
Firewalls under fire: Redoubts or beachheads?

Paul Ducklin
02/12/2025
Redoubts or beachheads?

Cybersecurity loves exciting metaphors.

Sometimes, those metaphors may feel a bit over-the-top for the attacks they are applied to.

“Warhead” for any deliberate side-effect of malware, for example; “detonation” for the moment at which the malware is used; and the military designations of “red team” and “blue team” for pretend intruders and actual defenders.

But most of us are willing to accept such dramatic terminology, even if there are no armed invasions or actual explosions, because cyberattacks can be devastating and costly, as ransomware criminals remind us every time we read of a new intrusion.

That’s why we chose three dramatic metaphors for our headline:

  • Firewall. Originally, a firewall was a literal dividing wall built between two connected buildings or two parts of an industrial plant so that even a raging fire on one side wouldn’t inevitably spread to the other. The term is now better known for describing computer systems that aim to regulate network connections, such as the link between a home or work network and the rest of the internet, in order to keep the good stuff in, and the bad stuff out.
  • Redoubt. In the physical world, this is an additional defensive fortification built outside existing fortified areas, often close to a border crossing point or in a natural harbor, as a self-contained mini-fortress to help repel a marauding enemy before they can gather in sufficient numbers to turn a skirmish into an invasion.
  • Beachhead. What happens when a coastal redoubt is put out of action or overrun by attackers, who then turn what used to be a defensive fortification into an attacking position from which to launch a wholesale invasion and to continue supplying it by sea.

Network redoubts

Network firewalls have been known by many names over the past few decades, each name generally reflecting a different degree of redoubtability.

Plain old routers, which pass packets between different networks based on the source and destination data in their headers, can nevertheless provide a degree of firewall-style protection by applying simple rules that go beyond just knowing which networks are on each side of the router.

For example, the router can be programmed not merely to marshal packets to and from the ‘outside’ or ‘inside’, but also to divert some traffic to ‘nowhere,’ quietly protecting internal data from leaking out where it shouldn’t, and blocking external data from known bad sites being used to probe or attack internal targets.

Secure routers, or secure gateways, do more than just look at packet headers, perhaps analyzing the content of individual packets for potentially dangerous content.

Stateful inspection gateways go further still, for example by identifying packets that set up a connection, and then tracking and analyzing future packets based on knowing which connection they belong to.

This opens the way to a firewall that can make decisions at the connection level, for example by sending back “shutdown” packets to close risky connections individually, instead of only being able to react by blocking all traffic from an entire network, including connections that are both safe and important.
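To make the difference between the header-only router rules described earlier and stateful inspection concrete, here is an added example (not code from the article) in the form of a toy packet filter in Python. It runs a constructed packet sequence through both a stateless rule set and a connection-tracking filter; the addresses, ports, the “known bad site” and the content rule are all assumptions chosen for illustration, and nothing touches a real network.

```python
"""Toy stateless-vs-stateful packet filter.

Added example, not code from the article. The addresses, ports and rules are
assumptions chosen to illustrate the difference; no real network is touched.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."            # assumed internal network
KNOWN_BAD = {"203.0.113.66"}         # constructed 'known bad site'
PUBLISHED_INBOUND_PORTS = {443}      # the only service published to the outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    payload: bytes = b""


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """Router-style rules that look at each packet's header in isolation."""
    if pkt.src in KNOWN_BAD or pkt.dst in KNOWN_BAD:
        return "drop"                                   # route to 'nowhere'
    inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
    if inbound and pkt.dport not in PUBLISHED_INBOUND_PORTS:
        return "drop"   # cannot tell a legitimate reply from an unsolicited probe
    return "forward"


class StatefulFirewall:
    """Remembers which connection each packet belongs to, so it can admit the
    replies to connections opened from inside and close one bad connection."""

    def __init__(self) -> None:
        self.connections: dict[tuple, str] = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)    # same key in both directions

    def decision(self, pkt: Packet) -> str:
        if pkt.src in KNOWN_BAD or pkt.dst in KNOWN_BAD:
            return "drop"
        key = self._key(pkt)
        state = self.connections.get(key)
        if pkt.flags == "S":                  # connection set-up packet
            if state is None and is_inside(pkt.src) and not is_inside(pkt.dst):
                self.connections[key] = "SYN_SENT"   # only insiders may open connections
                return "forward"
            return "drop"
        if state is None:
            return "drop"                     # mid-stream packet for no known connection
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.connections[key] = "ESTABLISHED"
            return "forward"
        if b"MALWARE" in pkt.payload:         # constructed content rule
            del self.connections[key]
            return "reset"                    # 'shutdown' packets for this connection only
        if "F" in pkt.flags or "R" in pkt.flags:
            del self.connections[key]
        return "forward"


# Constructed traffic: an outside probe, then an inside client talking to a web
# server whose second data packet carries content we treat as dangerous.
CLIENT, SERVER, PROBE = "10.0.0.5", "198.51.100.7", "198.51.100.9"
TRAFFIC = [
    Packet(PROBE, 40000, CLIENT, 22, "S"),                 # unsolicited inbound SYN
    Packet(CLIENT, 50000, SERVER, 80, "S"),                # outbound connection attempt
    Packet(SERVER, 80, CLIENT, 50000, "SA"),               # server's reply (handshake)
    Packet(CLIENT, 50000, SERVER, 80, "A"),                # handshake completes
    Packet(SERVER, 80, CLIENT, 50000, "PA", b"HTTP/1.1 200 OK"),
    Packet(SERVER, 80, CLIENT, 50000, "PA", b"...MALWARE..."),
    Packet(SERVER, 80, CLIENT, 50000, "PA", b"more data"),  # arrives after the reset
]


def run_stateless() -> list[str]:
    return [stateless_decision(p) for p in TRAFFIC]


def run_stateful() -> list[str]:
    fw = StatefulFirewall()
    return [fw.decision(p) for p in TRAFFIC]


if __name__ == "__main__":
    for pkt, sl, sf in zip(TRAFFIC, run_stateless(), run_stateful()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags:2}] "
              f"stateless={sl:7} stateful={sf}")
```

The stateless rules have to drop the server's handshake reply because, looking at one header at a time, it is indistinguishable from an unsolicited probe at a high port; the stateful filter admits it because it remembers that the inside client opened the connection, and later it resets only that one connection when dangerous content appears, leaving everything else to the same server untouched.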

Firewalls can also act as so-called proxies, so that connections into and out of the network terminate at the firewall itself, which then decides whether it is prepared to create a separate but onward connection to the true destination.

By shuttling traffic between two independent connections, a proxy can store up, or buffer, a whole sequence of packets, or even a full network request, before passing on the first part of it, an approach that lends itself to much more thorough security filtering techniques.

For email traffic, for instance, a proxy-capable firewall could tell prospective email senders to treat the firewall as the “end of the line,” instead of the true email server that the sender wishes to talk to, and therefore receive those emails in their entirety first.

A mail proxy can therefore take its time to examine each message in full before deciding what to do with it, rather than letting a message start going through because the subject line and headers look innocent, only to find a rogue attachment right at the end that means it would have been better to block the whole thing.

Proxy protection can loosely be divided into two classes: explicit, where apps that want to use a service must be individually configured to connect directly to the proxy, and transparent, where any connections to a specific service are invisibly re-routed by the firewall to a security-filtering version of that service before they’re allowed any further.
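The mail example above, where a message looks innocent until a rogue attachment shows up at the very end, is the kind of case a buffering proxy exists for. As an added example (not code from the article), the Python below feeds a constructed multipart message to a store-and-forward proxy one line at a time and compares its verdict with what a pass-through filter could decide from the headers alone. The message, the chunking and the filtering rules are all constructed; a real mail proxy would speak SMTP and hand accepted messages on to the true server.

```python
"""Store-and-forward scanning of an email message.

Added example, not code from the article. The message and the filtering rules
are constructed; a real mail proxy would speak SMTP to both sides.
"""
import re
from email import message_from_string, policy

# Constructed message: innocent-looking headers and body, with the risky part
# (an executable masquerading as a PDF) arriving only at the very end.
SAMPLE_MESSAGE = (
    "From: accounts@example.com\n"
    "To: staff@example.net\n"
    "Subject: Meeting notes\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Notes from today attached.\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="notes.pdf.exe"\n'
    'Content-Disposition: attachment; filename="notes.pdf.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "QUJDRA==\n"
    "--b1--\n"
)

SUSPICIOUS_SUBJECT = re.compile(r"^Subject:.*\b(invoice|urgent)\b", re.I | re.M)
RISKY_ATTACHMENT = re.compile(r"\.(exe|scr|js|vbs)$", re.I)   # constructed rule


def header_only_verdict(raw: str) -> str:
    """What a pass-through filter can decide once the headers have arrived and
    before it has seen any of the body: it must let the message start flowing."""
    headers = raw.partition("\n\n")[0]
    return "block" if SUSPICIOUS_SUBJECT.search(headers) else "accept"


def full_message_verdict(raw: str) -> str:
    """Decision taken only after the whole message has been buffered."""
    msg = message_from_string(raw, policy=policy.default)
    if SUSPICIOUS_SUBJECT.search(f"Subject: {msg['Subject']}"):
        return "block"
    for part in msg.walk():                 # every MIME part, attachments included
        filename = part.get_filename()
        if filename and RISKY_ATTACHMENT.search(filename):
            return "block"
    return "accept"


class StoreAndForwardProxy:
    """Buffers every chunk of a message and decides once, at end of message."""

    def __init__(self) -> None:
        self._chunks: list[str] = []
        self.forwarded: list[str] = []      # messages passed on to the real server

    def feed(self, chunk: str) -> None:
        self._chunks.append(chunk)

    def end_of_message(self) -> str:
        raw = "".join(self._chunks)
        self._chunks = []
        verdict = full_message_verdict(raw)
        if verdict == "accept":
            self.forwarded.append(raw)
        return verdict


def compare_filters(raw: str = SAMPLE_MESSAGE) -> tuple[str, str]:
    """Returns (header-only verdict, buffered-proxy verdict) for one message
    delivered line by line, the way a stream of small packets would arrive."""
    proxy = StoreAndForwardProxy()
    for chunk in raw.splitlines(keepends=True):
        proxy.feed(chunk)
    return header_only_verdict(raw), proxy.end_of_message()


if __name__ == "__main__":
    early, buffered = compare_filters()
    print(f"header-only filter: {early}; store-and-forward proxy: {buffered}")
```

The header-only filter has already committed to “accept” by the time the attachment arrives, whereas the proxy holds the whole message and can still block it, at the cost of the buffering and latency the article mentions.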

Trust me, I’m a security device

Firewalls unavoidably act as traffic concentrators and inspectors that end up knowing an awful lot about the users in your network, what they generally get up to, where they go to do it, when they do it, and much more.

That makes firewalls attractive targets for cybercriminals.

Metaphorically put, an infiltrated firewall turns from a redoubt that is supposed to repel eavesdroppers and attackers into a beachhead. (That is not a typo for breachhead, which is not a real word, even though perhaps it should be.)

Compromised firewalls become jumping-off points from which remote criminals can initiate attacks, map your network, conduct surveillance, inject malware, extract passwords, and much more.

Trickily, many firewalls, all the way from home and small business routers to top-end servers, are sold as physical or virtual appliances.

You’re not meant to take charge of them directly in the same way that you might manage, say, a Windows or a Linux server.

In some cases you can’t log in at all, even just to “look around” via a non-administrative account.

Instead, you’re limited to a web-based interface or API (application programming interface) that allows you to control only those settings and configuration details that the vendor chooses to expose.

Your firewall may have threat-hunting features that can identify compromised devices elsewhere on your network, but may itself be off-limits to third-party threat analysts or threat detection and response tools.

For example, scanning your firewall with a malware detector of your choice, in case unwanted software has been implanted on it, may be as good as impossible.

And if you suspect a compromise, then extracting suspicious files and other artifacts for threat researchers to analyze may be more difficult still.

Snooping opportunities aplenty

As you can imagine, this opens up a rather wide range of snooping opportunities for rogue software implants, and those implants may be significantly harder to detect and remediate than they would be on a traditional server.

For example, firewall malware could inject itself directly into the traffic filtering and scanning process, including any stages where encrypted data is deliberately unwrapped for security analysis.

Or rogue firewall code could snoop on the memory used by the existing filters and scanners in the system (a trick known in the jargon as RAM scraping), looking out for passwords or authentication tokens, yet never showing up in the regular list of firewall processes at all.

Additionally, although firewalls are meant to stop external network connections from reaching most or all internal devices to protect them from direct probes and attacks, they are often open to external connections themselves, in order to provide a range of useful services, such as:

  • Remote configuration by trusted administrators.
  • Secure VPN (virtual private network) login by users with the right passwords and access codes.
  • A self-service setup process for new users getting ready to work remotely, or for existing remote users who have just upgraded their laptops or mobile phones.

Misconfiguration of any of these services, or exploitable bugs in them, could leave the way open for attackers to implant malware they can come back to later.

Exploitable firewall bugs could also allow criminals to leap right into the network in one step, for example by setting up rogue VPN connections, or sneaking through the registration process and becoming “new users” themselves.

Attacks on everyone else

It’s also important to remember that compromised firewalls are often used not to snoop on or to attack your own internal network, but simply as a launching point for attacks on other people and other companies, leaving you to take the initial blame if those attacks are spotted and investigated.

Criminals who can silently implant firewall malware that doesn’t affect your own connections from inside the network may be able to send and receive traffic on the internet side of your firewall only for weeks, months, or even years.

Some attackers do this so they can operate an unauthorized proxy server (essentially an unofficial VPN) that they “rent out” to other criminals, essentially reselling your network bandwidth, and more importantly your network address and identity, as online cover for a wide range of cybercrimes.

Also, criminals who have control over malware on thousands or even hundreds of thousands of network-edge devices at the same time can generate traffic that has direct access to the internet without giving themselves away visibly on the inside of your network.

Many home networks run at 1 gigabit per second these days, and even entry-level internet connections typically provide 20 megabits per second or more of outbound connectivity, so that 10,000 infected devices can provide hundreds of gigabits per second, or even terabits per second, of “instant-on” bandwidth, distributed apparently innocently throughout the world.

Cybercrimes conducted with a large collection of devices like this, known as a botnet (bot is short for software robot, and net for network), can cost other internet users dearly, for example due to:

  • Distributed Denial of Service (DDoS) attacks. By simultaneously instructing thousands of innocent-looking networks to generate genuine-looking traffic, attackers can overwhelm online businesses at will, because legitimate visits can’t easily be differentiated from bogus ones. DDoS attackers sometimes do this as a form of digital vandalism against companies they don’t like, or to harm competitors, but often the purpose is to blackmail the victim into paying protection money to avoid future attacks.
  • Click fraud. By generating millions of genuine-looking web requests that are indistinguishable from customer inquiries or ad responses, criminals can generate revenue from pay-per-click or sponsored links that they operate themselves, or that are run by fellow criminals who cut them in on their fraudulent earnings. They exploit your network address to bypass existing blocklists and fraud detection filters.

Of course, if those blocklists are subsequently updated in an attempt to mitigate the attack, then it is you who will be blocklisted, not the true criminals.

What to do?

  • If you have a router or firewall managed directly by your ISP, consider adding a second firewall of your own back-to-back with it. Connect any file servers or shared printers to your own device instead. Turn off Wi-Fi service on the ISP’s device and configure it on the device you own and control yourself. Treat the ISP’s firewall as if it is off-site and inaccessible in a street cabinet or a remote server room somewhere.
  • Patch early, patch often. Even big-name firewall vendors sometimes code serious bugs into their appliances. Make firewall patches an important priority, given that a hacked firewall is a dangerously centralized spot for a cybercrime beachhead. Replace routers and firewall appliances that are no longer supported by the vendor. They may report themselves as “running the latest available version,” even though they are riddled with old vulnerabilities that will never be patched. Cybercriminals already know how to find and exploit such holes, and are very likely to do so.
  • Learn how to extract available security logs from your firewall and scrutinize them regularly. Even if you can’t install your own selection of threat monitoring tools on the firewall, make sure you are at least examining the system and network logs that the device officially allows you to export. Don’t neglect evidence that is there for the taking anyway.
  • Check your firewall’s behavior from the outside as well as the inside. Even if you can’t log in and examine the firewall directly, you can monitor its network activity from both sides. Keep track of any network ports and services accessible from the outside; look for unexpected or unwanted connections; and consider using network monitoring or penetration testing tools to probe for outdated or known-vulnerable software that can be reached remotely. If you come across security holes that the vendor can’t or won’t fix, find another vendor.
  • Don’t be afraid to ask for help. Let SolCyber take care of looking after the technical details of your cybersecurity protection, and help you build a human-centric, plain-English cybersecurity culture without needing to set up and manage a security operations center (SOC) of your own. Get in touch today, and let us help you improve your security posture fast!

More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of brick wall by Dave Webb via Unsplash.
