Firewalls play a crucial role as gatekeepers that monitor incoming network traffic. When we communicate over a network, data is transmitted in packets, each consisting of headers and a payload. The headers hold the addressing and control information, while the payload contains the actual content sent by the sending party. Firewalls come in various forms, some more restrictive than others, but every firewall performs the same basic inspection of the protocol, source, and destination fields found in the packet's header before allowing access to the system. The most common transport protocols used in network communication are TCP and UDP, each carrying distinct header fields.
The User Datagram Protocol (UDP) is a connectionless transport protocol, designed for fast and efficient data transmission without the overhead of establishing and maintaining a connection the way TCP does. As a result, the UDP header contains fewer fields than the Transmission Control Protocol (TCP) header.
Types of Firewalls
Firewalls are essential for network security and come in two main types: hardware and software. Software firewalls are built into operating systems and can be replaced or supplemented by third-party firewalls. Hardware firewalls are standalone devices placed at network entry points to inspect traffic before it is forwarded to the destination device. The choice between them depends on specific needs and network size: hardware firewalls protect the network perimeter, while software firewalls secure individual devices and endpoints.
Packet filtering firewalls are the most basic type. They inspect packet headers for the protocol, source/destination IP addresses, and ports, and allow or deny traffic based on predefined rules. They provide a basic level of security but cannot track TCP sessions, so they have no way of telling whether a packet belongs to an established connection, which leaves them susceptible to certain types of attacks.
Stateful inspection firewalls go beyond packet filtering by tracking TCP sessions, enabling them to identify and block packets that do not belong to established connections. This added functionality enhances security by ensuring that only legitimate traffic is allowed.
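The following example makes the difference between the two designs concrete. It is added for this article and is not code from any real firewall: it parses the IPv4, TCP and UDP header fields a filter looks at, applies a stateless rule list, and then adds the connection table that turns the same rule list into stateful inspection. The rule format, the build() helper, the addresses and the internal network 10.0.0.0/24 are all constructed for the demonstration.

```python
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Illustrative parser and filters written for this article (an assumed design,
# not any real firewall's code). Every packet is constructed by build().
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
Header = namedtuple("Header", "proto src dst sport dport flags")  # flags: TCP only, 0 for UDP

def parse(pkt: bytes) -> Header:
    """Extract the header fields a packet filter bases its decision on."""
    ihl = (pkt[0] & 0x0F) * 4                     # IPv4 header length in bytes
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])   # ports lead both the TCP and the UDP header
    flags = l4[13] if proto == PROTO_TCP else 0
    return Header(proto, src, dst, sport, dport, flags)

def build(proto: int, src: str, dst: str, sport: int, dport: int, flags: int = 0) -> bytes:
    """Construct a minimal IPv4 + TCP/UDP packet (checksums left at zero)."""
    if proto == PROTO_TCP:   # 20-byte TCP header: ports, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:                    # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: Optional[int] = None
    src: Optional[str] = None            # CIDR, or None for any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, h: Header) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return ((self.proto is None or self.proto == h.proto)
                and in_net(h.src, self.src) and in_net(h.dst, self.dst)
                and (self.sport is None or self.sport == h.sport)
                and (self.dport is None or self.dport == h.dport))

class PacketFilter:
    """Stateless packet filter: first matching rule wins, default deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: bytes) -> str:
        h = parse(pkt)
        return next((r.action for r in self.rules if r.matches(h)), "deny")

class StatefulFilter(PacketFilter):
    """Stateful inspection: remembers connections the inside opened (or a rule
    admitted) and accepts later packets only if they belong to one of them."""
    def __init__(self, rules: List[Rule], inside: str):
        super().__init__(rules)
        self.inside = ipaddress.ip_network(inside)
        self.table: Set[Tuple] = set()

    def decide(self, pkt: bytes) -> str:
        h = parse(pkt)
        key = (h.proto, h.src, h.sport, h.dst, h.dport)
        reverse = (h.proto, h.dst, h.dport, h.src, h.sport)
        if key in self.table or reverse in self.table:
            return "allow"               # packet of a tracked session, or its reply
        opening = h.proto == PROTO_UDP or bool(h.flags & TCP_SYN and not h.flags & TCP_ACK)
        if opening and (ipaddress.ip_address(h.src) in self.inside or super().decide(pkt) == "allow"):
            self.table.add(key)
            return "allow"
        return "deny"                    # e.g. a SYN/ACK or bare ACK with no session behind it

def demo() -> List[Tuple[str, str]]:
    """Return (stateless, stateful) verdicts for four constructed packets."""
    inside = "10.0.0.0/24"                                           # constructed internal net
    allow_web = Rule("allow", PROTO_TCP, dst=inside, dport=80)       # public web server
    reply_rule = Rule("allow", PROTO_TCP, dst=inside, sport=80)      # stateless "return traffic" rule
    stateless = PacketFilter([allow_web, reply_rule, Rule("allow", src=inside)])
    stateful = StatefulFilter([allow_web], inside)                   # needs no reply rule at all
    packets = [
        build(PROTO_TCP, "10.0.0.9", "198.51.100.4", 51000, 80, TCP_SYN),            # inside client out
        build(PROTO_TCP, "198.51.100.4", "10.0.0.9", 80, 51000, TCP_SYN | TCP_ACK),  # genuine reply
        build(PROTO_TCP, "203.0.113.7", "10.0.0.9", 80, 22, TCP_SYN),                # outsider, sport 80
        build(PROTO_TCP, "203.0.113.7", "10.0.0.5", 40000, 80, TCP_SYN),             # outsider to web
    ]
    return [(stateless.decide(p), stateful.decide(p)) for p in packets]
```

The third packet is the instructive one. A stateless filter that wants inside clients to receive replies from web servers has to admit inbound packets by source port 80, and that rule admits anything sent from port 80, including a connection attempt to port 22. The stateful filter admits the genuine reply because it saw the inside host open the connection, and rejects the third packet because no session exists for it, without needing the reply rule at all.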
Proxy firewalls offer even higher security by inspecting both packet headers and payload, acting as intermediaries between internal clients and external systems. They establish separate connections with external servers and modify packets to hide the internal network structure.
Next Generation Firewalls (NGFWs) provide advanced features, such as sophisticated attack detection and prevention mechanisms. Operating at OSI layers 2-7, NGFWs offer comprehensive protection, with security policies that span the network layers and the applications running over them.
NGFWs are equipped to combat modern threats like advanced malware and application-layer attacks. A comprehensive NGFW must include features such as integrated intrusion prevention, application awareness and control, threat intelligence sources, upgrade paths for future information feeds, and techniques to address evolving security threats.
Next-generation firewalls offer five key advantages that are essential for strong network security.
Firstly, they prioritize breach prevention and advanced security, ensuring that potential attacks are kept out of the network. If advanced malware manages to slip through initial defenses, NGFWs are equipped to detect and counter such threats, preventing further damage.
Secondly, NGFWs provide comprehensive network visibility, which means they continuously monitor network activity. This allows them to quickly identify and put a stop to any malicious behavior before it causes harm.
Thirdly, NGFWs offer flexible management and deployment options, making them suitable for businesses of all sizes. Whether you’re a small, medium-sized, or large enterprise, NGFWs can adapt to your specific needs.
Fourthly, rapid threat detection is a crucial aspect of NGFWs. They are designed to spot potential threats within seconds and can identify successful breaches in a matter of hours or minutes, significantly reducing response times to security incidents.
Finally, NGFWs excel at automation and product integrations, meaning they seamlessly work together with the rest of your security setup. This collaboration allows NGFWs to share threat information and automatically perform security tasks.
Web application firewalls (WAFs) are a specialized subset of NGFWs designed to protect web applications from a variety of cyber threats. They act as a crucial layer of defense between users and the web application, monitoring and filtering incoming traffic in real time for potentially malicious activity. WAFs can identify and block common web-based attacks such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.
A cool tool that comes preinstalled with Kali Linux is wafw00f. It is a Python script that fingerprints WAFs based on the responses it gets to a series of web requests.
IDS, IPS, and SIEM
Next Generation Firewalls have built-in intrusion detection systems (IDS) and intrusion prevention systems (IPS). A standalone IDS/IPS can be bought as a hardware device or integrated as software into the network security system.
An IDS/IPS monitors the traffic on a network to try to identify malicious exploit attempts and then block them before any damage is done.
An IDS is typically deployed as a passive listen-only traffic analyzer, constantly monitoring events for signs of suspicious traffic. In contrast, an IPS is deployed in the direct path of traffic, enabling it to promptly respond to flagged suspicious activities by dropping the session.
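The passive-versus-inline distinction is easiest to see in code. The example below is written for this article and is not code from Snort, Suricata or any other product: one small signature engine models both deployments, with the inline flag deciding whether a match only raises an alert (IDS on a tap) or also drops the request (IPS in the path). It also shows the payload-level inspection that distinguishes proxy firewalls, NGFWs and WAFs from plain header filtering. The signatures, the request samples and the source addresses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Illustrative signature engine written for this article (an assumed design, not
# Snort, Suricata or any product's code). The HTTP requests are constructed samples.
SIGNATURES = [  # (id, description, pattern applied to the request payload)
    ("1001", "SQL injection: OR-tautology appended to a parameter",
     re.compile(rb"(?:%27|')(?:\s|%20|\+)*or(?:\s|%20|\+)+\d+\s*=\s*\d+", re.I)),
    ("1002", "Cross-site scripting: script tag in request",
     re.compile(rb"<script\b", re.I)),
]

@dataclass
class Alert:
    sig_id: str
    description: str
    src: str
    excerpt: str        # the bytes that matched, for the analyst

@dataclass
class Sensor:
    """inline=False models a passive IDS fed from a tap or SPAN port: it can only raise
    alerts. inline=True models an IPS in the traffic path: it can drop the request too."""
    inline: bool
    alerts: List[Alert] = field(default_factory=list)

    def inspect(self, src: str, payload: bytes) -> Optional[bytes]:
        """Return the payload to forward, or None when the IPS dropped it."""
        for sig_id, desc, pattern in SIGNATURES:
            m = pattern.search(payload)
            if m:
                self.alerts.append(Alert(sig_id, desc, src, m.group(0).decode(errors="replace")))
                if self.inline:
                    return None              # IPS: block before the server sees it
                break                        # IDS: alert on the first hit, traffic passes untouched
        return payload

# Constructed requests as a sensor would see them after TCP stream reassembly.
SAMPLE_TRAFFIC = [
    ("198.51.100.4", b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.7", b"GET /products?id=42'%20OR%201=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.8", b"GET /search?q=<script>alert(1)</script> HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

def run(inline: bool) -> Tuple[List[Alert], int]:
    """Feed the samples through one sensor; return its alerts and how many requests reached the server."""
    sensor = Sensor(inline=inline)
    forwarded = sum(1 for src, req in SAMPLE_TRAFFIC if sensor.inspect(src, req) is not None)
    return sensor.alerts, forwarded
```

Run with inline=False the sensor raises two alerts but all three requests reach the server, which is exactly the limitation of a listen-only IDS; with inline=True the same two alerts are raised and only the benign request is forwarded. The trade-off an IPS deployment brings is that a false positive in a signature now drops legitimate traffic, so signatures are usually tuned in IDS mode before they are switched to blocking.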
A SIEM (Security Information and Event Management) is a central platform that aggregates and analyzes security data from various sources across the network, providing a comprehensive view of an organization’s security posture. SIEM traffic flow monitoring provides the context behind IDS/IPS events to help understand network behavior and traffic patterns at a deeper level.
Hackers conduct reconnaissance, such as firewall fingerprinting, to assess the security levels of a network or host. The task becomes significantly more challenging for attackers when a host incorporates multiple layers of protection, including firewalls, IDS, IPS, and traffic flow monitors.
Common Firewall Evasion Techniques
Nmap offers a range of options that let users employ evasive tactics during port scans, which we shall explore here.
One such technique involves using decoys to deceive firewalls and obscure the origin of the port scan. Rotating between different decoy IP addresses is intended to make it harder for firewalls to pinpoint the actual source of the scan.
Another evasion method involves utilizing an HTTP/SOCKS4 proxy, which serves as an intermediary between your system and the destination system. This relays the port scan traffic through a proxy server, adding an extra layer of confusion and distancing your actual location from the target. Moreover, chaining multiple proxies can compound the obfuscation effect, providing an even greater level of anonymity.
If you discover that a firewall permits traffic from a specific source port, Nmap offers the capability to specify the source port from which the scan traffic will be sent. This way, users can exploit certain allowances made by the firewall to their advantage.
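From the defender's side, the decoy technique above is where the SIEM context described earlier pays off: individual firewall denies look like noise, but correlated over a short window they show several sources probing the same target and the same ports at the same moment, which is what decoy traffic looks like in the logs. The example below is written for this article and is not any SIEM product's rule language: it parses constructed firewall log lines in a made-up format, flags port scans per source/destination pair with a sliding window, and then groups concurrent scans of the same port set into one decoy cluster.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Illustrative correlation logic written for this article (an assumed design, not
# any SIEM product's rule language). The log lines are constructed samples in a
# made-up "<timestamp> <device> <action> <proto> <src>:<sport> -> <dst>:<dport>" format.
LINE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>\w+) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def constructed_log() -> List[str]:
    """Three sources probing the same five ports on one host within seconds
    (the pattern a decoy-style scan leaves), plus unrelated traffic."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 445]):
        for j, src in enumerate(["203.0.113.7", "203.0.113.8", "203.0.113.9"]):
            lines.append(f"2024-05-01T10:00:{i * 3 + j:02d}Z fw1 DENY TCP {src}:4{i}{j}00 -> 10.0.0.5:{port}")
    lines.append("2024-05-01T10:00:05Z fw1 ALLOW TCP 198.51.100.4:52011 -> 10.0.0.5:443")
    lines.append("2024-05-01T10:03:40Z fw1 DENY TCP 198.51.100.4:52012 -> 10.0.0.5:8080")
    lines.append("2024-05-01T10:03:41Z fw1 some other message the parser should skip")
    return lines

def parse(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                         # unknown format: skip rather than crash
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events

def find_scans(events: List[Dict], window=timedelta(seconds=60), min_ports: int = 5) -> List[Dict]:
    """Flag a (src, dst) pair that touches min_ports distinct ports inside one window."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over the pair's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                findings.append({"type": "port_scan", "src": src, "dst": dst, "ports": sorted(ports),
                                 "start": evs[start]["ts"], "end": evs[end]["ts"]})
                break                        # one finding per pair is enough
    return findings

def correlate_decoys(scans: List[Dict], window=timedelta(seconds=60)) -> List[Dict]:
    """Several sources scanning the same target and port set at the same time is the
    signature of decoy traffic: report them together instead of as unrelated scans."""
    groups = defaultdict(list)
    for s in scans:
        groups[(s["dst"], tuple(s["ports"]))].append(s)
    clusters = []
    for (dst, ports), group in groups.items():
        group.sort(key=lambda s: s["start"])
        if len(group) >= 2 and group[-1]["start"] - group[0]["start"] <= window:
            clusters.append({"type": "decoy_scan_cluster", "dst": dst, "ports": list(ports),
                             "sources": sorted(s["src"] for s in group)})
    return clusters

def analyse(lines: List[str]) -> List[Dict]:
    scans = find_scans(parse(lines))
    return scans + correlate_decoys(scans)
```

On the constructed log this yields three port_scan findings and one decoy_scan_cluster naming all three sources. The cluster is the useful artefact for an analyst: the firewall logs alone cannot say which of the three addresses is the real scanner, so the response is to treat the target as under reconnaissance and watch which of those sources later completes connections, rather than to block one address and move on.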
Nmap's massive range of features allows users to explore various tactics and techniques, making the process of evading network defenses both creative and challenging. If you want more information about firewall evasion, HackerSploit on YouTube has some great videos on the topic.
In the world of cybersecurity, it’s important to grasp the functions of firewalls and NGFWs. To build a strong network defense plan, we need to be ready to respond to new threats by using the most up-to-date security tech and following best practices. This way, we can keep our data and systems safe.