Problems With Firewalls

A firewall can consist of a router, a personal computer, a host, or a collection of hosts. Firewalls represent a restriction on information flow and, as such, are not always treated favorably. The following problems restrict their application and use.

1. Firewalls block some services to the outside world such as TELNET, FTP, X Windows, and NFS that users inside the network want. In some cases, these services are needed by the network and would require major network re-structuring if blocked.

2. Firewalls do not protect against back door attacks. A back door attack could include a modem attack which could allow the use of a Serial Line IP (SLIP) or a Point-to-Point Protocol (PPP) connection.

3. Attacks from inside the network (insider attacks) are not restricted by a network firewall.

4. Information servers and clients, such as those for the World Wide Web, gopher, and WAIS, expose firewalls to data-driven attacks, whereby the data processed by the clients can contain instructions to the clients.

5. Encapsulated packets, such as those used for multicast IP transmissions, are forwarded through the firewall without an examination of their contents. These packets can contain viruses or commands which could alter security mechanisms in place.

Where is Protection Applied

Although there are sometimes problems, packet filtering is normally employed using a packet filter router. IP packets can be filtered based on source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. Adding TCP or UDP port filtering to IP address filtering adds flexibility to the firewall design. Protocols commonly filtered include tftp, X Windows, RPC, rlogin, rsh, and rexec.
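As an added example (not part of the original text), the following Python models the packet filter described above: rules match on protocol, source and destination address prefix, and TCP/UDP ports, the services named in the paragraph are denied explicitly, and any packet no rule covers falls through to a default deny. The internal network 192.0.2.0/24, the bastion host 192.0.2.10, and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed table of the services the text lists for blocking, by well-known port.
BLOCKED_SERVICES = {"tftp": ("udp", 69), "rpc-portmapper": ("tcp", 111),
                    "rexec": ("tcp", 512), "rlogin": ("tcp", 513),
                    "rsh": ("tcp", 514), "x11": ("tcp", 6000)}

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # "tcp", "udp", or None for any protocol
    src: str = "0.0.0.0/0"        # source address prefix
    dst: str = "0.0.0.0/0"        # destination address prefix
    sport: Optional[int] = None   # None matches any source port
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt) -> bool:
        proto, src, dst, sport, dport = pkt
        return (self.proto in (None, proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def filter_packet(rules, pkt) -> str:
    """First-match evaluation; anything no rule covers is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed policy: explicit denies for the risky services first, then narrow
# permits for SMTP and TELNET to a single bastion host, then the implicit deny.
POLICY = [Rule("deny", p, dport=port) for p, port in BLOCKED_SERVICES.values()]
POLICY += [Rule("permit", "tcp", dst="192.0.2.10/32", dport=25),
           Rule("permit", "tcp", dst="192.0.2.10/32", dport=23)]

# Constructed sample packets as (proto, src, dst, sport, dport).
SAMPLE_PACKETS = {
    "smtp_to_bastion": ("tcp", "198.51.100.7", "192.0.2.10", 40000, 25),
    "rlogin_to_host":  ("tcp", "198.51.100.7", "192.0.2.20", 40001, 513),
    "tftp_to_host":    ("udp", "198.51.100.7", "192.0.2.20", 40002, 69),
    "telnet_to_host":  ("tcp", "198.51.100.7", "192.0.2.20", 40003, 23),
}

def evaluate_all():
    return {n: filter_packet(POLICY, p) for n, p in SAMPLE_PACKETS.items()}
```

Note that rule order matters: the explicit denies are placed before the permits so that a permit for a host never accidentally opens one of the blocked services on it.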

Software applications are also available which forward and filter connections for services such as TELNET and FTP. These are referred to as proxy services, and when combined with packet filter routers provide higher levels of security and flexibility.

Firewall Attacks/Testing

Testing the firewall by attacking it verifies its ability to stop network-based attacks. Firewall tests/attacks concentrate on three primary areas: testing each port, testing the proxy services, and testing all services provided by the firewall to ensure they are safe services.

- Source routing attacks against the firewall to verify that source routing and its associated problems are not vulnerabilities.

- Attacks against every TCP/UDP port on the firewall to verify that the ports the firewall is supposed to close are in fact closed.

- Attacks on any proxy services to try to gain access. Proxy services should only allow limited use, and this test would verify that they cannot be compromised. This test is especially useful when combined with the source routing tests.

- Tests of all sendmail daemons, and checks to see whether mail attacks would be effective on systems beyond the firewall (after mail has been forwarded or allowed to pass).

- Active attacks with various routing protocols in an attempt to destroy the current routing tables, modify the routing tables for use in further attacks, etc.

- Bombardment of the firewall with various denial-of-service attacks in an attempt to shut down communications and/or crash the firewall, including ICMP broadcast storms brought about by IP forwarding from a remote network, etc.