Firebind Recon and The Princess Bride – Inconceivable!

“The battle of wits has begun. It ends when you decide and we both drink – and find out who is right, and who is dead.”  That line from The Battle of Wits scene of the 1980’s movie The Princess Bride marked the beginning of one of the most classic comedy movie scenes in the last 40 years.  The Man in Black tests his wits against the master criminal Vizzini in order to rescue the princess.

Firebind Recon Protocol Script created from The Princess Bride Battle of Wits scene

The 37 lines of dialogue in this scene provide the perfect opportunity to demonstrate how Firebind Recon works and why it can automate the critical “table stakes” task of finding weaknesses in your network security controls, weaknesses that leave your on-premises or cloud architectures exposed due to faulty network segmentation.

Firebind Recon uses software agents that are deployed in different network segments and are configured to send custom payload sequences to each other over any or all TCP and UDP ports, alarming if a sequence that should be blocked is able to successfully transit the network.  By putting data on-the-wire, Firebind Recon’s patented technology continuously and empirically tests the various in-line security devices (physical or virtual) that are enforcing any number of firewall, IPS/IDS and DLP rules, and switch and router ACLs.

The heart of the Firebind Recon platform is the protocol script, or payload sequence.  In the image above we see a protocol script that contains the actor dialogue.  The Initiator is the customer deployed agent, and the Target is either a private customer deployed target agent or a Firebind hosted target agent.  The “<” and “>” signs show the direction of travel for the given message.

Wireshark capture of 'msg 1' from The Princess Bride payload being sent from customer agent to target agent

As seen above, Firebind Recon can be seen sending ‘msg 1’ of the protocol script from the customer agent to the target.  The first row of the Wireshark capture shows the payload is transiting over TCP port 1904.  The other Wireshark rows in the image are some of the remaining 36 movie dialogue messages that are sent back and forth between the two agents on TCP port 1904.  The customer agent was in Massachusetts and the Firebind Recon public target is in Virginia.  The movie dialogue was sent back and forth on all 65535 TCP ports over the course of ~12 1/2 hours, generating ~3 million total packets and almost 800 MB of network traffic.

Creation of Firebind Recon suite containing Princess Bride script and specification of TCP ports 1-65535

Protocol scripts can be created by the user or synchronized from Firebind’s library.  While a movie script may make an interesting payload sequence, the real value comes from being able to send PII data or simulated threats (malware etc.) between Firebind agents to see if the payloads are properly detected and/or stopped, or conversely, to ensure that certain payload sequences are successfully transmitted without interruption.

The suite configuration above is where the user defines what TCP and UDP ports to test over, which protocol script (payload) to use, the number of seconds to wait for a response (if none is received) before moving on to the next port, and the number of milliseconds to pause between successive port tests.  

Creation of Firebind Recon scan configuration specifying suite, customer agent, target agent, and schedule

The final step before testing can begin is for the user to create a scan configuration.  The scan config contains [1] the customer agent initiating the test [2] the suite that was created in the prior step [3] the target (customer deployed private or Firebind hosted public) scan target that the customer agent will trade messages with [4] the schedule to run the test (every 5 minutes, hourly, daily, etc.) and finally [5] the policies that define the expected behavior which can be compared against the actual results for alarming purposes.

Scan Overview showing Princess Bride scan config and option to start test immediately via 'Scan Now' button

Once the scan configuration is created, it appears in the Scan Overview page.  In addition to having the option to run scan configs on a schedule, there is also a “Scan Now” option to force the scan to run immediately.

Result detail showing current status of ports being tested with Princess Bride payload

As the scan is running a detailed results page will receive updated every 15 seconds as the customer agent provides interim results.  At each interval the Firebind Recon web console will evaluate the subset of results it receives against the configured policies and alarm if any individual port result doesn’t match the policy.

Request a free Firebind Recon trial and we’ll help you evaluate your on-premises or cloud security controls.


Comments are closed.