Misconfigurations in networks occur in numerous ways and for many different reasons. They are often due to the fact that only the usual default settings are used, combined with a lack of awareness that these defaults already contain security misconfigurations by nature. In the following, we will show you how this also applies to firewall configurations.
Two common firewall misconfigurations: bind shell and whitelisting
Let’s first take a look at the danger of closed ports. Most companies rely on their organizational domain firewall and tend to turn off the firewall at the local machine level. As a result, they often neglect careful firewall maintenance. This is easily seen in how the ports required by services and applications are handled: they are usually opened on request by the IT department or the network team at the company firewall. A port can be in one of three states:
- Open port: The application or service is executed and accepts connections via the port.
- Filtered port: A firewall or filter blocks the port. This can be a server firewall, a network firewall, a router or another security device, for example.
- Closed port: This indicates that an application or service is not actively searching for connections on this port. However, a closed port can be opened at any time when an application or service is started.
Over time, many services or applications are removed or deleted from an end device. However, the local firewall rule that allows connections to these ports is often neglected and left in place; the port then merely appears “closed” because the application is no longer listening for connections, rather than being filtered. An attacker can therefore bring such a closed port back into use: a malicious program listening on it is reachable from the attacker’s “attack box”, which can then issue commands through that connection. This is called a bind shell.
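The audit that catches this condition is to compare the host’s enabled inbound allow rules with the sockets that are actually listening: an allow rule whose port has no listener is exactly the “closed but still permitted” port described above. The following is an added example, not code from the original post or from genesis.swiss; the firewall rules and the netstat-style lines are constructed sample data (the rule names, ports and PIDs are hypothetical), and on a real Windows host you would feed in the exported firewall rules and the output of `netstat -ano` instead.

```python
from dataclasses import dataclass

# Constructed sample data: inbound allow rules as a local firewall might hold them.
@dataclass(frozen=True)
class AllowRule:
    name: str
    protocol: str  # "TCP" or "UDP"
    port: int
    enabled: bool = True

@dataclass(frozen=True)
class Listener:
    protocol: str
    port: int
    pid: int

SAMPLE_RULES = [
    AllowRule("File and Printer Sharing (SMB-In)", "TCP", 445),
    AllowRule("Legacy App (TCP 8443)", "TCP", 8443),   # app was uninstalled, rule remained
    AllowRule("Remote Desktop (TCP-In)", "TCP", 3389, enabled=False),
    AllowRule("mDNS (UDP-In)", "UDP", 5353),
]

# Constructed lines in the style of Windows `netstat -ano` (hypothetical PIDs).
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     4",
    "  UDP    0.0.0.0:5353           *:*                                    2244",
]

def parse_netstat(lines):
    """Extract listening sockets from netstat-style lines.
    TCP sockets count only in LISTENING state; bound UDP sockets always
    count because UDP has no connection state column."""
    listeners = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        port = int(parts[1].rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners.append(Listener(proto, port, pid))
    return listeners

def classify_ports(rules, listeners):
    """Map (protocol, port) -> (state, rule name or None, pid or None).
    'open'            : allowed by a rule and a process is listening
    'stale-allow'     : allowed by a rule but nothing listens (the risky case)
    'listening-filtered': a process listens but no enabled rule allows it"""
    allowed = {(r.protocol.upper(), r.port): r for r in rules if r.enabled}
    listening = {(l.protocol.upper(), l.port): l for l in listeners}
    result = {}
    for key, rule in allowed.items():
        if key in listening:
            result[key] = ("open", rule.name, listening[key].pid)
        else:
            result[key] = ("stale-allow", rule.name, None)
    for key, lst in listening.items():
        if key not in allowed:
            result[key] = ("listening-filtered", None, lst.pid)
    return result

def stale_allow_rules(rules, listeners):
    """Names of enabled allow rules whose port has no listener, sorted."""
    return sorted(name for state, name, _ in classify_ports(rules, listeners).values()
                  if state == "stale-allow")

if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for key, (state, rule, pid) in sorted(classify_ports(SAMPLE_RULES, found).items()):
        print(f"{key[0]}/{key[1]:<5} {state:<20} rule={rule} pid={pid}")
    print("Stale allow rules to review:", stale_allow_rules(SAMPLE_RULES, found))
```

In the sample data the SMB rule is genuinely in use, the disabled RDP rule is ignored, and port 135 listens without an explicit rule; only the leftover “Legacy App” rule is reported as a stale allow, which is the entry a firewall review should remove or disable. Run the comparison periodically and alert on new `stale-allow` entries so that a rule which outlives its application does not stay permitted indefinitely.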
The practice of whitelisting services and applications is another common source of dangerous misconfigurations. Whitelists are a type of filter that classifies the email addresses, IP addresses and domains on the list as particularly secure and reputable. Overly liberal whitelisting policies can be exploited by attackers to extract NTLM password hashes or even plaintext passwords of domain or local users from the LSASS process. This means that attackers are able to compromise a computer via a critical remote code execution vulnerability without prior authentication and then further abuse the domain.
Automated penetration tests detect misconfigurations
If your network suffers from unnoticed, unvalidated and unmonitored closed ports or outdated whitelisting policies, it is exposed to far-reaching risks, especially if neither the IT department nor the vulnerability scan can detect the misconfigurations. Automated Security Validation provides a best-in-class methodology to uncover your own network’s misconfigurations and mimic real-world attack vectors, avoiding false positives and prioritizing patches. The use of automated penetration tests makes your IT specialists’ work easier, saves human resources and protects your company from cyber attacks in the best possible way.
Here you will find additional information:
- IT security management against cyber attacks | genesis.swiss
- If you don’t test your security controls, someone else will do it for you – genesis.swiss
We will be happy to advise you. Get in touch with us without obligation.