4 September 2013, 15:37

In this post we're going to dig deeper into Firewall Analysis, with a special focus on IPv6.


This post relies heavily on two previous posts: IPv6 Simple Security and IPv6 Stateful Firewall. Please have a look at them for the basics.

 

 

Why Firewall Analysis

Where Firewall Testing only aims to check the results of a particular model / configuration (open addresses and ports, ingress/egress filtering, resistance to DoS, security features), the goal of Firewall Analysis is to understand how a particular model works: its inner functioning.


Here is an example: since most network routers have a stateful firewall, it is hard to tell whether an incoming packet was allowed in by virtue of the inbound policy, or because a state entry was created by a previous outgoing flow. Think of an ICMPv6 Echo Reply: does it get in because an outbound Echo Request was sent first?
Or an inbound ICMPv6 Time Exceeded triggered by an outbound TCP segment with a too-short hop limit (the IPv6 equivalent of the TTL)?


Firewall Analysis aims at discovering the inner functioning of a firewall.
We're going to look at some ways to study how an IPv6 firewall handles ICMPv6.

 

 

Practical Test Lab

 
We're going to trigger five types of ICMPv6 messages: Echo Reply; Time Exceeded (hop limit exceeded) caused by an Echo Request; Time Exceeded (hop limit exceeded) caused by an outbound TCP port 80 request; Destination Unreachable (no route to destination) caused by an Echo Request; and Destination Unreachable (no route to destination) caused by an outbound TCP request.

Here is the setup :

[ Figure S6e.gif : test lab setup ]

 

Router1 is the router under test. PC1 will issue requests and monitor replies with Wireshark. OS Router is a general-purpose OS configured as an IPv6 router, running Wireshark and a packet replay tool (Ostinato).


Please read this post for an example of turning a Windows OS into an IPv6 Router.


To trigger an ICMPv6 Echo Reply, we just need PC1 to ping OS Router:

ping [ OS Router IPv6 LAN address ]


To trigger an ICMPv6 Time Exceeded (hop limit exceeded), we'll have PC1 ping OS Router with a too-short hop limit (Windows ping; -i sets the TTL / hop limit there, whereas on Linux -i is the interval and -t sets the TTL):

ping -i 2 [ OS Router IPv6 LAN address ]


To trigger an ICMPv6 Time Exceeded (hop limit exceeded) caused by an outbound TCP port 80 request, we'll set PC1's hop limit to 2 ([Idx] is the interface index shown by "netsh int ipv6 show int"):

netsh int IPv6 set int [Idx] currenthoplimit=2

and open a web browser on PC1, using the web server's IPv6 address in the address bar. Please note two things:
. We use the IPv6 address of the web server to bypass any DNS resolution.
. The currenthoplimit setting in Windows seems volatile (it reverts after about 5 s). One candidate explanation is that Windows applies the Cur Hop Limit carried in Router Advertisements (RFC 4861); checking the RA interval in Wireshark would confirm it. Either way, a script is needed to re-apply the command in a 2 s loop. Here is a short batch file for this (replace 12 with your interface index):

@ECHO OFF
REM Re-apply the hop limit every 2 seconds, 100 times (about 200 s of testing)
for /L %%n in (1,1,100) do (
    netsh int ipv6 set int 12 currenthoplimit=2
    timeout /t 2 /nobreak >nul
)
ECHO [ Press a Key to Close ]
PAUSE

To trigger ICMPv6 Destination Unreachable (no route to destination), we can simply plug Router 2 into our CPE but keep the CPE unpowered. Then we'll ping an Internet IPv6 address and open a web browser on PC1, using an Internet web server's IPv6 address in the address bar.

We'll generate genuine ICMPv6 traffic from PC1 and monitor the inbound packets that make it back to PC1, using Wireshark on PC1:

 

[ Figure S6f.gif : Wireshark capture on PC1 of the genuine inbound ICMPv6 messages ]

We'll then do it again, but this time record on OS Router the five ICMPv6 replies (the Echo Reply and the four error messages) as they are emitted:

 

[ Figure S6g.gif : Wireshark capture on OS Router of the emitted ICMPv6 messages ]

 

We'll then be able to replay these five messages at will from OS Router, without any prior firewall state (record) having been created by an outbound flow:

 

[ Figure S6h.gif : Ostinato replay of the recorded messages from OS Router ]

 

By using packet replay, we can be sure we're sending carbon copies of genuine packets, which are perfectly well formed. For this we replay them in 'raw mode' in Ostinato (no packet dissection / analysis / re-crafting).

 

Finally, we can use packet crafting (Ostinato's packet crafter) to try to generate all the ICMPv6 message types that are hard to trigger genuinely:

 

[ Figure S6a.gif : Ostinato packet crafter ]

 

Conclusions drawn from messages generated by pure packet crafting have to be treated with caution, as the packets may be mis-crafted: a wrong ICMPv6 checksum, or a quoted invoking packet the firewall cannot match against any state, is enough to cause a drop that says nothing about the inbound policy. Raw packet replay is more reliable.

 

 

Tests Results and Analysis

 

By comparing the genuine run with the replayed run, we can see what the firewall lets in by virtue of a state and what it lets in by virtue of its inbound policy: a message that comes through in both runs is allowed by policy, while one that only comes through in the genuine run is allowed by state.

We can check the stateful nature of the firewall, as well as the way it treats state-related traffic (e.g. an inbound ICMPv6 error message in response to an outbound TCP request).

By using pure packet crafting, we can spray the firewall's WAN side with every message type, to see which ones pass.
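The state-versus-policy distinction used throughout this post, worked through as an added example (this is not code from the original post, and no real firewall is being modelled): a small pure-Python model of a stateful IPv6 firewall that builds the same kind of packets the lab produces (an outbound TCP 80 SYN with hop limit 2, an Echo Request, the ICMPv6 Time Exceeded and Echo Reply coming back), parses an inbound ICMPv6 message, verifies its RFC 4443 checksum, derives the outbound flow it relates to (from the quoted invoking packet for error messages, from the identifier for Echo Reply) and reports whether it would be let in by state, by policy, or dropped. It also shows why a mis-crafted packet (one altered byte, so a bad checksum) never matches a state, which is the caveat about packet crafting above. The addresses are constructed from the 2001:db8::/32 documentation prefix and the packets are built inline, standing in for the Wireshark capture and the Ostinato replay.

```python
import ipaddress
import struct

# ICMPv6 types (RFC 4443) and IPv6 next-header values used below
ICMPV6_DEST_UNREACH, ICMPV6_TIME_EXCEEDED = 1, 3
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129
NH_TCP, NH_ICMPV6 = 6, 58

# Constructed lab addresses (RFC 3849 documentation prefix), not the post's real ones
PC1, OS_ROUTER, WEB = "2001:db8:1::10", "2001:db8:1::1", "2001:db8:2::80"

def _addr(a):
    return ipaddress.IPv6Address(a).packed

def build_packet(src, dst, next_header, payload, hop_limit=64):
    """IPv6 header (version 6, traffic class 0, flow label 0) + payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + _addr(src) + _addr(dst) + payload

def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 section 2.3 checksum over the IPv6 pseudo-header + message. Run over
    a message whose checksum field is already filled in, it returns 0 iff valid."""
    data = _addr(src) + _addr(dst) + struct.pack("!I3xB", len(icmp), NH_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmpv6_message(src, dst, icmp_type, code, rest):
    """Type, code, checksum, then the type-specific body; checksum filled in."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def build_icmpv6_error(src, dst, icmp_type, code, invoking_packet):
    """Error body: 4 unused bytes, then as much of the invoking packet as fits
    in the 1280-byte minimum IPv6 MTU (40 IPv6 + 8 ICMPv6 header bytes)."""
    rest = b"\x00" * 4 + invoking_packet[:1280 - 48]
    return build_packet(src, dst, NH_ICMPV6, icmpv6_message(src, dst, icmp_type, code, rest))

def tcp_syn(sport, dport, seq=1):
    """Minimal 20-byte TCP SYN header (TCP checksum left at 0; not needed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)

def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload), or raise ValueError."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    src, dst = (str(ipaddress.IPv6Address(pkt[o:o + 16])) for o in (8, 24))
    return src, dst, nh, pkt[40:40 + plen]

def flow_key(pkt):
    """State-table key of an outbound packet: TCP 4-tuple, or Echo Request identifier."""
    src, dst, nh, payload = parse_ipv6(pkt)
    if nh == NH_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("tcp", src, sport, dst, dport)
    if nh == NH_ICMPV6 and payload[0] == ICMPV6_ECHO_REQUEST:
        return ("echo", src, struct.unpack("!H", payload[4:6])[0], dst, 0)
    return None

def related_state_key(inbound_pkt):
    """Outbound flow key an inbound ICMPv6 message relates to, or None.
    Echo Reply: swap the addresses, keep the identifier. Errors: the quoted
    invoking packet is our own outbound packet, so key it directly.
    A bad checksum (mis-crafted packet) never matches anything."""
    src, dst, nh, payload = parse_ipv6(inbound_pkt)
    if nh != NH_ICMPV6 or len(payload) < 8 or icmpv6_checksum(src, dst, payload) != 0:
        return None
    if payload[0] == ICMPV6_ECHO_REPLY:
        return ("echo", dst, struct.unpack("!H", payload[4:6])[0], src, 0)
    if payload[0] in (ICMPV6_DEST_UNREACH, ICMPV6_TIME_EXCEEDED):
        try:
            return flow_key(payload[8:])
        except (ValueError, IndexError, struct.error):
            return None  # truncated or mangled quote: treat as unrelated
    return None

def firewall_decision(inbound_pkt, state_table, inbound_policy):
    """'state' if the message relates to a recorded outbound flow, 'policy' if a
    static inbound rule permits its ICMPv6 type, otherwise 'drop'."""
    key = related_state_key(inbound_pkt)
    if key is not None and key in state_table:
        return "state"
    _, _, nh, payload = parse_ipv6(inbound_pkt)
    if nh == NH_ICMPV6 and payload and payload[0] in inbound_policy:
        return "policy"
    return "drop"

def demo():
    """The post's experiment in miniature: genuine run (state exists) vs raw replay (none)."""
    echo = struct.pack("!HH", 0x1234, 1)  # identifier, sequence
    syn = build_packet(PC1, WEB, NH_TCP, tcp_syn(50000, 80), hop_limit=2)
    req = build_packet(PC1, OS_ROUTER, NH_ICMPV6, icmpv6_message(PC1, OS_ROUTER, ICMPV6_ECHO_REQUEST, 0, echo))
    state = {flow_key(syn), flow_key(req)}  # what the firewall recorded on the way out
    time_exceeded = build_icmpv6_error(OS_ROUTER, PC1, ICMPV6_TIME_EXCEEDED, 0, syn)
    reply = build_packet(OS_ROUTER, PC1, NH_ICMPV6, icmpv6_message(OS_ROUTER, PC1, ICMPV6_ECHO_REPLY, 0, echo))
    bad = bytearray(time_exceeded)
    bad[56] ^= 0xFF  # 40 + 8 + 8: first byte of the quoted source address, checksum now wrong
    return {
        "genuine": firewall_decision(time_exceeded, state, set()),
        "echo_reply": firewall_decision(reply, state, set()),
        "replay": firewall_decision(time_exceeded, set(), set()),
        "replay_with_policy": firewall_decision(time_exceeded, set(), {ICMPV6_TIME_EXCEEDED}),
        "miscrafted": firewall_decision(bytes(bad), state, set()),
    }
```

Calling demo() gives the verdicts of the four situations discussed on this page: the genuine Time Exceeded and Echo Reply are accepted by state, the same bytes replayed with no prior outbound flow are dropped unless a static inbound rule permits that type (in which case the verdict is policy, which is exactly what the replay run is meant to reveal), and the mis-crafted copy is dropped whatever the state table contains. A real firewall additionally checks that the quoted invoking packet's addresses are consistent with the outer header and may rate-limit errors, but the state lookup it performs is the one modelled here.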

 

A few practical tips

 

To replay raw packets using Wireshark and Ostinato:

 

Using Wireshark, export the packets:

. Edit > Mark Packet (on each packet to replay)

. File > Export Specified Packets...

. Format: Wireshark/tcpdump/... - libpcap (the second choice in the list)

. Packet range: Marked packets

 

Using Ostinato, import the Wireshark-saved packets:

. File > Open Streams

. Uncheck "intelligent import" (so the packets are kept as raw bytes, not re-crafted)

 

Published by computer outlines - in IPv6