A long time ago in a galaxy far, far away… lived an odd nerd boy who spent most of his time playing immersive multiplayer games, dressed in his cheap entry-level suit. One day he was challenged to get into the fortress called the “Wall of Fire”, a place where many noble and powerful warriors had failed. Nerd-boy was neither noble nor powerful, but he was resistant to failure and tried to get into the fortress so many times that he developed his own strategy. The fortress had huge impenetrable walls enchanted with “Eternal Flame”, a level 90 spell that killed everyone in the blink of an eye. Going over it was impossible, and so was going under. The only way into the fortress was through the gates. There were many of them, but only two were always open. One gate allowed NPC (non-player character) merchants to deliver livestock to “Port 80”; the second was reserved for the royal guard near “Port 443”. Many players developed a technique called “Horse-skin masquerade” to enter the fortress disguised as a… horse. It required only a little preparation and a Ring of Animal Disguise, a level 5 item. The technique had been in use for two decades of in-game years, but recently the developers added a patch that gave the Guardians “Real Vision”, a skill that shows the true nature of every living and non-living object. Sadly, now every disguised player is instantly slaughtered, no matter whether he tries to be a wolf, a sheep or a horse.
That was a big problem for all the gamers trying to hack into the “Wall”. But that was about to change, as our nerd-boy was the first to find his way into the castle without being killed by the enemy guards at port number 80. In fact, he chose a different path. A more obscure one. A deadlier one, because it was guarded by the Royal Army, with enemies everywhere. He traveled to a nearby location called “User-friendly city”, a place where everyone is welcome, and located the Mayor’s office. Once a week every mayor in the realm was required to send a report, together with the taxes, inside a big iron-padded box transported end-to-end by the Royal Army SSL, which stands for Super Secure League, a trusted personal squad of the emperor. Their mission was to deliver the goods directly to the Ministry of Finance. Their trustworthiness was beyond doubt. They promised never to check what was in the box, so once the box was sealed it was opened only by the minister himself.
The plan was simple. Get into the mayor’s office. Locate a box. Get into the box before it is sealed using an Invisibility Cloak and stay there as long as it takes to reach the Ministry of Finance. Then hope that the minister is not a level 70 wizard and get yourself out of the box without being spotted by the guards. Ninja style. Just like that, our nerd-boy took his chance, jumped into the big box and covered himself with papers and coins. Then he waited. A few minutes later someone opened the box, added some more papers and coins and sealed the package without spotting the unwanted content. The first part of the job was done. As expected, the SSL squad came and took care of the precious delivery. They put the box on a cargo vessel and delivered it directly to the gold-facade building called the Ministry of Finance. 300 steps and 4 doors later they left the box inside a giant chamber, alone with the old minister and two low-level guardians. They were all dead as soon as the box was opened. His name was Dec3P5teve_2k9.
Well, if you’re a security engineer, pentester, hacker or security enthusiast you’ve probably spotted some “hidden” messages in this short fantasy story. If not, you will want to read the rest of the article. Before I start explaining, forgive me for my rather weak novel-writing skills. In fact, I am an engineer, not Andrzej Sapkowski.
Let’s start with the “Wall of Fire” fortress, which is, of course, a firewall: a device that appeared around the turn of the 1990s to protect against rising network threats, and it was good for its time. The firewall’s objective was to block or allow network communications between hosts based on their IP addresses and the ports their applications used. For example, the default port for HTTP is 80, for HTTPS 443 and for FTP 21 (control) and 20 (data).
For over 20 years port-based firewalls protected companies’ fortresses against unauthorized access to their networks. Most Fortune 500 companies still have this type of firewall somewhere in the network. Maybe not on the Internet edge, but they definitely use a lot of them inside their local networks. The problem is that times have changed: today’s internet is nothing like that of the mid 90s, and neither are the threats.
Threat Analysis – The Horse
In my story the firewall is described as a great wall of fire, “cooking” everything except livestock entering on port 80 and private messages on port 443. That means whatever other port you tried, you would be killed, or at least blocked 🙂 But the port is not the only thing being checked, as not every wanderer is welcome. At every gate the guards check who is entering (the source IP) and where the package needs to be delivered (the destination IP). Together with the protocol and the source and destination ports, these make up the classic 5-tuple on which a packet filter decides. This procedure is known as firewall filtering and was very effective for many years. Look at the picture below to see how everything except traffic to port 80 is blocked.
In the example above the source “10.3.2.5” is our merchant arriving at the gates together with a horse he wants to sell at the market, the destination “126.96.36.199”. The horse, in fact, is a simple HTTP website served on port 80.
So how does the players’ technique of disguising themselves as a horse work in real life? Well, it is pretty easy to understand once you know that the port is not the same thing as the application using it. Port 80 is the default for web browsing over HTTP, but what if we change the application to SSH (a protocol for encrypted remote terminal access) and make the SSH server listen on port 80 instead of 22? We have disguised ourselves as a horse. From the port-based firewall’s perspective the two connections are identical: same source, same destination, same port. “Welcome, traveler. Enjoy your stay in the town,” said the guard with a hint of a smile.
In the past, port-based firewall filtering was enough to stop most threats because the nature of an application was pretty straightforward. When we chatted using online communicators like IRC we could expect traffic on ports 6665–6669, FTP (File Transfer Protocol) stuck to ports 21 and 20, Telnet, the ancestor of SSH, used port 23, and so on. As you can see, applications were built in such a way that you could easily determine their purpose from the port they used. The situation changed dramatically in the early 2000s with the rise of web-based applications and social media. More and more software was built to run in a web browser, a tool that had once been considered only a World Wide Web reader working over port 80. When you check how websites looked in the early 2000s you will understand what I’m talking about. The screenshot below shows the facebook(dot)com page in August 2004, before Mark Zuckerberg acquired the domain.
Nowadays everything works in a web browser: Skype, chat, Excel, Word, Outlook and so on. That means web browsers like Edge, Chrome, Safari or Firefox are no longer simple page readers but rather full platforms capable of running different software. How much has this simplified our lives? Right now you don’t need to install software on every device to edit text, draw a picture or access your files. You can simply log in to the website you like and do everything there. But guess what? The web browser still works mainly on ports 80 and 443 (HTTPS, the secured version of the HTTP protocol). That means when you allow ports 80 and 443 on your firewall you basically accept everything the internet gives us. Good or bad.
The answer to this threat was the application firewall or, as the market taught us to call it, the next-gen firewall: software capable of recognizing and understanding the application all the way up to the user’s keyboard. Well, almost. To be honest, I have simplified a lot by going directly from port-based to application-based firewalls and skipping years of organic growth and improvements that allowed many companies to stay secure all the way from 2000 to 2020. I have omitted proxy servers, IPS (Intrusion Prevention Systems), anti-malware, anti-virus, anti-everything, but I did this purposefully because I want to focus only on firewalls, the bread and butter of network security since the rise of the Internet.
For many years firewall industry leaders improved their solutions by adding other pieces of the puzzle, allowing their devices to understand a little more of the application running over the port. Some of them implemented what is now called an ALG (Application Layer Gateway), in other words a higher-layer protocol awareness based on pre-defined signatures or protocol decoders. Those gave the firewall the ability to recognize applications not solely by their port but also by the way they behave on the network (the classic ALGs handled protocols such as FTP, SIP and H.323, which negotiate additional ports inside the session). This was a simple but limited approach, and only a few applications and protocols were supported.
That was the case until 2007, when Palo Alto Networks introduced their first next-generation firewall and changed the game. They took everything we knew from the classic firewall approach, like source and destination filtering, but stopped using the port as the identity of the application. Instead, they built a large, continuously updated application database and allowed security engineers to filter traffic based on the application itself rather than the default port the application operates on. In network security it is always more evolution than revolution, but in 12 years the whole industry has adopted this approach, and I personally think the best years are still to come as this technology is still growing.
So how was this technique adapted in my story? By teaching the guards a new skill called Real Vision. In fact, they were given a book, or better said a knowledge base, with diagrams of, for example, what a horse looks like and how to spot a fake one. With this new power the guards were instantly able to spot a disguised player and reject him before letting him inside the fortress. That is how a next-gen firewall works: compare the traffic against the signature database and determine the application type, regardless of the port.
Let’s try to open an SSH session one more time, but this time with an application filter allowing only web-browsing traffic. As you would expect, the connection is dropped and we receive a connection timed out.
We can still see the port on which the traffic was initiated, but now we also identify the application. SSH is not web-browsing, so the connection is denied. “Not a horse you are,” said the gatekeeper, reaching for his sword. It was not an easy day for player 8008135 as the blade fell on his head at full speed.
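The gate check and the horse-skin disguise as working code, as an added example that is not part of the original article or of any vendor's product: a constructed Python model that pushes the same three flows through a classic port-based rule and through an application-aware rule built on a tiny signature database. The trusted source range 10.3.2.0/24, the three signatures in `identify_app` (SSH banner, TLS handshake record, HTTP request line) and the sample flows are all assumptions for the demo; a real App-ID engine has thousands of signatures and full protocol decoders, but the decision logic is the same.

```python
"""Port-based vs application-aware filtering (constructed demo, not vendor code).

Each Flow carries the first client-to-server bytes of a TCP session. The classic
filter looks only at addresses and ports; the application-aware filter also matches
those bytes against protocol signatures, the way an App-ID style engine does.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.3.2.0/24")   # assumed trusted source range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes the client sends after the TCP handshake


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Tiny signature database: identify the application from its opening bytes."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 22 (handshake), version 3.x
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "ssl"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.startswith(HTTP_METHODS) and request_line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "web-browsing"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Classic rule: inside -> any on tcp/80 or tcp/443 is allowed; everything else is dropped."""
    if ipaddress.ip_address(flow.src) in INSIDE_NET and flow.dport in (80, 443):
        return "allow"
    return "deny"


ALLOWED_APPS = {"web-browsing", "ssl"}


def app_policy(flow: Flow) -> str:
    """Application rule: same source check, but the application itself must be
    web-browsing or ssl, whatever port it arrives on."""
    if ipaddress.ip_address(flow.src) not in INSIDE_NET:
        return "deny"
    return "allow" if identify_app(flow.payload) in ALLOWED_APPS else "deny"


def evaluate(flows):
    """Return (application, port-based verdict, application-based verdict) per flow."""
    return [(identify_app(f.payload), port_policy(f), app_policy(f)) for f in flows]


# Constructed sample flows: the merchant's horse, the disguised player, and plain SSH.
SAMPLE_FLOWS = [
    Flow("10.3.2.5", "126.96.36.199", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Flow("10.3.2.5", "126.96.36.199", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH wearing the horse skin
    Flow("10.3.2.5", "126.96.36.199", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH on its own port
]

if __name__ == "__main__":
    for flow, (app, by_port, by_app) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"dport={flow.dport:<4} app={app:<13} port-based={by_port:<6} app-based={by_app}")
```

The middle flow is the whole story: SSH on port 80 is allowed by the port-based rule and denied by the application-based one. Note that the application rule keeps the source check; application awareness adds a dimension to filtering rather than replacing it, and in practice you would also tie each allowed application to its expected port so that a permitted application cannot be tunnelled over an arbitrary one either.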
The last major piece of the puzzle is SSL/TLS inspection, also called SSL decryption (SSL here is Secure Sockets Layer, the predecessor of TLS, not Secure Shell). The last 5 years of internet development brought a huge increase in the amount of encrypted traffic. Privacy concerns and a better understanding of the whole spectrum of Internet threats moved companies and end users towards using some form of encryption everywhere. Whether it is a VPN tunnel or simply a banking website using HTTPS (the green padlock, as we call it), more and more traffic is encrypted. Rough estimates suggest that over 80% of all internet traffic in the USA is encrypted in some form. Imagine that you run a business and you have no visibility into 80% of your internet data. That is a big problem for today’s companies and a nightmare for security operators. In the picture below you can see how much traffic was encrypted in just a few hours after turning on the firewall in front of my PC. Yep, that’s a lot of encrypted data, and the worst thing is we don’t know what was in it. Malware, ransomware or a virus? We have no idea, and it is already in our network. Delivered. Undetected.
Threat Analysis – The Iron Chest
Here we reach the point where we discuss what happened in the mayor’s office and which trick was used by Dec3P5teve_2k9. We know that he traveled to a not so well protected location called “User-friendly city”. Translated into security language: instead of trying to breach the firewall, our hacker decided to find a weak spot somewhere else. It can be a user who was tricked into clicking a malicious link, or a laptop compromised while someone was using it on a public network. It can even be a legitimate website that was taken over by a group of hackers so that all of its users are now being targeted. You can’t predict all the attack vectors, and as long as you don’t inspect SSL traffic you will be in danger. Steve hid in the big Iron Chest which, once sealed, is opened only by the recipient. That means no one and nothing in between can check what is in the box. The Iron Chest is a metaphor for SSL/TLS encryption, a procedure in which the user’s application encrypts the data payload before sending it to the server. Only the server that is the recipient of this traffic, the other end of the TLS session, can decrypt the data and read the message; a firewall sitting in between sees only ciphertext. But what if the message is dangerous or deadly?
In my story Steve successfully breached the defenses of the fortress and got what he wanted: access to the Ministry of Finance and potentially even to the vault. Let’s imagine that Steve hid a virus somewhere on a website we browse. We trust websites we know, and Steve knows that as well. He hid his trojan horse on such a website and is waiting until the file containing the virus is downloaded by a user. It is only a matter of time before the Secretary of the Minister of Finance downloads this file. She had been targeted for months and Steve knows all of her browsing habits. To unveil his method we will go to the website eicar(dot)org. EICAR stands for European Institute for Computer Antivirus Research, and it lets users test their security by downloading a harmless test file that anti-malware products are expected to detect as if it were malware. By harmless I mean it does nothing to the user’s PC. First, we will try to download this file over HTTP, that is, over a clear-text, unencrypted web-browsing connection.
As expected, our firewall blocked the malicious file. We can see this in the logs. The source “10.3.2.5”, when visiting the site “188.8.131.52” (eicar.org), tried to download a file which was recognized as a threat and further identified as the virus signature “Eicar Test File”. The connection was reset.
But what happens when we browse the same webpage over an HTTPS connection? As you can guess, adding end-to-end encryption between the browser and the web server prevents the firewall from scanning the payload and lets the user download the file. At this point only an endpoint anti-virus solution can spot the malicious file and stop the download. Our firewall was deceived.
Exactly this technique was used by Steve to enter the “Wall of Fire”. If we want to stop him we can’t trust that the content of encrypted communications is always benign; we need to decrypt the traffic on the way. “What do you have there, sergeant?” asked the city guard, looking at the big iron chest carried by two royal army servants.
“It’s not your problem, gatekeeper,” said the man on the horse in front of the group. “It is my problem! Since today, by the emperor’s order, I must check every container passing through the gates. Here is the official decree.” That was the moment when Steve realized that he was doomed.
SSL inspection is a must in today’s networks, but it is hard to implement and many websites simply can’t be decrypted: applications that pin their server certificate or use mutual TLS (client certificates) break when a firewall re-signs the server certificate, and forward-proxy decryption only works if every client trusts the firewall’s signing CA. Traffic to banking and healthcare sites is often protected by privacy law and should be exempted from decryption, normally by URL category or by the server name in the TLS handshake. Decryption is also a very resource-heavy process and must be sized for the expected load; otherwise users will experience slowness and many other problems. SSL inspection should always be implemented by an experienced and certified engineer who understands both the business and the security requirements. That being said, let’s see how decryption works in real life.
Simply browsing to the website is now recognized not only as an ssl session but also as web-browsing, which means that inspection is already on. Trying to download the EICAR file ends up with a response page. We are safe again.
Finally, look how our application spectrum changed 15 minutes after enabling SSL inspection. More visibility means more control, and that usually means more security.
I hope this article helped you better understand how firewalls are evolving and what types of threats and challenges are still on the horizon. Next-gen firewalls are not the ultimate answer to all security problems, but they are a must in a modern company that can’t afford data theft, ransomware, a virus outbreak or any other type of attack that can stop a production line or compromise clients. Industry leaders in the security field are warning that 2020 will be a year of cybercrime. Not only Fortune 500 companies will be targets but also small and medium businesses, as they are the most vulnerable right now. This means everyone needs to focus on security as never before. Don’t wait until you lose all your important data together with all your customers; you can’t afford that.