FireStorm storms next generation firewalls

A new vulnerability was discovered with Next Generation Firewalls, dubbed as FireStorm, bypassing firewall limitations to send out data. This can be used by malicious code to interact with command-and-control server and send out data. These firewalls were designed to allow full TCP handshake, irrespective of the destination.

This is said to be applicable only if the devices were configured to allow web browsing to specific locations, with URL filtering.

ICMP tunnelling is another technique, where the payload is sent via the data field in the ICMP header. UDP and HTTP tunnelling techniques, encapsulates payload within the L7 layer.

In this case, the firewall allows three way TCP handshake, to detect what type of L7 application is being used. The first SYN request, which is used for initiating connection request, can carry any payload within the data section of TCP header.

I believe that a series of SYN requests, containing split data, is enough to send out data, without even needing a full handshake. Well, a response (payload within SYN+ACK) from the destination saying, "I got ya", cant be bad for a confirmation.

Is payload in data field of TCP header of a SYN request, an anomaly? Can Next Generation Firewall read TCP headers and block SYN requests with some payload?

It is interesting to note that typical proxy applications accept tcp connections on the proxy server, and then initiates requests to the external server, after going through ACLs.

References:

Dinesh Gunasekar - | Tags : Tunnelling, firewall
comments powered by Disqus