One of the first things that someone who wants to have a go at attacking your network from the outside will do is try to identify the make and model of your firewall. There’s so much information available nowadays about product- and code-version-specific vulnerabilities - mostly published by the manufacturers themselves, and also circulated round hacker websites. So, in the interest of not making their job any easier, here are some of the common techniques they might try and your defences against them.
It’s distressing how often it’s the obvious, simple things that aren’t changed, because nobody thinks it would actually make a difference. If someone tries to connect to your firewall, even if there’s no chance of them being able to log in, what’s the format of the welcome banner they’re going to see?
It should not advertise your company name — that’s just too much good information to give away. Apart from anything else, a couple of phone calls may let them find out the brand of firewall you deploy. If it returns a qualified hostname, that’s going to help them too. Many systems return standard messages specific to that product type, and often including the version of code running on the device too. Get rid of all of that. It’s information you can get another way if you need it, and you shouldn’t be giving potential intruders this sort of helping hand.
Do state in your banner that unauthorised access is an offence - you may need help from your legal department here - if you ever think you may have to bring any criminal proceedings against anyone.
Port scanning (see defending yourself against port scanners) is a very common first-step reconnaissance technique, and it’s useful for identifying firewalls too. Some firewalls have a signature set of ports they listen on, so by finding them someone can make a pretty good guess at the model of firewall they’re up against. Your IDS might pick these scans up—but since many IDSs are installed only inside the firewall, then again, it might not. So you should stop traffic to these ports from reaching your firewall at all, by filtering it out on your Internet router. Be aware, though, that this may have implications for your ability to carry out remote management.
Another of the most popular information-gathering methods is traceroute. It’s not too difficult for someone to pick out your routers and firewalls using it. If you’ve configured your firewall not to respond to packets whose TTL expires at it (a TTL of one), that’s great, but you really need to set all your routers up to do the same, so that no path information is returned from as far out towards the outside world as possible.
More advanced settings
Stopping these most popular probes will put off the casual or less skilled attacker, but for the more determined intruder, there are other things they will try.
ICMP can be very useful in troubleshooting because of the different error codes it returns, such as host unreachable, network unreachable, etc. But intruders can use this facility too. There’s a specific error code, ICMP type 13, that indicates the packet has been administratively prohibited, i.e. filtered. By finding out which ports have been deliberately blocked, and where in a path, an attacker can build up a map of your packet-filtering routers and firewalls and how they have been set up. The easiest way to avoid handing out this information is simply to stop ICMP type 13 packets from leaving your environment for the Internet.
And then of course there are your access lists. Once an intruder has figured out what type of firewall you’re running, they’ll know how its access lists are constructed and will try for the common lapses in configuration. If you need to allow access to specific ports on your network from certain third-party devices, say, make sure you specify the address ranges rather than just leaving the port open to anyone. Your attacker will have no trouble finding any open ports using the likes of nmap, so make sure you pin down both source and destination addresses.
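One way to catch the lapse just described before an attacker does is to lint the access list for permit rules whose source is "any". The script below is an added example, not part of the original article; it assumes Cisco IOS-style extended ACL lines, a constructed sample ACL, and a hypothetical allow-list of ports you deliberately expose to the whole Internet (here 80 and 443).

```python
"""Lint Cisco-style extended ACL lines for ports left open to any source."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    action: str           # permit / deny
    proto: str            # ip / tcp / udp / icmp
    src: str              # "any", "a.b.c.d/32" or "a.b.c.d <wildcard>"
    dst: str
    dport: Optional[str]  # "22", "20-21", or None when no port qualifier is given
    raw: str

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq N' or 'range A B' port qualifier."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    if tokens and tokens[0] == "range":
        return f"{tokens[1]}-{tokens[2]}", tokens[3:]
    return None, tokens

def parse_acl_line(line: str) -> AclEntry:
    # access-list <number> <permit|deny> <proto> <src> [sport] <dst> [dport]
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _take_addr(t[4:])
    _sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return AclEntry(action, proto, src, dst, dport, line)

def find_open_to_anyone(lines, public_ports=frozenset({"80", "443"})):
    """Return permit rules with source 'any' whose destination port is not on
    the list of services you intentionally expose. A rule with no port
    qualifier exposes every port, so it is always flagged."""
    entries = [parse_acl_line(l.strip()) for l in lines if l.strip().startswith("access-list")]
    return [e for e in entries
            if e.action == "permit" and e.src == "any" and e.dport not in public_ports]

# Constructed sample: a router ACL with two of the lapses the text warns about
# (SNMP and FTP reachable from anywhere; SSH correctly pinned to one range).
SAMPLE_ACL = """
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 101 permit udp any host 203.0.113.1 eq 161
access-list 101 permit tcp any host 203.0.113.20 range 20 21
access-list 101 deny ip any any
""".strip().splitlines()

if __name__ == "__main__":
    for e in find_open_to_anyone(SAMPLE_ACL):
        print(f"open to anyone on port {e.dport or 'ALL'}: {e.raw}")
```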
A determined attacker will probably find a way into your network with enough time and effort. However, many casual troublemakers will be put off pretty easily and go looking for someone else to bother. A few simple changes might make the difference between whether it’s your network or someone else’s that’s targeted.