Firewalls and Honeypots

Introduction to firewalls

Firewall

  • Is responsible for protecting an organization's internal network from attacks by filtering inbound/outbound traffic.

  • It inspects the traffic against a set of criteria/rules and either allows it to pass or blocks it.

  • It can be software running on a single host/device in the network, filtering only that host's traffic (host-based firewall).

  • It can be a separate hardware appliance that filters all traffic in the network (network-based firewall).

  • Firewalls can be placed between the internet and the DMZ to filter that traffic.

  • Firewalls can be placed between the internal network and the DMZ to filter (secure) that traffic against insiders in the company.

Early negation:

  • Stopping the attack before it reaches the firewall at all.
  • High security level

Normal negation using the firewall:

  • Very good security level

    Attack entered the private network (crossed the firewall):

    • Alert

Firewall Filtering Techniques

Packet Filtering

  • Uses an ACL (Access Control List), a set of rules or criteria, to filter the traffic.

  • Access Control List (ACL)

    Allowed         Not Allowed
    Protocols       Protocols
    Port Numbers    Port Numbers
    IP Addresses    IP Addresses

The firewall then inspects every packet, compares its header against the ACL, and takes an action based on that comparison.

e.g. it can allow web traffic on port 80 and block Telnet on port 23.

The configuration of this type of firewall filtering should be clear and unambiguous.

Stateful Inspection

Tracks connections moving through the firewall and keeps connection information (source IP, destination IP, port numbers, TCP or UDP) in a state table.

The firewall records this information for every packet sent; if the information in a returned packet (the reply) matches what was sent, the packet is allowed to pass, otherwise it is blocked.

A possible risk: when a device in the network connects directly to outside systems, its packets expose the internal network IP address to any attacker, who can then target that IP.

Proxy Firewall

It is an intermediary layer between the network devices and the internet: any request sent from the internal network is relayed by the proxy server, which replaces the source IP with its own before forwarding it.

A firewall can also hide internal network IP addresses using NAT.

Configuring Firewall Rules

As a security admin, you implement firewall rules in the form of an ACL so that the filtering process can be carried out.

Example:

Permit/Deny  Prot  Src IP         Src Port  Dest IP        Dest Port
permit       TCP   163.121.25.10  2050      163.121.11.12  80

This means that with only this one rule applied, any traffic that does not match it is not permitted.
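An added example (not from these notes) that models the packet-filtering ACL above and the stateful inspection described earlier: a stateless filter with first-match semantics and implicit deny, plus a state table that lets replies to recorded connections back in. The rule is the one from the example table; the "any"/None wildcards and the tuple used as the state-table key are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str
    src_ip: str         # "any" matches every address (assumed wildcard)
    src_port: Optional[int]   # None matches every port (assumed wildcard)
    dst_ip: str
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src_ip in ("any", p.src_ip)
                and self.src_port in (None, p.src_port)
                and self.dst_ip in ("any", p.dst_ip)
                and self.dst_port in (None, p.dst_port))

# The single rule from the notes' example table (constructed input).
ACL = [Rule("permit", "TCP", "163.121.25.10", 2050, "163.121.11.12", 80)]

def packet_filter(acl, p):
    """Stateless packet filtering: first matching rule wins; no match means implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: a permitted packet is recorded in the state table, and a later
    packet is allowed if it is the reverse of a recorded (src, dst) pair, i.e. a reply."""
    def __init__(self, acl):
        self.acl = acl
        self.state = set()   # entries: (proto, src_ip, src_port, dst_ip, dst_port)

    def handle(self, p):
        reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reply_of in self.state:
            return "permit"  # reply to a connection we already saw going out
        action = packet_filter(self.acl, p)
        if action == "permit":
            self.state.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action
```

The stateless filter blocks the web server's reply (its source port 80 and destination port 2050 match no rule), while the stateful firewall admits it because the outbound packet was recorded.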

Bypassing Firewall

  • A firewall is a good tool (software) to protect the network but not a one-size-fits-all solution, as it can be bypassed too :( for example by applications (peer-to-peer software) that share files from a device with other devices on the internet through the program's own dedicated network.

  • Bypassing here means the following:
    if a packet reaches the firewall on a port that is not allowed (e.g. BitTorrent's port 6881), the application tries other ports until it finds an allowed one (e.g. port 80) and passes through the firewall as if nothing had happened.

A device sharing its files in this way exposes its data on the internet.

  1. Restrictive configuration: restricting some type of traffic that users need violates the availability concept (CIA) we discussed before;

    this pushes users to use a modem inside the network to reach the internet by connecting directly to an ISP, skipping the organization's firewall entirely.

Notes on Telnet

(1) - Telnet is a network protocol used to establish a remote terminal session between two computers over a network.

(2) - It allows a user to log into a remote computer and execute commands as if they were directly connected to that computer's console.

(3) - Telnet is primarily used for remote administration, troubleshooting, and accessing text-based applications on remote systems.

(4) - However, it is important to note that Telnet is an unencrypted protocol, which means that any data transmitted over Telnet is sent in plain text and can be intercepted by malicious actors.

(5) - As a result, Telnet is considered insecure, and its usage has been largely replaced by more secure protocols like SSH (Secure Shell).