APPLICATIONS OF FIREWALL & FIREWALL EVASION TOOLS

APPLICATIONS OF FIREWALL

There are three applications of a firewall:

NAT-

There are many ways to implement a firewall, but the most popular for both hardware and software routers is Network Address Translation or NAT. Most inexpensive routers use NAT as the means to share one IP address among many computers. NAT also provides a natural firewall that will protect the computers behind it from access by unauthorized users. How? The following excerpt from the Vicomsoft page linked above explains:

NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, and NAT will not allow that. While looking at sharing product information, you might come across the term “stateful inspection” (sometimes abbreviated as “SPI”).

This “stateful inspection” is a good thing and is what prevents unrequested data from coming into your LAN from the Internet (unless you configure the router to allow the data to come in). NAT’s basic capability actually provides a good amount of protection! All properly configured NAT-based routers protect against the following types of attacks:

  • Port Scans
  • WinNuke (and other Port 139-based attacks)
  • Smurf (protection against LAN Clients being used as part of the “Amplifier network”)
  • Connection or service requests that did not originate from the LAN side of the firewall.

All NAT firewalls perform a simple form of “stateful inspection” of the packets that flow through them.
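The behaviour described above (an inside client's connection creates state, a reply that matches that state is delivered, and anything else from the outside is dropped unless the administrator explicitly maps a port) can be made concrete with a small connection-tracking simulation. This is an added example written for this page, not the Vicomsoft text's code or any router's firmware; the router address 203.0.113.5, the LAN 192.168.1.0/24 and the outside hosts are constructed documentation-range values.

```python
"""Toy NAT router with a connection-tracking table.  Added example, not
from the page; addresses are constructed documentation ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # constructed WAN address of the router
LAN_PREFIX = "192.168.1."   # constructed private LAN behind it


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (inside_ip, inside_port, outside_ip, outside_port) -> translated source port
    outbound: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (translated_port, outside_ip, outside_port) -> (inside_ip, inside_port)
    inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # port forwards the administrator configured on purpose: public port -> LAN target
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)

    @staticmethod
    def is_lan(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet crossing the router; return None if it is dropped."""
        if self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip):
            return self._outbound(pkt)
        if pkt.dst_ip == self.public_ip:
            return self._inbound(pkt)
        self.dropped.append(f"{pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port} (no route)")
        return None

    def _outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:          # first packet of a new flow: create state
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.inbound:               # reply to a flow the inside originated
            inside_ip, inside_port = self.inbound[key]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_port in self.forwards:     # administrator opened this port explicitly
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        self.dropped.append(f"unsolicited {pkt.src_ip}:{pkt.src_port}->:{pkt.dst_port}")
        return None


def demo() -> dict:
    r = NatRouter()
    # an inside client opens an FTP control connection to an outside server
    out = r.handle(Packet("192.168.1.10", 51000, "198.51.100.7", 21))
    # the server's reply matches the state entry and is delivered to the client
    reply = r.handle(Packet("198.51.100.7", 21, PUBLIC_IP, out.src_port))
    # an outside client trying to reach an inside FTP server has no state entry
    unsolicited = r.handle(Packet("198.51.100.99", 40001, PUBLIC_IP, 21))
    # a port scan of the public address: every probe is dropped
    probes = [r.handle(Packet("198.51.100.99", 55555, PUBLIC_IP, p)) for p in range(1, 1025)]
    # only an explicit forward (port mapping) lets outside-originated traffic in
    r.forwards[80] = ("192.168.1.20", 80)
    forwarded = r.handle(Packet("198.51.100.99", 40002, PUBLIC_IP, 80))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "scan_dropped": sum(p is None for p in probes), "forwarded": forwarded}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two steps of `demo()` are the point of the warning later in this section: the moment a port is forwarded, the NAT table no longer protects the host behind it, which is why that host needs its own host-based firewall.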

“SPI”-based routers implement some form of advanced “stateful inspection” in their firewall. There are many methods used, but in general this means that the router takes a closer look at the contents of the data packet before deciding whether to pass or block it. For example, Sonic Systems’ Sonicwall series of routers can provide additional protection such as:

  • blocking Java, ActiveX, and Cookie portions of downloaded web pages
  • blocking access to WAN Proxy servers
  • blocking “IP Spoofing” attacks
  • blocking malformed IP packet attacks such as “Ping of Death”, and variants such as “Teardrop”, “Bonk”, and “Nestea”
  • blocking SYN flood and LAND attacks

A NAT firewall does not protect you against viruses, worms, Trojans and other Internet-borne nasties. No matter how you protect the Internet/LAN border, you may need to add another layer of security by using a software personal firewall. These programs must be run on each computer on your LAN that you want to be protected. They monitor network activity and protect against unauthorized use of the Internet by programs that manage to get onto your LAN’s computers. You should consider adding this additional layer of security if:

  • You are opening/forwarding/mapping ports to any LAN computers
  • You have a computer running in DMZ (outside your NAT firewall)
  • You have been a victim of an email attachment virus attack, e.g. “I Love You”, Kournikova, etc.

LOGGING-

Significant events on firewalls fall into three broad categories: critical system issues (hardware failures and the like), significant authorized administrative events (ruleset changes, administrator account changes), and network connection logs. In particular, we’re interested in capturing the following events:

  • Host operating system log messages — for the purposes of this document, we’ll capture this data at the minimum severity (maximum verbosity) required to record system reboots, which will record other time-critical OS issues, too.
  • Changes to network interfaces — need to test whether or not the default OS logging captures this information, or if the firewall software records it somewhere (any invocation of UNIX ifconfig or the equivalent?)
  • changes to firewall policy
  • adds/deletes/changes of administrative accounts
  • system compromises
  • network connection logs, which include dropped and rejected connections, time/protocol/IP addresses/usernames for allowed connections, and perhaps the amount of data transferred.

The observant firewall administrator will notice that this list contains more than just network connection information. Most firewall logging tools focus on network connection records because protecting network connections is the most obvious task performed by the firewall, and because they’re typically in a predictable format. At least, logging formats are relatively stable on any given platform, operating system and firewall application. When most system administrators think about firewall logs, they think about network connection logs. Because firewalls are gateways between networks of varying trust levels, they provide an obvious place to record information about network traffic. Once a firewall is installed and configured with the appropriate rule set, dropped connection logs require some additional processing to derive a useful summary of activity on your network. Extracting information like numbers of port scans, or top ten sources of dropped packets usually requires writing a script, although more firewall developers are including those sorts of summary reports in their default installations.
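The “additional processing” and the “script” mentioned above look roughly like the following. This is an added example, not code from the page or from any firewall vendor: it parses connection records written in the style of the netfilter/iptables LOG target (with an assumed `--log-prefix` of `FW-DROP:` / `FW-ACCEPT:`), produces the top-N sources of dropped packets, summarises allowed connections by service, and flags a source as a port scan when it is dropped on at least ten distinct destination ports within sixty seconds. The log lines, addresses and thresholds are all constructed for the example.

```python
"""Summarise firewall connection logs: top sources of dropped packets and
port-scan candidates.  Added example, not from the page; the sample lines
are constructed in the style of the netfilter/iptables LOG target with an
assumed --log-prefix of "FW-DROP:" / "FW-ACCEPT:"."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the syslog timestamp, the log prefix (our action), and the packet fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>FW-[A-Z]+): "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def _line(ts, action, src, dst, proto, spt=None, dpt=None):
    """Build one constructed log line (helper for the sample data only)."""
    ports = f" SPT={spt} DPT={dpt}" if dpt is not None else ""
    return f"{ts} fw kernel: {action}: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto}{ports}"


# Constructed sample log (syslog-style timestamps carry no year).
SAMPLE_LOG = [
    _line("Mar  3 10:00:01", "FW-ACCEPT", "192.168.1.10", "198.51.100.7", "TCP", 51000, 443),
    _line("Mar  3 10:00:05", "FW-DROP", "198.51.100.23", "203.0.113.5", "TCP", 40211, 22),
    _line("Mar  3 10:01:12", "FW-DROP", "198.51.100.23", "203.0.113.5", "TCP", 40212, 22),
    _line("Mar  3 10:02:40", "FW-DROP", "192.0.2.44", "203.0.113.5", "ICMP"),
    _line("Mar  3 10:03:09", "FW-DROP", "198.51.100.23", "203.0.113.5", "TCP", 40213, 22),
    _line("Mar  3 10:04:00", "FW-DROP", "192.0.2.9", "203.0.113.5", "TCP", 3300, 3389),
] + [  # one source probing twelve ports in eleven seconds
    _line(f"Mar  3 10:05:{i:02d}", "FW-DROP", "198.51.100.77", "203.0.113.5", "TCP", 55000 + i, port)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
]


def parse_log(lines, year=2024):
    """Turn raw lines into event dicts; lines that are not firewall records are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"],
            "spt": int(m["spt"]) if m["spt"] else None,
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return events


def top_dropped_sources(events, n=10):
    """Top-N source addresses by number of dropped packets."""
    return Counter(e["src"] for e in events if e["action"] == "FW-DROP").most_common(n)


def detect_port_scans(events, threshold=10, window=timedelta(seconds=60)):
    """Sources dropped on >= threshold distinct destination ports inside one window.

    Returns {src: max distinct ports seen in any window}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "FW-DROP" and e["dpt"] is not None:
            by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, ports_in_window = 0, Counter()
        for e in evs:                                   # sliding window over time
            ports_in_window[e["dpt"]] += 1
            while e["ts"] - evs[start]["ts"] > window:  # expire events older than the window
                old = evs[start]["dpt"]
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                start += 1
            if len(ports_in_window) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(ports_in_window))
    return scanners


def summarize(lines, n=10):
    """The summary a firewall administrator wants from raw connection logs."""
    events = parse_log(lines)
    accepted = Counter((e["proto"], e["dpt"]) for e in events if e["action"] == "FW-ACCEPT")
    return {
        "top_dropped_sources": top_dropped_sources(events, n),
        "port_scans": detect_port_scans(events),
        "accepted_by_service": accepted,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The sliding window matters: a host that is dropped on the same port three times over several minutes (198.51.100.23 above) is noise or a misconfigured client, while a host that touches a dozen ports in a few seconds is the pattern worth a report line, and counting distinct ports rather than raw drops keeps the two apart.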

INTRUSION DETECTION-

Security management plays an important role in today’s management tasks. Defensive information operations and intrusion detection systems are primarily designed to protect the availability, confidentiality and integrity of critical network information systems. These operations protect computer networks against denial-of-service attacks, unauthorized disclosure of information, and the modification or destruction of data. The automated detection and immediate reporting of these events are required in order to provide a timely response to attacks.

The two main classes of intrusion detection systems (IDS) are those that analyze network traffic and those that analyze operating system audit trails. In all of these approaches, however, the amount of audit data is extensive, thus incurring large processing overheads. A balance therefore exists between the use of resources and the accuracy and timeliness of intrusion detection information. Thus, the authors of this paper believe that the selection and deployment of the IDS represents an increasingly important decision for any organization. Detecting or blocking attacks is not within the responsibilities of a firewall. Basically, firewalls are used to block certain types of traffic to improve security. Therefore, more dynamic defense systems like intrusion detection systems should be deployed to detect attacks that firewalls cannot see. Some reasons for using firewalls with intrusion detection systems are:

  • IDS double-checks mis-configured firewalls;
  • IDS catches the attacks which the firewall allowed to pass through.

The objective of this work is to determine the similarities and differences of these tools and find the cumulative benefit of using them together.

The Intrusion Detection System (IDS) is traditionally deployed to monitor traffic in vital segments of the network, generating alerts when an intrusion is detected. The importance of the IDS has grown significantly as the industry recognizes that 92 percent of attacks in recent years have exploited application vulnerabilities. The traditional stateful inspection firewall, based largely on matching packet header information against Access Control Lists (ACLs), is ineffective at fending off such attacks. A good IDS, on the other hand, can expose these application layer attacks.
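The difference between the two views is easiest to see side by side: an ACL matches on protocol, address and port and therefore allows any request to the web server, while an IDS reads the application data the ACL never looks at. The following added example (not code from the page or from any IDS product) runs constructed HTTP requests through a header-only ACL and then through two constructed content signatures; the web server address 203.0.113.10 and the signatures themselves are assumptions made for the illustration.

```python
"""Header-only ACL beside payload inspection.  Added example, not from the
page; the rules, addresses and requests are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes


WEB = "203.0.113.10"  # constructed address of the protected web server

# Constructed stateful-firewall ACL: (proto, dst_ip, dst_port, action), first match wins.
ACL = [
    ("tcp", WEB, 80, "allow"),
    ("tcp", WEB, 443, "allow"),
    ("any", "any", "any", "deny"),
]

# Constructed content signatures in the spirit of an IDS ruleset.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("WEB-ATTACK directory traversal in request", re.compile(rb"\.\./")),
    ("WEB-ATTACK oversized HTTP header", re.compile(rb"^[A-Za-z-]+: .{1024,}$", re.M)),
]


def acl_decision(pkt: Packet) -> str:
    """The firewall's view: match header fields only, never the payload."""
    for proto, ip, port, action in ACL:
        if proto in ("any", pkt.proto) and ip in ("any", pkt.dst_ip) and port in ("any", pkt.dst_port):
            return action
    return "deny"


def ids_inspect(pkt: Packet) -> List[str]:
    """The IDS's view: look inside the application data and name matching signatures."""
    return [name for name, rx in SIGNATURES if rx.search(pkt.payload)]


def process(packets: List[Packet]):
    """Return (indexes the firewall let through, (index, signature) alerts the IDS raised)."""
    passed, alerts = [], []
    for i, pkt in enumerate(packets):
        if acl_decision(pkt) != "allow":
            continue                      # firewall blocks it; the IDS never sees it
        passed.append(i)
        for name in ids_inspect(pkt):
            alerts.append((i, name))
    return passed, alerts


# Constructed sample traffic: two benign requests, one traversal attempt,
# one connection the ACL blocks, and one request with a 2000-byte header.
SAMPLE_TRAFFIC = [
    Packet("tcp", WEB, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", WEB, 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", WEB, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Packet("tcp", WEB, 80,
           b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: " + b"A" * 2000 + b"\r\n\r\n"),
]


if __name__ == "__main__":
    passed, alerts = process(SAMPLE_TRAFFIC)
    print("firewall passed packets:", passed)
    for index, signature in alerts:
        print(f"IDS alert on packet {index}: {signature}")
```

Packet 2 never reaches the IDS because the ACL already denies port 22, which is the “double-check” relationship described above; packets 1 and 3 are perfectly valid as far as the ACL is concerned (TCP to the web server on port 80) and only the payload inspection distinguishes them from packet 0.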


FIREWALL EVASION TOOLS

As a penetration tester you will come across systems that are behind firewalls which block you from getting the information that you want, so you will need to know how to avoid the firewall rules that are in place and to discover information about a host. This step in a penetration test is called firewall evasion, and tools that follow this approach are known as firewall evasion tools.
Below is a list of some open source firewall evasion tools:

  • Atelier Web Firewall Tester: Atelier Web Firewall Tester is a simple tool for probing Personal Firewall software protection against outbound connection attempts from unauthorized programs. It is intended to help you tweak your existing firewall software for improved protection or make a rational choice of a product among the available alternatives in the marketplace. Atelier Web Firewall Tester offers 6 different tests, each of which establishes an HTTP connection and attempts to download a web page. The test results are based on theoretical threats and will vary based on individual settings and user security preferences.
  • Snare Agent: Snare (sometimes also written as SNARE, an acronym for System iNtrusion Analysis and Reporting Environment) is a group of open-source agents, and a commercial server, used to collect audit log data from a variety of operating systems and applications to facilitate centralized log analysis. Agents are available for Linux, Windows, Solaris, Lotus Notes, Irix, AIX, ISA/IIS, and more. Snare is currently used by hundreds of thousands of individuals and organizations worldwide.
  • AckCmd: AckCmd is a backdoor client/server combination that lets you open a remote Command Prompt to another system (running the server part of AckCmd). It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through a firewall in some cases (static packet filters). More information can be found in the ACK Tunneling Trojans paper. Usage instructions: Download the zip file and extract the client component (ackcmdc.exe) and the server component (ackcmds.dat). Rename the server component from .dat to .exe. The server component has to be executed on the target system. Then run the client component from an ordinary Command Prompt with the target IP supplied as an argument. Now you have a remote Command Prompt. Warning: Running the AckCmd server part will create a backdoor into your computer! You should not use this tool for remote administration since it supports neither authentication nor encryption.
  • Global Pass: Global Pass is a feature-rich application that will allow you to explore the Internet unbothered. It has support for audio and video streaming, and it is optimized for instant messenger clients. It hides your real IP address, making you untraceable, while also encrypting all your connections. The program comes with a simple interface; it is available in multiple languages and does not require installation—just download and run.
  • Your Freedom: The Your Freedom service makes accessible what is inaccessible to you, and it hides your network address from those who don’t need to know. Just download our client application and install or just run it on your PC; it turns your own PC into an uncensored, anonymous web proxy and an uncensored, anonymous SOCKS proxy that your applications can use, and if that’s not enough it can even get you connected to the Internet just as if you were using an unrestricted DSL or cable connection — just like the firewall suddenly went boom! You can even make your PC accessible from the Internet if you like. Nearly all applications work with Your Freedom, and so far no one has managed to block our service completely and permanently without blocking your Internet access entirely.