Exploiting Stateful Firewalls

Dannie M. Stanley Mon, Mar 28, 2011

Firewalls attempt to provide network access control. However, we describe a vulnerability that allows an outside attacker in collaboration with a mole to access UDP and TCP services running on an internal “protected” network. The End-to-End Argument in system design states that functions which depend on applications running on the end points should be placed at the end points and not in the communication system (Saltzer, Reed, and Clark, 1984). The access control function found in firewalls depends on “connection tracking.” Firewalls attempt to track a connection by observing network data flow using stateful packet inspection. However, IP, UDP and TCP were not designed to provide enough information for intermediate network devices to correctly and reliably track connection states. A connection state can only reliably be determined at the end hosts. By disregarding the End-to-End Argument, firewalls are vulnerable to attack.

Many deployed networks have firewalls that allow network traffic, originating from the internal network, to flow to the outside. Determining the origin of a connection requires connection tracking. When a firewall is not able to accurately track a connection, the origin of a connection can be forged and the firewall can be manipulated into adding an “established” connection between an attacker and a protected network service. We describe the principles behind connection tracking that allow this to happen and demonstrate several attacks that allow access to both UDP and TCP services including SNMP, NFS, and HTTP.
