My organization uses security appliances like Web gateways and firewalls because we thought they improved security, but now researchers at Black Hat Europe have found that such appliances are filled with vulnerabilities themselves. How concerned should enterprises be about firewall vulnerabilities, and how can we test and remediate appliances against the most prevalent issues?
A firewall vulnerability usually means that the firewall isn't blocking traffic it is supposed to block. For example, a security administrator configures the firewall to block anything Telnet-related. If the admin later examines the logs and finds that Telnet traffic is still making it through the firewall, that would be considered a firewall vulnerability.
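The Telnet check described above can be automated against the firewall's own logs. The following is an added example, not code from the original answer: it parses iptables-style LOG lines and reports any packet the firewall accepted towards a port that policy says must be blocked. The log lines are constructed for the example, and the `FW-ACCEPT:` / `FW-DROP:` prefixes are assumed `--log-prefix` values rather than any vendor's format.

```python
import re

# Constructed iptables LOG lines in syslog form (not taken from any real firewall).
# "FW-ACCEPT:" and "FW-DROP:" are assumed --log-prefix values on the ACCEPT and
# DROP rules respectively, so the prefix tells us what the firewall decided.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23 SYN
Mar  3 10:01:05 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar  3 10:02:11 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.11 PROTO=TCP SPT=40212 DPT=23 SYN
Mar  3 10:02:30 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.11 PROTO=UDP SPT=40213 DPT=53
Mar  3 10:03:00 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.4 PROTO=TCP SPT=23 DPT=40212 ACK
"""

# Policy the firewall is supposed to enforce: (protocol, destination port) pairs
# that must never be accepted. Telnet is the example from the answer above.
BLOCKED = {("TCP", 23)}

LINE_RE = re.compile(r"kernel: (?P<verdict>FW-[A-Z]+): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (verdict, {field: value}) for an iptables LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return m.group("verdict"), fields


def find_policy_violations(log_text, blocked=BLOCKED):
    """Lines where the firewall ACCEPTED a packet that policy says to block.

    Only packets heading for the blocked port count; the reply leg (SPT=23)
    is the other direction of the same flow, not a separate violation.
    """
    violations = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        verdict, f = parsed
        if verdict != "FW-ACCEPT":
            continue
        if "PROTO" in f and f.get("DPT", "").isdigit() and (f["PROTO"], int(f["DPT"])) in blocked:
            violations.append({"src": f.get("SRC"), "dst": f.get("DST"),
                               "proto": f["PROTO"], "dport": int(f["DPT"]),
                               "line": line})
    return violations


if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_LOG):
        print(f"POLICY VIOLATION: {v['proto']}/{v['dport']} {v['src']} -> {v['dst']}")
```

Run against a real log export, the script gives a quick answer to "is the rule actually being enforced?" for each (protocol, port) pair you add to `BLOCKED`; a single hit means the rule set needs review, not the log.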
Now, however, a security researcher at this year's Black Hat Europe unveiled several vulnerabilities that he found within the firewall operating systems themselves. This is profound to say the least.
At their core, most firewalls are little more than Linux servers. In recent years, many firewall vendors have enabled the Web server bundled with most Linux distributions so that administrators can manage their firewalls through a graphical user interface. Apparently, in most cases little effort went into securing the software behind this feature; researchers found that many Web-enabled firewalls are vulnerable to cross-site scripting, brute-force password attacks, command injection and privilege escalation. Furthermore, many firewalls run outdated and unpatched Linux kernels.
Organizations should be concerned about firewall vulnerabilities of this nature and test for them immediately. If a malicious user can gain administrative, or even root, access to the organization's firewall, then it is worth little more than a paperweight, as a malicious root user can rewrite firewall rules to his or her own nefarious ends.
Numerous open source tools (many of which ship with the penetration testing distributions BackTrack and Kali) allow operators to scan network devices for open ports, OS versions and obvious vulnerabilities. I suggest using these immediately, especially if you can't remember the last time your firewall's operating system was updated. One worth noting: John the Ripper is a password-cracking tool; you will need access to the device's shadow file to use it properly. Another tool, Nmap -- one of the most popular port scanners -- also provides some light vulnerability scanning. With it you will be able to find open ports, the services affiliated with those ports, and what OS and kernel the device is running.
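To turn the Nmap output mentioned above into something actionable, here is an added example (not part of the original answer or of Nmap itself) that reads the XML Nmap writes with `-oX`, lists the open ports, service banners and OS guess, and flags management services (Telnet, SSH, HTTP, HTTPS) reachable on the scanned interface, rating plaintext ones highest. It assumes the scan was run from the untrusted side of your own firewall with `nmap -sV -O -oX fw.xml <address>`; the embedded XML, address, products, versions and OS match are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML, standing in for a scan of the firewall's outside
# address saved with:  nmap -sV -O -oX fw.xml 192.0.2.1
# The address, products, versions and OS match are made-up sample values.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX fw.xml 192.0.2.1">
  <host>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd" version="1.4.28"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="lighttpd" version="1.4.28"/></port>
      <port protocol="tcp" portid="8443"><state state="closed"/><service name="https-alt"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32 - 3.10" accuracy="94"/></os>
  </host>
</nmaprun>
"""

# Services that are management planes on a firewall. Reachable from the
# untrusted side, each one is a finding; plaintext ones are rated high.
MGMT_SERVICES = {
    "telnet": ("high", "plaintext remote administration"),
    "http": ("high", "unencrypted web administration"),
    "ssh": ("medium", "remote administration reachable from outside"),
    "https": ("medium", "web administration reachable from outside"),
}


def parse_scan(xml_text):
    """Turn Nmap XML into [{addr, os, services: [{port, proto, name, product, version}]}]."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are attack surface worth listing
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        osmatch = host.find("os/osmatch")
        hosts.append({"addr": addr,
                      "os": osmatch.get("name") if osmatch is not None else "unknown",
                      "services": services})
    return hosts


def audit(hosts):
    """Flag management services exposed on the scanned (outside) interface."""
    findings = []
    for h in hosts:
        for s in h["services"]:
            if s["name"] in MGMT_SERVICES:
                severity, why = MGMT_SERVICES[s["name"]]
                banner = " ".join(x for x in (s["product"], s["version"]) if x)
                findings.append({"addr": h["addr"], "port": s["port"],
                                 "service": s["name"], "banner": banner,
                                 "severity": severity, "reason": why})
    return findings


if __name__ == "__main__":
    hosts = parse_scan(SAMPLE_XML)
    for h in hosts:
        print(f"{h['addr']} OS guess: {h['os']}")
    for f in audit(hosts):
        print(f"[{f['severity']}] {f['addr']}:{f['port']} {f['service']} {f['banner']} -- {f['reason']}")
```

The product and version strings the script prints are the input for the "when was this last updated?" question: compare them, and the kernel range in the OS guess, against the vendor's current release and its advisories. Any management service showing up on the outside interface should be moved behind a VPN or restricted to a management network regardless of its version.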
Related Q&A from Brad Casey