13 Ways Through a Firewall – What You Don’t Know Will Hurt You

Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd. 2013

13 Ways Through A Firewall What you don’t know will hurt you Andrew Ginter VP Industrial Security Waterfall Security Solutions andrew . ginter @ waterfall - security . com

®

Mike Firstenberg Director of Industrial Security Waterfall Security Solutions michaelf @ waterfall - security . com

Scientech 2013 Symposium: Managing Fleet Assets and Performance


Firewalls

● Firewalls – separate networks and sub-networks with different security / connectivity needs

● Often first investment any site makes when starting down the road to an ICS cyber security program

● “Unified Threat Managers” – firewalls with stateful inspection, VPNs, in-line anti-virus scanning, intrusion detection, intrusion prevention, anti-spam, web filtering, and much more – but are they secure?

● DMZ – “in-between” network(s)

● ICS best practice: layers of firewalls, layers of host and network-based defenses

Photo: Red Tiger Security


Setup for Demo Scenarios

● Industrial firewall / UTM

● Business network – my laptop + “hacked host”

● Control network – ICS server to attack / take over + one other ICS host

● Consider only one-hop compromise – into DMZ, or into ICS from DMZ


Compensating Measures

Abbrev Compensating Measure

2-FACT 2-Factor authentication

ENC Encryption

RULES Better firewall rules

HIDS Host intrusion detection / prevention system / SIEM

NIDS Network intrusion detection / prevention system / SIEM

SECUPD Security updates / patch program

UGW Unidirectional security gateway

Graphic Impact

Would have prevented / detected the attack

Would prevent / detect some variants of the attack

Would not have prevented / detected the attack


#1 Phishing / Spam / Drive-By-Download

● Single most common way through (enterprise) firewalls

● Client on business network pulls malware from internet, or activates malware in email attachment

● “Spear-phishing” – carefully crafted email to fool even security experts into opening attachment

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#2 Social Engineering – Steal a Password

● VPN password on sticky note on monitor, or under keyboard

● Call up administrator, weave a convincing tale of woe, and ask for the password

● Ask the administrator to give you a VPN account

● Shoulder-surf while administrator enters firewall password

● Guess

● Install a keystroke logger

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#3 Compromise Domain Controller – Create Account

● More generally – abuse trust of external system

● Create account / change password of exposed ICS server, or firewall itself

● Other external trust abuse – compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc.

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#4 Attack Exposed Servers

● Every exposed port is vulnerable:

● SQL injection

● buffer overflow

● default passwords

● hard-coded password

● denial of service / SYN-flood

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#5 Attack ICS Clients via Compromised Servers

● Best practice: originate all cross-firewall TCP connections on ICS / trusted side

● Once established, all TCP connections are bi-directional – attacks can flow back to clients:

● compromised web servers

● compromised files on file servers

● buffer overflows

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#6 Session Hijacking / Man-in-the-Middle

● Requires access to communications stream between authorized endpoints – eg: ARPSpoof (LAN), fake Wi-Fi access point, hacked DNS server

● Insert new commands into existing communications session

● Sniff / fake session ID / cookie and re-use

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#7 Piggy-Back on VPN

● You may trust the person you have granted remote access, but should you trust their computer?

● Broad VPN access rules – “I trust this user to connect to any machine, on any port” makes it easy for worms and viruses to jump

● Split-tunneling allows interactive remote control

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#8 Firewall Vulnerabilities

● Firewalls are software. All large software artifacts have bugs, and some of those bugs are security vulnerabilities and zero-days

● Vendor back-doors / hard-coded passwords

● Supply chain issues – do you trust the manufacturer? The manufacturer’s suppliers?

● Occasional design vulnerabilities 2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#9 Errors and Omissions

● Modern firewalls require 6-8 weeks full-time training to cover all features and all configurations

● The smallest errors expose protected servers to attack

● Over time, poorly-managed firewalls increasingly resemble routers

● Well-meaning corporate IT personnel often control firewall configurations and can reach through to “fix” ICS hosts

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#10 Forge an IP Address

● Most firewall rules are expressed in terms of IP addresses

● Any administrator can change the IP address on a laptop or workstation

● Works only if attacker is on same LAN segment as true IP address – or WAN routers route response traffic to a different LAN

● May need ARPSpoof to block machine with real IP 2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#11 Bypass Network Security Perimeter

● Complex network architectures – path from business network to ICS network through only routers exists, but is not obvious

● Rogue wireless access points

● Rogue cables – well meaning technicians eliminate “single point of failure” in firewall

● ICS network extends outside of physical security perimeter

● Dial-up port 2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#12 Physical Access to Firewall

● If you can touch it, you can compromise it

● Reset to factory defaults

● Log in to local serial port, change settings with CLI

● Re-arrange wiring

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


#13 Sneakernet

● Removable media, especially USB sticks, carried past physical / cyber security perimeter

● Entire laptops, workstations and servers carried past physical / cyber security perimeter

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW


Demo

Warning: the issues demonstrated in the following slides apply to all firewalls, not just the firewall vendors and models illustrated. It is a mistake to interpret the following slides as a criticism of specific firewalls or specific

firewall vendors.


Firewall Vulnerability – Cross-Site Request Forgery















● Uses web browser credentials for logged-in sites

● “Blind” technique – script cannot read from foreign web page

● Can however, push changed data to web server, as if user had pressed “send”

Lesson: Cross-site scripting vulnerabilities are rampant in web applications of all kinds, including ICS applications. CSRF has been public knowledge for over a decade

Mitigation: Modify web application to use hidden fields to echo random data back to web site on pages that change application state. Browsers prevent each site’s scripts from seeing data coming from another site, so foreign scripts cannot echo random data back to protected website


Errors and Omissions – Can You See The Error?


Errors and Omissions – Address Range Too Broad


Errors and Omissions – Can You See the Error?


Errors and Omissions – Rule for DHCP Address


Errors and Omissions

● “andrews-machine” address was really for an entire subnet

● See this only when you go to the screen which defines “andrews-machine” address

● Correcting this problem is not sufficient – the address was in the DHCP range

● See this only when you go to the DHCP server definition screen

● Andrew’s machine needs to be given a static IP address

Lesson: Full-featured firewalls are complex. Reviewing configurations to ensure they are safe is not straightforward.


Firewall Design Vulnerability

















● Browsers enforce “can’t touch other site’s web pages” rule when scripts and web pages come from different sites

● Within a site, scripts can touch web pages at will – this is how complex web applications work

● Hiding many web sites behind a single proxy address is very “convenient” – web browser is your SSL client

● Web browsers cannot enforce “can’t touch other site’s web pages” rules when scripts and web pages all appear to originate at the same site

Lesson: Clientless/browser SSL clients are designed to hide many sites behind one address. Unless browser designs or clientless SSL designs change, hosts behind such proxy-site web servers will always be vulnerable to each other’s scripted attacks.


Hacking ICS Servers


Hacking ICS Servers


Hacking ICS Servers


Hacking ICS Servers – 100,000 Vulnerabilities

● A major vendor recently reported counting over 50,000 buffer-overflow-capable C library calls in one 2,000,000 LOC product

● All such calls are currently being replaced

● Do the math:

● Assume 2% of all overflow-capable calls are vulnerabilities

● 10 major vendors world-wide, in at least 5 verticals

● Assume at least 3 2MLOC products unique to each vertical

● Assume at least 75% of these products still written in C/C++

● The math: 2% x 50,000 calls x 10 vendors x 5 verticals x 3 products x 75% = at least 100,000 vulnerabilities waiting to be found

Lesson: Attacking firewall-exposed ICS servers with zero-day exploits will be straightforward for the foreseeable future


Keeping Score

Score Abbrev Compensating Measure

7 2-FACT 2-Factor authentication

7 ENC Encryption

11 RULES Better firewall rules

8 HIDS Host intrusion detection / prevention system / SIEM

9 NIDS Network intrusion detection / prevention system / SIEM

9 SECUPD Security updates / patch program

20 UGW Unidirectional security gateway

Graphic Score Impact

2 Would have prevented / detected the attack

1 Would prevent / detect some variants of the attack

0 Would not have prevented / detected the attack


● Headquarters in Israel, sales and operations office in the USA

● Hundreds of sites deployed in all critical infrastructure sectors

Best Practice Award 2012, Industrial Network Security

IT and OT security architects should consider Waterfall for their operations networks

Waterfall is key player in the cyber security market –2010, 2011, & 2012

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors

Waterfall Security Solutions


Stronger Than Firewalls

● Firewalls are porous

● Given the “elephants in the room,” perimeter protection will always be disproportionately important:

● 100,000 vulnerabilities

● Plain-text device communications

● Dissonance between ECC and IT’s “constant change” patch programs

● Long life-cycles for physical equipment

andrew . ginter @ waterfall - security . com

www.waterfall-security.com

michaelf @ waterfall - security . com

2-FACT

ENC

RULES

HIDS

NIDS

SECUPD

UGW

http://www.waterfall-security.com/



Technology

13 Ways Through a Firewall – What You Don’t Know Will Hurt You