April 27, 1998, Issue: 786
Section: Test Center
Denial-Of-Service Attacks Bring Down Even The Most
Secure Systems; Resellers Must Be Vigilant
In evaluating the firewalls, the CRN Test Center used multiple levels of testing to identify vulnerabilities in the network architecture or configuration of the operating system and firewall.
Internal and external attacks were launched, and the entire network was probed to determine if additional network or device information could be obtained. Finally, a set of denial-of-service attacks
was launched to see if any of the devices on the network could be brought down.
The Test Center used Internet Security Systems' SAFEsuite security assessment tools to create different test series, graphically depicted on the adjacent firewall vulnerability chart. The test
series is arranged to delineate the point of vulnerability, the point at which the firewall fails all subsequent tests. The purpose of each test series and the assessment tools used are defined
- Platform Attack: This is a series of attacks launched from the outside that tests for vulnerabilities in the operating system hosting the firewall. SAFEsuite tests included in this series are
services scan, network management system data, port scanning, banner checking, SNMP information and DNS connectivity.
- Web Attack: This is a series of attacks for Web server vulnerabilities, launched from the outside. This test series employs the same SAFEsuite assessment tools used in the platform
- Outside Probe: The network is probed from the outside for any additional network or device information, such as routing, SNMP and internal interface information.
- Inside Probe: This test series examines the network from the inside, looking for vulnerabilities in the firewall. The SAFEsuite tests used for this series include services scan and
external penetration, which attempts to connect to machines on the external side of proxy servers and services.
- Firewall Denial of Service: This is series of denial-of-service attacks on the firewall. SAFEsuite tests used include UDP Bomb and Flood, Finger Bomb, Ping Bomb, Out Of Band, Teardrop,
Inetd, Echo and Chargen, DNS, SYN Storm, Data Flood, Open/Close and ICMP Redirects.
- Web Denial of Service: The Web server is subjected to an onslaught of denial-of-service attacks to see how well the firewall protects the Web server. This test series employs the same
SAFEsuite assessment tools used in the firewall denial-of-service attack.
Check Point, Digital, Raptor and Secure Computing were the best at thwarting attacks and probes. Of the four, Check Point and Raptor were a cut above the rest, with their extreme robustness
allowing them to endure heavy denial-of-service attacks. These two products repelled the very latest attack methods and generally are the first products to offer patches for new problems.
Digital and Secure Computing had some DNS and FTP issues that, while not specifically considered security holes, create footholds for hackers. For example, AltaVista's DNS service allows zone
transfers and inverse lookups, permitting hackers to "see" more of a network than they should.
Secure Computing overwrites its log when it gets full, so hackers can hide their tracks by continuing to send enough information after they are done hacking to cover up log evidence.
Internet Dynamics could handle a denial-of-service attack made on the firewall but not the Web server. Standard denial-of-service attacks were able to bring down the system, and the default
configuration allowed FTP and HTTP traffic through to the other side of the firewall.
Designed more as a proxy server than a firewall, Computer Software Manufaktur (CSM) did not provide enough security and lockdown, and it offered little guidance for the administrator in how to
make it secure.
Microsoft's Proxy Server did a great job, except for denial-of-service attacks on itself and the Web server. Denial-of-service attacks were successful on Proxy Server largely because the firewall
could not handle the volume of data thrown at it using standard attack techniques.
Guardian allowed engineers and the visiting reseller to see specific information that should not have been revealed, such as more services than those enabled by the firewall software. Guardian's
protection from the inside was the weakest, trusting inside users a bit too much.
Network-1 was able to stop platform attacks, but inside and outside services were revealed to engineers when the firewall was subjected to advanced stealth scanning techniques.
Failing the platform attack means that the vendor made no attempt to harden, or secure, the operating system. The CRN Test Center considers this to be a serious flaw.
To make matters worse, CSM, the only vendor to fail this test, offered little guidance during the installation process and the documentation had little advice on operating-system hardening.
None of the firewalls tested were able to survive the onslaught of a denial-of-service attack. This is why constant monitoring is of the utmost importance.