This week, a security researcher posted a blog post about the security implications of how next-generation firewalls handle TCP session setup. SC Magazine also published an article that repeated similar technical claims provided by the security researcher. We’d like to take the opportunity to clarify the content of these articles for our customers and the industry, because both pieces include some inaccurate claims that may sound concerning.
One claim from the researcher is that next-generation firewalls “…are designed to permit full TCP handshake regardless of the packet destination … bypassing the firewall to any destination on the Internet, regardless of firewall rules and client restrictions” (emphasis in the original).
This claim, as written in the blog and SC Magazine article, is false. Firewall policy is never violated. Before even a SYN is allowed through, the firewall rule base is evaluated to check if a TCP setup should be allowed at all.
After some conversation with the researcher, it appears the actual concern is that if an administrator creates a typical web browsing policy on a next-generation firewall, this allows a SYN (and in fact a complete 3-way handshake) from allowed web clients out to the internet on the standard HTTP service (tcp/80). This is true of any firewall; any device that behaves otherwise is acting as a proxy, and even a proxy blocks the connection only if it already knows the destination host is malicious.
To put this in context, it is helpful to remember that this technique is not new. Information hiding in TCP/IP is nearly as old as the stack itself (see references). This is essentially a covert channel, and as with any covert channel, it requires the adversary to already have control over both ends of the connection. This is simply one example; in general, covert channels are limited only by the creativity and patience of the adversary. For example, data can simply be carried over normal HTTP payloads to a recently compromised WordPress site (this actually happens every day). That is far simpler and more efficient, requires no TCP trickery, and nothing about the act of proxying does anything to stop it.
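As an added example, not from the original post or from Palo Alto Networks, here is a defender-side heuristic over constructed session records: handshake-only sessions on tcp/80 (a completed connection that carried no application payload in either direction) are normal in small numbers, so the check flags only clients that open such sessions to many distinct destinations. The `Session` fields and the `min_destinations` threshold are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One completed TCP session as a firewall or NetFlow collector would log it (assumed schema)."""
    src: str
    dst: str
    dport: int
    bytes_out: int  # application payload bytes client -> server, excluding TCP/IP headers
    bytes_in: int   # application payload bytes server -> client


def is_handshake_only(s: Session) -> bool:
    """True for a tcp/80 session that completed the 3-way handshake but moved no application data."""
    return s.dport == 80 and s.bytes_out == 0 and s.bytes_in == 0


def flag_clients(sessions, min_destinations=5):
    """Return {client: sorted destinations} for clients whose handshake-only sessions
    reach at least min_destinations distinct hosts. Browser pre-connects and health
    checks produce a few such sessions, so a threshold is used rather than any single hit."""
    dests = defaultdict(set)
    for s in sessions:
        if is_handshake_only(s):
            dests[s.src].add(s.dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


# Constructed sample records (not real traffic): one client with many empty sessions,
# one normal browser, and one client with a couple of benign empty sessions.
SAMPLE = [Session("10.0.0.5", f"203.0.113.{i}", 80, 0, 0) for i in range(1, 7)] + [
    Session("10.0.0.7", "198.51.100.10", 80, 412, 15320),
    Session("10.0.0.7", "198.51.100.11", 443, 980, 40210),
    Session("10.0.0.9", "198.51.100.20", 80, 0, 0),
    Session("10.0.0.9", "198.51.100.21", 80, 0, 0),
]

if __name__ == "__main__":
    for client, hosts in flag_clients(SAMPLE).items():
        print(f"{client}: {len(hosts)} handshake-only tcp/80 sessions to distinct hosts")
```

In practice the threshold and time window should be tuned against the environment's baseline before alerting on the result.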
That is why it is important to focus on prevention, a key tenet of the Palo Alto Networks next-generation security platform. The layers of security provided by App-ID, Content-ID, WildFire, Traps, and the complete combination of Palo Alto Networks platform security capabilities are important in denying the adversary access to the network and endpoints at every stage in the attack lifecycle. The game of endless incident response, covert signaling, steganography, and inventorying data lost after a breach is unwinnable.
Palo Alto Networks customers are encouraged to reach out to customer support for any additional questions about this topic or any product security matter.
-- Palo Alto Networks product security team
The original researcher blog post is available at: http://www.bugsec.com/news/firestorm/
The SC Magazine article is available at: http://www.scmagazine.com/firestorm-vulnerability-in-firewalls-let-attackers-extract-data-from-cc-servers/article/458817/
T. Handel and M. Sandford, “Hiding data in the OSI network model,” First International Workshop on Information Hiding, Cambridge, U.K., May-June 1996. Retrieved from: http://chemistry47.com/PDFs/OSI%20Model/Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf