Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
support12
New Contributor III

How to bypass a Firewall Step By Step

Hi ! 1. Thanks to ssl vpn and the share power of windows. I have a netscreen that has private ip on its external interface. That interface is conected to your network and get ip thru dhcp. The internal ip has real public ip. I make a Vip to point from internal to external in other words from real ip to your lan private ip. These device make a routed vpn that end on its internal interface so traffic traverse thru internal interface from internet. In that way i can make your network visible to the internet thru your internal lan. Trick!! 2. In case that ipsec is blocked. I will use and internal pc that make and ssl vpn and shared it. The netscreen device will use that ssl vpn to reach the external firewall and make the routed vpn and walaaa. 3. In case that i can not make the ssl vpn. I will use a pc with evdo card, a pc with modem or a evdo device to access the internet and make the routed vpn. Diagram at http://nustream.com/diagram/diagram.jpg
18 REPLIES 18
MasterBratac
Contributor

That interface is conected to your network and get ip thru dhcp.
If you are able to connect a " whatever kind of evil device" to my private network, it is much easier to do anything for bypassing my security .... especialy if you connect a evdo device or modem router .... So ... where is the news?
support12
New Contributor III

I only connect to a widows pc that has 2 interface network. One for your network and the other for the netscreen device that will make the routed vpn. The windows pc will share the conection to your network to hide the netscreen device from your network. You never see my device you only will see your trust pc.
support12
New Contributor III

any ? regarding why we need a firewall ?
MasterBratac
Contributor

What would you like to tell us with this? If you have access to a windows pc and enough user rights to enable internet connection sharing, you could rather use some remote software like logmein or somthing ... From the firewalls point of view it´s also a well hidden data stream ... Or allow incomming connections on your modem .... That´s what many people misunderstand ... a firewall isn´t just a " godlike" device, that protects you from everything ... It´s a modular concept, containig of some hardware, rules for your users, policys, that they have to sign, before they sit on a PC. Limited access rights to significant data ... and so on. The point is: in all your scenarios, you must enter the office, connect some devices. That´s, what should be your problem! In a company that can´t trust it´s staff, a firewall is useless.
support12
New Contributor III

Yes. Everything is included in your last words. (In a company that can´t trust it´s staff, a firewall is useless. ) My other point it' s. A users with good understand in firewalls can make any network vulnerable using my diagram. I did my diagram to sell a device ( a NAC ) to perform authentication of who is connected. But there is no ( nac) that can stop my diagram. If one of my users try to put my network vulnerable i want to stop it.
MasterBratac

My other point it' s. A users with good understand in firewalls can make any network vulnerable using my diagram. I did my diagram to sell a device ( a NAC ) to perform authentication of who is connected. But there is no ( nac) that can stop my diagram. If one of my users try to put my network vulnerable i want to stop it.
Shure, your way of breaking out seems to be a nice one ... but there are many ways to do that. But it sounds like: I could make any house vulnerable for robbers. 1. I need to be in the house. 2. I open any windows in the first floor. 3. Voila, any robber could come in and do his job ... But no offense ... nice idea anyway ...
support12
New Contributor III

Exactly. Your internal users are the inside robbers. How can you protect from them ? a funny user can make everybody on security staff a ridiculous. The fight is from inside to outside.
mbrowndcm
New Contributor III

Homey, This doesn' t make any sense. How does a user get an external IP address on any device past the first firewall? Oh... Why did that happen? Oh... that' s not secure, you should fire your poor IT workers. Thanks, Matt P.S. By the way, I hope that any employer trusts any network admin with their company data. If that trust isn' t there, then the network admin should be fired.
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
support12
New Contributor III

How does a user get an external IP address on any device past the first firewall? Oh... Why did that happen? Easy Verify the diagram. all networks are vunerable to that scenario. The internal user will make a ssl vpn ( port https at least open) , then the user share this conncetion. The firewall netscreen device will use that vpn to make and ipsec vpn to another firewall. This netscreen firewall will have and untrust ip private on the same segment as the user pc. The netscreen firewall will have a real Public ip on its trust interface. Then the netscreen device will MIP or map ip from the trust to untrust. and wala. your internal network will have a public ip reachable from any where.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors