Wednesday, January 13, 2016

Using firewall backdoors to rekindle defense in depth discussions

If you haven't been under a rock for the last month of so, you know about the Juniper backdoor that was built into many of their firewall products.  At this stage, it is pretty clear that the backdoor was planted maliciously.  I've already written about the Juniper backdoor here and here and my official opinion is that despite a lot of speculation, at least the backdoor password wasn't the work of NSA.  Despite that, Juniper has dropped Dual_EC_DRBG encryption from its products (probably a wise idea).
Fortinet Fortigate Firewall
Last week, we learned that another firewall manufacturer, Fortinet, discovered a backdoor in their code and patched it.  Working exploit code was published to the Full Disclosure mailing list here.

According to Fortinet's blog, the backdoor password was backdoor at all, but rather was an "management authentication issue."

Only older versions for the Fortigate Firewalls
The Fortinet marketing team must be winning some kind of award for spinning a yarn like that.  It's akin to Caesar's Palace telling me that my room keys were intentionally demagnetized to prevent unauthorized access to my room*.  Fortinet says that the "management authentication issue" code was not maliciously placed.
*As you probably know, I travel a lot. I sleep in a hotel bed at least twice as often as my own. Caesar's Palace has hands down the worst key system of any hotel I stay in.

Whether you believe Fortinet about malicious placement of the code or whether you think it was NSA that hacked Juniper, the recently discovered firewall vulnerabilities should be a reason for pause.  As infosec professionals we should be using these vulnerabilities to rekindle the discussion about defense in depth for our networks.

Most networks that we evaluate at Rendition Infosec resemble a piece of candy.  They have a hard crunchy outside and a soft gooey inside.  Once attackers breach the perimeter, they often move around the network with impunity.  Defense in depth is about more than running antivirus and having a perimeter firewall.  In fact, nobody has called that the standard for defense in depth in the last decade.

We need to evaluate what would happen if an attacker can bypass the firewall at will - or worse yet control it.  Because that's exactly what successful use of the backdoor passwords would do.  Either would allow the attacker a privileged place in the network, sitting on the very device that is supposed to protect the network.

Is your network one backdoor away from total compromise?
Can your network really survive this sort of attack?  Could you detect an attacker moving laterally from the firewall itself?  Is your network instrumented to even detect this sort of attack?  In most networks I've evaluated, the answer is unfortunately no.  However, it shouldn't be.  Especially in the wake of increasingly stiff regulatory fines for data breaches, organizations should be asking themselves how they can detect and prevent attacks that involve compromised edge devices such as firewalls, routers, and even VPN concentrators.  Failing to be able to detect these attacks probably won't save the organization from a lawsuit or regulatory fine after a data breach.

My recommendation is that organizations begin conducting sand table exercises to ensure that they understand how they will respond to various incidents.  Sand table exercises help uncover systematic weaknesses in a network before they are exploited.  After all, if your defenses are broken on paper, you're not ready for a penetration test.   If you need help building and conducting sand table exercises, give me a shout.  I've built and executed many sand table exercises for small and large organizations alike.  We have several configured to discuss compromises of perimeter devices and get your organization thinking about its defense in depth strategy.

1 comment:

  1. I've used Kaspersky protection for many years now, and I'd recommend this product to everybody.


Note: Only a member of this blog may post a comment.