Firewall Misconfiguration: Legitimate Users Restricted

Network analysis

1. Symptoms

Today’s “patient” is a city’s Social Insurance Bureau. Yesterday afternoon the entire staff worked overtime with the network management department to install a new firewall system, finishing at 18:30. They then restarted the whole insurance network. At first everything worked well and the firewall functioned normally, but the relief was short-lived. When staff returned to work today, many authorized Intranet users reported that they could no longer access or modify insurance data: the system labelled them “unauthorized users.” At the same time, the system administrators observed that it was precisely access and data modification through the firewall that were affected. Curiously, external Internet users had no trouble querying user data from any location. Complaints were directed mainly at the “business department,” which was asked when the computer network problem would be fixed.

The Social Insurance Bureau’s network is fairly complex: it comprises business-specific networks, an OA network, an Intranet, and the Internet. The Intranet is the internal business network for authorized users, while the Internet side mainly serves telephone-access users. The OA network connects to the Web server through the LAN’s Ethernet switches. Both Intranet and Internet users can file applications and access data online. To protect business data there are two Web servers, one serving Internet users and one serving Intranet users, with the Intranet Web server also acting as a backup; the two servers synchronize their business data. Internet users can browse, query data, and file applications, but they cannot modify data. Intranet access and data modification are restricted to authorized users only.

2. Diagnostic Process

The issues were clearly related to the firewall system installed the previous day. When the network tester F683 was connected to the server’s network segment, it detected the Web server used by Internet users but not the Intranet Web server. With the firewall removed, the server was detected, which pointed to the firewall as the problem. Since the system had worked correctly right after the firewall was installed, the investigation focused on any changes made to the firewall parameters since then, following the principle that “changes lead to issues.” Had the network administrators been able to say which parameters and settings had been altered, troubleshooting would have been far more straightforward. Unfortunately, like many maintenance personnel, they denied making any adjustments, as is often the case.

The network tester ran ICMP PING tests, which showed that the Web server was present and answered 100% of requests, so the Web server itself was functioning normally. However, when the network tester entered the network using the firewall’s MAC address, it could not detect the Web server. These observations confirmed that the firewall’s filtering went beyond IP addresses and also included MAC address filtering, a filter that cannot be applied to Internet users (which is why they were unaffected). MAC address filtering was identified as the source of the problem, and it was then disabled in the firewall settings.

3. Conclusion

Many firewalls filter traffic and authenticate authorized users on the basis of IP addresses and passwords. Where security requirements are high, users are additionally authenticated by MAC address. This can be highly effective for internal network users, but the setup is demanding, and users must obtain authorization before changing a machine’s IP address or installing a new network card.

4. Diagnostic Recommendations

For internal network members and specific OA network users, MAC address authentication can enhance security. Internal users generally know the authentication procedures and keep secure passwords, but unauthorized users may still try to bypass the system; with MAC address authentication enabled, only authorized machines can enter the network. For best results we recommend a two-step approach. First, back up the MAC addresses of all machines with network cards before enabling MAC address authentication; this preserves system reliability. Second, make sure authorized users know that they must ask for their MAC address to be reconfigured whenever they replace a network card or a machine. In this way every change is reported to the system administrators and takes effect only after proper authorization.
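The following script is an added illustration of the two recommendations above (and of the diagnosis in section 2, where a server that answered PING was still invisible behind the MAC filter); it is not code from the original case study. It parses constructed `arp -a` output from a host on the server segment to build the MAC inventory that should be backed up before the filter is enabled, reports which known hosts a proposed firewall allowlist would lock out, and flags addresses whose MAC changed between two inventories (a replaced network card or machine). The hostnames, IP addresses and MAC addresses are invented, and the allowlist format (a plain set of MAC strings) is an assumption; real firewalls each have their own.

```python
"""Pre-flight checks before enabling MAC-address filtering on a firewall.

Added example, not from the original case study. Input is the text that
`arp -a` prints on a Linux host; Windows-style dashed MACs are accepted too.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample output of `arp -a` on the server segment. Every host,
# address and MAC here is invented for the example.
SAMPLE_ARP_OUTPUT = """\
intranet-web (10.10.1.10) at 00:1a:2b:3c:4d:01 [ether] on eth0
internet-web (10.10.1.11) at 00:1a:2b:3c:4d:02 [ether] on eth0
clerk-pc-07 (10.10.2.17) at 00:1a:2b:3c:4d:17 [ether] on eth0
clerk-pc-08 (10.10.2.18) at 00:1A:2B:3C:4D:18 [ether] on eth0
? (10.10.2.99) at <incomplete> on eth0
"""

# Matches one resolved `arp -a` line; "<incomplete>" entries do not match
# and are therefore skipped (no hardware address is known for them).
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}) "
)


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Sort key so that 10.10.1.10 orders before 10.10.2.18 numerically."""
    return tuple(int(part) for part in ip.split("."))


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated; accepts dashes as well."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower() for o in octets)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Build the inventory to back up: IP -> normalized MAC for resolved hosts."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            inventory[match.group("ip")] = normalize_mac(match.group("mac"))
    return inventory


def export_inventory(inventory: Dict[str, str]) -> str:
    """Backup file content: one 'ip mac' line per host, ordered by IP."""
    return "\n".join(
        f"{ip} {inventory[ip]}" for ip in sorted(inventory, key=_ip_key)
    )


def locked_out_hosts(inventory: Dict[str, str],
                     allowlist: Iterable[str]) -> List[Tuple[str, str]]:
    """Known hosts the proposed allowlist would deny once filtering is on.

    Run this before enabling the rule: a legitimate server that still answers
    PING will be unreachable through the firewall if its MAC is missing here.
    """
    allowed = {normalize_mac(m) for m in allowlist}
    return sorted(
        ((ip, mac) for ip, mac in inventory.items() if mac not in allowed),
        key=lambda entry: _ip_key(entry[0]),
    )


def changed_nics(before: Dict[str, str],
                 after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Addresses whose MAC differs between two inventories: a replaced card or
    machine that users are required to report for re-authorization."""
    return sorted(
        ((ip, before[ip], after[ip])
         for ip in before if ip in after and before[ip] != after[ip]),
        key=lambda entry: _ip_key(entry[0]),
    )


if __name__ == "__main__":
    inv = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("Inventory to back up:\n" + export_inventory(inv))
    # Constructed draft allowlist that forgot the Intranet Web server and one PC.
    draft = ["00:1a:2b:3c:4d:02", "00-1A-2B-3C-4D-17"]
    for ip, mac in locked_out_hosts(inv, draft):
        print(f"WOULD BE LOCKED OUT: {ip} ({mac})")
```

Run the inventory on the real segment before the firewall rule is enabled and keep the exported file with the change record; a non-empty `locked_out_hosts` result is exactly the failure the Bureau hit, caught before any user is turned away.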

5. Afterword

A week later, the Social Insurance Bureau activated the firewall’s MAC address authentication feature.
