IDS, Firewalls & Honeypots (Whiteboard)

This whiteboard lecture module in our Penetration Testing and Ethical Hacking series explores intrusion detection systems (IDS), firewalls and honeypots. The IDS, Firewall and Honeypot module will teach you about countermeasures and the importance of using "go to" tools such as Snort for authoring and managing your own intrusion detection rules, and SPECTER for mastering how honeypots work so you can combat them.

This has got to be one of my favorite sections. This is evading firewalls, intrusion detection systems and honeypots. One of the reasons why it is one of my favorite sections is because all of the things the security administrator does and works so hard for, I get to show you how we get around their efforts. In that case it is a very pleasing module. So let us take a closer look. The basic concepts here, when it comes to firewalls and intrusion detection, honeypots and things like that, is knowing the classic places where they are going to place them. It is very, very simple from a security point of view. You are going to place them anywhere you want to detect stuff: on the front side of the firewalls, on the back side of the firewalls, in front of servers, in front of the DMZ, in front of different network segments. So that is pretty predictable in itself, so you almost expect that as a pen tester when you are going into it. Okay, not much really there to hide. Also HIDS and HIPS, NIDS and NIPS: host intrusion detection, host intrusion prevention, and network detection and prevention. It is relatively pretty simple. First we could look at this from the network base. We actually have got to get to the targets, and then once we get to the target, depending on what that target is, do they have some sort of additional host intrusion detection or prevention software? So once you know that piece of it defensively,
then offensively you can just predict it altogether. Then we have got the concept of port scans. From a pen tester's point of view we are obviously looking for hosts and ports and services to see what is available. Also we want to find out what firewall rules are in place, and that is called firewalking. Having a defensive background in computer security for several years, I can assure you that people add tons and tons of firewall rules to their firewalls, but very rarely do they review them to see what has been hit. I would ask you, when is the last time you reviewed all your firewall rules to see that 80% of your rules aren't even getting hit? When are you pushing that through change control to get those rules removed? Because you have got old permit rules in your firewall, and I can firewalk and find out what they are. I can effectively find a back door to your network. Next let us go on to some intrusion detection and prevention style categories. We have a little mnemonic here; it is called "I passed the kilobytes." Now this is a really cool test taking technique because it categorizes these three major types. So let us talk about them. Integrity is the first concept, and it really stands on its own feet. Programs like Tripwire fit in this category, and they use basically a database of SIVs, or security integrity verifiers, to detect all of the files in the system that have integrity, and if something changes, the hash changes and therefore you get alerted. So integrity based systems have been around for a while, but they are very rarely implemented because they are not the most popular ones. But Tripwire definitely paved the path with this technology and is still one of the greatest players. The next category is signature and knowledge based systems. We call these rule based systems; this is where someone has to have the knowledge to actually write a signature. So the good part about this is, if the defensive person does not have the knowledge to write this signature,
then there is no rule set and there is no update to detect the malicious traffic. This second type is definitely the easiest type of intrusion detection system to defeat, because if there is no knowledge of the exploit, there is no detection. The third category would be profile, statistical, behavior. Now these are realistically different words for the same thing; different engines have been pioneered over the years. Some people call this profile analysis, some people call it anomaly analysis, some people call it behavior analysis or whatever. It is realistically the same thing. This is typically host intrusion detection systems as well, or prevention systems. This is where you put your computer in learning mode. It learns what good behavior is, and then once it knows what good behavior is, you put it in detecting mode, and anything that it doesn't recognize as good, you get an alert on it. So this does respond very, very well to false positives or things that you don't have the knowledge to write the rule for. So that is your third category of systems. This is a great test taking technique as well, because a lot of these style test questions are like: three of the answers are profile and statistical, and maybe one of the other answers is knowledge or signature. Test questions are often written like "which one of these is not like the other." Next let us go into firewall architecture. It is very, very helpful to know the most common types of firewall architecture there. So the first thing is a bastion host or a hardened host, and this typically sits inside the demilitarized zone. It is a host that specifically has a reduced attack surface area and is often a relay or jump point. So if it is done properly, nobody will be able to exploit that and use it as a pivot or a relay point.
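The three categories above (integrity, signature/knowledge, and profile/statistical/behavior) are easier to keep apart once you have seen each one as a few lines of code. The following is an added example written for this page, not course material or Tripwire or Snort code: the in-memory "files", the two rules and the request sizes are all constructed so it runs offline, and the z-score threshold is an arbitrary choice.

```python
"""Toy versions of the lecture's three IDS categories. Added example,
not course material: the file contents, rules and request sizes are
constructed in memory so it runs offline."""
import hashlib
import statistics

# --- 1. Integrity based (Tripwire style) --------------------------------
# A constructed in-memory "filesystem": path -> file bytes. A real
# integrity verifier hashes files on disk; the comparison is the same.
def build_baseline(files):
    """Trusted database: one SHA-256 per file, taken on a known-good host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_integrity(baseline, files):
    """Report files whose hash changed, that appeared, or that vanished."""
    findings = []
    for path in sorted(set(baseline) | set(files)):
        if path not in files:
            findings.append(("deleted", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif hashlib.sha256(files[path]).hexdigest() != baseline[path]:
            findings.append(("modified", path))
    return findings

# --- 2. Signature / knowledge based --------------------------------------
# Someone had to know the pattern to write each rule; an exploit nobody
# has written a rule for matches nothing, which is the weakness the
# lecture points out.
SIGNATURES = [
    ("directory-traversal", b"../"),
    ("shell-spawn", b"/bin/sh"),
]

def signature_alerts(payload, rules=SIGNATURES):
    return [name for name, pattern in rules if pattern in payload]

# --- 3. Profile / statistical / behavior based ---------------------------
class AnomalyProfile:
    """Learning mode collects a numeric feature (request size here);
    detecting mode alerts on values far from the learned mean."""
    def __init__(self, z_threshold=3.0):
        self.samples = []
        self.mean = self.stdev = None
        self.z_threshold = z_threshold

    def learn(self, value):
        self.samples.append(value)

    def finish_learning(self):
        self.mean = statistics.mean(self.samples)
        # population stdev; fall back to 1.0 so a constant baseline cannot divide by zero
        self.stdev = statistics.pstdev(self.samples) or 1.0

    def is_anomalous(self, value):
        if self.mean is None:
            raise RuntimeError("still in learning mode")
        return abs(value - self.mean) / self.stdev > self.z_threshold

def demo():
    """Run all three detectors on constructed data and return the alerts."""
    good = {"/bin/ls": b"ELF-ls-v1", "/etc/passwd": b"root:x:0:0:"}
    tampered = {"/bin/ls": b"ELF-ls-trojan", "/etc/passwd": b"root:x:0:0:",
                "/tmp/dropper": b"payload"}
    baseline = build_baseline(good)

    profile = AnomalyProfile()
    for size in (200, 210, 190, 205, 195, 200, 198, 202):  # constructed normal traffic
        profile.learn(size)
    profile.finish_learning()

    return {
        "integrity": check_integrity(baseline, tampered),
        "signature_known": signature_alerts(b"GET /../../etc/passwd HTTP/1.0"),
        "signature_unknown": signature_alerts(b"GET /cgi-bin/never-seen-before"),
        "anomaly_normal": profile.is_anomalous(203),
        "anomaly_oversized": profile.is_anomalous(4000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note what each detector misses: the integrity check says nothing about network traffic, the signature list returns nothing for the request it has no rule for, and the profile only flags the oversized request because its size is far outside what was learned, which is exactly the "things you don't have the knowledge to write a rule for" case the lecture describes.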
The next concept would be a screened subnet, and this is realistically close to the DMZ architecture, but it is a firewall or a multi-homed firewall which basically has another subnet off to the side, and that separate subnet would be used to house some sort of architecture like a web server or database or a proxy server or something like that, a RADIUS client. Next is multi-homed; that simply means a custom built machine with multiple network adapter cards. That is easy. Then it is your classic DMZ, and it is easy to think about that because you have your private network on the inside and you have your public network on the outside, and in between is where you host all of your security devices. So it is kind of like an overlapping security, because you don't want the people from the outside to get too far into the internal network, and you also want to control the internal network, and so I think of this as overlapping boundaries, so to speak. But this is definitely the most classic architecture, at least in the corporate world. Next would be packet filtering devices, which are really not intelligent at all; they simply make very simple decisions on ports and protocols, source and destination ports and protocols. Then I would go into circuit gateways. These aren't that intelligent because they don't look at application layer data. They look at everything as a session or a circuit, so you don't get any application specifics on these types of devices. You do want to go after the application, because the circuit gateway is not going to really detect anything specific inside the application, where the countermeasure to that would be to use application gateways or proxy servers. This is where we get the concept of deep packet inspection. Any time you are in deep packet inspection you can completely tear apart the packet, analyze it for malicious behavior, package it back up, and then of course alert or whatever you are doing with the proxy server.
I would consider that in that category. And then stateful packet inspection: this is very similar to packet filtering, but in addition to just filtering source and destination IPs and ports, it also keeps track of the TCP state of the conversation. Therefore if something goes wrong, it can reset the connection, shun the host, send it to antivirus, quarantine it, or lock it up with network access control or something like that. Next let us go into the different types of attacks between firewalls and intrusion detection systems. Some of these are evasion oriented techniques. You really have got to watch out for intrusion detection networks, because they typically use a central logging server, and if that server is on the public network, well then it is subject to a denial of service attack. If I can deny service to it, I can effectively shut off logging. The next concept would be obfuscation, and this is where we try to hide what we are doing by using a different character set or a different encoding scheme like ASCII or UTF or some other encoding scheme, because if you are looking for just ASCII code and I send it in another character language, well then you are not going to have the knowledge to detect that specific code. So you hide it by obfuscating. One small thing to remember about obfuscation is it is not some symmetric encryption. Just because you can't see it or you can't read it does not mean that it is encrypted. Remember, with encryption we change plain text into cipher text. Another thing you can do from an attacking point of view is to just create a whole bunch of false positives, and hopefully the intrusion detection analyst will tune out that alert; therefore once they tune it out, we are no longer being looked at and you can do what you want. Session splicing: when you go through a network, you have to go through a detection system.
If you can splice different channels, I don't want to say frequencies, but different channels of information, then what happens is you can put together the combination in the two separate channels, and therefore it fools the intrusion detection system. Unicode evasion is another great technique. Fragmentation: you will see this also on firewall attacks. This is another great technique, and there are plenty of tools that we can use that we will look at in the Kali operating system. Manipulating time to live works great on firewalls as well. Also urgent flags: this is good because it basically tells your destination system, "Hey, I have got really, really important stuff, please send me to your application," and sometimes urgent traffic isn't processed by a host based system. Therefore you can go right up to the application and exploit the system, and the HIDS doesn't pay attention. Well, polymorphic shellcode: poly meaning many, morphic meaning changes, so this is shellcode that changes its signature all the time to avoid detection, and there are a couple of really, really good algorithms that we will talk about when we talk about Metasploit. Also encryption: intrusion detection systems can't read encrypted stuff because they don't have a copy of the symmetric encryption key. So therefore, by default, at least generically stated, they don't typically read encrypted data. Or simply flooding the actual IDS itself or the central logging server. So let us move on to firewall attacks. Well, the most obvious one here is going to be spoofing your IP address. If I know what you are filtering in terms of source addresses, all I have to do is get on the permit side of that rule, and therefore if I spoof my source address, boom, I can get right to the firewall. Source routing is a kind of outdated technique, and you will find very few circumstances where this actually does work, because source routing has been disabled for quite some time now. But if you can choose the route from the actual source itself,
you could bypass a firewall or IDS. Fragments as well over here, just like we talked about with the intrusion detection. Instead of going through a URL and using a fully qualified domain name, take out the domain piece and put in an IP address. That sometimes can fool firewalls. Plus you have plenty, plenty of anonymizer style websites that attempt to hide the true source of the traffic, which is basically another way of saying proxying. Then you have all of these different tunneling concepts. This is definitely advanced penetration testing, because I know tons of penetration testers, but not all of them can do the tunneling exploits. So this is where we do things like hiding the traffic in legitimate ICMP traffic or legitimate acknowledgement traffic or legitimate HTTP traffic. So therefore if HTTP is allowed, then our traffic which is exploiting in the process also goes right through. And then of course the classic man in the middle attack. So then we could switch gears to honeypots. This is another subject matter that not a lot of security professionals have experience with. It definitely sets apart your expertise: low interaction or high interaction honeypots. Low interaction, there is not much you can do with them; they are just for basic profiling purposes, whereas high interaction honeypots specifically allow full exploitation of those systems. Something like Symantec Decoy Server is a great example of high interaction, where something like SPECTER is basic low interaction. Also, to become an expert here, you absolutely without a doubt must understand how to use Snort: 1. as a packet sniffer, 2. as an intrusion detection device or rule set, and then writing your IDS rules. Absolutely critical if you really claim to be a security engineer or analyst or any sort of pen tester. You have to know Snort; if you don't, you are not in my top 5 people I would call to exploit stuff. And then of course SPECTER is a great honeypot for you to learn and profile and get the basics of honeypots.
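The "legitimate acknowledgement traffic" tunnel above and the stateful packet inspection described earlier are two sides of one design point: a stateless filter that permits any inbound packet with the ACK flag set is trusting the flag, while a stateful filter only trusts a connection it saw start. The block below is an added example written for this page, not lecture code or any firewall's implementation; the 10.0.0.0/24 inside network, the documentation-range outside addresses and the packet list are all assumptions constructed for the demonstration.

```python
"""Stateless 'established' filtering versus stateful connection
tracking, on constructed packets. Added example, not lecture code; the
10.0.0.0/24 inside network and the example-range outside addresses
are assumptions."""
from dataclasses import dataclass

def is_internal(ip):
    return ip.startswith("10.0.0.")   # assumed inside network for the example

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN"})

def stateless_filter(pkt):
    """Classic packet filter rule: permit anything outbound, and permit
    inbound only if ACK is set, on the assumption that ACK means 'reply
    to something we started'. The filter never checks that assumption."""
    if is_internal(pkt.src):
        return "permit"
    return "permit" if "ACK" in pkt.flags else "deny"

class StatefulFilter:
    """Permit inbound packets only for connections first seen leaving
    the inside; an unsolicited ACK is just another unsolicited packet."""
    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt):
        if is_internal(pkt.src):
            if pkt.flags == frozenset({"SYN"}):           # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "deny"
        if "RST" in pkt.flags:                            # tear the entry down
            self.table.discard(key)
        return "permit"

def run(decide, packets):
    return [decide(p) for p in packets]

# Constructed traffic: one real outbound web connection and its reply,
# then an unsolicited inbound packet with only ACK set, then an inbound SYN.
TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.7", 40000, 80, frozenset({"SYN"})),
    Packet("203.0.113.7", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.9", "10.0.0.5", 1234, 445, frozenset({"ACK"})),
    Packet("198.51.100.9", "10.0.0.5", 1234, 445, frozenset({"SYN"})),
]

if __name__ == "__main__":
    print("stateless:", run(stateless_filter, TRAFFIC))
    print("stateful: ", run(StatefulFilter().decide, TRAFFIC))
```

The third packet is the one to watch: the stateless filter permits it because ACK is set, the stateful filter denies it because no inside host ever opened that conversation. Real connection tracking also has to age entries out and handle the FIN handshake, which this toy skips.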
You can do these in virtual machines; great experience. So this is some of the background basics on exploiting systems and evading systems and evading firewalls and IDS. But if you were going to try to stop me doing this, how would you do it? Well, first piece: shut down your ports. Simply stated, limit the attack surface area. The more information you give me, the more I am going to have my way with your systems. It is just that simple. So you should harden your systems; reduce that attack surface area. Concentrate on not disclosing anything to me, not allowing me to change anything, not allowing me to manipulate access control or anything like that. Therefore it limits what I actually can do to your network. I have seen the largest networks compromised. People walk right through them like they own the place, and we are talking very, very large, well-funded networks, walked in and exploited in hours. Use defense in depth, layers of defense. Every time you put a layer of defense in there, I have to go defeat that layer: 1. I have to identify the layer, 2. I have to dissect it and figure out how to defeat it, and then I ultimately try a variety of techniques to defeat it. So the more layers, the more defense you have, and the more defense you have, the better off you are. Also TCP reset: learn to quarantine traffic. If you can quarantine a handful of traffic and put it in basically a sandbox of some sort, well then all of a sudden I find myself in the time out box, and that of course limits what I can do as a pen tester. Also learn to detect buffer overflows or polymorphic shellcode or what we call classic 0x90 ASCII shellcode. Learn to detect that stuff. Analyze your networks, profile them, and basically build your own profile of what good behavior is versus bad behavior. Make sure that you are absolutely up to date on the latest and greatest patches as quickly as possible, because if it takes you six months to go through the patch management process, well, that is a six month head start.
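Two of the defensive points above, learning to write Snort rules and learning to detect the classic 0x90 shellcode, fit in one small piece of code. The block below is an added example for this page, not Snort itself and not course code: it reads only the subset of Snort rule syntax the lecture asks you to know (the header, `msg`, `content` with `|hex|` sections, `sid`, `rev`) and ignores all of Snort's content modifiers, and it adds a separate run-length check for long 0x90 sequences. The rule uses a sid in the local range and the two payloads are constructed; the "suspicious" one is just padding followed by NOP bytes, not a real exploit.

```python
"""A reader for the subset of Snort rule syntax the lecture asks you to
learn (header, msg, content with |hex| sections, sid, rev), plus a
separate 0x90 run-length check. Added example, not Snort itself and
not course code: it implements only the content option, none of
Snort's modifiers. The rule and payloads are constructed."""
import re

# Constructed rule in the local sid range (1000000 and up).
NOP_SLED_RULE = ('alert tcp any any -> $HOME_NET any '
                 '(msg:"Possible NOP sled"; content:"|90 90 90 90 90 90 90 90|"; '
                 'sid:1000001; rev:1;)')

# Constructed payloads: 20 NOP bytes after padding, and a plain HTTP request.
SAMPLE_SUSPICIOUS = b"A" * 10 + b"\x90" * 20 + b"\x41\x42\x43"
SAMPLE_BENIGN = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"

# name, optional ':' value (quoted, or anything up to ';'), then ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_content(value):
    """Snort content strings mix literal text with |hex bytes| runs."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return bytes(out)

def parse_rule(rule):
    """Split the header into its seven fields and the body into options."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "contents": []}
    for name, val in OPTION_RE.findall(body.rstrip(")")):
        if val.startswith('"'):
            val = val[1:-1]
        if name == "content":
            parsed["contents"].append(parse_content(val))
        else:
            parsed[name] = val
    return parsed

def rule_matches(rule, dport, payload):
    """Port check plus every content pattern present, in any order."""
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    return all(c in payload for c in rule["contents"])

def longest_run(payload, byte=0x90):
    """Longest run of one byte value; long 0x90 runs are the classic sled."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

if __name__ == "__main__":
    rule = parse_rule(NOP_SLED_RULE)
    for name, payload in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, rule["msg"] if rule_matches(rule, 80, payload) else "no alert",
              "| longest 0x90 run:", longest_run(payload))
```

The fixed `content` rule is the signature side of the lecture's taxonomy: it fires on the sled because eight consecutive 0x90 bytes is a pattern someone knew to write down, and it would miss polymorphic shellcode that uses a different filler, which is where the run-length or profile checks have to take over. Keep the threshold for `longest_run` in mind when you tune it; short 0x90 runs appear in ordinary binary content.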
That is six months I have to break into your network. And lastly, hire me. Now, this wasn't necessarily me specifically, but hire a penetration tester to come in and evaluate your networks and your systems, your hosts, your applications, either from a white hat, grey hat or black hat point of view, and learn to work with people like us. Because we are whiz kids that learn how to do all of this stuff to break into your network in advance, on your terms, and then explain to you how we did it and also explain to you how you could have stopped us. So hiring someone like ourselves is a great countermeasure. A lot of people, it is out of sight, out of mind. We call this the ostrich technique, where you are literally sticking your head in the sand. Stop it; learn to get expert opinions and advice and work with us. We will be happy to work with you, because I don't know too many pen testers that are pretty silent. Most of us, we love to talk, if you haven't figured that out already. So we would be happy to tell you all the things about your network that you didn't already know. So let us go ahead and take a look at some hands on examples.