
Firewall question


ccpik


Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Fri Nov 29, 2013 6:47 am

Firewall question

Hi guys,

I have a question I was wondering if someone could help me out with. I have been reading around for a few days now and cannot seem to find an answer. I thought of a scenario last week and can't figure out what the outcome would be.

Example: A system has multiple servers and they are behind a firewall. One server has an open port and is running a vulnerable version of a service. If an attacker was to connect to the open port on the server (through the firewall) and launch exploit code... would the firewall pick it up? Or would the firewall not be reviewing it, as the port is open for the application?

Disclaimer: this is not real world, it is a hypothetical question

Thanks for any advice

UKSecurityGuy


Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Fri Nov 29, 2013 7:16 am

Re: Firewall question

Your question needs a bit more information to get an accurate answer.

Is the firewall a layer 4 (Dumb) or Layer 7 (Application) firewall?
Is there an IDS in place that can modify the firewall on the fly?
What do you mean by "pick it up"?


I'm going to make the following assumptions:

1. The firewall has only one external IP address and the servers are NATTED behind it
2. There is a port forwarding rule on the external interface to one of the internal servers
3. The firewall is a layer 4 firewall and has no IDS/IPS/AV/etc modules in it.

Based on the above - the firewall will "pick it up" that you're sending data to the server, but simply won't care what it is. The exploit is going to be at layer 7 of the OSI stack (Application) and the firewall only has the means to operate at Layer 4 (Transport). The firewall will simply forward all traffic to the server, exploit code and all.

Hope that makes sense.

ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Fri Nov 29, 2013 9:05 am

Re: Firewall question

Thank you, that is indeed very helpful. The firewall would be a layer 7 next-gen, Palo for example. The servers would be NATTED and data passed through the firewall before it gets to them, else the data would pass directly to them (not NATTED)?

UKSecurityGuy


Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Mon Dec 02, 2013 4:47 am

Re: Firewall question

It really depends on the capabilities of the firewall then.

Some come with IPS modules in them that will look for exploit traffic, and stop it. Some though simply apply rules to the application data they see and drop anything that looks 'malformed'. If your exploit complies with the firewall's protocol rules and it doesn't have an IPS module in it - then it'll pass through. If not, it should get dropped.
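To illustrate the difference the two replies above describe, here is an added example (not from any poster, and not a real firewall's code) that models a layer-4 rule, which only looks at protocol and destination port, next to a layer-7 "protocol conformance" rule for HTTP that drops requests that do not look like well-formed HTTP. The allow-list, the HTTP checks and the sample packets are all constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int    # destination port on the forwarded server
    payload: bytes   # application-layer data carried in the segment


# Layer-4 policy (assumed): a packet is forwarded purely on protocol/port.
# The payload is never consulted, so exploit data on an open port goes through.
L4_ALLOW = {("tcp", 80), ("tcp", 443)}


def layer4_decision(pkt: Packet) -> str:
    return "forward" if (pkt.proto, pkt.dst_port) in L4_ALLOW else "drop"


# Layer-7 policy (assumed): on an allowed port, the application data must
# also conform to the expected protocol (here a minimal HTTP/1.x grammar).
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) /\S* HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: [\x20-\x7e]*$")  # printable ASCII only
MAX_LINE = 2048  # lines longer than this are treated as malformed


def http_conformant(payload: bytes) -> bool:
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:                      # no end-of-headers marker at all
        return False
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_LINE or not REQUEST_LINE.match(lines[0]):
        return False
    return all(len(line) <= MAX_LINE and HEADER_LINE.match(line) for line in lines[1:])


def layer7_decision(pkt: Packet) -> str:
    if layer4_decision(pkt) == "drop":   # port/protocol rules still apply first
        return "drop"
    return "forward" if http_conformant(pkt.payload) else "drop"


def decisions(pkt: Packet) -> tuple:
    """(layer-4 verdict, layer-7 verdict) for the same packet."""
    return layer4_decision(pkt), layer7_decision(pkt)


# Constructed sample traffic, not captured from any real system.
GOOD = Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
BINARY = Packet("tcp", 80, b"\x00\x01\x02junk\r\n\r\n")                 # not HTTP at all
OVERSIZED = Packet("tcp", 80, b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n")  # request line too long
CLOSED = Packet("tcp", 22, b"SSH-2.0-demo\r\n")                          # port not forwarded
```

Running `decisions()` over the samples shows the point of the thread: the layer-4 policy forwards everything aimed at port 80, conformant or not, while the layer-7 policy forwards only the well-formed request.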
