
CEH Module 12: Evading IDS, Firewalls, and Honeypots (Part-2)

Author: Pooja Rawat
Feb 12, 2025

What is a Firewall?

A Firewall functions as a protective barrier for your computer network, monitoring and controlling incoming and outgoing traffic to safeguard against potential threats. Imagine your home with a locked gate that controls who can enter and leave—this is essentially what a firewall does for your digital space. Some of the key features include:

  • Intrusion Detection: Firewalls can detect suspicious activities based on your organization’s security policies and can be adjusted to respond to new threats.
  • Email Security: They can restrict access to certain email services to prevent spam and unauthorized emails.
  • Security Audits: Firewalls can perform checks on inbound traffic and keep logs of all activities. These logs help administrators track and respond to security incidents.

How Does It Work?

  • Location and Purpose: Firewalls are installed at the gateway between your private network (like your home or office) and the public internet. They safeguard your network against unauthorized access by examining both incoming and outgoing data.
  • Message Inspection: Every piece of data, or “message,” that tries to enter or leave your network is examined by the firewall. If a message doesn’t meet the security standards, the firewall blocks it.
  • Traffic Monitoring: Firewalls have tools to monitor the flow of data traffic. They check if the data packets are safe and decide whether to allow them to pass through or not.
  • Network Filtering: They filter traffic at the network level, working closely with routers to ensure that only safe data reaches its destination. This helps prevent unwanted requests from accessing your network directly.

Understanding Firewall Architecture

Below are the different elements that make up firewall architecture:

Bastion Host

A bastion host is a hardened server specifically configured to resist cyber threats while enabling secure connectivity to a private network from an external source, such as the Internet. It acts as a fortified gateway, controlling and monitoring access to internal resources. Typically, a bastion host is placed outside the firewall to serve as the sole entry point for authorized users.

A bastion host is like a mediator that defends your network against attacks. It stands at the boundary between your private network and the outside world (the internet). This specially configured computer system has two interfaces:

  • Public Interface: Directly connected to the internet, it handles incoming and outgoing traffic.
  • Private Interface: Connected to the intranet, it manages internal network traffic.

By scrutinizing all traffic, the bastion host ensures that only safe data enters or leaves your network.

Screened Subnet (DMZ)

A screened subnet, or a Demilitarized Zone (DMZ), is a protected network segment. It’s like a buffer zone between your internal network and the public internet. Here’s how it works:

  • Two- or Three-Homed Firewall: This setup uses one interface for the internet, another for the DMZ, and a third for the intranet.
  • Public Requests: The DMZ handles public requests without exposing the internal network. If the DMZ is compromised, the internal network remains safe.

The advantage is that you can respond to public requests securely without risking your internal systems.

Multi-Homed Firewall

A multi-homed firewall connects to multiple networks using multiple network interface cards (NICs). This setup enhances network efficiency and security. Key features include:

  • Multiple Interfaces: Each interface connects to a different network segment, improving segregation and security.
  • Subdividing Systems: More than three interfaces allow for detailed segmentation based on specific security needs. This setup typically includes:

1. Public Interface: Handles external, internet-facing traffic with strong protections like firewalls.
2. DMZ (Demilitarized Zone): A buffer zone hosting services that need public access, such as web servers.
3. Internal Interface: Connects to sensitive data and applications, protected from direct public exposure.
4. Management Interface: Used solely for administrative tasks, ensuring isolated and secure access.
5. Data Processing Interface: Dedicated to data analytics and processing, isolated from public and internal networks.

This architecture provides deeper protection, especially with the back-to-back firewall model, ensuring comprehensive security across network segments.

Types of Firewall

Firewalls fall into two broad types: hardware and software.

Hardware Firewalls

Hardware firewalls are physical devices installed at the boundary of your network. They can be part of a router or a standalone device. They use predefined rules to determine whether to permit or block network traffic.

Advantages:

  • Security: Provides robust protection by operating independently of your computer’s operating system.
  • Speed: Processes data quickly, handling large amounts of traffic efficiently.
  • Minimal Interference: Being a separate component, it can be managed without affecting the overall network performance.

Disadvantages

  • Cost: More expensive than software firewalls.
  • Complexity: Can be difficult to implement and configure.
  • Space: Requires physical space and involves cabling.

Software Firewalls

Software firewalls are applications installed on individual computers or servers. They regulate and manage incoming and outgoing network traffic according to security policies.

Advantages

  • Cost-Effective: Generally less expensive than hardware firewalls.
  • User-Friendly: Easier to install and configure, ideal for personal or home use.

Disadvantages

  • Resource-Intensive: Uses system resources, which can slow down the computer.
  • Limited Scope: Protects only the device on which it is installed, not the entire network.

Firewall Technologies

Firewalls operate across different OSI (Open Systems Interconnection) layers to provide security at various network and application levels.

1. Packet Filtering Firewall: Packet filtering firewalls analyze packets at the network layer and filter traffic based on predefined rules. It is like a gatekeeper that checks specific details in each data packet, such as the source and destination IP addresses, port numbers, and protocol types. Only packets meeting the rules are allowed; others are blocked. This is similar to a bouncer at a club checking IDs and only allowing guests on the list to enter.

Key Features:

  1. Source and Destination IP Address Verification: Determines where the packet is coming from and where it’s headed.
  2. Port Verification: Ensures only specific service ports (like HTTP or FTP) are accessible.
  3. Protocol Check: Verifies if the packet uses a permitted protocol, like TCP or UDP.
  4. Direction Check: Decides whether traffic is allowed to enter or leave a network based on direction.

Strengths: Simple and fast, packet filtering firewalls are effective for basic access control and filtering out unwanted traffic.

Limitation: Packet filtering doesn’t inspect the content of data, meaning it can miss certain types of malicious activity embedded within allowed protocols.

2. Circuit-Level Gateway Firewall: Operating at the session layer, circuit-level gateways are like hotel front desks that authenticate guests and then give them a pass to move freely inside. They don’t inspect the data content but create a circuit to ensure the connection is established from a legitimate source. This firewall type is especially useful for verifying TCP handshakes, ensuring that only valid connections are established.

Key features:

  1. Session Validation: Establishes a connection if the initial handshake is legitimate.
  2. IP Address Masking: Masks internal IP addresses by passing traffic through the gateway, making it appear as if the traffic originates from the gateway itself.

Strengths: Provides a layer of anonymity to internal devices and prevents direct access from untrusted networks.

Limitations: Lacks the ability to inspect packet content, making it less effective against data-specific threats.

3. Application-Level Firewall (Proxy Firewall): Application-level firewalls, commonly referred to as proxy firewalls, function at the application layer. They’re like a dedicated concierge service—handling specific requests on behalf of users. Instead of allowing direct connections, they intercept requests, analyze the data, and then forward it if deemed safe. This approach is highly secure as it can examine application-level commands and block malicious actions.

Key features:

  1. Content Inspection: Filters traffic based on specific applications and protocols (e.g., FTP, HTTP).
  2. User Authentication: Ensures that access to specific applications is restricted to authorized users only.
  3. Content Caching: Reduces network load by caching frequently accessed resources.

Strengths: High level of security with the ability to detect malicious commands or traffic at the application level.

Limitations: Can be slower due to deep packet inspection and might require more resources than other firewall types.

4. Stateful Multilayer Inspection Firewall: Stateful multilayer inspection firewalls combine the benefits of packet filtering, circuit-level gateways, and application-level filtering. They monitor the entire state of active connections, inspecting packets at various OSI layers. Imagine it as a vigilant security team that not only checks IDs at the entrance but also monitors guest activities inside, ensuring they remain compliant with the rules.

Key features:

  1. Connection Tracking: Keeps track of active sessions, allowing only packets related to those sessions.
  2. Deep Packet Inspection: Examines packet contents at multiple layers for enhanced security.

Strengths: Versatile and robust, this firewall type provides comprehensive security across various layers, making it effective against a range of threats.

Limitations: It requires more processing power, which can impact network speed and increase operational costs.
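The difference between the packet filtering firewall in point 1 and the stateful inspection firewall in point 4 is easiest to see side by side. The following is an added example (not code from the original post or from any product it names): a toy stateless filter judges each packet only by its headers, so a rule written to let web replies back in also admits an unsolicited packet that merely uses source port 80; the stateful wrapper tracks which sessions inside hosts opened and admits only their replies. The 10.0.0.0/24 network, the rule set and all addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the protected 10.0.0.0/24 network
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Rule tuple: (direction, proto, src prefix, sport, dst prefix, dport, action); None = any.
RULES = [  # constructed policy: inside hosts may reach web servers, and replies must get back in
    ("out", "tcp", "10.0.0.", None, None, 80, "allow"),
    ("in", "tcp", None, 80, "10.0.0.", None, "allow"),
    (None, None, None, None, None, None, "deny"),  # default deny
]

def _match(value, want):
    if want is None: return True
    return value.startswith(want) if isinstance(want, str) else value == want  # str = IP prefix

def stateless_filter(pkt: Packet) -> str:
    """Packet filtering firewall: every packet is judged on its own headers."""
    for d, pr, s, sp, dd, dp, action in RULES:
        fields = [(pkt.direction, d), (pkt.proto, pr), (pkt.src, s),
                  (pkt.sport, sp), (pkt.dst, dd), (pkt.dport, dp)]
        if all(_match(v, w) for v, w in fields):
            return action
    return "deny"

class StatefulFilter:
    """Stateful inspection: inbound packets pass only if they belong to a tracked session."""
    def __init__(self):
        self.sessions = set()  # (proto, inside ip, inside port, remote ip, remote port)
    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = stateless_filter(pkt)
            if verdict == "allow":  # remember the connection the inside host opened
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        return "allow" if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions else "deny"

def demo():
    sf = StatefulFilter()
    request = Packet("out", "tcp", "10.0.0.7", 51000, "198.51.100.10", 80)
    reply = Packet("in", "tcp", "198.51.100.10", 80, "10.0.0.7", 51000)
    # Packet from source port 80 that no inside host ever asked for
    unsolicited = Packet("in", "tcp", "203.0.113.5", 80, "10.0.0.7", 4444)
    sf.filter(request)
    return {"reply": (stateless_filter(reply), sf.filter(reply)),
            "unsolicited": (stateless_filter(unsolicited), sf.filter(unsolicited))}
```

`demo()` returns "allow" from both filters for the genuine reply, but ("allow", "deny") for the unsolicited packet, which is exactly the gap connection tracking closes.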

5. Application Proxy: An application proxy acts as an intermediary between users and the services they wish to access, providing a buffer zone for security. Think of it as a receptionist who screens calls before connecting you to the person you’re calling. The proxy forwards user requests to the internet and then relays the response back, protecting internal network details from being exposed.

Key features:

  1. Request Forwarding: Acts on behalf of the user, masking internal details.
  2. Service-Specific Proxies: Can limit access to particular services like FTP or HTTP, providing customized security.

Strengths: Enhances security by controlling what the outside network can access in the internal network and often includes caching to improve performance.

Limitations: Not always compatible with every application and may introduce delays in accessing services due to added layers of security.

6. Network Address Translation (NAT) Firewall: NAT firewalls modify IP addresses of outgoing and incoming packets, making it look like they come from the NAT device itself. This is like using a PO Box instead of your home address to protect your privacy. NAT helps conserve IP addresses and enhances security by hiding internal IP addresses from the outside world.

Key features:

  1. Address Translation: Changes internal IPs to a public IP, protecting internal addresses.
  2. Port Mapping: Allows multiple devices on a local network to share a single public IP address.

Strengths: Provides anonymity for devices on a local network and limits the exposure of internal addresses to external threats.

Limitations: Some applications may not function correctly under NAT, especially those requiring consistent IP information, such as certain VoIP services.
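To make the address translation and port mapping features concrete, here is an added example (not code from the original post): a toy NAT table that rewrites outbound packets to one public address with a per-flow public port, reverses the mapping on replies, and drops any inbound packet that no inside host asked for. The public address 203.0.113.1, the port range and the hosts are constructed values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """Port-based address translation: many inside hosts share one public IP."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (proto, inside ip, inside port, remote ip, remote port) -> public port
        self.in_map = {}   # (proto, public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source so the packet appears to come from the NAT device itself."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:  # first packet of this flow: allocate a public port
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(pkt.proto, pub, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet):
        """Map a reply back to the inside host; drop anything with no mapping."""
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None  # unsolicited packet: no internal address is ever exposed
        return replace(pkt, dst=inside[0], dport=inside[1])

def demo():
    """Two inside hosts using the same local port reach one server through one public IP."""
    nat = NatFirewall("203.0.113.1")  # constructed public address
    a = nat.outbound(Packet("tcp", "10.0.0.7", 50000, "198.51.100.10", 443))
    b = nat.outbound(Packet("tcp", "10.0.0.8", 50000, "198.51.100.10", 443))
    reply_to_b = nat.inbound(Packet("tcp", "198.51.100.10", 443, "203.0.113.1", b.sport))
    scan = nat.inbound(Packet("tcp", "203.0.113.99", 12345, "203.0.113.1", 22))  # no mapping
    return a, b, reply_to_b, scan
```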

7. Virtual Private Network (VPN) Firewall: A VPN firewall uses encryption to secure data as it travels over public networks, creating a “virtual tunnel” for safe data transmission. Imagine sending a letter in a sealed, tamper-proof envelope—it’s protected from prying eyes until it reaches its intended recipient. VPNs don’t inherently act as firewalls but can integrate firewall functionalities to ensure data security.

Key features:

  1. Traffic Encryption: Protects data integrity by encrypting all traffic.
  2. Remote Access Security: Allows secure remote access, essential for telecommuting and remote work environments.

Strengths: Provides a secure means of accessing private networks from anywhere with internet access, hiding sensitive data from potential eavesdroppers.

Limitations: VPNs can be slower due to encryption overhead and may expose users to attacks if not properly configured on public networks.

Honeypots

Understanding Honeypots: The Decoys in Cybersecurity

A honeypot is a computer system designed to attract and trap cyber attackers. It acts like a decoy, luring hackers away from your real, valuable data. Here’s how it works:

  • Attraction: The honeypot is set up to look like a real, vulnerable system that attackers would want to access.
  • No Real Value: It doesn’t have any real production data or activity, making it clear that any interaction with it is likely malicious.
  • Logging Activity: It tracks and logs everything an attacker does, including port access attempts and keystrokes, which can provide early warnings of an attack.

How Does It Work?

The honeypot is placed in a part of the network called the DMZ (Demilitarized Zone), which is a buffer area between the internal network and the internet. Here’s a step-by-step look at its operation:

  • Setup: The honeypot is installed on a system and configured to look like a legitimate target.
  • Monitoring: It sits quietly, waiting for unauthorized attempts to access it.
  • Logging: When an attacker tries to breach the honeypot, all their actions are logged.
  • Analysis: Security teams analyze the logs to understand attack methods and improve defenses.
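The setup, monitoring, logging and analysis steps above map onto a very small low-interaction honeypot. The following is an added example (not code from the original post or from any honeypot product named in it): it listens on a port, presents a fake service banner, records every contact as a JSON log line, and labels the shape of the first bytes so analysts can triage. Because a honeypot has no legitimate users, every record is flagged as an alert. The bind address, port, banner string and log file name are constructed values.

```python
import json
import socket
import threading
import time

BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"  # constructed lure; no real SSH is spoken

def classify(data: bytes) -> str:
    """Any contact is suspect; label the first bytes to help triage."""
    if not data:
        return "probe"  # connect-and-close, typical of port scanners
    if data.startswith(b"SSH-"):
        return "ssh-client-hello"
    if data.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):
        return "http-on-ssh-port"
    return "unknown-payload"

def make_record(peer, data: bytes, now=None) -> dict:
    """Build the log entry the security team will analyse later."""
    return {
        "ts": now if now is not None else time.time(),
        "src_ip": peer[0], "src_port": peer[1],
        "bytes": len(data),
        "sample": data[:64].decode("ascii", "replace"),
        "kind": classify(data),
        "alert": True,  # the honeypot has no real users, so every hit is an alert
    }

def handle(conn, peer, log):
    """Send the banner, capture what the client sends, log it, close."""
    conn.settimeout(5)
    try:
        conn.sendall(BANNER)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
    finally:
        conn.close()
    rec = make_record(peer, data)
    log.write(json.dumps(rec) + "\n")
    log.flush()
    return rec

def serve(bind_ip="127.0.0.1", port=2222, logfile="honeypot.jsonl"):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen()
    with open(logfile, "a") as log:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, log), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Each line of honeypot.jsonl is one attempt; feeding those lines to a SIEM gives the early warning the text describes, since a hit on this port can never be normal traffic.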

Types of Honeypots

Honeypots are like bait for cyber attackers, set up to detect, deflect, and study hacking attempts. They come in different types based on their design and interaction levels.

1. Low-Interaction Honeypots: Low-interaction honeypots simulate only a few services and applications of a real system. They are simple and easy to manage but provide limited interaction. They act as early warning systems and help gather data on attack methods.

Examples:

  • Specter: Monitors suspicious activities and identifies potential threats.
  • KFSensor: Attracts attackers by simulating vulnerable services, then monitors and logs their actions.
  • Honeytrap: Observes attacks on specific ports and logs the data for analysis.

2. Medium-Interaction Honeypots: Medium-interaction honeypots simulate a real operating system and a broader range of applications and services than low-interaction honeypots. They provide more detailed information about attacker behaviors without the full complexity of high-interaction honeypots.

3. High-Interaction Honeypots: High-interaction honeypots simulate all the services and applications of a real system. They are complex and provide a deep insight into attacker tactics, techniques, and procedures (TTPs).

4. Pure Honeypots: Pure honeypots emulate the entire production network of an organization. They are used primarily for extensive research and gather large amounts of data.

Deployment Strategies

  • Production Honeypots: Deployed within an organization to detect and analyze attacks in real-time.
  • Research Honeypots: Used by researchers to gather data on emerging threats.

Deception Technologies

Honeypots can be specialized to attract specific types of cyber threats:

  • Malware Honeypots: Capture and analyze malware by simulating known vulnerabilities.
  • Database Honeypots: Fake databases that lure attackers to perform SQL injection attacks.
  • Spam Honeypots: Attract and study spammers.
  • Email Honeypots: Fake email addresses that capture malicious email attempts.
  • Spider Honeypots: Trap web crawlers and gather data on web scraping activities.
  • Honeynets: Networks of honeypots that provide extensive data on attack methods.

Master CEH with InfosecTrain

Understanding how to evade Intrusion Detection Systems (IDS), firewalls, and honeypots is a crucial skill in ethical hacking. These security mechanisms serve as the first line of defense against cyber threats, and Ethical Hackers must learn how to bypass them to conduct comprehensive security assessments. By mastering firewall penetration tactics, deception avoidance techniques, and network security evasion strategies, professionals can simulate real-world attacks and help organizations strengthen their defenses.

The Certified Ethical Hacker (CEH) training course by InfosecTrain provides an in-depth understanding of these evasion techniques. This course covers advanced IDS evasion methods, firewall bypass strategies, and honeypot deception techniques through hands-on labs and real-world scenarios. With expert-led training, participants gain practical experience in ethical hacking, penetration testing, and cybersecurity defense.

Whether you are a Security Professional, Network Administrator, or Penetration Tester, InfosecTrain’s CEH certification training equips you with industry-leading skills to identify security weaknesses and fortify organizational defenses. Take your ethical hacking expertise to the next level—enroll in InfosecTrain’s CEH training today and master the art of security evasion!
