How can attackers bypass firewalls?

  • I have read the Wikipedia article on firewalls but don't understand firewall security and how an attacker from the outside can bypass the firewall to hack a target system.

    We all know it happens but what methods make it possible to do that?

    As it stands I feel like this question is too broad to adequately answer. I think it would be better to break it down to several more specific questions that might be more reasonably answerable.

    Wikipedia hardly constitutes a source for detailed information about how firewalls work.

    Keeping this open for @Polynomial's answer and the fact that I still hear people going around talking about how good their firewall is, that they have 3 of them, etc. Thanks, Hollywood.

    I think the question is poorly researched (the Wikipedia link actually has a large amount of info about firewalls, and Google is your friend) but as Jeff says, Polynomial's answer is good.

    The question is, there are people who do not open email attachments (at least not on their main machine), so how actually were they hacked? I don't know if you heard about the $1 trillion the government recently said cybercrime damage costs yearly, which is mostly information theft like industry documents from manufacturers etc. We use firewalls but still systems get owned (I don't talk about SQL injection or malware). The answer I heard, I think, is that even on closed ports with perfect firewall rules, good unknown exploits still work.

    Ted - this is a different question. Is this what you really want to ask? The thing you need to know is that a perfect firewall is still a collection of holes - it is **designed** to let traffic through. That is its job - the problem is the applications behind it!

    Ted, welcome to [security.se] - but it does seem as if your question is all over the place. The specific things you mention are orthogonal to each other (e.g. email and firewall) - I think you should do some basic research on what "security" is in this context.

  • Firewalls aren't "bypassed" in the sense Hollywood would have you believe. They operate by checking incoming and outgoing traffic against a set of rules. These rules might be based on metadata (e.g. port number, IP address, protocol type, etc) or real data, i.e. the payload of the packet.

    For example:

    • Drop all incoming packets from IP address 1.2.3.4
    • Drop all incoming TCP packets on port 22, unless they're from IP address 2.3.4.5
    • Drop all incoming TCP packets with the RST flag set, when the sequence number does not match that of a known connection.
    • Drop all incoming and outgoing NetBIOS packets.
    • Drop all incoming packets on TCP port 80 that contain the ASCII string 0x31303235343830303536.

    Modern firewalls are usually composed of the following rule sets:

    • Base rule set - usually "block all" followed by a list of exceptions for commonly used services / protocols (e.g. outgoing HTTP requests)
    • Custom rule set - a set of user rules designed to override / complement the base rule set.
    • Signature rule set - a set of signatures to prevent against known exploits. The last rule in my list is an example of this - it detects the Havij SQL injection tool. These usually override all other rules. This set is analogous to an anti-malware database, and must be updated frequently.

    Bypassing a firewall isn't really something that can be done. All traffic that goes through it is filtered according to the configured rules. However, a firewall only does what it is told - a misconfigured or out of date firewall might allow an attack through.

    Ways I can think of to get round a firewall:

    • Literally go around it. Find another entry point to the network that does not pass through the firewall. For example, send some malware or an exploit to an internal user via email.
    • Exploit a misconfigured firewall by crafting packets that don't trigger the rules. Difficult, but potentially possible.
    • Send custom exploit payloads to the target on an open port. Firewalls can only identify known exploits.

    +1 for good explanations and good examples, nice!

    The question is, when a military network computer is hacked... they probably didn't open an exe file in an email, and your other example of sending a 0-day exploit to an open port looks like it wouldn't work either because they will perhaps close all ports. So how does it really happen?

    @Ted your assumption about the military not opening an email attachment is dead wrong. And, at least one firewall port has to be open for the computer to be participating on the network.

    @schroeder Not necessarily on the firewall angle. It could be a stateful firewall, at which point it doesn't need any ports open. Only time you need a port open is if you're offering a service, and even then you might limit the source address range for incoming connections. Other than that, though, I agree with you. The military are just people like any others. They still sometimes open email attachments and click on links without thinking. Or get their devices infected and accidentally pwn the internal network on BYOD-day.

    @Polynomial well, those happy face departments maybe, but when we say the Pentagon network was hacked by China there is no email attachment ... so a good exploit works even on closed ports and the firewall can't do much about it..?

    @Ted I've never heard such claims, but what proof is there that the attack *wasn't* done via social engineering in an email or similar communication? The Pentagon is, after all, just a building with a bunch of politicians, personal assistants, secretaries, military staff, cleaners, IT tech guys, security guards, etc. inside it. They communicate via email and other methods. It's an important building, but it's little more than an office space in reality. There's always a way to contact these people externally, which means there's a potential for email attachments or bad links.

    If you're talking about military networks like SIPRNet and JWICS, it's very difficult to identify potential attack vectors. The networks themselves are (as far as we know) isolated, and the protocols used on them are unknown. However, analysts and intelligence officers in the field may have access to these networks. A foreign power might exploit any form of vulnerability in the communications, or simply steal the equipment and credentials. At this point, the firewalls aren't involved at all. They simply steal the data from a legitimate connection.

    Simplest solution for national espionage is the people angle - it is relatively cheap, and not that difficult - which is why vetting is taken so seriously.

    So firewalls work well at filtering and do not fail; the problem is we can't filter unknown exploits and they will work even if we close all ports, as I understood ...

    The point is that the firewall is *not* a catch-all. If you try to send traffic through it, it'll block, filter or accept that traffic based on the rules it has been configured with. Secondly, if an attacker can talk to your network through an entry point that *does not* use a firewall, they can attack your network. Finally, even if you use a firewall on *every single network entry point* and *every single machine*, it still cannot identify dangerous payloads that it doesn't know about, e.g. an email with a link to a phishing site.

    To add to the list of ways to get around a firewall there is social engineering. Trick the user into believing they need to disable their firewall or something they want won't work.
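The rule sets and precedence described in the answer above (signature rules override custom rules, which override the "block all" base set), as an added simulation that is not part of the original answer. The packet model, the rule fields and the sample traffic are constructed for illustration; the one byte string and the addresses and ports come from the answer's own examples.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model for the simulation (not from the original answer).
@dataclass
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""

@dataclass
class Rule:
    action: str                        # "drop" or "accept"
    src_ip: Optional[str] = None       # match only this source address
    except_ip: Optional[str] = None    # never match this source address
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    signature: Optional[bytes] = None  # payload byte string to look for

    def matches(self, p: Packet) -> bool:
        if self.src_ip is not None and p.src_ip != self.src_ip:
            return False
        if self.except_ip is not None and p.src_ip == self.except_ip:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.signature is not None and self.signature not in p.payload:
            return False
        return True

# The hex string quoted in the answer decodes to the ASCII text "1025480056".
HAVIJ_SIG = bytes.fromhex("31303235343830303536")
SIGNATURE_RULES = [Rule("drop", dst_port=80, signature=HAVIJ_SIG)]
CUSTOM_RULES = [Rule("drop", src_ip="1.2.3.4"),
                Rule("drop", proto="tcp", dst_port=22, except_ip="2.3.4.5")]
BASE_RULES = [Rule("accept", proto="tcp", dst_port=80),   # exception for a common service
              Rule("accept", proto="tcp", dst_port=22),
              Rule("drop")]                                 # "block all" default

def decide(p: Packet) -> str:
    """First match wins: signature rules override custom rules, which override the base set."""
    for rule in SIGNATURE_RULES + CUSTOM_RULES + BASE_RULES:
        if rule.matches(p):
            return rule.action
    return "drop"
```

A request on port 80 that carries a payload the signature set has never seen is accepted, which is the "firewalls can only identify known exploits" point in code.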

  • The easiest way to get around a firewall is what is known as 'client-side' attacks. If a computer on the protected side of the firewall makes a valid connection to an attacker, there is nothing to trigger a typical firewall rule. For example, if a firewalled computer makes an HTTP connection on port 80 to a website designed to exploit browser (or Java) vulnerabilities, there is little for the firewall to recognize as malicious: web traffic over a web port.

    Once a foothold is gained within the network, the attacker can set up encrypted tunnels that pass through the firewall on allowed ports, which is another kind of 'bypass'.

    On the topic of direct firewall attacks, tools exist to map out how a firewall is configured for various ports. With this information, traffic can be configured to pass through the firewall. At the simplest level, fragmenting packets can be effective in not triggering various firewall and IPS rulesets because each packet does not contain enough data. The firewall has to be configured to store the entire fragmented packet set before inspection.

    Also check out this page: http://ericjang.tumblr.com/post/22807430775/thursday-hacking-adventures-xxxss-and-creepy and the link in it to Samy's DEFCON 16 talk. Punching inbound holes into an outbound NAT router is doable.
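The last point of the answer above, that a firewall must hold and reassemble a fragment set before inspecting it, as an added example that is not part of the original answer. The request, the fragment boundaries and the (offset, data) fragment model are constructed; the signature byte string is the one quoted in the earlier answer.

```python
# Constructed sample traffic: one HTTP request carrying the signature byte string
# quoted in the earlier answer ("1025480056"), split so the signature straddles
# two fragments. Fragments are (offset, data) pairs.
HAVIJ_SIG = bytes.fromhex("31303235343830303536")
REQUEST = b"GET /?id=1025480056 HTTP/1.1\r\n"
FRAGMENTS = [(0, REQUEST[:14]), (14, REQUEST[14:])]

def inspect_per_fragment(fragments):
    """Weak setting: each fragment is matched on its own, so a signature that
    straddles a fragment boundary is never seen. Returns True on a match."""
    return any(HAVIJ_SIG in data for _, data in fragments)

def reassemble(fragments):
    """Rebuild the payload from (offset, data) pairs. Returns None if a fragment
    is missing or two fragments overlap, since the real content is not yet known."""
    buf = b""
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            return None
        buf += data
    return buf

def inspect_reassembled(fragments):
    """Corrected setting: hold the set until it is complete, then inspect the
    whole payload before forwarding anything."""
    payload = reassemble(fragments)
    if payload is None:
        return "hold"
    return "drop" if HAVIJ_SIG in payload else "accept"
```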

  • The answer really depends on your definition of "bypassing".

    The most important factor in ensuring a firewall provides maximum protection is to ensure it is configured appropriately. A firewall is a dumb device in the sense that you must configure what you'd like it to allow through/block. A poorly configured firewall will leave gaping holes in your attack surface. If an attacker gets in, it's not the firewall's fault; it was just doing what it was told. One could argue that the firewall hasn't technically been "bypassed" because it was never told to restrict the relevant traffic in the first place.

    Depending on the feature-set of the firewall, it will only allow you to restrict access in certain ways. Although some penetration techniques might try to exploit a vulnerability or weakness in the firewall's software - which I guess you could class as "bypassing" - the majority of techniques are focused on exploiting poorly configured firewalls (see point above), or systems that are behind the firewall. As an example, if you have a poorly configured SSH server behind the firewall, then it's not the firewall's fault that the attacker was able to authenticate as root with "password" as a password. The firewall was configured to only allow access via port 22 (SSH), so it's done its job. Again, one could rightly argue that the firewall hasn't been bypassed in this situation, but someone's still got into your network.

    Some firewalls offer more advanced features such as intrusion prevention and application layer filtering. IPS firewalls make an attempt to understand the content of the traffic that's flowing and block some common methods of exploiting weaknesses in systems hosted behind it. Again, this relies on careful configuration to be effective. If you haven't enabled the correct IPS protections, then it's not the firewall's fault if someone successfully exploits that vulnerability. Some penetration techniques exist which try to slip traffic past these protections in a form that doesn't trigger the block, but still exploits the weakness. It's a cat-and-mouse game similar to anti-virus. I guess you could call these "bypassing" the firewall.

    In short, a firewall is only as good as the admin who is configuring it, and it can only be expected to restrict traffic based on its capabilities. It's no substitute for hardening the systems behind it, which is where most attacks will focus.

  • Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, is a complex and error-prone task. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In addition, inserting or modifying a filtering rule requires thorough analysis of the relationship between this rule and all other rules in order to determine the proper order of this rule and commit the updates. Identifying the anomalies in firewall rule configurations is a hot research topic and there is a lot of research on it, some of which I find interesting is.

    The goal of the attacker is to exploit these anomalies in firewall configurations, and it is done through firewall fingerprinting, in which he sends benign packets to guess the firewall rules and find loopholes in them. To prevent such exploitation most firewalls are deployed behind an IPS in a pattern called a DMZ, where the IPS tries to prevent firewall fingerprinting through heuristics or statistical measurement (entropy), i.e. port scanning.
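The rule-ordering anomalies the answer above refers to, as an added checker that is not part of the original answer. Under first-match semantics a later rule that an earlier rule fully covers is never reached: "shadowed" when the actions differ, "redundant" when they agree. The rule model (source CIDR plus destination port range) and the sample rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class CidrRule:
    name: str
    src: str          # source network in CIDR notation
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "accept" or "drop"

def covers(outer: CidrRule, inner: CidrRule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_net = ipaddress.ip_network(outer.src)
    i_net = ipaddress.ip_network(inner.src)
    return (i_net.subnet_of(o_net)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])

def find_anomalies(rules):
    """First match wins: a later rule fully covered by an earlier one is dead.
    Returns (later_rule, kind, earlier_rule) triples, one per dead rule."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings

# Constructed rule set. R2 can never admit SSH from the management subnet
# because R1 drops the whole 10/8 range first; R4 only repeats what R3 does.
RULES = [
    CidrRule("R1", "10.0.0.0/8",     (1, 65535), "drop"),
    CidrRule("R2", "10.1.2.0/24",    (22, 22),   "accept"),
    CidrRule("R3", "0.0.0.0/0",      (80, 80),   "accept"),
    CidrRule("R4", "192.168.1.0/24", (80, 80),   "accept"),
    CidrRule("R5", "0.0.0.0/0",      (1, 65535), "drop"),
]
```

Swapping R1 and R2 removes the shadowing finding, which is the "proper order" question the answer describes.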

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM