Exploiting the firewall beachhead: A history of backdoors into critical infrastructure
There is no network security technology more ubiquitous than the firewall. With nearly three decades of deployment history and a growing myriad of corporate and industrial compliance policies mandating its use, no matter how irrelevant you may think a firewall is in preventing today’s spectrum of cyber threats, any breached corporation found without the technology can expect to be hung, drawn, and quartered by both shareholders and industry experts alike.
With the majority of north-south network traffic crossing ports associated with HTTP and SSL, corporate firewalls are typically relegated to noise suppression – filtering or dropping network services and protocols that are not useful or required for business operations.
From a hacker’s perspective, with most targeted systems providing HTTP or HTTPS services, firewalls have rarely been a hindrance to breaching a network and siphoning data.
What many people fail to realise is that the firewall is itself a target of particular interest – especially to sophisticated adversaries. Sitting at the very edge of the network and rarely configured or monitored for active compromise, the firewall represents a safe and valuable beachhead for persistent and targeted attacks.
The prospect of gaining a persistent backdoor to a device through which all network traffic passes is of insurmountable value to an adversary – especially to foreign intelligence agencies. Just as all World War I combatant sides sent intelligence teams into the trenches to find enemy telegraph lines and splice-in eavesdropping equipment, or the tunnels that were constructed under the Berlin Wall in the early 1950s to enable U.K. and U.S. spy agencies to physically tap East German phone lines, today’s communications traverse the Internet, making the firewall a critical junction for interception and eavesdropping.
The physical firewall has long been a target for compromise, particularly for embedded backdoors. Two decades ago, the U.S. Army sent a memo warning of backdoors uncovered in the Checkpoint firewall product by the NSA with advice to remove it from all DoD networks. In 2012, a backdoor was placed in the Fortinet firewalls and products running their FortiOS operating system. That same year, the Chinese network appliance vendor Huawei was banned from all U.S. critical infrastructure by the federal government after numerous backdoors were uncovered. And most recently, Juniper alerted customers to the presence of unauthorised code and backdoors in some of its firewall products – dating back to 2012.
State-sponsored adversaries, when unable to backdoor a vendor’s firewall through the front-door, are unfortunately associated with paying for weaknesses and flaws to be introduced – making it easier to exploit at a later date. For example, it is largely reported that the U.S. government paid OpenBSD developers to backdoor their IPsec networking stack in 2001, and in 2004, $10 million was reportedly paid to RSA by the NSA to ensure that the flawed Dual_EC_DRBG pseudo-random number-generating algorithm be the default for its BSAFE cryptographic toolkit.
If those vectors were not enough, as has been shown through the Snowden revelations in 2013 and the Shadow Brokers data drop of 2016, government agencies have a continuous history of exploiting vulnerabilities and developing backdoor toolkits that specifically target firewall products from the major international infrastructure vendors. For example, the 2008 NSA Tailored Access Operations (TAO) catalogue provides details of the available tools for taking control of Cisco PIX and ASA firewalls, Juniper NetScreen or SSG 500 series firewalls, and Huawei Eudemon firewalls.
Last but not least, we should not forget the inclusion of backdoors designed to aid law enforcement – such as “lawful intercept” functions – which, unfortunately, may be controlled by an attacker, as was the case in the Greek wire-tapping case of 2004-2005 that saw a national carrier’s interception capabilities taken over by an unauthorised technical adversary.
As you can see, there is a long history of backdoors and threats that specifically target the firewall technologies the world deploys as the first-pass for security to all corporate networks. So is it any surprise that as our defense-in-depth strategy gets stronger, and newer technologies maintain a closer eye on the threats that operate within all corporate networks, that the firewall becomes an even more valuable and softer target for compromise?
Firewalls are notoriously difficult to protect. We hope that they blunt the attacks from all attackers with the (obviously false) expectation that they themselves are not vulnerable to compromise. Now, as we increasingly move into the cloud, we are arguably more exposed than ever to backdoors and exploitation of vulnerable firewall technologies.
Whether tasked with protecting the perimeter or operations within the cloud, organisations need increased vigilance when monitoring their firewalls for compromise and backdoors. As a security professional, you should ensure you have a defensible answer for “How would you detect the operation of a backdoor within your firewall?”