November 29, 2013 at 11:47 am #8623 | ccpik (Participant)
I have a question I was wondering if someone could help me out. I have been reading around for few days now and cannot seem to find an answer. I thought of a scenario last week and can’t figure out what the outcome would be.
Example: A system has multiple servers and they are behind a firewall. One server has an open port and is running a vulnerable version of a service. If an attacker were to connect to the open port on the server (through the firewall) and launch exploit code, would the firewall pick it up? Or would the firewall not be reviewing it, as the port is open for the application?
Disclaimer: this is not real world, it is a hypothetical question
Thanks for any advice
November 29, 2013 at 12:16 pm #53669 | UKSecurityGuy (Participant)
Your question needs a bit more information to get an accurate answer.
Is the firewall a layer 4 (Dumb) or Layer 7 (Application) firewall?
Is there an IDS in place that can modify the firewall on the fly?
What do you mean by “pick it up”?
I’m going to make the following assumptions:
1. The firewall has only one external IP address and the servers are NATTED behind it
2. There is a port forwarding rule on the external interface to one of the internal servers
3. The firewall is a layer 4 firewall and has no IDS/IPS/AV/etc modules in it.
Based on the above – the firewall will “pick it up” that you’re sending data to the server, but simply won’t care what it is. The exploit is going to be at layer 7 of the OSI stack (Application) and the firewall only has the means to operate at Layer 4 (Transport). The firewall will simply forward all traffic to the server, exploit code and all.
Hope that makes sense.
November 29, 2013 at 2:05 pm #53670 | ccpik1 (Participant)
Thank you that is indeed very helpful. The firewall would be a layer 7 next gen, Palo for example. The servers would be NATTED and data passed through the firewall before it gets to them, else the data would pass directly to them (not NATTED)?
December 2, 2013 at 9:47 am #53671 | UKSecurityGuy (Participant)
It really depends on the capabilities of the firewall then.
Some come with IPS modules in them that will look for exploit traffic, and stop it. Some though simply apply rules to the application data they see and drop anything that looks ‘malformed’. If your exploit complies with the firewall’s protocol rules and it doesn’t have an IPS module in it – then it’ll pass through. If not, it should get dropped.
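The following toy model, added here as an illustration and not written by any of the posters above, puts the two answers side by side: a layer-4 box that decides on protocol and port alone, a layer-7 box that additionally checks the payload against a minimal HTTP protocol rule, and the same layer-7 box with an IPS module. The port-forwarding rule, the internal address 10.0.0.5, the HTTP conformance rule and the IPS "signature" (a long run of one byte) are all constructed for the example; the sample packets are constructed too, not captured traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # application data; only layer-7 inspection reads this


# Constructed port-forwarding rule (assumption 2 in the thread):
# external TCP/80 on the firewall is forwarded to one internal web server.
FORWARD_RULES = {("tcp", 80): "10.0.0.5"}

# Constructed, placeholder IPS signature: a long run of one byte inside the
# request. Stands in for whatever patterns a real IPS module would carry.
IPS_SIGNATURES = {"placeholder-long-run": b"A" * 64}


def layer4_verdict(pkt: Packet) -> str:
    """Layer-4 firewall: matches protocol and port only, never reads the payload."""
    target = FORWARD_RULES.get((pkt.proto, pkt.dst_port))
    return "drop" if target is None else f"forward:{target}"


def http_conformant(payload: bytes) -> bool:
    """Minimal HTTP protocol rule: request line is 'METHOD SP /target SP HTTP/1.x'."""
    request_line = payload.partition(b"\r\n")[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
            and target.startswith(b"/")
            and version in {b"HTTP/1.0", b"HTTP/1.1"})


def ips_signature_hit(payload: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in IPS_SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def layer7_verdict(pkt: Packet, has_ips: bool) -> str:
    """Layer-7 firewall: port check, then protocol rules, then optional IPS."""
    verdict = layer4_verdict(pkt)
    if verdict == "drop":
        return verdict
    if pkt.dst_port == 80 and not http_conformant(pkt.payload):
        return "drop:malformed"
    if has_ips:
        hit = ips_signature_hit(pkt.payload)
        if hit is not None:
            return f"drop:ips:{hit}"
    return verdict


def evaluate(pkt: Packet) -> dict:
    """Verdicts of the three firewall models for one packet."""
    return {
        "layer4": layer4_verdict(pkt),
        "layer7_no_ips": layer7_verdict(pkt, has_ips=False),
        "layer7_with_ips": layer7_verdict(pkt, has_ips=True),
    }


# Constructed sample traffic (documentation addresses, not captured data).
SAMPLES = {
    "normal": Packet("198.51.100.7", "203.0.113.1", 80, "tcp",
                     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "malformed": Packet("198.51.100.7", "203.0.113.1", 80, "tcp",
                        b"\x00\x01not an http request"),
    "conformant_but_flagged": Packet("198.51.100.7", "203.0.113.1", 80, "tcp",
                                     b"GET /" + b"A" * 64
                                     + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "closed_port": Packet("198.51.100.7", "203.0.113.1", 3306, "tcp", b"anything"),
}


def run_samples() -> dict:
    """Run every sample packet through all three models."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:24s} {verdicts}")
```

The "malformed" packet shows the first answer's point: the layer-4 model forwards it to 10.0.0.5 without ever looking at the bytes, while the layer-7 model drops it. The "conformant_but_flagged" packet shows the second answer's point: a payload that satisfies the protocol rules passes the layer-7 box without an IPS module and is stopped only once a signature is in play.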