why penetration test? firewall is not secure enough?

Tuesday, December 9th, 2008

A few days ago someone visited our website after searching in Google “why penetration test? firewall is not secure enough?“. We are going to dedicate this post just to that topic.

A firewall is a device connected to two different networks and with a number of rules which determine what traffic goes from one network to the other and vice versa. That simple. For example, a recommended configuration for a firewall protecting a web server is to filter all inbound and outbound network traffic by default, allowing only inbound traffic to your web server port (TCP/80).

Firewall protecting web server at the network layer

No doubts this is a good configuration which will protect the web server from many attacks. The firewall will filter network access to many services, but the question is “why penetration test? firewall is not secure enough?”. Well, the answer is “no”, with just a firewall the above environment is not secure enough. A firewall is always going to allow some traffic, otherwise it would be better removing the firewall and having both networks disconnected.

In the configuration above the firewall allows connectivity to the web server, therefore an attacker targeting the website will have full network access to it. The firewall will do very little to protect the web application.

So back to the question, “why penetration testing?”. Penetration testing is a method of assessing the security of a system or network by emulating a real attack scenario whereby a security consultant assumes the role of a motivated but non destructive ‘hacker’. In the scenario above a penetration test will highlight any misconfiguration on the firewall and, what it’s more important in this case, will identify any vulnerability affecting your website which could be exploited by remote attackers.

In summary, a firewall is a great security tool which can protect your infrastructure from some threats, but they certainly can not protect you from everything. Additially, penetration testing can be beneficial to assure that your systems and applications are secure.

Tags: firewall, penetration test, Penetration Testing, web server security
Posted in Penetration Testing | No Comments »

Penetration testing, antivirus, firewalls and false sense of security

Sunday, November 9th, 2008

False sense of security is an ongoing issue. Fueled by inaccurate marketing strategies promising the ultimate security product and convincing clients that their product will make your system immune to every single attack.

Security professionals are used to hear all kind of comments from clients caught up by false sense of security; the three most common mistakes are:

Client - My application must be secure, it is running over SSL.
Penetration tester - That’s good, your IDS will not pick up my attacks.

Client - My web application must be secure, it is protected by my firewall.
Penetration tester - Sure enough your firewall is not going to filter web traffic on your web server.

Client - My server must be secure, it has an antivirus up to date.
Penetration tester - Your antivirus will only pick up known signatures, it will not pick up my custom made scripts.

We recently performed a back box web application peneration test for a client who expresed (before the penetration test) how secure his application was as he deployed SSL on the application layer, antivirus on the server and everything was protected using a firewall.

During the penetration test we managed to find a page which allowed uploading arbitrary files to the web server. When we tried to upload some of the standard web shells we saw how the antivirus was detecting them and removing them from the server. It is fair to say that an antivirus in this case provides a very thin layer of security. After doing some modifications to the scripts we easily bypassed the antivirus protection.

In this example achieving command execution required another step as the user the web server was running as had not enough privileges. However, it was easy enough finding a high privilege username/password for the MS SQL database also running on the server. The next steps were:

- Creating a custom script which connected to the MS SQL database using a high privileged account.
- Enabling xp_cmdshell stored procedures, as we found it disabled.
- Enjoying command execution.

Once we got to this point it was easy to execute Metasploit Meterpreter to bypass firewall protection, tunneling services over HTTP.

In conclusion, SSL, antivirus and firewalls are essential parts on the security of an infrastructure, however they need to be properly implemented and they don’t protect from all kinds of attacks.

Tags: antivirus, antivirus bypass, black box, false sense of security, firewall, firewall bypass, metasploit, meterpreter, Penetration Testing, web application penetration test
Posted in Penetration Testing | No Comments »