Embed Size (px)
Citation preview
“Hacking NGFW & NGIPS for Fun and Profit.”
Jonathan SuldoInformation Security Analyst @ Arma-Net
[email protected] Length:45 Min.
Topic
An Abstracted Penetration Testing Methodology for auditing Enterprise grade UTM, NGFW, SIEM,
and IDS/IPS
Http://www.Arma-Net.org Http://www.Braedenengr.com
Speaker: Jonathan SuldoContact E-Mail: [email protected]
TWITTER:@ArmaNet_
Introduction
Section - 1 Key Feature Differentiators between UTM, NGFW, Cisco ASA, and SIEM.
Intended to help you understand these products and how they’re usedSection - 2 Popular Detection IDS & FW utilities and their usage in typical network
topographies.
Section - 3 Methods and Tool-sets for Evading Firewalls and IDS Evasion Countermeasures IDS & FW Abstract Methodology IDS & FW Penetration Testing
Section - 4 Tools and Reporting Format utilized to translate and present metrics from
auditing data. Creation of your own Virtual Testing Lab/Testing Stack
Section – 5 Advanced Malware Emulation Advanced Evasion Techniques(APT) Testing
Objectives:Intent & Outline
Section - 1
Take-Away:
Section - 1
Market Leading Enterprise Security Appliance Vendors and their offerings.
Identifying Key features in next generation security appliances.
FW and IDS evasion tools and techniques
Counter Measures against common evasion techniques
Steps for creating a personalized “Abstract Penetration Testing Methodology”
Personal Lab Creation
Advanced Malware POC
Advanced AET
Logos /Names of popular NGFW
and UTM
Section - 1
Leading Enterprise UTMs Leading Enterprise NGFW
Unified Threat Management (UTM) sprung up as a term in about 2004 from the research company IDC
Defined an emerging class of products that combined multiple security features
Defined:
UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilized, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated.
Source: IDC, Worldwide Threat Management Security Appliances 2004-2008 Forecast and 2003 Vendor Shares: The Rise of the Unified Threat Management Security Appliance © 2004
Unified Threat Management
Key Differentiators UTM & NGFWOverview
Section - 1
Next-Generation Firewall (NGFW) sprang up in about 2011 with Gartner and Palo Alto Networks championing this term
Claimed uniqueness as a technology due to application control
Defined: A class of firewalls designed to filter network and
Internet traffic based upon the applications or traffic types using specific ports. The application-specific granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than more traditional firewalls. Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection. In many ways, a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.
-Webopedia
Next Generation FireWalls
Key Differentiators UTM & NGFWOverview - Continued
Section - 1
Next-generation firewalls are similar to UTM devices in that they are consolidated network security devices and operate as an inline security barrier with network security policy capabilities in real time. The most significant difference is that they provide a subset of the technologies included in most UTM solutions.
Can be a patchwork of stand-alone technologies can have the opposite effect on network visibility as well as performance. These threat-specific technologies don’t talk to each other easily (if at all). They lack central management and monitoring because each product operates on its own. Plus, data from individual devices aren't aggregated to create a complete or holistic view. How can you manage the security of a network if you can’t really see it end to end?
A NGFW focus on firewall, URL filtering, IPS filtering, de-encryption.
Are for ” Enterprise sized” networks-mobile workforces.
If single point of compromise If the UTM is successfully hacked, there may not be other layers deployed for protection(Buy an HA pair, deploy active-active cluster).
Performance issues - latency and bandwidth issues can arise since this is a “choke point” device that requires a lot of processing.
Have been traditionally engineered to work for medium and small size business setup
Many UTM platforms can become a single point of failure if exploited.
NGFW
VS
UTM
Key Differentiators UTM & NGFWOverview Continued
Enterprise Grade Security Solutions
UTM and NGFW
Section - 1
Granular visibility and control Tracks and logs slots for translations Provides web security onsite or in the cloud Works to combine stateful firewall with next generation network
security services "Cisco Secure PIX Firewall," filters both connection-oriented and
connection-less protocols based on whether a host inside has requested data. This is only one example of many where the granularity of a firewall exceeds that available on a router
Standalone appliances are tailor-made for small and midsize business Engineered to move away from Cisco ASA’s traditional means for
detection occurring on the session layer of OSI model or the TCP layer of TCP/IP
Cisco ASA 5500-X Series(FirePOWER )
Next-Generation Firewalls
Section - 1
Security Information Event Management
Section - 1
Popular SIEM Vendors
AlienVault: AlienVault Unified Security Management Platform OpenSource!
Hewlett-Packard : HP ArcSight ESM
LogRhythm:LogRhythm’s SIEM and Security Analytics Platform
McAfee :McAfee Enterprise Security Manager
SolarWinds : SolwarWinds Log & Event Manager
Splunk: Splunk Enterpise
Determine an Effective SIEM Solution
1.Does your SIEM Dashboard have too many non-actionable alerts?
2. Does your SIEM display and reports critical metrics on Dashboards?
3.Does your SIEM Dashboard support Drill down Functionality?
4. Does your SIEM detect early sign of Attacks on Internal and External Networks?
5. Does your SIEM detect classical internal network attacks like ARP Poisoning,
MITM Attacks, Exploitation, and New Devices connecting to network?
Real-Time Detection Capabilities
Can provide a range of tools and functionalities to facilitate the management of security-related events, by assessing log data and correlating information coming from various sources.
Advanced SIEM technologies support data visualization capabilities, which can help the security analyst quickly assess events and trends using graphical rendering tools.
Archived Record Management
Functions can be characterized as supporting non-real-time data analysis. Through the centralized collection and standardization of disparate system and application in formation (such as system logs, audit trails, event logs, and transaction records), the security analyst can consult the archive and retrieve information
One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use successive categories such as: Level 1: in the initial stages, organizations use different log-analyzers for analyzing the
logs in the devices on the security-perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.
Level 2: with increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security-perimeter.
Level 3: at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the enterprise — especially of those information-assets whose availability organizations regard as vital.
Level 4: organizations integrate the logs of various business-applications into an enterprise log manager for better value proposition.
Level 5: organizations merge the physical-access monitoring and the logical-access monitoring into a single view.
NIST:SDLC-SP800-64-Revision2
Development Life CycleSIEMS
Evasion Gateway: Applies known evasion techniques to
circumvent firewalls, routers ,and IDSs
A system that monitors the network and detects inappropriate, incorrect,
or anomalous activitiesVS
IDS VS IPS
• A system that detects intrusion or an attack and takes active steps to prevent them. Can alter actual network traffic malicious traffic is detected.
• Our Next-Generation IPS is designed with open APIs to interact with all of the best-of-breed technologies that you have already deployed in the multiple areas.
Section -
NIST Guide:SP800-94-IDPSHttp://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Intrusion Protection SystemIntrusion Detection System
IDS Network Implementation and Functions
Section - 2
IDS Network Implementation and Functions
Section - 2
Network-Based Intrusion Detection
-These mechanisms are placed inline on an network, set to
promiscuous mode in order to monitor traffic for signs of
intrusion.
Host-Based Intrusion Detection-These mechanisms monitor
events on a specific host.-Are uncommon due to require
continuous monitoring.
Log File Monitoring-These mechanisms log/parse
files “post-event”
File Integrity Checking-This mechanism will monitor file structure modification in
an attempt to recognize unauthorized system access.
Types of Intrusion Detection Systems
Intrusion Detection Tools
Intrusion Detection UtilitiesSNORT & TIPPING POINT
Typical Large Enterprise Network Layout
Section - 2
Firewall Architecture, Types, Detection:
Section - 2
Firewall Architecture, Types, Detection:
Section - 2
Firewall Architecture, Types, Detection
Section - 2
Insertion Attack Fragmentation Attack
EvasionNetBIOS/SMB HTTP[29-31] MSRPC[10, 11]
Denial-of-Service
Fragmentation Attack Overlapping Fragments
Obfuscation Time-to-live attacks
False Positive Generation Invalid RST packets
Session Splicing(Transformed URLs)
Urgency Flag
Unicode Evasion Polymorphic Shell code
ASSCI Shell code
IDS Evasion Techniques against Conventional Defenses
Section - 3
IP Address Spoofing Bypassing a Firewall through the ICMP Tunneling Method
(Loki ICMP Tunneling)
Bypass Blocked Sites Using Anonymous
Website Surfing Sites.
Source Routing(Yesernia Tool)
Bypassing a Firewall through the ACK
Tunneling Method
Bypass Blocked Sites Using Anonymous
Website Surfing Sites.
Tiny Fragments Bypassing a Firewall through the HTTP Tunneling Method
Bypassing a Firewall through a MITM Attack
Bypass Blocked Sites Using IP Address in
Place of URL
TCP-over-DNS Bypassing a Firewall through External
Systems
Arbitrary Code Execution
Layered Evasion
FW Evasion Techniques against Conventional Defenses
Section - 3
Firewall Evasion Tools
Snare Agent for Windows : http://www.intersectalliance.com AckCmd : http://ntsecurity.nu Tomahawk : http://tomahawk.sourceforge.net Atelier Web Firewall Tester : http://www.atelierweb.com Freenet : https://freenetproject.org Gtunnel : http://gardennetworks.org Hotspot Shield : http://www.anchorfree.com Proxifier : http://www.proxifier.com Vpn One Click : http://www.vpnoneclick.com
Packet Fragment Generators
Colasoft Packet Builder : http://www.colasoft.com CommView : http://www.tamos.com Hping3 : http://www.hping.org Multi-Generator (MGEN) : http://cs.itd.nrl.navy.mil Net-Inspect : http://search.cpan.org Nconvert : http://www.xnview.com fping 3 : http://fping.org NetScanTools Pro : http://www.netscantools.com Pktgen : http://www.linuxfoundation.org PacketMaker : http://www.jdsu.com
FW Evasion Tools & Packet Fragment Generators
Section - 3
Countermeasures To Provide protection against IDS/FW Evasion
Section - 3
Countermeasures To Provide Protection Against IDS/FW Evasion
Section - 3
Firewall/IDS pen testing is required to:
Check if firewall/IDS and components within network, properly enforce an organization's network security policy-Untrusted, DMZ, and Trusted.
Verify whether the security policy is correctly enforced by a sequence of firewall/IDS rules or not.-
Check the firewall/IDS for potential breaches
Check the strength of firewall/IDS protection against externally initiated attacks-Fire Wall Engress testing
Check the effectiveness of the network's security perimeter
Check how much information about a network is available from outside a network
Evaluate the correspondence of firewall/IDS rules with respect to the actions performed by them
Verify organization's firewall/ IDS policy enforcement
Specialized FW & IDS Penetration Testing Methodology
Section - 3
Fire-Wall Penetration Testing:Foot Printing
Section - 3
FireWall Penetration Testing
Section - 3
FireWall Penetration Testing
Section - 3
Firewall Penetration Testing-Continued
IDS Penetration Testing
Section - 3
IDS Penetration Testing
Section - 3
Latex
Dradis
Magic-Tree
KeepNote
Lab Notebook(**ELN) Ever note
Network Topography• Microsoft Visio
Tools and Format utilized to translate and present metrics from auditing
data
Section - 4
Reporting Criteria
Reporting ToolsDescription
Analysis/ Exposure
Recommendations
Reference: CVE
Testing Lab Creation
Choosing the Virtual Environment
Commercial Environment
Image Conversion
Convert Physical to virtual
All “normal” network traffic ,background load traffic, and exploit traffic is transmitted through the firewall, from external to internal. The same traffic is mirrored to multiple SPAN ports of the external gateway switch, to which network monitoring devices are connected. The network monitoring devices ensure that the total amount of traffic being sent and received by the DUT. The management interface is used to connect the appliance to the management console on a private subnet. This ensures that the firewall and console can communicate even when the target subnet is subjected to heavy loads.
Testing Methodology against NGFW and NGIPS
Section - 5
Exploit Testing against chained commonly used technologies
NGFW will be tested on it’s ability to block and prevent attacks , while maintaining several principle “functionality standards”
Testing for Traditional “first generation firewall”
Test Including: • Basic packet filtering Stateful multi- ‐layer inspection NAT VPN Highly Stable High Availability Application awareness/control User/group control Integrated IPS Ability to operate at layer 3 (“traditional”) External intelligence To enhance blocking decisions (i.e.,“reputation services”) Attack Replication taken from Threat Monitoring
Feeds
Security Effectiveness
Resistance to Evasion
Stability
Performance Management
Value
Minimal Packet Loss
DNS settings manipulation VS Blacklisted Domains• DGA Module DNS query
Process hiding• RootKits and BootKits• GPU RooKit-jellyfish, Demon,Win_jelly,
Sandbox Detection• Code Stalling
• Malware Environment Checks
Advanced Malware
Section - 5
Example Environment Checks-Python
Polymorphic Worms(Poli-worm) Polymorphic worms are a headache for IPS vendors with their
ability to change their “finger print” upon replication.• Used to self replicate(bypassing NIDS), and utilizing commonly
used protocols to “blend in”
Covert Channels Prevalent in todays mobile workforce-(BYOD/BYOWD)• Gmail-Trojan.IcoScript.A-POC code on Github• Evernote,GoogleDrive,DropBox
USB firmware• RowHammer• BadBios• BadUSB
Advanced Malware
Section - 5
Advanced Malware- AV Evasion 101
Attacking IPV6• IOT affecting the Threat Landscape• Rose Fragmentation Attack• Approaches to new IPv6 attack vectors:
-IPv6 issues: type/order extension header,# of occurrences, size, fields, Subsequent header value in each IPv6 fragment, Fragmentation(where it’ll be segmented/split)Chiron - An all-in-one IPv6 Pen Testing Framework(https://groups.google.com/forum/#!topic/ipv6hackers/hKkC1qszZ_8)
Experimenting with Hybrid(Multiple) AETs A Well known tool –Mcaffee ‘s Evader
Network based defenses essential against emerging Vulnerabilities.• Countered with anomaly based protection
Detection Avoidance When Conceptualizing AETs:• Security Intelligence Events, C&C Detection via protocol analysis• Contextual NGIPS Events• Endpoint Malware Events
Advanced Evasion TechniquesAET
Section - 5
Acknowledgement & Questions
Information for this talk was pulled from a multitude of open source resources related to the subject. I would like to extend a thanks and appropriate acknowledgment to all contributors.
