Evading Firewalls and IDPS and Creating ACLs


Introduction

The global network holds a huge volume of information that is used in education, research and everyday information gathering. Access to that information is nevertheless regulated in places, despite the net neutrality principle that users should be able to reach internet services without discrimination. Access to particular sites or services is controlled with a firewall. A firewall protects a network, and that protection necessarily blocks access to some content. Firewall evasion is the use of defined techniques to bypass firewall rules in order to reach content that the firewall would otherwise hide. In penetration testing the tester meets systems installed behind a firewall that blocks access to information about them, and the tester then needs techniques for evading the firewall rules in order to discover information about those hosts.

Alongside the firewall there are intrusion detection and prevention systems (IDPS), whose job is to keep track of the users of the network so that unauthorized and unauthenticated users can be identified before they connect and reach the information. The IDPS must therefore also be evaded to get a full picture of the data. This paper cuts across the Nmap techniques that are applied in evading both the firewall and the IDPS installed in a network to control access to information. Nmap offers several options for firewall evasion (WordPress.com, 2012).

The Nmap techniques for firewall and intrusion detection-prevention system (IDPS) evasion

Fragment packets

At times firewalls are not configured well, and that leaves an opening for fragmented packets. The technique is old and works against networks whose firewalls and IDPS are poorly configured. Nmap fragments the probe packets during the scan when the -f option is given, so that the scan can slip past the firewall's packet inspection: the TCP header is split across IP fragments of 8 bytes each, and a device that inspects only the first fragment never sees the complete header (the TCP flags, for example, are not in the first 8 bytes). This only works against firewalls without a stateful inspection module that reassembles fragments before filtering.

Specify a specific MTU

The maximum transmission unit (MTU) of the probe packets can also be set by the user. Specifying an MTU is closely related to the older packet fragmentation technique: it sets the size of the fragments used during transmission. Nmap creates fragments of the given size, so if the user gives the number 24, Nmap builds 24-byte fragments. An unusual fragment size is meant to confuse the firewall. The number must be a multiple of 8, because the IP fragment-offset field counts in 8-byte units. The MTU is specified with the command nmap --mtu number target.
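The following model shows what the -f and --mtu options described in the two paragraphs above actually do to a TCP SYN probe, and why a filter that only looks at the first fragment loses the TCP flags. It is an added example written for this page, not Nmap's own code; the byte layout follows RFC 791 (fragment offsets in 8-byte units) and RFC 793 (20-byte TCP header with the flags byte at offset 13), and the port numbers are constructed.

```python
"""
Model of how Nmap's -f / --mtu options split the TCP header of a SYN probe
across IP fragments.  Added example, not Nmap's implementation.
"""
import struct
from dataclasses import dataclass

TCP_FLAGS_OFFSET = 13  # byte index of the flags field inside a TCP header (RFC 793)


def build_tcp_syn(src_port: int, dst_port: int, seq: int = 0x1000) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (no options, checksum zeroed)."""
    data_offset = 5 << 4   # 5 x 32-bit words, no options
    flags = 0x02           # SYN
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset, flags, 8192, 0, 0)


@dataclass
class Fragment:
    offset: int            # fragment offset in bytes (a multiple of 8, as on the wire)
    more_fragments: bool   # the IP "MF" flag
    payload: bytes


def fragment(payload: bytes, frag_size: int = 8) -> list:
    """Split an IP payload into fragments of frag_size bytes.

    Nmap -f uses 8-byte fragments; --mtu N uses N bytes.  Like Nmap, we require
    a multiple of 8 because the IP fragment-offset field counts 8-byte units.
    """
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        frags.append(Fragment(off, off + frag_size < len(payload), chunk))
    return frags


def reassemble(frags: list) -> bytes:
    """What a stateful firewall (or the end host) does: order by offset and join."""
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):
            raise ValueError("gap or overlap in fragment set")
        buf += f.payload
    if ordered[-1].more_fragments:
        raise ValueError("last fragment still has MF set")
    return bytes(buf)


def fragment_with_tcp_flags(frags: list) -> int:
    """Index of the fragment carrying the TCP flags byte, i.e. the one a
    stateless 'match on SYN' rule would have to inspect."""
    for i, f in enumerate(frags):
        if f.offset <= TCP_FLAGS_OFFSET < f.offset + len(f.payload):
            return i
    raise ValueError("flags byte not present in any fragment")


def stateless_syn_filter_sees_syn(frags: list) -> bool:
    """A filter that inspects only the first fragment (offset 0) for the SYN bit.
    True when it can see the flag, False when fragmentation hid it."""
    first = next(f for f in frags if f.offset == 0)
    return len(first.payload) > TCP_FLAGS_OFFSET and bool(first.payload[TCP_FLAGS_OFFSET] & 0x02)


if __name__ == "__main__":
    syn = build_tcp_syn(40000, 80)     # constructed probe: sport 40000 -> dport 80
    for size in (8, 16, 24):           # -f, --mtu 16, --mtu 24
        fr = fragment(syn, size)
        print(f"fragment size {size:2d}: {len(fr)} fragments, "
              f"first-fragment filter sees SYN: {stateless_syn_filter_sees_syn(fr)}, "
              f"flags byte is in fragment #{fragment_with_tcp_flags(fr)}")
```

With 8-byte fragments the first fragment holds only the ports and sequence number, so a rule like "drop inbound SYN" cannot match it; with --mtu 16 or larger the flags are back in the first fragment, which is why the size chosen matters as much as the fact of fragmenting. The reassemble function is the counter-measure: a device that reassembles before filtering sees the whole header regardless of fragment size.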

Use Decoy addresses

This technique makes the scan appear to come from other hosts as well. Nmap sends the probes not only from the real IP address but also, with spoofed source addresses, from each decoy, which makes it hard for the target to determine which system the scan was started from. Two forms are available: nmap -D RND:10 target generates ten random decoys, and nmap -D decoy1,decoy2,... target names the decoys manually. The decoys used should be online; the Nmap documentation warns that decoys that are down can cause the target to be accidentally SYN flooded.

Idle Zombie Scan

The idle (zombie) scan lets the user borrow another host that is idle on the network to port scan a target host. The target's firewall log records the zombie's address rather than the scanner's, which makes the technique very stealthy. It works when the user can find a suitable idle host on the network: one with a predictable, incrementing IP ID counter and no traffic of its own. Such hosts can be discovered with the Metasploit framework, which has a scanner module (auxiliary/scanner/ip/ipidseq) for this purpose. The idle scan is run with the command nmap -sI zombie_IP target_IP.
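The paragraph above says the zombie's address is what the target logs but not how the scanner learns the port state without ever receiving a packet from the target. The simulation below walks through the IP ID side channel that -sI relies on. It is an added example, not Nmap's implementation: the Zombie and Target classes, the addresses and the open-port set are a constructed model of the three-packet exchange, and no real traffic is sent.

```python
"""
Simulation of the IP ID side channel behind Nmap's idle scan (-sI).
Added example with constructed hosts; no network traffic is generated.
"""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host with an incremental IP ID counter: every packet it sends bumps it by one."""
    ip: str
    ipid: int = 1000
    sent: list = field(default_factory=list)   # constructed record of what the zombie emitted

    def send(self, kind: str, to: str) -> int:
        self.ipid += 1
        self.sent.append((kind, to, self.ipid))
        return self.ipid

    def receive_syn_ack(self, from_ip: str) -> int:
        # An unsolicited SYN/ACK is answered with a RST, which costs one IP ID.
        return self.send("RST", from_ip)

    def receive_rst(self, from_ip: str) -> None:
        # A RST is silently accepted; nothing is sent, the counter does not move.
        return None


@dataclass
class Target:
    ip: str
    open_ports: set
    firewall_log: list = field(default_factory=list)   # (source ip, dest port) pairs

    def receive_syn(self, src_ip: str, port: int, zombie: Zombie) -> None:
        """The target replies to the source address in the packet, i.e. the zombie."""
        self.firewall_log.append((src_ip, port))
        if port in self.open_ports:
            zombie.receive_syn_ack(self.ip)   # open:   SYN/ACK -> zombie sends RST (+1)
        else:
            zombie.receive_rst(self.ip)       # closed: RST     -> zombie stays silent (+0)


def probe_zombie_ipid(zombie: Zombie, attacker_ip: str) -> int:
    """Attacker sends a SYN/ACK to the zombie; the RST that comes back reveals its IP ID."""
    return zombie.receive_syn_ack(attacker_ip)


def zombie_is_idle(zombie: Zombie, attacker_ip: str) -> bool:
    """Pre-check (what Metasploit's ipidseq does in spirit): two back-to-back probes
    must differ by exactly 1.  A busy host or one with random IP IDs is unusable."""
    first = probe_zombie_ipid(zombie, attacker_ip)
    second = probe_zombie_ipid(zombie, attacker_ip)
    return second - first == 1


def idle_scan_port(attacker_ip: str, zombie: Zombie, target: Target, port: int) -> str:
    """Classify one target port from the zombie's IP ID delta alone."""
    before = probe_zombie_ipid(zombie, attacker_ip)
    # Spoofed SYN: its source address is the zombie's, so the target never sees attacker_ip.
    target.receive_syn(zombie.ip, port, zombie)
    after = probe_zombie_ipid(zombie, attacker_ip)
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"   # noisy zombie: other traffic skewed the counter


def idle_scan(attacker_ip: str, zombie: Zombie, target: Target, ports) -> dict:
    return {p: idle_scan_port(attacker_ip, zombie, target, p) for p in ports}


if __name__ == "__main__":
    z = Zombie(ip="10.0.0.50")                               # constructed idle host
    t = Target(ip="10.0.0.80", open_ports={22, 443})         # constructed target
    print("zombie idle:", zombie_is_idle(z, "10.0.0.99"))
    print(idle_scan("10.0.0.99", z, t, [22, 80, 443]))
    print("sources seen by target firewall:", {src for src, _ in t.firewall_log})
```

Note that "closed|filtered" is a single result: a port that drops the spoofed SYN and one that answers RST both leave the zombie silent, which is why Nmap cannot distinguish closed from filtered in an idle scan.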

Source port number specification

This technique takes advantage of a common error made by system administrators when configuring the firewall: a rule that allows all incoming traffic whose source port is a specific number, typically because a service such as DNS or FTP had to be let through. The misconfiguration is exploited with the Nmap option --source-port number (short form -g number). The source ports that are commonly trusted in this way are 20 (FTP data), 53 (DNS) and 67 (DHCP).

Append random data

This technique defeats packet inspection that relies on packet size to identify a port scan, since Nmap's default probes have a recognisable size. The option --data-length number appends random data to each probe, changing the packet size so that the firewall or IDPS no longer recognises the port scan by that signature.

Creation of ACLs

Access Control Lists (ACLs) are important in network security management, and there are several ways of creating them. In creating standard or extended ACLs, a wildcard mask identifies the addresses and devices the ACL is to affect. A wildcard mask is the inverse of a subnet mask: where the subnet mask has ones the wildcard has zeros, and where the subnet mask has zeros the wildcard has ones, so in the wildcard the zeros sit on the left and the ones on the right. A zero bit in the wildcard means the corresponding address bit must match exactly; a one bit means the router ignores it. Since the concern is which hosts may access a resource, it is the ones that matter. For a Class C block such as 192.168.6.0/24, with the subnet mask 255.255.255.0, the wildcard mask is 0.0.0.255 (Tetz, 2016).

An ACL is made up of a series of entries. Each ACL has a number, and all entries in one list share that number. New entries are appended at the bottom of the list, below the existing entries but above the implicit entry that ends every list, which is a deny all. Each Access Control Entry (ACE) has the following structure:

access-list <number> <permit|deny> <source network or host ID> <wildcard mask>

To create a single-entry ACL permitting the hosts of the Class C network 192.168.6.0, the completed ACL, with the implicit deny written out, is:

access-list 10 permit 192.168.6.0 0.0.0.255

access-list 10 deny any

The bottom line of that ACL is the implicit deny and does not appear in the list as configured, so when a show command is applied to view the ACL the following is seen:

Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 50 permit 192.168.6.0 0.0.0.255
Switch1(config)#end
Switch1#show access-list 50
Standard IP access list 50
    permit 192.168.6.0, wildcard bits 0.0.0.255

To add another entry to this list, the same command is used. To add the block 192.168.9.0/24 to the ACL with a permit:

Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 50 permit 192.168.9.0 0.0.0.255
Switch1(config)#end
Switch1#show access-list 50
Standard IP access list 50
    permit 192.168.6.0, wildcard bits 0.0.0.255
    permit 192.168.9.0, wildcard bits 0.0.0.255

An access list should be created before it is applied to an interface. If a nonexistent access list is applied to an interface and the list is then configured, the first entry takes effect as soon as it is entered, and the implicit deny that follows it can cut off access immediately, including the administrator's own session. Every access list needs at least one permit statement; otherwise nothing is permitted and all packets are denied.

In summary, the following steps are followed in creating a named standard access list (CISCO, 2016):

  • enable
  • configure terminal
  • ip access-list standard name
  • remark remark
  • deny {source [source-wildcard] | any} [log]
  • remark remark
  • permit {source [source-wildcard] | any} [log]
  • steps 4 through 7 are repeated until all the sources on which the access list is based are specified
  • end
  • show ip access-list
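The ACL section above describes wildcard matching, first-match ordering, the implicit deny and the "no permit means deny all" pitfall in prose; the evaluator below makes those rules executable so they can be checked against sample addresses before an ACL is pushed to a device. It also models the one extended-ACE form that the source-port trick from the Nmap section exploits. This is an added example written for this page, not Cisco code: the parser handles only the numbered standard syntax shown on the page plus a constructed subset of the extended syntax (permit tcp any eq port any), and ACL 50, ACL 101 and all addresses are constructed. The empty-list behaviour (an applied but empty or nonexistent list permits everything) follows Cisco IOS.

```python
"""
Evaluator for Cisco-style numbered standard ACLs, plus the 'permit tcp any eq <port> any'
extended form.  Added example, not Cisco code.  Models: wildcard-mask matching,
first match wins, implicit 'deny any' at the end of every non-empty list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask: /24 -> 0.0.0.255, /22 -> 0.0.3.255."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    network: str                   # 0.0.0.0 together with wildcard 255.255.255.255 means 'any'
    wildcard: str
    src_port: Optional[int] = None # only set for the extended 'eq <port>' form


STANDARD = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
# constructed subset of the extended syntax, e.g. "access-list 101 permit tcp any eq 53 any"
EXTENDED = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+tcp\s+any\s+eq\s+(\d+)\s+any$")


def parse_ace(line: str) -> Ace:
    m = EXTENDED.match(line.strip())
    if m:
        return Ace(m.group(2), "0.0.0.0", "255.255.255.255", int(m.group(3)))
    m = STANDARD.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, src, wc = m.group(2), m.group(3), m.group(4)
    if src == "any":
        return Ace(action, "0.0.0.0", "255.255.255.255")
    if src == "host":                      # "host A.B.C.D" is shorthand for wildcard 0.0.0.0
        return Ace(action, wc, "0.0.0.0")
    return Ace(action, src, wc or "0.0.0.0")   # IOS: omitted wildcard means exact host


def evaluate(acl_lines: list, src_ip: str, src_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet from src_ip (and optional TCP source port).

    An ACL with no entries permits everything (IOS behaviour for an applied but
    nonexistent or empty list).  Once it has one entry, the first matching entry wins
    and anything unmatched hits the implicit 'deny any' that 'show access-list' never prints.
    """
    aces = [parse_ace(line) for line in acl_lines]
    if not aces:
        return "permit"
    for ace in aces:
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if wildcard_match(src_ip, ace.network, ace.wildcard):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl50 = ["access-list 50 permit 192.168.6.0 0.0.0.255",
             "access-list 50 permit 192.168.9.0 0.0.0.255"]
    for ip in ("192.168.6.17", "192.168.9.200", "192.168.7.1"):
        print(f"ACL 50, source {ip}: {evaluate(acl50, ip)}")
    print("wildcard for /22:", wildcard_from_prefix(22))
    # The source-port misconfiguration: trusting every TCP packet that claims sport 53.
    acl101 = ["access-list 101 permit tcp any eq 53 any"]
    print("scan probe from sport 53:", evaluate(acl101, "203.0.113.5", 53),
          "| from sport 40000:", evaluate(acl101, "203.0.113.5", 40000))
```

Run against the page's ACL 50, 192.168.7.1 is denied by the implicit entry even though no deny line was ever typed, and a list containing only deny entries denies every address, which is the "at least one permit" rule in action. The ACL 101 line shows why nmap --source-port 53 gets through a firewall built that way: the rule keys on a field the sender controls.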


References

CISCO. (2016). Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S. Retrieved June 03, 2016, from cisco.com: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.html

Tetz, E. (2016). Creating Standard Access Control Lists (ACLs). Retrieved June 03, 2016, from www.dummies.com: http://www.dummies.com/how-to/content/creating-standard-access-control-lists-acls.html

WordPress.com, (2012). Penetration Testing Lab: Nmap – Techniques for Avoiding Firewalls. Retrieved June 03, 2016, from https://pentestlab.wordpress.com/2012/04/02/nmap-techniques-for-avoiding-firewalls/
