Tip: VMWare security tip re: wormhole tunnel
Posted by lotuseclat79 (Distinguished Member, Join Date: Sep 2003), 26-May-2006, 03:53 PM, #1
Software Firewalls versus Wormhole Tunnels
(and VMWare - a condensation of the article)
http://www.securityfocus.com/infocus/1831

Firewall Basics

One-dimensional coverage:
Port/IP blocking, aka stealthing incoming ports

Two-dimensional coverage, i.e. includes one-dimensional with added:
Active Intrusion Detection (IDS) or
Intrusion Prevention (IPS)

Three-dimensional coverage, i.e. includes two-dimensional with added:
Active application blocking

All that is necessary for malicious programs to bypass a firewall is for an
unfiltered incoming channel to exist. For example, libpcap can be used to
listen for inbound traffic that is supposed to be blocked. This provides
the unfiltered incoming channel, a wormhole tunnel, and with libpcap's
support for sending packets, the malicious program has a full, two-way
communications channel that completely goes underneath the firewall.

Here is what happens when VPN is added to the mix.

Most "road warriors" run a combination of firewall and VPN in order to use
resources on their home network while protecting the mobile asset. If you
have VPN, when split tunneling is disabled it ensures that all traffic is
forced through the VPN connection. If you start Ethereal and perform an
nmap scan against the local interface address (not the VPN address), the
traffic that is supposed to be blocked by both the firewall and VPN software
(i.e. invisible to VPN software) is available at the PCAP level.

In a VPN configuration, most personal firewalls are configured to drop
their shields (because all traffic is heading to and from a trusted
source), so the VPN client is, in fact, a liability because there is no
need to use a libpcap outbound wormhole-tunnel communications channel. The
firewall will happily ignore whatever packets a malicious program might
need and they go unfiltered through the "secure" VPN connection.

Is there a scenario to bypass a firewall without the use of libpcap? Yes!

Load a copy of VMWare to startup an emulated Linux environment on a Windows
box. Configure it so that the emulated network is in bridged mode.
With the firewall blocking, run an nmap scan against both the PC's IP
address and the emulated environment's IP address. The firewall will block
the PC scan, but the emulated environment will gladly respond back to the
probe attempt.

The emulated environment is using low-level network kernel access to
perform its functions to "bypass" the firewall.

If both scenarios two and three are combined, the setup will have a
workstation with a VPN connection (with split-tunnelling disabled) and also
a running VMWare client. While the VPN is engaged, the VMWare session will
have complete access to the local network. With some configuration tweaking
and some minor scripting, the VMWare client could act as a "bridge" between
the local network and the VPN target network -- something that should be
disabled when split-tunnelling is disabled.

See link above for full article and hints on protecting systems/networks

How to detect a wormhole-tunnel hack (not in article)

Execute PromqryUI from Microsoft to scan for systems that have their NICs in promiscuous mode - since some of the wormhole-tunnel hacks will end up placing an interface in this mode.

Get PromqryUI here.

-- Tom
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
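The detection tip in the post above, as an added example that is not part of the original post or of the SecurityFocus article it condenses: PromqryUI is a Windows tool, so this is the equivalent host-side check for a Linux box. It reads the kernel's interface flags for IFF_PROMISC (the bit a libpcap listener sets when it opens an interface promiscuously), parses `ip -o link` output the same way, and additionally lists neighbour-table entries whose MAC prefix is one of VMware's registered OUIs, which is how a bridged guest of the kind the post describes shows up as an extra host on the local segment. The `ip` output samples and the addresses in them are constructed for offline use; the OUI set is the publicly registered VMware list.

```python
"""Host-side check for two symptoms the thread describes:
(1) an interface in promiscuous mode (the PromqryUI tip), and
(2) bridged VM guests appearing as extra hosts on the local segment.
Added example; not code from the thread or the SecurityFocus article."""
import re
import subprocess
from pathlib import Path

IFF_PROMISC = 0x100  # Linux <linux/if.h> flag bit: interface is in promiscuous mode

# VMware-registered MAC prefixes (public OUI registry). A bridged guest appears
# on the LAN with one of these unless its MAC was deliberately changed.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Constructed sample of `ip -o link show` output (eth0 has PROMISC set).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
"""

# Constructed sample of `ip -o neigh show` output (one VMware-OUI neighbour).
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.57 dev eth0 lladdr 00:0c:29:ab:cd:ef STALE
192.168.1.80 dev eth0 lladdr 3c:22:fb:10:20:30 REACHABLE
"""

LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})", re.I
)


def promisc_from_ip_link(output: str) -> list[str]:
    """Return interface names whose <...> flag set contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promisc_from_sysfs(sys_net="/sys/class/net") -> list[str]:
    """Read /sys/class/net/*/flags directly; returns [] where sysfs is absent."""
    sys_net = Path(sys_net)
    found = []
    if not sys_net.is_dir():
        return found
    for iface in sys_net.iterdir():
        try:
            flags = int((iface / "flags").read_text().strip(), 16)  # e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(iface.name)
    return sorted(found)


def vm_guests_from_neigh(output: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs from the neighbour table whose OUI is VMware's."""
    hits = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac[:8] in VMWARE_OUIS:
            hits.append((m.group("ip"), mac))
    return hits


def run(cmd: list[str]) -> str:
    """Run a read-only `ip` query; empty string if the tool is unavailable."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # Fall back to the constructed samples when `ip` is not present on this host.
    link_out = run(["ip", "-o", "link", "show"]) or SAMPLE_IP_LINK
    neigh_out = run(["ip", "-o", "neigh", "show"]) or SAMPLE_IP_NEIGH
    print("promiscuous (ip link):", promisc_from_ip_link(link_out))
    print("promiscuous (sysfs):  ", promisc_from_sysfs())
    print("VMware-OUI neighbours:", vm_guests_from_neigh(neigh_out))
```

A promiscuous flag is only a symptom: legitimate packet capture, some bridges and some monitoring agents set it too, so treat a hit as something to reconcile against an inventory of what is supposed to be sniffing, and treat an unexpected VMware-OUI neighbour the same way as any other unknown host on the segment.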
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.