at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the enterprise, especially of those information assets whose availability organizations regard as vital.

Level 4: organizations integrate the logs of various business applications into an enterprise log manager for a better value proposition.

Level 5: organizations merge physical-access monitoring and logical-access monitoring into a single view.

NIST: SDLC - SP800-64 Revision 2

SIEM Development Life Cycle

Page 14: HackingAppliances_Fv

Evasion Gateway: Applies known evasion techniques to circumvent firewalls, routers, and IDSs

IDS vs IPS

Intrusion Detection System

• A system that monitors the network and detects inappropriate, incorrect, or anomalous activities

Intrusion Protection System

• A system that detects an intrusion or an attack and takes active steps to prevent it. Can alter actual network traffic when malicious traffic is detected.

• Our Next-Generation IPS is designed with open APIs to interact with all of the best-of-breed technologies that you have already deployed in the multiple areas.

Section -

NIST Guide: SP800-94 IDPS
Http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Page 15: HackingAppliances_Fv

IDS Network Implementation and Functions

Section - 2

Page 16: HackingAppliances_Fv

IDS Network Implementation and Functions

Section - 2

Page 17: HackingAppliances_Fv

Network-Based Intrusion Detection
- These mechanisms are placed inline on a network, set to promiscuous mode in order to monitor traffic for signs of intrusion.

Host-Based Intrusion Detection
- These mechanisms monitor events on a specific host.
- Are uncommon because they require continuous monitoring.

Log File Monitoring
- These mechanisms log/parse files "post-event".

File Integrity Checking
- This mechanism monitors file structure modification in an attempt to recognize unauthorized system access.

Types of Intrusion Detection Systems
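The file integrity checking mechanism from the list above, as an added example (written for this page, not taken from the talk or from any integrity-checking product): a baseline of size, permission bits and SHA-256 is recorded for every regular file under a root, a later scan is compared against it, and each path is classified. The `demo()` scenario builds a constructed directory in a temporary folder, tampers with it and re-scans; every file name and content in it is made up.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record (size, permission bits, sha256) for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
                "sha256": hash_file(path),
            }
    return baseline


def compare(baseline, current):
    """Classify every path as added, removed, modified (content) or mode_changed.
    A content change takes precedence over a permission change on the same file."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            b, c = baseline[rel], current[rel]
            if b["sha256"] != c["sha256"]:
                report["modified"].append(rel)
            elif b["mode"] != c["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo():
    """Constructed scenario: take a baseline, simulate unauthorized changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)
        baseline = build_baseline(root)

        # Simulated changes an attacker might leave behind: an extra uid-0 account,
        # an unexpected file dropped at the root, and hosts made world-writable.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("extra:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"\x7fELF")
        os.chmod(os.path.join(etc, "hosts"), 0o666)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline has to live somewhere the monitored host cannot rewrite it (signed, or on a separate system), otherwise an attacker with write access simply updates the baseline along with the files.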

Page 18: HackingAppliances_Fv

Intrusion Detection Tools

Intrusion Detection Utilities: SNORT & TIPPING POINT

Page 19: HackingAppliances_Fv

Typical Large Enterprise Network Layout

Section - 2

Page 20: HackingAppliances_Fv

Firewall Architecture, Types, Detection:

Section - 2

Page 21: HackingAppliances_Fv

Firewall Architecture, Types, Detection:

Section - 2

Page 22: HackingAppliances_Fv

Firewall Architecture, Types, Detection

Section - 2

Page 23: HackingAppliances_Fv

- Insertion Attack
- Fragmentation Attack
- Evasion
- NetBIOS/SMB, HTTP [29-31], MSRPC [10, 11]
- Denial-of-Service
- Overlapping Fragments
- Obfuscation
- Time-to-live attacks
- False Positive Generation
- Invalid RST packets
- Session Splicing (Transformed URLs)
- Urgency Flag
- Unicode Evasion
- Polymorphic Shell code
- ASCII Shell code

IDS Evasion Techniques against Conventional Defenses

Section - 3
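Insertion attacks and overlapping fragments from the list above both exploit the same gap: the sensor and the end host may reassemble the same fragments differently, so the sensor inspects one stream while the host executes another. The countermeasure is reassembly-aware inspection that notices when fragments overlap with conflicting data and reports both candidate streams instead of silently picking one. The routine below is an added example written for this page (not the talk's material and not how any listed product implements it); it works on plain byte fragments rather than real IP packets, and the two fragment sets are constructed.

```python
from collections import namedtuple

# A fragment is just (byte offset, payload); transport headers are out of scope here.
Fragment = namedtuple("Fragment", "offset payload")

# Constructed inputs. SAMPLE contains an overlap whose bytes disagree; BENIGN overlaps
# too (retransmission-style) but with identical bytes, which is not suspicious.
SAMPLE = [
    Fragment(0, b"GET /index"),
    Fragment(10, b".html HTTP/1.0"),
    Fragment(4, b"/admin"),  # arrives last, covers offsets 4-9 with different content
]
BENIGN = [
    Fragment(0, b"GET /index"),
    Fragment(8, b"ex.html HTTP/1.0"),  # offsets 8-9 repeat "ex" exactly
]


def reassemble(fragments, policy="first"):
    """Reassemble in arrival order. policy='first' keeps the byte first seen at an offset,
    policy='last' lets a later fragment overwrite it. Offsets never written stay 0x00."""
    if not fragments:
        return b""
    end = max(f.offset + len(f.payload) for f in fragments)
    buf = bytearray(end)
    seen = [False] * end
    for frag in fragments:
        for i, b in enumerate(frag.payload):
            pos = frag.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = b
            seen[pos] = True
    return bytes(buf)


def find_conflicts(fragments):
    """Byte offsets where two fragments overlap and carry different data."""
    content = {}
    conflicts = set()
    for frag in fragments:
        for i, b in enumerate(frag.payload):
            pos = frag.offset + i
            if pos in content and content[pos] != b:
                conflicts.add(pos)
            content.setdefault(pos, b)
    return sorted(conflicts)


def assess(fragments):
    """What a reassembly-aware sensor should report: both candidate streams, the conflicting
    offsets, and whether the choice of policy changes what gets inspected."""
    first = reassemble(fragments, "first")
    last = reassemble(fragments, "last")
    return {
        "first_wins": first,
        "last_wins": last,
        "conflicting_offsets": find_conflicts(fragments),
        "ambiguous": first != last,
    }


if __name__ == "__main__":
    for name, frags in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, assess(frags))
```

Overlap by itself is not evidence; identical overlapping bytes happen with retransmissions. The signal is a non-empty `conflicting_offsets` list, and the sensible response is to inspect both reconstructions (or drop the datagram) rather than trust either one. Snort's target-based reassembly preprocessors exist for exactly this reason, but the overlap policy has to be configured per protected host OS for it to help.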

Page 24: HackingAppliances_Fv

- IP Address Spoofing
- Bypassing a Firewall through the ICMP Tunneling Method (Loki ICMP Tunneling)
- Bypass Blocked Sites Using Anonymous Website Surfing Sites
- Source Routing (Yersinia Tool)
- Bypassing a Firewall through the ACK Tunneling Method
- Tiny Fragments
- Bypassing a Firewall through the HTTP Tunneling Method
- Bypassing a Firewall through a MITM Attack
- Bypass Blocked Sites Using IP Address in Place of URL
- TCP-over-DNS
- Bypassing a Firewall through External Systems
- Arbitrary Code Execution
- Layered Evasion

FW Evasion Techniques against Conventional Defenses

Section - 3

Page 25: HackingAppliances_Fv

Firewall Evasion Tools

- Snare Agent for Windows: http://www.intersectalliance.com
- AckCmd: http://ntsecurity.nu
- Tomahawk: http://tomahawk.sourceforge.net
- Atelier Web Firewall Tester: http://www.atelierweb.com
- Freenet: https://freenetproject.org
- Gtunnel: http://gardennetworks.org
- Hotspot Shield: http://www.anchorfree.com
- Proxifier: http://www.proxifier.com
- Vpn One Click: http://www.vpnoneclick.com

Packet Fragment Generators

- Colasoft Packet Builder: http://www.colasoft.com
- CommView: http://www.tamos.com
- Hping3: http://www.hping.org
- Multi-Generator (MGEN): http://cs.itd.nrl.navy.mil
- Net-Inspect: http://search.cpan.org
- Nconvert: http://www.xnview.com
- fping 3: http://fping.org
- NetScanTools Pro: http://www.netscantools.com
- Pktgen: http://www.linuxfoundation.org
- PacketMaker: http://www.jdsu.com

FW Evasion Tools & Packet Fragment Generators

Section - 3

Page 26: HackingAppliances_Fv

Countermeasures To Provide protection against IDS/FW Evasion

Section - 3

Page 27: HackingAppliances_Fv

Countermeasures To Provide Protection Against IDS/FW Evasion

Section - 3

Page 28: HackingAppliances_Fv

Firewall/IDS pen testing is required to:

- Check whether the firewall/IDS and the components within the network properly enforce the organization's network security policy across the Untrusted, DMZ, and Trusted zones.

- Verify whether the security policy is correctly enforced by the sequence of firewall/IDS rules.

- Check the firewall/IDS for potential breaches.

- Check the strength of firewall/IDS protection against externally initiated attacks (firewall egress testing).

- Check the effectiveness of the network's security perimeter.

- Check how much information about the network is available from outside the network.

- Evaluate the correspondence of firewall/IDS rules with respect to the actions they perform.

- Verify the organization's firewall/IDS policy enforcement.

Specialized FW & IDS Penetration Testing Methodology

Section - 3
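The first two items on the checklist (does the rule base enforce the zone policy, and do the rules actually do what they claim) can be checked mechanically before any packets are sent. The audit below is an added example written for this page, not the talk's methodology or any vendor's tool. It assumes a first-match rule base with an implicit deny, a three-zone model (Untrusted, DMZ, Trusted) expressed as address ranges, and a policy table of which zone-to-zone flows are supposed to be permitted; the zones, rules, policy and probe flows are all constructed with documentation address ranges.

```python
import ipaddress

# Constructed zone model. Untrusted is the catch-all; the most specific zone wins.
ZONES = {
    "untrusted": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
}

# Constructed written policy: destination ports allowed per (source zone, destination zone).
# Any pair or port not listed here is supposed to be denied.
POLICY_ALLOW = {
    ("untrusted", "dmz"): {443},
    ("trusted", "dmz"): {443, 22},
    ("trusted", "untrusted"): {80, 443},
    ("dmz", "trusted"): set(),
}

# Constructed rule base as the firewall evaluates it: first match wins, implicit deny at the end.
# dport None means "any port".
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "dport": 443, "action": "allow"},
    {"id": 2, "src": "10.0.0.0/8", "dst": "192.0.2.0/24", "dport": 22, "action": "allow"},
    {"id": 3, "src": "192.0.2.10/32", "dst": "10.0.0.0/8", "dport": 3306, "action": "allow"},
    {"id": 4, "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": None, "action": "allow"},
    {"id": 5, "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 25, "action": "deny"},
]

# Constructed probe flows (src, dst, dport) spanning every zone pair the policy mentions.
PROBES = [
    ("198.51.100.7", "192.0.2.10", 443),
    ("192.0.2.10", "10.1.2.3", 3306),
    ("10.1.2.3", "203.0.113.5", 25),
    ("10.1.2.3", "192.0.2.10", 22),
    ("198.51.100.7", "10.1.2.3", 22),
]


def zone_of(ip):
    """Most specific zone containing `ip` (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    candidates = [z for z, net in ZONES.items() if addr in net]
    return max(candidates, key=lambda z: ZONES[z].prefixlen)


def evaluate(rules, src, dst, dport):
    """First-match evaluation of the rule base; returns (action, matching rule id or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"])
                and (r["dport"] is None or r["dport"] == dport)):
            return r["action"], r["id"]
    return "deny", None


def policy_says(src, dst, dport):
    """What the written policy expects for this flow."""
    allowed = POLICY_ALLOW.get((zone_of(src), zone_of(dst)), set())
    return "allow" if dport in allowed else "deny"


def audit(rules, probes):
    """Every probe where the rule base disagrees with the written policy."""
    findings = []
    for src, dst, dport in probes:
        got, rule_id = evaluate(rules, src, dst, dport)
        want = policy_says(src, dst, dport)
        if got != want:
            findings.append({"flow": (src, dst, dport), "expected": want, "got": got, "rule": rule_id})
    return findings


def shadowed_rules(rules):
    """(later id, earlier id) pairs where an earlier rule fully covers a later one, so the
    later rule can never match. A shadowed deny is a classic sign of a broken rule base."""
    shadowed = []
    for i, later in enumerate(rules):
        ls, ld = ipaddress.ip_network(later["src"]), ipaddress.ip_network(later["dst"])
        for earlier in rules[:i]:
            es, ed = ipaddress.ip_network(earlier["src"]), ipaddress.ip_network(earlier["dst"])
            if ls.subnet_of(es) and ld.subnet_of(ed) and earlier["dport"] in (None, later["dport"]):
                shadowed.append((later["id"], earlier["id"]))
                break
    return shadowed


if __name__ == "__main__":
    for f in audit(RULES, PROBES):
        print("policy violation:", f)
    print("shadowed rules:", shadowed_rules(RULES))
```

On the constructed rule base the audit finds two violations: rule 3 lets a DMZ host reach the trusted network on 3306, which the policy forbids, and rule 4 allows trusted-to-anywhere on every port, so the SMTP deny in rule 5 is shadowed and never fires. Both are exactly the "rules versus the actions they perform" discrepancies the checklist asks for, and the static pass tells you which flows deserve a live probe through the appliance.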

Page 29: HackingAppliances_Fv

Firewall Penetration Testing: Footprinting

Section - 3

Page 30: HackingAppliances_Fv

Firewall Penetration Testing

Section - 3

Page 31: HackingAppliances_Fv

Firewall Penetration Testing

Section - 3

Page 32: HackingAppliances_Fv

Firewall Penetration Testing-Continued

Page 33: HackingAppliances_Fv

IDS Penetration Testing

Section - 3

Page 34: HackingAppliances_Fv

IDS Penetration Testing

Section - 3

Page 35: HackingAppliances_Fv

Reporting Tools:

- LaTeX
- Dradis
- Magic-Tree
- KeepNote
- Lab Notebook (ELN): Evernote

Network Topography:

- Microsoft Visio

Tools and Format utilized to translate and present metrics from auditing data

Section - 4

Reporting Criteria:

- Description
- Analysis/Exposure
- Recommendations
- Reference: CVE

Page 36: HackingAppliances_Fv

Testing Lab Creation

Choosing the Virtual Environment

Commercial Environment

Image Conversion

Convert Physical to virtual

All "normal" network traffic, background load traffic, and exploit traffic is transmitted through the firewall, from external to internal. The same traffic is mirrored to multiple SPAN ports of the external gateway switch, to which network monitoring devices are connected. The network monitoring devices ensure that the total amount of traffic being sent and received by the DUT. The management interface is used to connect the appliance to the management console on a private subnet. This ensures that the firewall and console can communicate even when the target subnet is subjected to heavy loads.

Page 37: HackingAppliances_Fv

Testing Methodology against NGFW and NGIPS

Section - 5

Exploit Testing against chained commonly used technologies

The NGFW will be tested on its ability to block and prevent attacks, while maintaining several principal "functionality standards".

Testing for Traditional "first generation firewall"

Tests including:

• Basic packet filtering
• Stateful multi-layer inspection
• NAT
• VPN
• Highly Stable
• High Availability
• Application awareness/control
• User/group control
• Integrated IPS
• Ability to operate at layer 3 ("traditional")
• External intelligence to enhance blocking decisions (i.e., "reputation services")
• Attack Replication taken from Threat Monitoring Feeds

Security Effectiveness

Resistance to Evasion

Stability

Performance Management

Value

Minimal Packet Loss

Page 38: HackingAppliances_Fv

DNS settings manipulation vs Blacklisted Domains
• DGA Module DNS query

Process hiding
• RootKits and BootKits
• GPU Rootkit: Jellyfish, Demon, Win_jelly

Sandbox Detection
• Code Stalling
• Malware Environment Checks

Advanced Malware

Section - 5

Example Environment Checks-Python
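The detection side of the "DNS settings manipulation vs Blacklisted Domains / DGA Module DNS query" bullet: a blocklist catches the domains you already know, while a DGA-generated name is new every day, so the sensor also has to score the shape of the names a client asks for. The scorer below is an added example written for this page, not code from the talk; the DNS query log lines, the blocklist entry, the entropy and vowel-ratio thresholds and the per-client count are all constructed, and the two-label "registrable domain" split is a simplification that ignores public-suffix rules.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log: "timestamp client qname". No line comes from a real network.
DNS_LOG = [
    "1700000001 10.0.1.20 www.example.com",
    "1700000002 10.0.1.20 mail.example.com",
    "1700000003 10.0.1.77 xk3j9qzv8tlp2w.com",
    "1700000004 10.0.1.77 q7r2mzv9b1xkd0.net",
    "1700000005 10.0.1.77 w9z2kq1vx7mbt3.org",
    "1700000006 10.0.1.77 p2v7kqx9zm3tb8.com",
    "1700000007 10.0.1.20 cdn.example.com",
    "1700000008 10.0.1.77 evil-c2.example",
]
# Constructed blocklist standing in for a threat feed of known bad domains.
BLOCKLIST = {"evil-c2.example"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label (assumption: two-label split, no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic DGA check on the registrable label: long, high entropy, few vowels.
    Thresholds are constructed for this example and would be tuned against real traffic."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyze(lines, blocklist, dga_threshold=3):
    """Blocklist hits are raised per query; DGA-like names are only raised once a client
    has asked for `dga_threshold` distinct ones, because a single odd name is common."""
    per_client = defaultdict(set)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if qname.lower() in blocklist:
            alerts.append({"type": "blocklist", "client": client, "qname": qname, "ts": int(ts)})
        if looks_generated(qname):
            per_client[client].add(qname)
    for client, names in per_client.items():
        if len(names) >= dga_threshold:
            alerts.append({"type": "dga_like", "client": client, "count": len(names)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(DNS_LOG, BLOCKLIST):
        print(alert)
```

CDN and cloud hostnames also produce long hashed-looking labels, so in practice the entropy score is combined with NXDOMAIN rate and domain age, and the per-client threshold keeps one odd lookup from paging anyone.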

Page 39: HackingAppliances_Fv

Polymorphic Worms (Poli-worm)
• Polymorphic worms are a headache for IPS vendors with their ability to change their "finger print" upon replication.
• Used to self replicate (bypassing NIDS), utilizing commonly used protocols to "blend in".

Covert Channels
• Prevalent in today's mobile workforce (BYOD/BYOWD)
• Gmail: Trojan.IcoScript.A, POC code on Github
• Evernote, GoogleDrive, DropBox

USB firmware
• RowHammer
• BadBios
• BadUSB

Advanced Malware

Section - 5

Page 40: HackingAppliances_Fv

Advanced Malware- AV Evasion 101

Page 41: HackingAppliances_Fv

Attacking IPv6
• IoT affecting the Threat Landscape
• Rose Fragmentation Attack
• Approaches to new IPv6 attack vectors:
- IPv6 issues: type/order of extension headers, number of occurrences, size, fields, subsequent header value in each IPv6 fragment, fragmentation (where it'll be segmented/split)
- Chiron - An all-in-one IPv6 Pen Testing Framework (https://groups.google.com/forum/#!topic/ipv6hackers/hKkC1qszZ_8)

Experimenting with Hybrid (Multiple) AETs
• A well known tool: McAfee's Evader

Network based defenses are essential against emerging vulnerabilities.
• Countered with anomaly based protection

Detection Avoidance When Conceptualizing AETs:
• Security Intelligence Events, C&C Detection via protocol analysis
• Contextual NGIPS Events
• Endpoint Malware Events

Advanced Evasion Techniques (AET)

Section - 5

Page 42: HackingAppliances_Fv

Acknowledgement & Questions

Information for this talk was pulled from a multitude of open source resources related to the subject. I would like to extend a thanks and appropriate acknowledgment to all contributors.