Focus on: The firewall


One of the most trusted security elements, it can nonetheless be misconfigured and play right into the hands of the hacker.


Your firewall should be invisible from the public internet. For example, a TCP SYN packet should simply be dropped. Don't reply with a reset, or the attacker will know that there's something on the end of the IP address.

If the hacker can't see your firewall, then you have a layer of protection before you even start.


This is the neutral ground between your internal network and the internet. The key benefit of a demilitarised zone (DMZ) is separation. By introducing another layer of security, you keep the systems an attacker could reach separate from the main corporate network. It would be bad for an attacker to gain access to your web server, but it's much less dangerous than if they were able to reach your whole corporate network directly through that web server.

However, the separation a DMZ provides does come at a cost in performance. Configuration needs to be done carefully, and that effort must be factored in.


The gateway to the internal network, this is where you keep the crown jewels which you want to keep the hacker away from.


1. Rule sets

It's necessary to define who can and can't get through the firewall using rule sets. Start from "deny all" and work up, explicitly allowing business-critical traffic, and be as granular as possible. Be wary of the "any" rule; a more specific rule offers more security. Watch out for the order in which rules are evaluated, as it's easy for rules to conflict. Rules should be well annotated; otherwise you end up at the mercy of your firewall admin, who is then the only person in your business who understands your firewall. What happens if they leave? You need a strong change control procedure. All too often, old rules are left in a rule set because no one thought to put in a date for the rule to be removed.

2. State table

A stateful inspection firewall holds a state table; this makes it difficult for the hacker to intercept and spoof a valid connection. These firewalls can also understand more complex protocols, which may use arbitrary ports for connections.

3. Application firewalls

Application firewalls inspect deeper into the packet traffic, so rather than checking whether a packet is simply being routed out on port 80, it checks that the traffic is actually HTTP. They will also check that the traffic is formed correctly, preventing some packet crafting attacks.

The depth of inspection into the packet is key: the deeper you go, the higher the performance overhead, but the greater the degree of security assurance. New technologies are emerging that may help mitigate this problem.
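The rule-set guidance in point 1 above (deny by default, avoid "any", watch rule order, annotate, and date rules for removal) can be checked mechanically. The following is an added example, not code from the article: a small audit script over a constructed rule set that flags broad allow rules, unannotated rules, expired rules, and rules shadowed by an earlier rule in evaluation order. The Rule fields and the "any" label are assumptions; source and destination are compared as plain labels, not real CIDR maths.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ANY = "any"  # assumed wildcard label for src, dst or port


@dataclass
class Rule:
    name: str
    src: str              # label such as "10.0.0.0/8" or "any"
    dst: str
    port: str             # label such as "tcp/443" or "any"
    action: str           # "allow" or "deny"
    comment: str = ""     # annotation: who asked for the rule and why
    expires: Optional[date] = None  # date the rule should be removed


def _covers(field_a: str, field_b: str) -> bool:
    """field_a covers field_b when it is the wildcard or an identical label."""
    return field_a == ANY or field_a == field_b


def audit(rules: List[Rule], today: date) -> List[str]:
    """Return human-readable findings; rules are in evaluation order, first match wins."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and ANY in (r.src, r.dst, r.port):
            findings.append(f"{r.name}: allow rule uses 'any'; make it more granular")
        if not r.comment.strip():
            findings.append(f"{r.name}: no annotation")
        if r.expires is not None and r.expires < today:
            findings.append(f"{r.name}: expired on {r.expires}; remove it")
        # An earlier rule that covers every field of this one wins first, so this
        # rule never matches: a priority conflict the admin may not have noticed.
        for earlier in rules[:i]:
            if all(_covers(a, b) for a, b in ((earlier.src, r.src),
                                              (earlier.dst, r.dst),
                                              (earlier.port, r.port))):
                findings.append(f"{r.name}: shadowed by {earlier.name} ({earlier.action})")
                break
    return findings


def sample_rules() -> List[Rule]:
    """Constructed rule set for illustration only."""
    return [
        Rule("corp-to-web", "10.0.0.0/8", "dmz-web", "tcp/443", "allow", "HTTPS to DMZ web"),
        Rule("vendor-temp", ANY, "dmz-web", ANY, "allow", "vendor support", date(2023, 1, 31)),
        Rule("corp-to-web-dup", "10.0.0.0/8", "dmz-web", "tcp/443", "allow"),
        Rule("default-deny", ANY, ANY, ANY, "deny", "deny all: last rule, never remove"),
    ]


if __name__ == "__main__":
    for line in audit(sample_rules(), date(2024, 6, 1)):
        print(line)
```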

Some common firewall issues

Misconfiguration problems include a bug in some earlier versions of CP FW-1 that resulted in TCP port 18264 being left open to the internet. The certificate revocation list served on this port, and the related service, immediately advertise the brand, version and sometimes the internal DNS name of the firewall to the hacker.

Some early Watchguard firewalls had a facility that allowed automatic "shunning" of IP addresses that appeared to be attempting to port scan the firewall. This could be turned against the firewall by a hacker through a simple "spoofing" attack.

One of the easiest ways to hack a firewall is "tunneling". To trick the firewall into giving you internet access, you could hide your HTTP traffic in a DNS packet, usually the CNAME field which allows free text. Your server at home can receive the DNS packets and recompile your HTTP traffic, providing access.
Copyright © SC Magazine, US edition
