My organization uses security appliances like Web gateways and firewalls because we thought they improved security, but now researchers at Black Hat Europe have found that such appliances are filled with vulnerabilities themselves. How concerned should enterprises be about firewall vulnerabilities, and how can we test and remediate appliances against the most prevalent issues?
Ask the Expert
A firewall vulnerability usually means that the firewall isn't blocking traffic that it's supposed to be blocking. For example, a security administrator configures his or her firewall to block any and all things Telnet-related. If the admin later examines the logs and finds that Telnet is still making it through the firewall, then this would be considered a firewall vulnerability.
Now, however, a security researcher at this year's Black Hat Europe unveiled several vulnerabilities that he found within the actual firewall operating systems. This is profound to say the least.
At their core, most firewalls are little more than Linux servers. In recent years, many firewall vendors have turned on the Web server inherent in most Linux distributions so that administrators could more intuitively manage their firewalls via a graphical user interface. Apparently, in most cases little effort was made toward securing the software that makes this feature available; researchers found that many Web-enabled firewalls are vulnerable to cross-site scripting, brute-force password attacks, command injection and privilege escalation. Furthermore, many firewalls have outdated and unpatched Linux kernels.
Organizations should be concerned about firewall vulnerabilities of this nature and immediately test for them. If a malicious user can gain administrative, or even root, access to the organization's firewall, then it is worth little more than a paperweight, as malicious root users can manipulate firewall rules to their own nefarious ends.
Numerous open source tools (many of which can be found in the penetration testing distributions BackTrack or Kali) are available that allow operators to scan network devices for open ports, OS versions and obvious vulnerabilities. I suggest using these immediately, especially if you can't remember the last time that your firewall's operating system was updated. One worth noting: John the Ripper is a password-cracking tool; you will need to access the shadow file to use this properly. Another tool, Nmap -- one of the most popular port scanners -- also provides some light vulnerability scanning. With this you will be able to find open ports, the types of services affiliated with these ports, and what type of OS and kernel you're using.
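The scan the answer recommends produces a lot of output across a fleet of firewalls, and the useful step is turning it into a short list of things to fix: management services reachable from the scanned side and an OS fingerprint that points at an old kernel. The script below is an added example, not part of the original column or of Nmap; it parses Nmap's grepable (`-oG`) output and flags exactly the exposures the answer describes (Telnet, the Web management GUI, an outdated Linux kernel). The host name, address, banners, the `RISKY_SERVICES` table and the `MIN_KERNEL` floor are assumptions chosen for illustration; tune them to your vendor's guidance and run the scan only against firewalls you administer.

```python
"""Triage Nmap grepable (-oG) output for firewall management-plane exposure.

Added example, not code from the original column. Produce the input with
something like:  nmap -sV -O -oG fw-scan.gnmap <your-firewall-ip>
The SAMPLE_GNMAP text is a constructed sample, not a real scan result.
"""
import re
from dataclasses import dataclass

# Constructed sample in Nmap's -oG layout: one "Host:" line per host, fields
# separated by tabs, each port written as port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.1 (fw.example.test)\tStatus: Up
Host: 192.0.2.1 (fw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 23/open/tcp//telnet///, 80/open/tcp//http//lighttpd 1.4.28/, 443/open/tcp//ssl|https//lighttpd 1.4.28/, 8443/open/tcp//ssl|https-alt///\tOS: Linux 2.6.32\tSeq Index: 200
# Nmap done
"""

# Assumed policy: services that should not be reachable on a firewall's
# untrusted side. Keys are Nmap service names as they appear in -oG output.
RISKY_SERVICES = {
    "telnet": "cleartext remote login; credentials can be sniffed or brute-forced",
    "http": "management GUI without TLS; the web stack is the part researchers found buggy",
    "ssl|https": "management GUI reachable; restrict to an admin network and patch the web stack",
    "ssl|https-alt": "alternate management GUI port reachable; handle like https",
    "ssh": "remote shell reachable; restrict source addresses and use key authentication",
}

MIN_KERNEL = (3, 10)  # assumed floor for "recent enough"; adjust to vendor release notes

# One port entry: port/state/proto/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class Finding:
    host: str
    port: int        # 0 for host-level findings such as the kernel check
    service: str
    version: str
    reason: str


def parse_ports(field):
    """Yield (port, state, proto, service, version) tuples from a 'Ports:' field."""
    for m in PORT_RE.finditer(field):
        port, state, proto, _owner, service, _rpc, version = m.groups()
        yield int(port), state, proto, service, version


def parse_gnmap(text):
    """Return {ip: {'ports': [...], 'os': str}} from grepable Nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for part in line.split("\t"):
            name, _, value = part.partition(": ")
            fields[name] = value.strip()
        ip = fields["Host"].split()[0]  # address comes before the "(hostname)"
        entry = hosts.setdefault(ip, {"ports": [], "os": ""})
        if "Ports" in fields:
            entry["ports"].extend(parse_ports(fields["Ports"]))
        if fields.get("OS"):
            entry["os"] = fields["OS"]
    return hosts


def kernel_version(os_str):
    """Extract the first Linux version from an OS fingerprint, e.g. 'Linux 2.6.32 - 3.10' -> (2, 6, 32)."""
    m = re.search(r"Linux (\d+)\.(\d+)(?:\.(\d+))?", os_str)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def triage(text, min_kernel=MIN_KERNEL):
    """Turn a scan into a list of Findings: open risky services plus an old-kernel check."""
    findings = []
    for host, info in parse_gnmap(text).items():
        for port, state, _proto, service, version in info["ports"]:
            if state != "open" or service not in RISKY_SERVICES:
                continue
            findings.append(Finding(host, port, service, version, RISKY_SERVICES[service]))
        kv = kernel_version(info["os"])
        if kv is not None and kv < min_kernel:
            findings.append(Finding(host, 0, "kernel", info["os"],
                                    "fingerprint suggests an old kernel; confirm the patch level with the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GNMAP):
        where = f"port {f.port}" if f.port else "host"
        print(f"{f.host} {where:10} {f.service:14} {f.version or '-':18} {f.reason}")
```

Point the script at a real `.gnmap` file instead of `SAMPLE_GNMAP` once you have scanned your own firewalls from the network segment you care about. A scan from the trusted side will legitimately show the management GUI, so run it from the untrusted side as well and treat anything in `RISKY_SERVICES` that answers there as a remediation item: close or ACL the port, move management to a dedicated admin network, and get the vendor's latest firmware.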
This was first published in November 2013