Evading Firewalls

Guide to Evading Firewalls for the CEH Exam

Understanding Evading Firewalls in CEH

Firewalls are crucial security components that monitor and filter network traffic based on predetermined security rules. Understanding how attackers attempt to bypass these defenses is essential for ethical hackers and security professionals.

Why is Understanding Firewall Evasion Important?

1. Security Testing: Ethical hackers need to know evasion techniques to test firewall effectiveness.
2. Defense Enhancement: Knowledge of evasion tactics helps improve firewall configurations.
3. Threat Awareness: Security professionals must stay ahead of attacker methodologies.
4. Certification Success: This topic appears frequently in CEH exams.

Common Firewall Evasion Techniques

1. IP Address Manipulation:
- IP Spoofing: Falsifying source IP addresses
- Proxies/VPNs: Routing traffic through intermediary servers

2. Port-Related Techniques:
- Port Scanning: Identifying open ports or misconfigured rules
- Using Non-standard Ports: Running services on unexpected ports

3. Protocol Exploitation:
- Tunneling: Encapsulating restricted protocols inside allowed ones (SSH, DNS, ICMP tunneling)
- Fragmenting Packets: Breaking data into smaller pieces to avoid inspection

4. Application-Level Evasion:
- Using Encrypted Traffic: HTTPS, SSL/TLS to hide malicious content
- Protocol Encapsulation: Hiding prohibited protocols within allowed ones

5. Technical Approaches:
- Source Routing: Specifying the path packets take through network
- ACK Scanning: Sending ACK packets to bypass stateless firewalls
- HTTP/FTP Tunneling: Encapsulating traffic within permitted protocols

Tools for Firewall Evasion

1. Nmap: For port scanning with evasion techniques (-f flag for fragmentation)
2. HTran: For TCP proxy connections
3. Proxychains: For routing traffic through proxy servers
4. Metasploit: Contains various evasion modules
5. Covert_TCP: For hiding data in TCP/IP header fields

Exam Tips: Answering Questions on Evading Firewalls

1. Know the Terminology:
- Understand terms like "tunneling," "fragmentation," "spoofing," and "encapsulation"- Be familiar with stateful vs. stateless firewall differences

2. Recognize Evasion Scenarios:
- Identify which evasion technique works against specific firewall types
- Understand which protocols are commonly used for tunneling

3. Tool Identification:
- Know which tools perform specific evasion techniques
- Remember Nmap flags for evasion (-f, -D, --source-port)

4. Protocol Understanding:
- Know which protocols are typically allowed (HTTP, HTTPS, DNS)
- Understand which protocols are commonly restricted (Telnet, FTP)

5. Security Perspective:
- Always approach questions from both attacker and defender viewpoints
- Consider ethical implications and legitimate testing scenarios

6. Read Carefully:
- Questions may include subtle details about firewall types
- Look for clues about whether the firewall is stateful, application-layer, or next-gen

7. Common Question Types:
- Scenario-based: "An attacker wants to bypass a firewall that blocks all ICMP traffic. Which technique would work best?"- Tool-based: "Which Nmap option helps evade firewalls by fragmenting packets?"- Concept-based: "Which evasion technique involves breaking packets into smaller pieces?"
Remember that the CEH exam focuses on practical applications and real-world scenarios. Focus on understanding not just the techniques themselves but when and why they would be used in legitimate security testing.