Evading Firewall, IDS, IPS and Honeypots.

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. 

Types of firewalls

Proxy firewall

An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this also may impact throughput capabilities and the applications they can support.

Stateful inspection firewall

Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection.

Unified threat management (UTM) firewall

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.

Next-generation firewall (NGFW)

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

According to Gartner, Inc.’s definition, a next-generation firewall must include:

  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats

While these capabilities are increasingly becoming the standard for most companies, NGFWs can do more.

Threat-focused NGFW

These firewalls include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW you can:

  • Know which assets are most at risk with complete context awareness
  • Quickly react to attacks with intelligent security automation that sets policies and hardens your defenses dynamically
  • Better detect evasive or suspicious activity with network and endpoint event correlation
  • Greatly decrease the time from detection to cleanup with retrospective security that continuously monitors for suspicious activity and behavior even after initial inspection
  • Ease administration and reduce complexity with unified policies that protect across the entire attack continuum

IDS, IPS and Honeypot

An IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) both raise the security level of a network by monitoring traffic and inspecting packets for suspicious content. The difference is placement and action: an IDS usually watches a copy of the traffic (from a SPAN port or a tap) and can only alert, while an IPS sits inline in the traffic path and can drop packets or reset the offending connection. Detection in both is mainly signature-based, that is, it relies on patterns of attacks that have already been seen and catalogued, so it is weakest against traffic the rule writer did not anticipate.

An Intrusion Prevention System (IPS) is therefore a network security/threat prevention technology that examines network traffic flows in order to detect and block vulnerability exploits before they reach the host.

A host-based intrusion detection system (HIDS) is installed on the host it protects and sees that host's logs, files and processes, while a network-based intrusion detection system (NIDS) sits on the network and sees packets. Both kinds work by either looking for signatures of known attacks or for deviations from a baseline of normal activity (anomaly detection).

A honeypot is a network-attached system set up as a decoy to lure attackers and to detect, deflect or study attempts to gain unauthorized access to information systems. It presents itself on the network as a plausible target, usually a server or other high-value asset, gathers information about whoever interacts with it, and notifies defenders of any access attempt. Because no legitimate user has a reason to touch it, every connection to a honeypot is suspect by definition.

Evading firewall detection

There is no universal method for this; it is a matter of trial and error. A technique may work against one firewall/IDS and fail against another, depending on how tight the rule sets are and on whether the device reassembles and validates the traffic it inspects.

The Nmap book discusses a wide variety of techniques that can be used to get past firewalls. We will now briefly look at some of them:

-Timing technique

-Fragmented packets

-Source port scan

-Specifying an MTU

-Sending bad checksums

-Decoys

Timing Technique

The timing technique is one of the most reliable ways to slip past firewalls/IDS. The idea is to send the probes slowly, with a pause between them, so that the scan stays below the rate-based thresholds (for example "N SYNs to distinct ports from one source within M seconds") that port-scan detectors trigger on. Note what it does not do: a slow scan still sends the same packets, so any rule that matches on the content of a single packet fires regardless of timing.

In Nmap a timing template is selected with the -T option followed by a number from 0 to 5. Increasing the value from -T0 to -T5 increases the speed of the scan. The two slowest templates serialize the probes and wait between them (-T0 five minutes, -T1 fifteen seconds; -T2 waits 0.4 seconds), which is what makes them useful for evasion but also makes a full port scan take hours or days.

  • -T0 (paranoid)
  • -T1 (sneaky)
  • -T2 (polite)
  • -T3 (normal, the default)
  • -T4 (aggressive)
  • -T5 (insane)

# nmap -T1 <target IP>

Fragmented Packets

With fragmentation we split the probe into small IP fragments, making it harder for an IDS to detect. The -f option tells Nmap to split the packet into fragments carrying 8 bytes or less of data after the IP header, so a 20-byte TCP header becomes two 8-byte fragments plus one 4-byte fragment; giving -f twice (-ff) uses 16-byte fragments. Fragments get past some firewalls and IDS because those devices inspect each fragment on its own rather than the reassembled packet: no single fragment then contains both the destination port and the TCP flags that a port-scan rule keys on, so nothing looks suspicious. However, most modern IDS (and any stateful firewall) reassemble the fragments into a single packet before inspection, which makes the scan detectable again, and some filters simply drop fragments. Fragmentation only applies to Nmap's raw-packet scans such as SYN scan, not to connect scan, which uses the operating system's TCP stack.

Example

nmap -f 192.168.15.1

Source Port Scan

It is common for a network administrator to allow inbound traffic from a particular source port, typically because a stateless packet filter has no other way to let replies back in: "allow anything from source port 53" lets DNS answers through, and "allow from source port 20" lets active-mode FTP data connections through. We can use this to our advantage against badly configured firewalls by sending our probes from such a source port, so the filter treats them as replies. Common ports to use as source are 53, 80 and 21 (and 20 for the FTP-data case). The trick only works against stateless filters; a stateful firewall knows that no inside host opened the connection and drops the probe regardless of its source port. It also only applies to raw-packet scans (SYN, UDP and the like); connect scan, version detection and NSE scripts use the operating system's sockets, which pick their own source port.

Example

The -g parameter (long form --source-port) specifies the source port, in this case 53 (DNS). -Pn skips host discovery so the scan proceeds even if pings are filtered (older Nmap versions spelled this -PN).

nmap -Pn -g 53 192.168.15.1
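The following is an added example (mine, not code from the page or from Nmap) that models why a probe sent with -g 53 passes a stateless packet filter but not a stateful one. The rule set, the Packet class and the addresses are constructed for illustration; the filter is a simplified model (single rule table, no CIDR matching) rather than any real product's logic.

```python
# Added example: stateless ACL (the hole -g 53 abuses) versus stateful filtering.
# Packets, rules and addresses are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"; "" for non-TCP
    direction: str   # "in" (from the Internet) or "out" (from the LAN)


# Stateless ACL of a badly configured packet filter. First match wins.
# (direction, sport, dport, action); None means "any".
STATELESS_RULES = [
    ("in", 53, None, "allow"),    # meant for DNS replies: trusts the source port alone
    ("in", None, 80, "allow"),    # published web server
    ("in", None, None, "deny"),
    ("out", None, None, "allow"),
]


def stateless_filter(pkt):
    for direction, sport, dport, action in STATELESS_RULES:
        if (direction == pkt.direction
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFilter:
    """Remembers outbound flows; an inbound packet is only admitted if it answers
    a flow the inside opened, or if it starts a connection to a published port."""

    def __init__(self, published_ports=(80,)):
        self.flows = set()            # (lan_ip, lan_port, remote_ip, remote_port)
        self.published = set(published_ports)

    def filter(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"            # reply to a connection the inside opened
        if pkt.dport in self.published and "S" in pkt.flags and "A" not in pkt.flags:
            return "allow"            # fresh SYN to a published service
        return "deny"                 # unsolicited, whatever its source port


def demo():
    # The attacker's probe as 'nmap -Pn -g 53' would send it: SYN from port 53 to port 22.
    probe = Packet("203.0.113.9", 53, "192.168.15.1", 22, "S", "in")
    # A legitimate DNS exchange: the LAN host asks, the resolver answers from port 53.
    query = Packet("192.168.15.1", 40000, "198.51.100.5", 53, "", "out")
    reply = Packet("198.51.100.5", 53, "192.168.15.1", 40000, "", "in")
    sf = StatefulFilter()
    sf.filter(query)
    return {
        "stateless_probe": stateless_filter(probe),   # "allow": the hole
        "stateless_reply": stateless_filter(reply),
        "stateful_probe": sf.filter(probe),           # "deny": no matching flow
        "stateful_reply": sf.filter(reply),
    }
```

The stateless filter cannot distinguish the probe from the DNS reply because both carry source port 53; the stateful filter admits the reply only because it saw the query leave, which is the check a practitioner should expect any modern firewall to make.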

Specifying an MTU

MTU stands for maximum transmission unit. Nmap's --mtu option is a finer-grained version of -f: it sets the maximum number of data bytes per fragment, and the value must be a multiple of 8 (8, 16, 24, 32 ...) because the IP fragment-offset field counts in 8-byte units. With --mtu 32, Nmap splits each probe into fragments carrying at most 32 bytes after the IP header. Bear in mind that a probe shorter than the chosen value is not fragmented at all (a TCP header with no or few options fits in 32 bytes), so pick a value smaller than the header you want to split. Changing the fragment size changes how the probe looks on the wire, which can help evade some firewalls. Do not combine --mtu with -f; the two options are mutually exclusive.

Example

nmap --mtu 32 <target IP>

Sending Bad Checksums

TCP, UDP and SCTP headers carry a checksum for error detection, and every real host's IP stack verifies it and silently drops a packet whose checksum is wrong. We can use incorrect checksums to our advantage in two ways. First, as a detection tool: since the target itself never answers a packet with a bad checksum, any response (a RST, an ICMP unreachable) must come from a firewall or IDS in the path that inspected the packet without validating the checksum, which reveals the device and how it reacts. Second, as an evasion tool against such sloppy devices: an IDS that accepts packets the end host rejects can be fed bogus segments that desynchronize its view of a connection from what the host actually sees (the classic "insertion" attack), so a bypass is possible depending on the rule sets and how they are configured. Note that a bad-checksum probe cannot tell you whether a port on the host is open, precisely because the host drops it.

Example

nmap --badsum <target IP>
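The following added example (mine, not code from the page or from Nmap) computes a real TCP checksum over the IPv4 pseudo-header, corrupts it the way --badsum does, and contrasts a host stack that validates with a middlebox that does not. The addresses, the SYN builder and the two responder functions are constructed for illustration; the middlebox's RST behaviour is a modelled assumption, not a claim about any specific product.

```python
# Added example: TCP checksum computation, a --badsum style corruption, and why
# only a non-validating middlebox ever answers such a packet. Constructed data.
import struct


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over pseudo-header (src, dst, zero, proto 6, length) + segment,
    with the segment's own checksum field (bytes 16-17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, bad=False):
    """20-byte SYN segment; bad=True writes a deliberately wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if bad:
        csum ^= 0xFFFF                       # guaranteed to differ from the right value
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def host_stack(src_ip, dst_ip, segment):
    """A real TCP/IP stack: drop silently on a bad checksum, otherwise answer the SYN."""
    if not checksum_ok(src_ip, dst_ip, segment):
        return None
    return "SYN/ACK"


def sloppy_middlebox(src_ip, dst_ip, segment):
    """Modelled firewall/IDS that inspects the header without validating the
    checksum and reacts to a SYN on a blocked port with a RST (assumption)."""
    dport = struct.unpack("!H", segment[2:4])[0]
    return "RST" if dport == 22 else None


def demo():
    src, dst = bytes([203, 0, 113, 9]), bytes([192, 168, 15, 1])   # constructed addresses
    good = build_syn(src, dst, 40000, 22)
    bad = build_syn(src, dst, 40000, 22, bad=True)
    return {
        "good_host": host_stack(src, dst, good),          # "SYN/ACK"
        "bad_host": host_stack(src, dst, bad),            # None: silently dropped
        "bad_middlebox": sloppy_middlebox(src, dst, bad),  # "RST": the middlebox gave itself away
    }
```

The point to take from the demo is the asymmetry: the bad packet gets no answer from the host under any circumstances, so a RST seen in the capture after `nmap --badsum` can only have come from something in between.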

Decoys

Decoys are very effective when you want stealth. The idea behind this scan is to send, alongside your own probes, identical probes with spoofed source addresses of other hosts, so that the target's logs show the scan arriving from many addresses at once and the network administrator finds it very difficult to tell which host it really originated from. Your real address is still among them, so decoys hide you in a crowd rather than removing you from it; the ME keyword in the decoy list lets you choose where your own address appears in the order.

Since every decoy multiplies the number of packets sent, a large decoy list slows the scan and can amount to a DoS (denial of service) of the target; the decoy hosts should also be up, otherwise you are effectively SYN flooding the target with connections that are never completed. Decoys are not used by connect scan or version detection, and some ISPs drop packets with spoofed source addresses, in which case the decoy probes never arrive.

Example

nmap -D RND:10 <target IP>

This command generates 10 random, non-reserved decoy IP addresses and scans the target from them as well as from your own address. Explicit decoys are listed by address, for example -D 192.168.15.20,192.168.15.21,ME.
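The following added example (mine, not code from the page or from Nmap) shows the decoy scan from the defender's side: the constructed firewall log below is what one probe of a four-source decoy scan (the real scanner plus three decoys) looks like, and the detection groups SYNs to the same target port that arrive within a few milliseconds of each other from several sources. The log lines, the 50 ms window and the threshold of three sources are constructed assumptions.

```python
# Added example: detecting an nmap -D style decoy burst in a constructed firewall log.
# Log format (constructed): timestamp src dst dport tcp_flags
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2024-05-01T10:00:00.000 10.0.0.7 192.168.15.1 22 S
2024-05-01T10:00:00.002 198.51.100.23 192.168.15.1 22 S
2024-05-01T10:00:00.003 203.0.113.9 192.168.15.1 22 S
2024-05-01T10:00:00.005 192.0.2.44 192.168.15.1 22 S
2024-05-01T10:00:00.410 10.0.0.7 192.168.15.1 443 S
2024-05-01T10:00:00.412 198.51.100.23 192.168.15.1 443 S
2024-05-01T10:00:00.413 203.0.113.9 192.168.15.1 443 S
2024-05-01T10:00:00.415 192.0.2.44 192.168.15.1 443 S
2024-05-01T10:07:12.000 198.51.100.77 192.168.15.1 80 S
"""


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return rows


def decoy_bursts(rows, window=timedelta(milliseconds=50), min_sources=3):
    """Group SYNs to the same (dst, dport) that arrive within `window` of the
    first one; a group with >= min_sources distinct sources is the signature of
    a decoy scan: one real scanner plus N decoys probing the same port together."""
    by_target = defaultdict(list)
    for ts, src, dst, dport, flags in rows:
        if "S" in flags and "A" not in flags:
            by_target[(dst, dport)].append((ts, src))
    bursts = []
    for (dst, dport), events in by_target.items():
        events.sort()
        start, srcs = events[0][0], {events[0][1]}
        for ts, src in events[1:]:
            if ts - start <= window:
                srcs.add(src)
            else:
                if len(srcs) >= min_sources:
                    bursts.append((dst, dport, sorted(srcs)))
                start, srcs = ts, {src}
        if len(srcs) >= min_sources:
            bursts.append((dst, dport, sorted(srcs)))
    return bursts


def suspects(bursts):
    """Sources present in every burst. Nmap keeps the same decoy list for the
    whole scan, so this set is the decoy list plus the real scanner; the
    defender cannot pick the real one out of it from these fields alone."""
    sets = [set(s) for _, _, s in bursts]
    return sorted(set.intersection(*sets)) if sets else []
```

Running `suspects(decoy_bursts(parse(LOG)))` yields all four addresses, which is exactly the attacker's intent; the lone SYN to port 80 minutes later is not grouped with anything. Timing alone does not unmask the scanner, but the burst itself is a strong port-scan indicator that a rate threshold on a single source would have missed.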

Install Snort as a local IDS on Kali Linux

Installation of Snort

Open a terminal and install the package:

  apt-get install snort

During installation the package asks for the address range of the local network (this becomes HOME_NET in the configuration). Enter your LAN in CIDR notation, for example 192.168.2.0/24 for the network whose router is 192.168.2.1.

Configuration

Open the main configuration file and make sure the ICMP rule file is included:

  nano /etc/snort/snort.conf

Search for icmp.rules; the line should read

  include $RULE_PATH/icmp.rules

and must not be commented out. $RULE_PATH is defined near the top of the same file and points at the rules directory (/etc/snort/rules on Kali/Debian).

Next open the ICMP rule file in that directory:

  nano /etc/snort/rules/icmp.rules

Uncomment one of the existing ICMP rules if you want it active, and add the following rule, which alerts on every ICMP packet in either direction:

  alert icmp any any -> any any (msg:"Alert icmp rules"; sid:477; rev:3;)

Two caveats: use plain double quotes in the msg option (typographic quotes make Snort fail to parse the rule), and for rules you write yourself choose a SID of 1000000 or higher, since SIDs below 1000000 (477 included) are reserved for the rule sets shipped with Snort and may collide with a stock rule. The conventional place for your own rules is $RULE_PATH/local.rules, which the stock snort.conf already includes.

Running the local IDS

  snort -c /etc/snort/snort.conf -l /var/log -i wlan0 -dev

  -c    configuration file to use
  -l    directory for logs and alerts (the package default is /var/log/snort)
  -i    interface to listen on (wlan0 here; use eth0 for a wired interface)
  -dev  three single-letter options, not "device": -d dumps the application-layer data, -e the link-layer headers and -v runs in verbose mode, printing every packet to the console

Add -A console if you want alerts printed to the terminal as they fire. Then ping the Kali host from another machine on the LAN; the ICMP rule above should trigger.
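The following added example (mine, not code from the page or from the Snort project) is a toy parser and matcher for rules in the header-plus-options form shown above, run over constructed packets. It handles only the literal values `any`, exact matches and `!` negation, not CIDR blocks, port ranges or $HOME_NET-style variables, and the SID check encodes the "local rules use 1000000 and up" convention from the text; the rule with sid 1000001 and the two packets are constructed.

```python
# Added example: minimal Snort rule parser/matcher and local-SID check over
# constructed rules and packets. Toy only: no CIDR, port ranges or variables.
import re

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and an options dict (key -> value)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")        # msg values containing ';' are not handled
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _match_field(pattern, value):
    if pattern in ("any", value):
        return True
    if pattern.startswith("!"):
        return not _match_field(pattern[1:], value)
    return False


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport (ports as strings; 'any' for ICMP)."""
    if rule["proto"] != pkt["proto"] and rule["proto"] != "ip":
        return False
    fwd = all(_match_field(rule[k], pkt[k]) for k in ("src", "sport", "dst", "dport"))
    if fwd or rule["dir"] != "<>":
        return fwd
    # bidirectional rule: also try with the endpoints swapped
    return all(_match_field(rule[a], pkt[b]) for a, b in
               (("src", "dst"), ("sport", "dport"), ("dst", "src"), ("dport", "sport")))


def check_sid(rule):
    """Local rules should carry sid >= 1000000; lower values belong to the
    distributed rule sets and can collide with a stock rule."""
    return int(rule["opts"].get("sid", 0)) >= 1_000_000


def demo():
    page_rule = parse_rule('alert icmp any any -> any any (msg:"Alert icmp rules"; sid:477; rev:3;)')
    local_rule = parse_rule('alert icmp any any -> any any (msg:"ICMP seen"; sid:1000001; rev:1;)')
    # Constructed packets: an echo request and an SSH SYN from the same LAN host.
    ping = {"proto": "icmp", "src": "10.0.0.5", "sport": "any", "dst": "192.168.2.10", "dport": "any"}
    ssh = {"proto": "tcp", "src": "10.0.0.5", "sport": "40000", "dst": "192.168.2.10", "dport": "22"}
    return {
        "ping_alerts": rule_matches(page_rule, ping),    # True
        "ssh_alerts": rule_matches(page_rule, ssh),      # False: wrong protocol
        "page_sid_ok": check_sid(page_rule),             # False: 477 is in the reserved range
        "local_sid_ok": check_sid(local_rule),           # True
        "msg": page_rule["opts"]["msg"],
    }
```

The matcher makes the rule's semantics concrete: `any any -> any any` on protocol icmp fires on every ICMP packet regardless of direction, which is why a single ping from another host is enough to test the installation.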
