Firewalls and Honeypots

A firewall is a barrier. It blocks some traffic and allows other traffic. The most common place to encounter a firewall is between a network and the outside world. Nevertheless, firewalls on individual computers and between network segments are also quite common. At a minimum, a firewall will filter incoming packets based on specific parameters, such as packet size, source IP address, protocol, and destination port. Linux and Windows both have built-in firewalls. So there is no reason for an individual computer not to have a firewall configured and turned on.

In an organizational setting, a minimum of a dedicated firewall between your network and the outside world is required. This might be a router that also has built-in firewall capabilities. Router manufacturers such as Cisco and Juniper include firewall capabilities.

Firewalls can be classified based on physical configuration. There are just a few configurations:

• Bastion host: This is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through the firewall. There are two interfaces: a public interface directly connected to the internet and a private interface connected to the internal network.

• Multi-homed: A firewall with two or more interfaces allows further subdivision of the network based on the specific security objectives of the organization.

• Screened host: A screened subnet or DMZ (an additional zone) may contain hosts that offer public services. The DMZ responds to public requests and has no hosts accessed by the private network. The private zone cannot be accessed by internet users. A DMZ is essentially two firewalls. One of the firewalls is a barrier to the outside world, and the other is a barrier to the organizational network. Between the two are placed public-facing things such as web servers and email servers. For some time now, most routers have had DMZ ports. Whatever is plugged into that port is in a DMZ, so the router effectively has two firewalls built in.

Physical configuration is only one way to consider firewalls. There are various types of firewalls and variations on those types. However, most firewalls can be grouped into one of the categories discussed in the following subsections.

Networks firewalls often perform another function: network address translation (NAT). NAT basically replaces the private IP address on outgoing packets with the public IP address of the gateway router so that the packets can be routed through the internet.

Packet Filtering

Basic packet filtering is the simplest form of firewall. It involves looking at packets and checking to see if each packet meets the firewall rules. For example, it is common for a packet filtering firewall to consider three questions:

• Is this packet using a protocol that the firewall allows?

• Is this packet destined for a port that the firewall allows?

• Is the packet coming from an IP address that the firewall has not blocked?

These are three very basic rules. Some packet filter firewalls check additional rules. But what is not checked is the preceding packets from that same source. Essentially, each packet is treated as a singular event, without reference to the preceding conversation. This makes packet filtering firewalls quite susceptible to some DoS attacks, such as SYN floods.

Stateful Packet Inspection Firewalls

A SPI (stateful packet inspection) firewall examines each packet and denies or permits access based not only on the examination of the current packet but also on data derived from previous packets in the conversation. The firewall is therefore aware of the context in which a specific packet was sent. This makes such a firewall far less susceptible to ping floods and SYN floods, as well as less susceptible to spoofing. For example, if a firewall detects that the current packet is an ICMP packet and a stream of several thousand packets have been continuously coming from the same source IP address, the firewall will see that this is clearly a DoS attack, and it will block the packets.

A stateful packet inspection firewall can also look at the actual contents of a packet, which allows for some very advanced filtering capabilities. Most high-end firewalls use the stateful packet inspection method; when possible, this is the recommended type of firewall.

Application Gateways

An application gateway (also known as application proxy or application-level proxy) is a program that runs on a firewall. When a client program, such as a web browser, establishes a connection to a destination service, such as a web server, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to gain access to the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This process actually creates two connections. There is one connection between the client and the proxy server, and there is another connection between the proxy server and the destination.

Once a connection is established, the application gateway makes all decisions about which packets to forward. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

Essentially, an application gateway is used for specific types of applications, such as database or web server applications. It is able to examine the protocol being used (such as HTTP) for any anomalous behavior and block traffic that might get past other types of firewalls. It is common to have an application gateway that also includes stateful packet inspection.

Probably the most common example of an application gateway is a WAF (web application firewall), which is used for detecting specific web attacks, such as SQL injection, XSS (cross-site scripting), and other web attacks.

There are a number of firewall products that are at least mentioned on the CEH exam, including:

• ZoneAlarm Pro Firewall: https://www.zonealarm.com/software/firewall

• Zscaler: https://www.zscaler.com

• eScan Enterprise Edition: https://www.escanav.com

• Comodo Firewall: https://personalfirewall.comodo.com

• FortiGate Next-Generation Firewall: https://www.fortinet.com/products/next-generation-firewall/mid-range

• Cisco ASA: https://www.cisco.com/c/en/us/products/security/firewalls/index.html

The following firewalls are available for mobile devices:

• DroidWall—Android Firewall: https://code.google.com/archive/p/droidwall/

• aFirewall: https://afirewall.wordpress.com

Next Generation Firewalls (NGFWs)

NGFW (next-generation firewall) is a bit of a catchall term for any firewall that has advanced features. Normally NGFWs incorporate features from more than one type of firewall (for example, application gateway and stateful packet inspection). Furthermore, the usually include other functionality, such as IPSs, antivirus, and, in some cases, even machine learning.

Honeypots

A honeypot is an interesting technology. Essentially, it assumes that an attacker is able to breach your network security, and it would be best to distract that attacker away from your valuable data. Therefore, a honeypot includes a server that has fake data—perhaps an SQL server or Oracle server that is loaded with fake data and that is just a little less secure than your real servers. Then, because none of your actual users ever access this server, monitoring software is installed to alert you when someone does access this server.

A honeypot achieves two goals. First, it takes the attacker’s attention away from the data you wish to protect. Second, it provides what appears to be interesting and valuable data, thus leading the attacker to stay connected to the fake server and giving you time to try to track the attacker. Commercial solutions, such as Specter (www.specter.com), are available to set up honeypots. These solutions are usually quite easy to set up and include monitoring/tracking software. You may also find it useful to check out https://www.imperva.com/learn/application-security/honeypot-honeynet/ for more information on honeypots in general, as well as specific implementations.

Honeypots can be classified in a number of different ways. Common classifications include:

• Low-interaction honeypots: These simulate a limited number of services and don’t require much interaction from the attacker.

• Medium-interaction honeypots: These honeypots simulate a real operating system, complete with applications and services. These honeypots will only respond to specific commands that are preconfigured.

• High-interaction honeypots: These simulate a great many services and applications. They also capture complete information about an attack.

Honeypots can also be divided into categories of production and research. A production honeypot simulates a real production network for an organization. A research honeypot is usually a high-interaction honeypot that is meant to capture substantial information about how an attack is carried out.

There are a number of honeypot products on the internet, including:

• KFSensor: http://www.keyfocus.net/kfsensor/

• elastichoney: https://github.com/jordan-wright/elastichoney

• mysql-honeypotd: https://github.com/sjinks/mysql-honeypotd

• LaBrea: https://labrea.sourceforge.io/labrea-info.html

There are also tools for detecting honeypots. These basically work to determine if the behavior of the target system looks suspicious. A few such tools are:

• Send-Safe Honeypot Hunter: https://send-safe-honeypot-hunter.apponic.com

• hping: http://www.hping.org

Virtual Private Networks

A VPN (virtual private network) enables secure communications over a public network such as the internet. The packets sent back and forth over this connection are encrypted, thus making it private. A VPN essentially emulates a direct network connection. There are several different VPN technologies, but IPsec is very commonly used.

Point-to-Point Tunneling Protocol (PPTP) is the oldest of the protocols used to create VPNs. It was originally designed as a secure extension to Point-to-Point Protocol (PPP). PPTP was originally proposed as a standard in 1996 by the PPTP Forum—a group of companies that included Ascend Communications, ECI Telematics, Microsoft, 3Com, and U.S. Robotics. It adds the features of encrypting packets and authenticating users to the older PPP protocol. It is mentioned here primarily for historical purposes. It is still used, but not widely and is, therefore, not a focus of the CEH exam.

Layer 2 Tunneling Protocol (L2TP) was explicitly designed as an enhancement to PPTP. Like PPTP, it works at the data link layer of the OSI model. It has several improvements over PPTP. First, it offers more and varied methods for authentication: PPTP offers two methods (CHAP and EAP), whereas L2TP offers five (CHAP, EAP, PAP, SPAP, and MS-CHAP). L2TP is also often used in conjunction with IPSec.

IPsec (Internet Protocol Security) is widely used and will be mentioned on the CEH exam. You don’t need to know a great deal of technical detail but should have a general understanding of IPsec. One of the differences between IPsec and the other methods is that it encrypts not only the packet data but also the header information. With IPSec you can choose to encrypt just the data packet, or the packet and the header. Furthermore, IPsec includes safeguards against unauthorized retransmission of packets. This is important because one technique that a hacker can use is to simply grab the first packet from a transmission and use it to get his own transmissions to go through. Essentially, the first packet (or packets) has to contain the login data. If you simply re-send that packet(s), you will be sending a valid logon and password that can then be followed with additional packets. IPsec safeguards prevent this from happening.

IPsec operates in one of two modes: Transport mode, in which only the payload is encrypted, and Tunnel mode, in which both data and IP headers are encrypted. This is the protection that was referred to earlier.

Following are some basic IPsec terms:

• Authentication Header (AH): Provides connectionless integrity and data origin authentication for IP packets.

• Encapsulating Security Payload (ESP): Provides origin authenticity, integrity, and confidentiality protection of packets. It offers encryption-only and authentication-only configurations.

• Security associations (SAs): Provide the parameters necessary for AH or ESP operations. SAs are established using ISAKMP.

• Internet Security Association and Key Management Protocol (ISAKMP): Provides a framework for authentication and key exchange.

• Internet Key Exchange (IKE and IKEv2): Is used to set up an SA by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used.

During the initial establishment of an IPsec tunnel, SAs are formed. These SAs have relevant information regarding the encrypted connection, such as what encryption algorithm and what hashing algorithms will be used in the IPsec tunnel. IKE is primarily focused on forming these SAs. ISAKMP allows the two ends of the IPsec tunnel to authenticate to each other and to exchange keys.

SSL/TLS can also be used to create a VPN. Rather than simply encrypting a webpage, the SSL/TLS protocol is used to create a tunnel to a remote server. This is becoming more common, but IPSec is still the most widely used VPN protocol.

IDS Evasion Techniques

Obfuscation

Obfuscating attacks are a class of attacks that are often used and can be quite successful. The concept is simple, but the techniques can be of varying complexity. The idea is to encode a packet so that it is not detected by any signature matching. This can include encrypting packets and adding a string of null values at the end of a packet. This technique is often referred to as creating null operation pointer sleds (nop sleds).

Polymorphic malware can also circumvent signature-based IDSs/IPSs and antivirus software. Polymorphic malware is malware that changes some aspect of itself from time to time. This could be the previously mention nop sled, changing the email content/subject the malware is attached to, or any technique that changes the signature.

Another way to obfuscate is through false-positive generation. Basically, a hacker crafts a number of malicious packets and sends them just to generate alerts. The idea is specifically to generate false positives. The administrators become desensitized, thinking perhaps there is something wrong with the IDS configuration or rules. When the real attack comes, the administrators may believe it is another false positive.

Another way to obfuscate that works well for some attacks is through Unicode character encoding. If an attack is based on specific character strings, as in SQL injection, the characters are encoded so that the IDS might not recognize the attack. This might involve encoding in Unicode or using character functions such as CHR.

Yet another way to obfuscate an attack is to use compression. Compressing an attack, whether it is malware or not, can make it quite difficult for an IDS/IPS to examine the traffic involved. Similarly, simply encrypting traffic will make it difficult—or even impossible—for the IDS/IPS to examine that traffic.

Insertion Attacks

An insertion attack is a method commonly used to try to confuse an IDS. The process basically is an attempt to force the IDS to read invalid packets. For example, an attacker may send one-character packets to the target system, with each packet having a different TTL (Time to Live) value. The IDS intercepts these packets. Due to the varying TTL values, some packets won’t get past the IDS to the target system. This will result in the IDS and the target system having two different character strings.

Denial of Service (DoS) Attacks

DoS attacks are a simple and not particularly eloquent attacks, but they can be effective. IDSs often have centralized logging. Simply flooding an IDS with suspicious-looking packets can cause the device to at least fill up its log and no longer be able to log packets. In some cases, it could even cause the IDS to freeze or lock up.

Session Splicing

Session splicing is a common IDS/IPS avoidance technique. The attack is split into many different packets such that no single packet triggers the IDS. To make this type of attack more effective, the hacker can delay the attack packets by interspersing non-attack packets. This technique can enable the attacker to avoid triggering an advanced IDS/IPS that attempts to reassemble strings of packets to analyze them. You can see this in Figure 7.4.

Figure 7.4 Session Splicing

Fragment Attacks

A fragmented attack involves sending fragmented packets. Normally an IDS/IPS has a timeout on reassembling fragments. Often that timeout is about 10 seconds. An attacker might send fragments every 15 seconds in order to get the IDS/IPS to drop the fragment, believing things have timed out, but have the fragment still reach the target and be reassembled. You can see this type of attack in Figure 7.5.

Figure 7.5 Fragment Attack

Overlapping fragments are related to fragment attacks. The attacker generates a series of small fragments, but the fragments have overlapping TCP sequence numbers. Perhaps the first fragment is 90 bytes with sequence number 1, and the second fragment has an overlapping sequence number and 80 bytes. When the target reassembles the fragments, the overlapping TCP sequence numbers could be an issue.

As you can probably surmise, there are quite a few packet fragment tools. These are some examples:

• NetScanTools Pro: https://www.netscantools.com

• Colasoft Packet Builder: https://www.colasoft.com/packet_builder/

• WAN Killer: https://www.solarwinds.com/engineers-toolset/use-cases/traffic-generator-wan-killer

Time to Live Attacks

As you know, network packets have a TTL value, which indicates how many hops the packet should go through in trying to reach the destination before giving up. The default TTL value is often 30 but depends on operating system. An attacker who has some knowledge of the target topology can use the TTL value to their advantage. An example might help illustrate this. Say that an attacker breaks a malicious payload into four fragments. Fragment 1 is sent with a high TTL value, and Fragment 2 is sent with a low TTL value. The IDS receives both fragments, but due to the low TTL on Fragment 2, the target machine may not receive the second packet. Then the attacker sends the third fragment, with a high TTL value. The IDS reassembles these fragments into a single packet, and it appears meaningless to the IDS.

Invalid RST Packet Attacks

The RST flag is used to close or reset a connection. TCP packets use a 16-bit checksum for error checking of both the header and the data. In an invalid RST packet attack, an RST packet is sent to the IDS with an invalid checksum. The target system sees the invalid checksum and drops the packet. However, given that an RST packet indicates a closing session, many IDSs/IPSs stop processing that stream, thinking the TCP communication session has ended. However, targets continue to be sent to the target. This is shown in Figure 7.6.

Figure 7.6 RST Attack

Urgency Flag

Any of the flags in a packet header are potentially exploitable. So, it should be no surprise that the URG (urgency) flag is used in attacks. The urgency flag is used to denote a packet that requires urgent processing at the receiving end. If the URG flag is set for a packet, then the urgent pointer field is set to a 16-bit offset value that points to the last byte of urgent data in the segment. This can be used to the attacker's benefits because some IDSs/IPSs don’t consider the urgent pointer and essentially ignore it. An attacker sends various packets, some of which have the urgency flag set. According to RFC 1122, when a TCP segment consists of an urgency pointer, one page of data after the urgent data will be lost. The urgency flag allows the attacker to hide small portions of the packet.

Polymorphism

Polymorphism was mentioned previously, in passing, as one method for circumventing IDSs/IPSs as well as antivirus software. There are many ways to carry out polymorphism, but one specific example is often on the CEH exam: polymorphic shell code. This type of attack essentially encodes the payload with a shell. That shell can be rewritten as often as needed. This means the signature of the malware is constantly changing and hard to detect. One variation of this is the ASCII shell code. An attacker basically wraps the attack in ASCII shell code to make it hard to detect by IDSs/IPSs.

Desynchronization

A desynchronization attack is an interesting attack that is based primarily on how connections are created. The attack begins by sending a SYN (synchronize) packet with an invalid checksum. If the real SYN packet is received after the TCP control block is opened, the IDS may reset the sequence number to match the new SYN packet. Essentially, this attack desynchronizes the traffic to keep the IDS from monitoring the stream. This particular method is pre-connection desynchronization.

There is also post-connection desynchronization. In this case, a post-connection SYN packet is sent with a divergent sequence number. Since there is already a connection, the target host will ignore this SYN packet. The idea is to get the IDS to resynchronize on the fake SYN packet, thus ignoring the actual stream.

Evasion Countermeasures

Remember that, as an ethical hacker, your goal is to improve an organization's security posture. So how might you counter the IDS/IPS evasion techniques described in this chapter? Well, a number of methods can help mitigate these techniques. No single technique will be able to block all or even most IDS/IPS evasion techniques, but by using multiple techniques, you can prevent many of them. These techniques include:

• Look for a nop opcode other than 0x90 to defend against the polymorphic shellcode problem.

• Perform an in-depth analysis of ambiguous network traffic for all possible threats.

• Harden the security of all communication devices, such as modems, routers, switches, etc.

• Ensure that IDSs normalize fragmented packets and allow those packets to be reassembled in the proper order.

• Regularly update the antivirus signature database.

• Block incoming ICMP packets.

• Limit tunneling techniques.

Firewall Evasion Techniques