NETGEAR-FVX538 - Fabrizio Celli

Contents

1. NETGEAR FVX538 Relation. Fabrizio Celli, Fabio Papacchini, Andrea Gozzi. 2008.

Abstract
Chapter 1 Introduction
Chapter 2 LAN
2.1 LAN Configuration
2.1.1 First experiment: DoS attack
2.1.2 Second experiment: MAC filter
2.1.3 Third experiment: MitM attack
2.1.4 Fourth experiment: switch infinitive loop
Chapter 3 WAN
3.1 WAN Configuration
3.1.1 Hping attack
3.1.2 Port Scan
Chapter 4 VPN
4.1 VPN Configuration
4.1.1 Sniffing VPN startup

Summary

Firewall; Router; IDS; IPS; Content Filtering; ISO/OSI level of work; Antivirus; Anti-Spyware; Wireless; DMZ hardware port; DMZ policy configuration; memory (DRAM); CPU speed; LAN-to-WAN throughput; Real throughput; VPN IPSec throughput; Load balancing; Classical routing mode; Static IP assignment; Remote logging. yes yes yes yes. need daily updates. in this forum you need to register your product. Business policy: NETGEAR's policy aims to equip all models with the same security features. What changes is the computing power and the data-processing ability. Internal spanning tree: no, in fact a simple loop on the switch causes a crash. External port scan: the firewall logs external port scans but it doesn't block them. We obtained a list of all open ports on the WAN interface. Tor usage: block or log
2. exchange, but all the conversation is ciphered, so an attacker can only try a ciphertext-only attack. DoS attack from LAN; MitM from LAN; Switch infinitive loop; MAC filtering; DMZ policies; TOR; DoS attack from WAN; Port scan from LAN and WAN; VPN configuration; VPN traffic measurement; VPN sniffing (startup); VPN sniffing (communication).

Chapter 1 Introduction

The ProSafe Dual WAN VPN Firewall FVX538 offers a complete security solution for small and medium-sized companies. This stateful packet inspection (SPI) firewall is equipped with support for up to 200 security associations (VPN tunnels). The FVX538 can serve as a DHCP server, supports Simple Network Management Protocol (SNMP) and Quality of Service (QoS), and has a powerful SPI firewall to protect PCs against intruders and most common Internet attacks. Featuring eight 10/100 Mbps LAN ports, one Gigabit LAN port and two 10/100 WAN ports, the VPN Firewall FVX538 lets multiple computers share two Internet connections. The dual WAN ports let you connect a second Internet line as a backup to ensure that you're never disconnected. One LAN port can be dedicated as a hardware DMZ port for safely providing services to the Internet without compromising security on your LAN.

Specification

As mentioned, the VPN Firewall FVX538 is equipped with eight 10/100 Mbps LAN ports, a Gigabit LAN port and a designated port that can be dedicated to configuring a DMZ. In addition there are two WAN ports
3. [Screenshots: VPN policy page (Traffic Selection with start/end IP address and subnet mask; Manual Policy Parameters; Auto Policy Parameters with SA Lifetime, Encryption Algorithm, Integrity Algorithm, PFS Key Group, Select IKE Policy) and IKE policy page (General; Mode Config Record; Local and Remote identifiers; IKE SA Parameters with Encryption Algorithm, Authentication Algorithm, Authentication Method (Pre-shared key or RSA-Signature), Diffie-Hellman (DH) Group, SA Lifetime, Dead Peer Detection; Extended Authentication (XAUTH) Configuration)]

4.1.1 Sniffing VPN startup

Our VPN has been built over IPSec. The encryption algorithm used is 3DES and the authentication me
4. kbserver netgear com kb web files customer service main htm it is possible to request information about a product or a feature from competent staff. The forum (http://forum1.netgear.com/index.php) allows users to exchange information and opinions about products and works as a community where anyone can learn new things through public discussions.

Products Comparison

It's easy to guess that NETGEAR's policy aims to equip its four models of Wired VPN Firewalls with the same security features. What changes is the computing power and the data-processing ability. We can see that all four models provide SPI functionality to prevent DoS attacks, NAT/PAT, QoS, DMZ, VPN IPsec and logging (SYSLOG), but, for example, the VPN Firewall FVS318 offers the possibility to configure eight dedicated VPN tunnels, while the FVX538 offers 200. However, the differences are especially in terms of performance: we can see a strong difference in throughput, memory, processor, etc.

Chapter 2 LAN

2.1 LAN Configuration

As we said in the introduction, this firewall considers the LAN as trusted, so we tried to carry out some attacks to verify this assertion. We configured the LAN as follows:

[Network diagram labels: 192.168.1.4; 192.168.1.2; 192.168.1.3; Ubuntu 8.04; Windows Vista]

The IP addresses have been configured as static IPs.

2.1.1 First experiment: DoS attack

192.168.1.4 started to send a continuous flow of large pac
5. its products.

Firmware Update and Product Registration

Because the ProSafe VPN Firewall FVX538 is not an IDS or an IPS, there is no need to frequently update a database of attacks. So NETGEAR offers only updates of the product's firmware, with variable frequency (sometimes a month, sometimes two). These updates can be downloaded from the site without registering the product. Registration is not necessary to obtain this benefit; it only gives access to phone support and facilities on the other NETGEAR products on the market.

Support Page: http kbserver netgear com products FVX538v2 as

For each NETGEAR product there is a support page that can be useful to users for various reasons. It contains links to the newly released firmware versions, with a description of the bugs fixed by each version and of those known but not yet resolved, and the versions can be downloaded from it. There are also different examples of firewall configuration (for example, configuring a VPN, using the Multi-NAT feature, or port forwarding), so everything that a non-expert user may need, and the procedure to follow when a firmware update fails is also described. All the product's documents, such as the user manual and the installation guide, are also available.

Forum and Customer Service

Finally, an online Customer Care and a discussion forum are available. By the Customer Care http
6. PRIMARY DNS 200.34.11.101

[Network diagram labels: DMZ WEB SERVER; 192.168.1.3; 192.168.2.3; Windows Vista; 192.168.1.7; Windows Vista; Ubuntu; simulated public address 200.34.11.103]

CONNECTIVITY
LAN > DMZ: yes
DMZ > LAN: no
WAN > DMZ: yes (200.34.11.103 8000 biblionextgen2)
DMZ > WAN: no
LAN > LAN: yes
LAN > WAN: yes

[Screenshots: DMZ Port Setup (enable DMZ port, IP address, subnet mask, DHCP for DMZ-connected computers, LDAP information); DMZ/WAN rules with Outbound Services and Inbound Services (entry shown: Allow always, 192.168.2.3, 200.34.11.103, Never); WAN1 ISP Settings]
7. a dirty solution, because it limits the users that can connect to the LAN by statically setting the IP-MAC correspondence. In this case we blocked all attacks, because 192.168.1.4 was no longer able to connect to the LAN.

2.1.3 Third experiment: MitM attack

To tell the truth, 192.168.1.4 is a very malevolent user, so he decided to use ETTERCAP NG-0.7.3 to carry out a Man-in-the-Middle attack. 192.168.1.4 scans all the hosts of the LAN and decides to attack 192.168.1.2: he puts himself between 192.168.1.2 and the firewall, so he starts a passive MitM. In this way he was able to read all packets between the firewall and the target and to decide to block some of them; so, starting Apache 2.2 on 192.168.1.2, the attacker can carry out a simple DoS by blocking the forwarding of the answers of 192.168.1.2.

[Screenshot: ettercap NG-0.7.3 window with the host list, Target 1 192.168.1.2, Target 2 192.168.1.1, and the "MITM Attack: ARP Poisoning" dialog]

Scanning the whole netmask for 255 hosts
2 hosts added to the hosts list
Randomizing 255 hosts for scanning
Scanning the whole netmask for 255 hosts
3 hosts added to the hosts list
Host 192.168.1.2 added to TARGET1
Host 192.168.1.1 added to TARGET2

2.1.4 Fourth experiment: switch infini
8. carrying a load balancing automatically. Finally, it has a serial port to support a CLI (command-line interface).

Looking at the security features, we can state that the VPN Firewall FVX538:
- is an SPI firewall: it offers Stateful Packet Inspection to prevent notorious denial-of-service (DoS) attacks. This service is supported by logging activities that allow alarms to be reported, optionally by e-mail. The firewall also offers Web URL keyword filtering, to prevent the so-called reassembly attack, and port/service blocking;
- supports the VPN feature, with the opportunity to set up 200 dedicated VPN tunnels;
- supports perfect forward secrecy;
- implements policies for IP security with IPsec-based algorithms: 56-bit DES, 168-bit 3DES or 256-bit AES;
- supports one-to-one and many-to-many Multi Network Address Translation and classical routing, and it has no restriction regarding the use of ports by the users;
- supports different modes of IP address assignment, such as static assignment, DHCP server on the internal LAN, DHCP client on the WAN, and PPPoE client support.

Warranty: http://www.netgear.com/warranty

Since May 1, 2007 NETGEAR has been offering a lifetime warranty on its ProSafe products. This means that when a client buys a ProSafe product, NETGEAR undertakes to replace the product in case of fault, requiring only an original proof of purchase. In this way NETGEAR demonstrates its certainty about the reliability of
9. kets, using the hping3 tool, with the destination IP address equal to the IP address of the firewall (192.168.1.1). In a short time the firewall's memory was saturated and it stopped working: the DoS attack was successful. In particular, we tried a SYN flood attack after having blocked this kind of attack inside the firewall using default rules:

    hping3 -S -i u1 192.168.1.1

where the parameters have the following meaning: -S sends TCP packets with the SYN flag set; u1 sends a packet every millisecond. After a few seconds we were no longer able to access the firewall by browser (192.168.1.1) or to connect our machines to the Internet.

We then tried to send UDP packets, after activating the limit on the maximum number of UDP connections inside the firewall. The command is:

    hping3 -2 -i u1 192.168.1.1

where the -2 option is used to send UDP packets. As we expected, the firewall did not prevent this new attack either, and its memory filled up again in a very short time. Another attempt was made by sending ICMP packets (-1 option), with results similar to the previous ones.

CONCLUSION: this firewall considers the LAN as trusted, and this was foreseeable because it is only a switch, so it blocks only attacks from/to the WAN. In this way a malevolent user inside the LAN can execute a DoS attack against every other user of the LAN, and carry out MitM attacks and sniffing.

2.1.2 Second experiment: MAC filter

We tried to avoid these attacks using the firewall's MAC filter: this is
10. ng with the DMZ IP address as target, we realized that the firewall does not send packets to the server, but its memory goes down anyway. This happens because we are using a stateful firewall, so it does not send any packet to the destination until it receives the last ACK of the three-way handshake.

CONCLUSION: this firewall does not block the Hping attack.

3.1.2 Port Scan

The firewall logs external port scans but it doesn't block them. We obtained the list of all open ports on the WAN interface and the uptime.

Chapter 4 VPN

4.1 VPN Configuration

[Network diagram labels: IP ADDRESS 200.34.11.106, IP SUBNET MASK 255.255.255.0; UBUNTU SNIFFER; IP ADDRESS 200.34.11.101, IP SUBNET MASK 255.255.255.0; Windows Vista; IP ADDRESS 200.34.11.102, IP SUBNET MASK 255.255.255.0, GATEWAY 200.34.11.101, PRIMARY DNS 200.34.11.101; DMZ WEB SERVER; 192.168.1.3; 192.168.2.3; Windows Vista; 192.168.1.7; Windows Vista; Ubuntu; 200.34.11.103]

We set up the VPN using the Netgear VPN client software on the external host. As far as the firewall is concerned, the configuration is the following:

[Screenshot: Edit VPN Policy page ("Operation succeeded"): General (policy name, policy type, local gateway WAN1/WAN2, remote endpoint 200.34.11.101, Enable NetBIOS, Enable RollOver, Enable Keepalive); Traffic Selection (local IP, remote IP)]
11. [Screenshot, continued: WAN1 ISP Settings (ISP login, ISP connection type, Internet IP address, Domain Name Server (DNS) servers); static IP address configured with IP subnet mask 255.255.255.0 and gateway IP address 200.34.11.101]

3.1.1 Hping attack

200.34.11.101 started to send a continuous flow of large packets, using the hping3 tool, with the destination IP address equal to the WAN IP address of the firewall (200.34.11.102). The firewall's memory is immediately saturated. In particular, we tried a SYN flood attack after having blocked this kind of attack inside the firewall using default rules:

    hping3 -S -i u1 200.34.11.102

So we decided to verify whether this firewall is able to block this kind of attack. In the security section we selected the "block TCP flood" option (we can't set anything else). We repeated the attack, but the firewall's memory was saturated again. We wrote on NETGEAR's forum, but no one has been able to solve this problem, which is maybe a bug of this firewall. Starting Hpi
12. thod is based on a pre-shared key. 200.34.11.106 is connected to a hub, so it can listen to all traffic exchanged between the firewall and the external host. To tell the truth, the hub is not necessary: if we had a switch, we could still sniff by doing ARP poisoning, for example with ETTERCAP. The result of this experiment is that we sniffed the conversation and also the password exchange, but all the conversation is ciphered, so an attacker can only try a ciphertext-only attack.

Frame 2 (447 bytes on wire, 447 bytes captured)
Ethernet II, Src: Netgear_3b:e9:79 (00:1e:2a:3b:e9:79), Dst: QuantaCo_9b:77:62 (00:1b:24:9b:77:62)
Internet Protocol, Src: 200.34.11.102 (200.34.11.102), Dst: 200.34.11.101 (200.34.11.101)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 4066219770008210
    Responder cookie: 6259D56304321C51
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
    Message ID
    Length: 405
    Security Association payload
    Key Exchange payload
        Next payload: Nonce (10)
        Payload length: 132
        Key Exchange Data (128 bytes / 1024 bits)
    Nonce payload
        Next payload: Identification (5)
        Payload length: 20
        Nonce Data
13. tive loop

We carried out the following experiment to saturate the firewall. We connected a single Ethernet cable to the switch in order to create a loop. Then we also connected a PC to the switch and executed a ping on the firewall interface. A great quantity of traffic started to run inside the loop, so that the firewall was immediately saturated and it was no longer possible to access the configuration page. This is a screenshot of Wireshark:

No.  Time       Source             Destination        Protocol  Info
1    0.000000   192.168.1.2        192.168.1.1                  Standard query A teredo.ipv6.microsoft.com
3    4.855586   Quantaco_9b:77:62  Netgear_3b:e9:7a   ARP       Who has 192.168.1.1? Tell 192.168.1.2
4    4.855971   Netgear_3b:e9:7a   Quantaco_9b:77:62  ARP       192.168.1.1 is at 00:1e:2a:3b:e9:7a
5    38.625462  192.168.1.2        192.168.1.1        ICMP      Echo (ping) request
6    43.450039  192.168.1.2        192.168.1.1        ICMP      Echo (ping) request
7    43.465545  Quantaco_9b:77:62  Netgear_3b:e9:7a   ARP       Who has 192.168.1.1? Tell 192.168.1.2
8    43.465752  Netgear_3b:e9:7a   Quantaco_9b:77:62  ARP       192.168.1.1 is at 00:1e:2a:3b:e9:7a
9    48.083295  192.168.1.2        192.168.1.1        ICMP      Echo (ping) request
10   52.716497  192.168.1.2        192.168.1.1        ICMP      Echo (ping) request

Chapter 3 WAN

3.1 WAN Configuration

We configured a PC on the WAN1 port and we put a web server on the DMZ port.

[Network diagram labels: IP ADDRESS 200.34.11.101, IP SUBNET MASK 255.255.255.0; IP ADDRESS 200.34.11.102, IP SUBNET MASK 255.255.255.0, GATEWAY 200.34.11.101]
