Firebind Recon and The Princess Bride – Inconceivable!
“The battle of wits has begun. It ends when you decide and we both drink – and find out who is right, and who is dead.” That line from the Battle of Wits scene of the 1980s movie The Princess Bride marked the beginning of one of the most classic comedy movie scenes of the last 40 years. The Man in Black tests his wits against the master criminal Vizzini in order to rescue the princess.
The 37 lines of dialogue in this scene provide the perfect opportunity to demonstrate how Firebind Recon works and why it can automate the critical “table stakes” task of finding weaknesses in your network security controls, weaknesses that leave your on-premises or cloud architectures exposed due to faulty network segmentation.
Firebind Recon uses software agents that are deployed in different network segments and are configured to send custom payload sequences to each other over any or all TCP and UDP ports, alarming if a sequence that should be blocked is able to successfully transit the network. By putting data on the wire, Firebind Recon’s patented technology continuously and empirically tests the various in-line security devices (physical or virtual) that are enforcing any number of firewall, IPS/IDS and DLP rules, and switch and router ACLs.
The heart of the Firebind Recon platform is the protocol script, or payload sequence. In the image above we see a protocol script that contains the actor dialogue. The Initiator is the customer deployed agent, and the Target is either a private customer deployed target agent or a Firebind hosted target agent. The “<” and “>” signs show the direction of travel for the given message.
The image above shows Firebind Recon sending ‘msg 1’ of the protocol script from the customer agent to the target. The first row of the Wireshark capture shows the payload transiting over TCP port 1904. The other Wireshark rows in the image are some of the remaining 36 movie dialogue messages that are sent back and forth between the two agents on TCP port 1904. The customer agent was in Massachusetts and the Firebind Recon public target is in Virginia. The movie dialogue was sent back and forth on all 65535 TCP ports over the course of ~12.5 hours, generating ~3 million total packets and almost 800 MB of network traffic.
Protocol scripts can be created by the user or synchronized from Firebind’s library. While a movie script may make an interesting payload sequence, the real value comes from being able to send PII data or simulated threats (malware etc.) between Firebind agents to see if the payloads are properly detected and/or stopped, or conversely, to ensure that certain payload sequences are successfully transmitted without interruption.
The suite configuration above is where the user defines what TCP and UDP ports to test over, which protocol script (payload) to use, the number of seconds to wait for a response (if none is received) before moving on to the next port, and the number of milliseconds to pause between successive port tests.
The final step before testing can begin is for the user to create a scan configuration. The scan config contains [1] the customer agent initiating the test, [2] the suite that was created in the prior step, [3] the scan target (customer-deployed private or Firebind-hosted public) that the customer agent will trade messages with, [4] the schedule to run the test (every 5 minutes, hourly, daily, etc.) and finally [5] the policies that define the expected behavior, which is compared against the actual results for alarming purposes.
Once the scan configuration is created, it appears in the Scan Overview page. In addition to having the option to run scan configs on a schedule, there is also a “Scan Now” option to force the scan to run immediately.
As the scan runs, a detailed results page is updated every 15 seconds as the customer agent provides interim results. At each interval the Firebind Recon web console evaluates the subset of results it receives against the configured policies and alarms if any individual port result doesn’t match the policy.
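To make the initiator/target exchange and the policy comparison concrete, here is an added example that is not Firebind’s code and does not use its script format: two loopback “agents” play a constructed three-line dialogue over an ephemeral TCP port, a refused port stands in for a blocking control, and a per-port policy table is checked against the observed results to produce alarms. The script layout, function names and result labels (‘transited’, ‘blocked’, ‘timeout’, ‘interrupted’) are assumptions for this illustration.

```python
import socket
import threading

# Constructed dialogue (assumed format, not Firebind's own): marker ">" is
# initiator -> target, "<" is target -> initiator; turns alternate strictly.
SCRIPT = [(">", b"Inconceivable!"),
          ("<", b"You keep using that word."),
          (">", b"I do not think it means what you think it means.")]

def _target(srv, msgs):
    """Target agent: accept one connection and play its side of the script."""
    with srv.accept()[0] as conn:
        for marker, payload in msgs:
            if marker == "<":
                conn.sendall(payload)
            else:
                conn.recv(4096)

def run_script(msgs, listening=True, timeout=2.0):
    """Initiator agent: play the script over loopback TCP on an ephemeral port,
    returning (port, observed). listening=False stands in for a refusing control."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if listening:
        threading.Thread(target=_target, args=(srv, msgs), daemon=True).start()
    else:
        srv.close()  # nothing listens, so the connect is refused
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            for marker, payload in msgs:
                if marker == ">":
                    c.sendall(payload)
                elif c.recv(4096) != payload:
                    return port, "interrupted"  # reply altered or cut off
        return port, "transited"
    except (ConnectionRefusedError, socket.timeout) as e:
        return port, "blocked" if isinstance(e, ConnectionRefusedError) else "timeout"
    finally:
        srv.close()

def evaluate(policy, results):
    """Alarm on every port whose observed result contradicts its policy."""
    alarms = []
    for port, expected in policy.items():
        observed = results.get(port, "untested")
        ok = observed == "transited" if expected == "allow" \
            else observed in ("blocked", "timeout")
        if not ok:
            alarms.append((port, expected, observed))
    return alarms
```

A port that is in the policy but absent from the results is reported as ‘untested’ rather than silently passing, so a scan that stopped early still raises an alarm.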
Request a free Firebind Recon trial and we’ll help you evaluate your on-premises or cloud security controls.