Firewall Lab

From Security Lab Wiki


Firewalls are an integral part of any secure network, but are just one piece of the security puzzle. A firewall is a tool that can monitor and stop packets from moving further into your network/computer or keep them from leaving it. It can be hardware or software based.

This lab will look at firewalls, how to configure them, and how to determine firewall rules so they can be broken. The focus will be on incoming traffic; however, outgoing traffic is just as serious a problem.


Getting Started

This lab is purposefully vague to encourage exploration. Please don't hesitate to ask questions if you are confused or not sure how to use the firewall and the linked docs do not answer your question.

You should work in groups of at least two. Everyone is required to complete all of the steps in the lab; then you scan a member of your group. Work together so everyone knows how to configure the firewall, but if you set custom rules, use different ones from the rest of your group and keep them secret.


If you complete this lab in the security lab, please uninstall or disable any firewalls when you are finished.

Options

The following subcategories are the two recommended paths.

Explore Windows XP default firewall

For this lab make sure the default firewall is turned on. You may tweak settings or leave it as is. To change firewall settings, consult this guide or this one.

Explore Comodo

Comodo is one of the highest rated software firewalls for Windows. It features fine-grained rule control, which brings some complexity that the relatively weak XP firewall does not have. Download it here (download Comodo Firewall Pro, not the security suite). The user manual is available here.

Set up rules

If you want to set up custom rules, it is a good idea to set a few to see how the process works. Examples of custom rules might be to block certain ports from specific IPs (or from all), or to allow other ports (even if nothing is bound to them). Bind a server socket to some of the ports that the firewall will block. The possibilities are endless.
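To make the "bind a server socket to a blocked port" step concrete, here is an added example (not part of the original wiki page): a small Python 3 script that binds a listener on the target and, from the partner's machine, classifies each port the way a connect scan would. The host and port values are constructed placeholders; the three states it reports (open, closed, filtered) are the same ones you will see in nmap output, so you can check a rule before and after enabling the firewall.

```python
"""Bind a listener on a port and check what a client sees through the firewall.

Added example for this lab page, not part of the original wiki text.
It assumes Python 3 on both the target (run start_listener there) and the
scanning machine (run probe_ports there); the hosts and ports used are
constructed placeholders.
"""
import socket


def start_listener(host="0.0.0.0", port=0):
    """Bind and listen on a TCP port so the firewall has something to block.

    No accept() loop is needed: the kernel completes the three-way
    handshake for a listening socket on its own, which is all a SYN or
    connect scan looks for.  Returns (socket, bound_port); port=0 lets the
    OS pick a free port.  Close the returned socket to stop listening.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way a connect scan would.

    open     - handshake completed: something (service or firewall) accepted
    closed   - RST came back: nothing listening and no filter in the way
    filtered - no answer before the timeout: the firewall dropped the SYN,
               the same condition nmap reports as 'filtered'
    error:N  - any other failure (unreachable network etc.), errno N
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "error:%s" % exc.errno
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: state} for the lab write-up."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Self-check on the local host: the bound port shows 'open', and once
    # the listener is closed the same port shows 'closed' (RST).  A port
    # behind a firewall rule that silently drops shows 'filtered'.
    srv, bound = start_listener("127.0.0.1")
    print(probe_ports("127.0.0.1", [bound]))
    srv.close()
    print("after close:", probe("127.0.0.1", bound))
```

Run `start_listener("0.0.0.0", 8080)` (or whichever port your rule names) on the target, then `probe_ports("<partner-ip>", [8080, ...])` from the other machine: a rule that drops packets shows up as filtered, a rule that rejects shows up as closed, and no rule at all shows up as open.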

Even a default firewall is a good target to test how well it works.

Another option is to try to get past the firewall from the inside. Some simple firewalls ignore outgoing traffic, so if the user downloads and installs malware, it can do whatever it likes on the network.


Firewall Rule Detection

The first step in determining firewall rules is to find the firewalls. For this lab that is not a problem, but on unknown networks a technique called firewalking is often employed. Firewalking is a heavily modified traceroute that determines whether the current hop is a firewall and, once one is found, starts probing it.

For our purposes NMAP will work fine. Standard scans such as SYN (-sS), ACK (-sA), and UDP (-sU) can be employed to figure out rules. Pay attention to what is reported as filtered with the SYN and ACK scans: if a RST is not returned, the port is reported as filtered. This is the firewall dropping the packet, in blatant violation of RFC 793.
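Reading the SYN and ACK results side by side is where the "filtered" reports become informative, so here is an added example (not from the wiki page or the nmap project) that parses nmap's grepable output (`-oG`) for both scans and pairs the states per port. The two scan results embedded in it are constructed sample data, not captures from a real host, and the reading attached to each pair is this editor's summary of how nmap documents the SYN and ACK scan states (an ACK scan reports unfiltered when a RST comes back and filtered when nothing does).

```python
"""Compare nmap SYN (-sS) and ACK (-sA) results port by port.

Added example for this lab page, not from the original wiki or the nmap
project. It parses nmap's grepable output, which you would save with
    nmap -sS -oG syn.gnmap <target>
    nmap -sA -oG ack.gnmap <target>
and pairs up the states so the 'filtered' reports the page tells you to
watch for can be read together. The two scan results below are
constructed sample data, not output captured from a real host.
"""
import re

SYN_SCAN = (
    "# constructed sample: nmap -sS -oG syn.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
    "80/filtered/tcp//http///, 135/filtered/tcp//msrpc///, "
    "8080/closed/tcp//http-proxy///\tIgnored State: closed (996)\n"
)

ACK_SCAN = (
    "# constructed sample: nmap -sA -oG ack.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/unfiltered/tcp//ssh///, "
    "80/unfiltered/tcp//http///, 135/filtered/tcp//msrpc///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: unfiltered (996)\n"
)

# grepable port entries look like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp/")
IGNORED_RE = re.compile(r"Ignored State: (\w+)")


def parse_gnmap(text):
    """Return {host: (default_state, {port: state})}.

    Ports nmap did not list individually are in the 'Ignored State'
    (the majority state it suppressed), so that becomes the default.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        m = IGNORED_RE.search(ports_field)
        default = m.group(1) if m else "unknown"
        states = {int(p): s for p, s in PORT_RE.findall(ports_field)}
        hosts[host] = (default, states)
    return hosts


def interpret(syn_state, ack_state):
    """Editor's summary of how nmap documents SYN/ACK state pairs."""
    pair = (syn_state, ack_state)
    readings = {
        ("open", "unfiltered"): "open and reachable, no filter seen",
        ("closed", "unfiltered"): "closed, RST returned to both probes",
        ("filtered", "unfiltered"): "SYN dropped but bare ACK answered: stateless filter",
        ("open", "filtered"): "service reachable, unsolicited ACK dropped: stateful filter",
        ("filtered", "filtered"): "dropped in both scans: stateful filter or blocked both ways",
    }
    return readings.get(pair, "no conclusion from %s/%s, re-scan" % pair)


def compare(syn_text, ack_text):
    """Pair SYN and ACK results for every host and port seen in either scan."""
    syn, ack = parse_gnmap(syn_text), parse_gnmap(ack_text)
    report = {}
    for host in sorted(set(syn) | set(ack)):
        syn_default, syn_ports = syn.get(host, ("unknown", {}))
        ack_default, ack_ports = ack.get(host, ("unknown", {}))
        for port in sorted(set(syn_ports) | set(ack_ports)):
            s = syn_ports.get(port, syn_default)
            a = ack_ports.get(port, ack_default)
            report[(host, port)] = (s, a, interpret(s, a))
    return report


if __name__ == "__main__":
    for (host, port), (s, a, reading) in compare(SYN_SCAN, ACK_SCAN).items():
        print("%s:%-5d syn=%-10s ack=%-10s %s" % (host, port, s, a, reading))
```

Feed it the two `.gnmap` files from your own scans instead of the constructed strings and the table it prints is a good starting point for the "results of the scans against your partner's firewall" question; a pair it cannot read (for example closed in the SYN scan but filtered in the ACK scan, as port 445 is in the sample) is a cue to re-scan rather than something to write down as fact.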


More advanced methods include using spoofed return addresses along with the idle scan. This is difficult to pull off, mainly because you need to find a third machine that predictably increments the IP identification (IP ID) field of the packets it sends.

Other useful scans include the XMAS scan (-sX), Maimon scan (-sM), FTP bounce scan (-b), FIN (-sF) and NULL (-sN), described here. More scans can be built by combining flags, such as SYN/FIN (nmap -sS --scanflags SYNFIN <target>) or SYN/RST. PSH and TCP Window (-sW) scans may prove useful depending on the type of firewall.

All of these scans are described in great detail in the official NMAP book, which is well worth buying, although some of the chapters are available for free.

For this lab, research these scans and see why they work, then come up with a few scans to run against the target firewall. Don't just use one scan, as you will miss many details.

Questions

  • Write down the OS and firewall you used.
  • If you set any custom rules, write them down.
  • Write down the results of the firewalking scans against your partner's firewall (include your partner's name).
  • List some ways it might be possible to get around the firewall to exploit the target machine.
  • Why is it a bad idea to run multiple firewalls on a single computer?
  • Is it a bad idea to run multiple hardware/software firewalls on a LAN (or WAN, MAN, etc.)? Why?
  • Is there a legitimate reason to perform firewall detection scans? Why? If yes give an example.

Resources

An article explaining problems with firewalls and what they do at low levels

Evolution of the firewall

Wikipedia entry

Firewalking information

This page was last modified on 18 May 2009, at 01:45. This page has been accessed 298 times.