CEH 12- Evading IDS, Firewalls & Honeypots

What is a Firewall? 

  • A firewall is a software or hardware device. 
  • It secures the internal trusted network from intruders by monitoring and controlling incoming and outgoing network traffic based on predetermined security rules. 
  • A firewall typically establishes a barrier between a trusted internal network (LAN) and an untrusted external network (Internet). 
  • Types of Firewalls: 
  1. Packet filter firewalls 
  2. Circuit-level gateways 
  3. Application-level gateways
  4. Stateful inspection firewalls 

    1. Packet Filter Firewalls: 

    • A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets.
    • It allows packets to pass or halts them based on the source and destination IP addresses, protocols and ports. 
    • The packet filtering firewall examines the header of each packet against a specific set of rules. 

    2. Circuit-level gateways: 

    • Circuit level gateways work at the session layer of the OSI model. 
    • They monitor the TCP handshake to determine whether a requested session is legitimate or not. 
    • Information passed to a remote computer through a circuit level gateway firewall appears to originate at the user's computer. 
    • Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network. 
    • On the other hand, they do not filter individual packets. 

    3. Application-level gateways: 

    • Application-level gateways can filter packets at the application layer of the OSI model. 
    • Application-level gateways examine traffic and filter on application-specific commands, such as HTTP POST and GET. 
    • This works on the application layer of the TCP/IP Model. 

    4. Stateful inspection firewalls: 

    • Stateful inspection firewalls combine the aspects of the other three types of firewalls. 
    • They filter packets at the network layer based on the IP header, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. 
    • Traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules. 
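    The difference between a packet filter (header fields only) and stateful inspection (a connection table that tracks the TCP handshake) is easiest to see in code. The following is an added example, not part of the original notes or any firewall product: the rule set, packet tuples and addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet record; flags holds TCP flags such as "SYN", "SYN,ACK", "ACK".
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=[""])

# (action, source network, destination network, protocol, destination port),
# evaluated top to bottom: first match wins, and the last rule is a default deny.
RULES = [
    ("ALLOW", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443),
    ("ALLOW", "192.168.1.0/24", "0.0.0.0/0", "udp", 53),
    ("DENY",  "0.0.0.0/0",      "0.0.0.0/0", "any", None),
]

def packet_filter(pkt):
    """Stateless packet filter: decides on header fields alone."""
    for action, snet, dnet, proto, dport in RULES:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(snet)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dnet)
                and proto in ("any", pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "DENY"

class StatefulFirewall:
    """Stateful inspection: a connection table lets replies to sessions opened from
    inside pass without a rule, while unsolicited inbound packets are still dropped."""
    def __init__(self):
        self.state = {}   # (src, sport, dst, dport, proto) -> handshake state

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if rev in self.state:                      # reply direction of a known session
            if pkt.flags == "SYN,ACK":
                self.state[rev] = "SYN_RECV"
            return "ALLOW"
        if fwd in self.state:                      # originator direction of a known session
            if pkt.flags == "ACK" and self.state[fwd] == "SYN_RECV":
                self.state[fwd] = "ESTABLISHED"    # three-way handshake completed
            return "ALLOW"
        if pkt.proto == "tcp" and pkt.flags != "SYN":
            return "DENY"                          # only a SYN may open a new TCP session
        verdict = packet_filter(pkt)               # new flow: consult the rule set
        if verdict == "ALLOW":
            self.state[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "NEW"
        return verdict
```

    Note that the stateless packet_filter denies the server's SYN,ACK reply (its source is not in the internal network), while the stateful firewall allows it because the outbound SYN created a table entry.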

    Firewall Products (software and hardware):

    1. Lavasoft Personal Firewall
    2. Windows Firewall
    3. Netfilter/iptables
    4. Norton 360
    5. FortiGate
    6. Clavister
    7. WinGate
    8. Cisco ASA Firepower 

    What is a Honeypot?

    • A honeypot is a computer security mechanism set up to detect or deflect attempts at unauthorized access to information systems. 
    • In other words, it is a simple trap to catch hackers. 
    • In a honeypot, we emulate the required devices in an environment and let attackers come there and try to perform attacks. 
    • Meanwhile, we capture the identity of the attacker, so that we can take action against the attacks. 
    • Honeypots are of two types:
    1. Low Interaction Honeypot
    2. High Interaction Honeypot

    1. Low Interaction Honeypot: 

    • Low interaction honeypots allow only limited interaction for an attacker. 
    • All services offered by a low interaction honeypot are emulated. 
    • Thus, they are not themselves vulnerable and will not be infected by an exploit attempted against the emulated vulnerability.

    2. High Interaction Honeypot: 

    • High interaction honeypots make use of the actual vulnerable service or software. 
    • These are usually complex as they involve real vulnerable operating systems and applications. 
    • In this type of honeypot nothing is emulated; everything is real, which provides a far more detailed picture of how an attack or intrusion progresses or how a particular malware sample executes in real time.
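    A low interaction honeypot, as described above, emulates a service with canned replies and records who tried what. The following is an added example, not code from the original notes: it emulates a minimal FTP-like login prompt that never grants access or executes anything, and logs each attempt with the source address. The banner, port and log format are constructed for illustration.

```python
import json
import socket
from collections import Counter
from datetime import datetime, timezone

# Every reply is canned and no command is executed, so the honeypot itself has
# nothing to exploit (constructed banner and replies, not a real FTP implementation).
BANNER = b"220 ftp.example.internal FTP server ready\r\n"
CANNED = {
    b"USER": b"331 Password required\r\n",
    b"PASS": b"530 Login incorrect\r\n",   # never succeeds, whatever is sent
    b"QUIT": b"221 Goodbye\r\n",
}

def handle_command(peer, line, log):
    """Return the canned reply for one client line and record the attempt in log."""
    verb, _, arg = line.strip().partition(b" ")
    verb = verb.upper()
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0], "src_port": peer[1],      # the attacker's identity
        "cmd": verb.decode(errors="replace"),
        "arg": arg.decode(errors="replace"),        # e.g. the username or password tried
    })
    return CANNED.get(verb, b"500 Unknown command\r\n")

def login_attempts(log):
    """Count password attempts per source address, for reporting or blocking."""
    return dict(Counter(r["src_ip"] for r in log if r["cmd"] == "PASS"))

def serve(host="0.0.0.0", port=2121, log=None):
    """Bind the emulated service and handle one client at a time, printing each record."""
    log = [] if log is None else log
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.sendall(BANNER)
                for line in conn.makefile("rb"):
                    conn.sendall(handle_command(peer, line, log))
                    print(json.dumps(log[-1]))
                    if line.upper().startswith(b"QUIT"):
                        break
```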

    List of honeypots:

    1. Database Honeypots
    2. Anti-honeypots
    3. Service Honeypots
    4. Web honeypots

    What is an Intrusion Detection System (IDS)? 

    • An intrusion detection system (IDS) is a device or software application.
    • It monitors network or computer system operations for malicious activities and policy violations and reports them to a controlling station.
    • Capabilities of IDS:
    1. Monitoring the operation of routers, firewalls, key management servers and files that are needed by other security controls aimed at detecting, preventing or recovering from cyber attacks. 
    2. Including an extensive attack signature database against which information from the system can be matched. 
    3. Recognizing and reporting when the IDS detects that data files have been altered. 
    4. Generating an alarm and notifying the security operations team when there is a security breach.
    • IDS detection methods:
    1. Signature-based
    2. Behaviour-based
    • Types of IDS: 
    1. Network-based Intrusion Detection System
    2. Host-based Intrusion Detection System.

    1. Network-based Intrusion Detection System(NIDS): 

    • NIDS is an IDS which can be configured on a network to monitor intrusions. 
    • This will notify the administrators about any possible signature match of attacks.
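    The two detection methods listed above, signature-based and behaviour-based, can be shown side by side on the same traffic. The following is an added example, not code from the original notes or from any IDS product: the Snort-style signatures, the port-scan threshold and the sample packets are constructed for illustration.

```python
from collections import defaultdict

# Constructed signature database: (sid, protocol, destination port, content, message).
SIGNATURES = [
    (1001, "tcp", 80, b"/etc/passwd", "WEB-ATTACK path traversal attempt"),
    (1002, "tcp", 80, b"' OR 1=1",    "WEB-ATTACK SQL injection attempt"),
]
SCAN_PORTS = 5       # this many distinct destination ports from one source ...
SCAN_WINDOW = 10.0   # ... within this many seconds is treated as a port scan

def signature_alerts(packets):
    """Signature-based: match each packet against the database of known patterns."""
    alerts = []
    for p in packets:
        for sid, proto, port, content, msg in SIGNATURES:
            if p["proto"] == proto and p["dport"] == port and content in p["payload"]:
                alerts.append((sid, p["src"], msg))
    return alerts

def behaviour_alerts(packets):
    """Behaviour-based: flag a source touching many ports quickly; no signature needed."""
    seen = defaultdict(list)   # src -> [(ts, dport), ...]
    alerts, flagged = [], set()
    for p in sorted(packets, key=lambda x: x["ts"]):
        hist = seen[p["src"]]
        hist.append((p["ts"], p["dport"]))
        recent = {port for ts, port in hist if p["ts"] - ts <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and p["src"] not in flagged:
            flagged.add(p["src"])
            alerts.append((0, p["src"], f"SCAN {len(recent)} ports in {SCAN_WINDOW}s"))
    return alerts

# Constructed traffic: one traversal request, one normal request, then a port sweep.
SAMPLE = [
    {"ts": 0.0, "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp",
     "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"},
    {"ts": 1.0, "src": "198.51.100.4", "dst": "10.0.0.5", "proto": "tcp",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
] + [
    {"ts": 2.0 + i, "src": "198.51.100.4", "dst": "10.0.0.5", "proto": "tcp",
     "dport": 20 + i, "payload": b""}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE) + behaviour_alerts(SAMPLE):
        print(alert)
```

    The sweep triggers no signature at all, which is why the notes list both methods: signatures catch known attack content, behaviour rules catch unusual activity patterns.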

    2. Host-based Intrusion Detection System(HIDS): 

    • HIDS are IDS systems configured on standalone machines. 
    • A HIDS only detects intrusions for that particular machine.
    • A HIDS might detect which program accesses which resources and discover malicious attempts.
    • For example, a word processor that has suddenly started modifying the system password database can be considered a malicious attempt on sensitive data stored on the host machine. 

    List of IDS: 

    1. Snort IDS 
    2. Cisco ASA Security Agent
    3. McAfee Security Agent 
    4. Palo Alto
    5. SonicWall 
    6. Juniper 

    What is an Intrusion Prevention System (IPS)?

    • An Intrusion Prevention System (IPS) is a network security/threat prevention technology.
    • It examines network traffic flows to detect and prevent vulnerability exploits. 
    • Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. 
    • Some of the actions performed by an IPS are as follows: 
    1. Sending an alarm to the administrator. 
    2. Dropping the malicious packets. 
    3. Blocking traffic from the source address. 
    4. Resetting the connection.
    • Types of IPS:
    1. Host-based Intrusion Prevention Systems.
    2. Network-based Intrusion Prevention Systems.

    1. Host-based Intrusion Prevention Systems(HIPS): 

    • Host-based Intrusion Prevention Systems are used to protect both servers and workstations through software that runs between your system's applications and OS kernel. 
    • The software is preconfigured to determine the protection rules based on intrusion and attack signatures. 
    • The HIPS catches suspicious activity on the system and then, depending on the predefined rules, either blocks or allows the event. HIPS monitor activities such as application or data requests, network connection attempts, and read or write attempts.

    2. Network-based Intrusion Prevention Systems(NIPS): 

    • Network-based Intrusion Prevention System is a solution for network-based security. 
    • NIPS intercepts all network traffic and monitors it for suspicious activity and events, either blocking the requests or passing them. 
    • One interesting aspect of NIPS is that if the system finds an offending packet, it can rewrite the packet so that the attack attempt will fail.
    • The organization can also mark this event to gather evidence against the intruder, without their knowledge.

    Mitigations: 

    • Perform an in-depth analysis of network traffic to detect all possible threats.
    • Shut down switch ports associated with the known attack hosts.
    • Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.
    • Harden the security of all communication devices such as modems, routers, switches, etc.

    Be Aware, Be Secure.

    Thank You 🙏
