Firewall Evasion Techniques | Full Tutorial
We covered firewall evasion tactics that are needed when conducting a red team engagement. These tactics include using the Nmap scanner to send modified packets, as well as using networking tools such as Ncat and SSH to perform port forwarding or tunneling.
Video Highlights
A firewall is a piece of hardware or software that watches network traffic and, before allowing or denying it, compares it to a set of rules. A guard or gatekeeper at the entrance to an event is a straightforward analogy. This gatekeeper has the ability to compare an individual’s ID against a list of regulations before permitting them to enter (or exit).
Firewall types based on packet filtering
– Packet filtering firewalls, also known as stateless firewalls. These firewalls inspect each data packet as it travels through a network. They decide whether to block a specific packet based on the configured rules.
– Application-layer firewalls can be a physical appliance with its own hardware, or software installed on another machine, like a plug-in or a filter. These types of firewalls target applications and monitor their behavior. For example, if placed in front of a web server, they can inspect requests for HTTP connections and block abnormal floods of traffic indicating a DoS attack.
– Circuit-level firewalls check whether TCP and UDP connections across a network are valid before data is exchanged. For example, this type of firewall might first check whether the source and destination addresses, the user, the time, and the date meet certain defined rules. Data is exchanged between parties without further investigation when these checks pass, and a session starts.
– Proxy server firewalls, also called web application firewalls. They control the information that goes in and out of a network. This ability means the server can monitor, filter, and cache data requests to and from a network. Firewall proxy servers provide safe and secure internet access to all devices on a network. As depicted in the image below, there can be no communication between the client machine and the internet without the proxy server.
– Stateful firewalls inspect connections on a network. As traffic hits the firewall, it monitors all packets that go through it and stores a combination of information about the packets in a state table. The state table tracks sessions by recording port numbers as sessions start from inside the network and are transmitted outside of the network. Gathering this information helps the firewall recognize what legitimate traffic with the correct port numbers should look like upon its return, thus allowing legitimate replies back into the network.
– Next-generation firewalls perform many of the same functions as stateful firewalls but with more functions from other types of firewalls, such as packet filtering and VPN support. This type of firewall also investigates packets more thoroughly compared to stateful firewalls. For example, a next-generation firewall can examine the payload for each packet and inspect it for suspicious characteristics and malware. Examples include the Juniper SRX series and Cisco Firepower.
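The difference between the packet filtering (stateless) and stateful items above can be shown with a small simulation. This is an added example, not code from the tutorial: the rule, the `Packet` type and the sample traffic are constructed for illustration, and the state table is simplified to the address and port 4-tuple (real firewalls also track TCP flags and timeouts).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True when the packet leaves the internal network

def stateless_allows(pkt: Packet) -> bool:
    """Constructed per-packet rule: replies must reach client ephemeral
    ports, so every inbound packet to ports 1024-65535 is allowed."""
    if pkt.outbound:
        return True
    return 1024 <= pkt.dst_port <= 65535

class StatefulFirewall:
    """Records sessions started from inside; admits only matching replies."""

    def __init__(self):
        self.state_table = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.outbound:
            # Store the 4-tuple that a legitimate reply will carry.
            self.state_table.add(
                (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return True
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return key in self.state_table

def compare(packets):
    """Return (stateless verdict, stateful verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_allows(p), fw.allows(p)) for p in packets]

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, outbound=True),   # session start
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, outbound=False),  # matching reply
    Packet("198.51.100.7", 443, "10.0.0.5", 50000, outbound=False),  # no session
    Packet("203.0.113.10", 443, "10.0.0.5", 50001, outbound=False),  # wrong port
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless:", stateless, "stateful:", stateful)
```

The stateless rule accepts all four packets because it cannot tell a reply from an unsolicited packet, while the stateful firewall drops the last two, which match no entry in its state table.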
Firewall Classifications
- Hardware Firewall: An appliance firewall is a separate piece of hardware that the network traffic has to go through. Examples include Cisco ASA (Adaptive Security Appliance), WatchGuard Firebox, and Netgate pfSense Plus appliance.
- Software Firewall: This is a piece of software that comes bundled with the OS, or you can install it as an additional service. MS Windows has a built-in firewall, Windows Defender Firewall, that runs along with the other OS services and user applications. Other examples are Linux iptables and firewalld.
Firewall Evasion Techniques in a nutshell
- Decoy Scans using Nmap
- Spoofed IP using Nmap
- Using proxies with Nmap
- Port tunneling & forwarding with SSH & Ncat.
- Packet fragmentation with Nmap