Firewall Evasion Techniques and Countermeasures (2024)

Life finds a way. This is one of my favorite quotes from one of my favorite movies and books, Jurassic Park. Internet traffic, like life, will break free and expand to new territories. There are many examples of people changing their behaviour to get what they want when you attempt to deny them access to it.

When it comes to security the line between good and bad is often hard to see. Certainly malicious actors work to bypass security controls to gain footholds and steal confidential information. Other times people bypass controls simply to avoid control and/or oppression.

There are several groupings of tactics for bypassing network security appliances. The challenge of evasion is that there are many groupings and many tactics, and tactics from different groupings can be used at the same time, dramatically compounding the problem. The purpose of this post is to describe the tactics employed to evade network security systems, identify what a network security system needs in order to prevent bypasses, and explain generally where to find those features.

For some examples of using these evasion techniques please search the rest of the blog for evasion.

Network & Transport Layers

Many of the evasion techniques that exploit lower-level protocols are handled by the underlying OS of the network security appliance. Often the IP stacks are configured to prevent many of these tactics by default. The challenge is that many of the tactics at the network and transport layers are natural functions of the protocols, used in a malicious way; this most often results in the most elegant attacks. Blocking them outright carries a high probability of blocking benign traffic, which results in user experience issues, which results in complaints, which results in the features being disabled.

One of the most common network and transport layer evasions is fragmentation. There are several ways to exploit IP fragmentation. As an example, in a small-packets segmentation attack the attacker fragments all of the packets to be very small. The idea is that network solutions have a limited amount of memory to manage each session. If there are lots of small packets the attack payload will be broken up into pieces small enough that each individual packet looks benign. Things start to fail when the memory buffer fills up and the device starts to allow packets through to the target host because they don't look bad. Once the target host reassembles them the attack will likely succeed.

Another example is to abuse the session with chaff. An attacker can send multiple fragmented packets with the same sequence number but different payloads. On top of that, various other parts of the packets can be manipulated. One example is to leverage PAWS (Protection Against Wrapped Sequences). PAWS is designed to improve TCP performance in high-speed networks. A session has a theoretical limit of 2^32 sequence numbers, starting at 0 and going up to 2^32, so when a session reaches that finite number the sequence number wraps back to 0. This can be abused by sending multiple packets with the same sequence number and different timestamps so that the old one may be discarded and the new one slips through. Sending the malicious payload second may overwrite the first and bypass inspection. Operating systems handle these cases differently, and confusion is the name of the game.
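To make the two evasions above concrete, here is an added example (not from the original post) of a minimal stream reassembler with constructed sample segments. It shows that matching a signature per packet misses a payload split into tiny segments, and that overlapping segments with the same sequence number but different bytes should be flagged as an ambiguity rather than silently resolved, because the end host's reassembly policy decides which bytes survive.

```python
from dataclasses import dataclass

SIGNATURE = b"/bin/sh"  # constructed example of a byte pattern an IPS would match


@dataclass
class Segment:
    seq: int            # TCP sequence number of the first payload byte
    data: bytes
    tsval: int = 0      # TCP timestamp option value (what PAWS compares)


def per_packet_match(segments, signature=SIGNATURE):
    """Naive inspection: examine each segment in isolation."""
    return any(signature in s.data for s in segments)


class StreamReassembler:
    """Reassemble one direction of a TCP stream relative to its initial
    sequence number (ISN). Overlapping segments whose bytes disagree are
    recorded as ambiguities: the appliance cannot know which bytes the end
    host will keep, so such a stream deserves suspicion, not a guess."""

    def __init__(self, isn, policy="first"):
        self.isn = isn
        self.policy = policy      # "first" or "last" byte wins on conflict
        self.buf = {}             # stream offset -> byte value
        self.ambiguities = []     # (offset, kept byte, conflicting byte)

    def add(self, seg):
        off = (seg.seq - self.isn) & 0xFFFFFFFF   # tolerate sequence wrap
        for i, b in enumerate(seg.data):
            pos = off + i
            if pos in self.buf and self.buf[pos] != b:
                self.ambiguities.append((pos, self.buf[pos], b))
                if self.policy == "last":   # some stacks favour newer data
                    self.buf[pos] = b
            else:
                self.buf[pos] = b

    def payload(self):
        if not self.buf:
            return b""
        # missing bytes (gaps) are filled with 0x00 so they stay visible
        return bytes(self.buf.get(i, 0) for i in range(max(self.buf) + 1))

    def matches(self, signature=SIGNATURE):
        return signature in self.payload()


def small_packet_evasion():
    """Split one request into 2-byte segments: no single segment can
    contain the 7-byte signature, but the reassembled stream does."""
    isn = 1000
    data = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"   # constructed request
    segs = [Segment(isn + i, data[i:i + 2]) for i in range(0, len(data), 2)]
    r = StreamReassembler(isn)
    for s in segs:
        r.add(s)
    return per_packet_match(segs), r.matches(), len(r.ambiguities)


def overlap_chaff():
    """Two segments at the same sequence number with different payloads and
    timestamps. Which one the end host accepts depends on its stack (and
    PAWS may discard the older timestamp); the reassembler flags the
    conflict under either policy."""
    isn = 5000
    benign = Segment(isn, b"GET /index.html", tsval=10)
    hostile = Segment(isn, b"GET /bin/sh....", tsval=11)
    results = []
    for policy in ("first", "last"):
        r = StreamReassembler(isn, policy)
        r.add(benign)
        r.add(hostile)
        results.append(r.matches())
    return results[0], results[1], len(r.ambiguities)
```

A real appliance would additionally time out or drop streams whose ambiguity count is non-zero, rather than picking a policy and hoping it matches the target host's.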

This type of packet mangling is most often handled by the network processing engine of the security appliance. Most systems have protection settings either in the device settings, in an interface protection profile, or, as in the illustration below, in a zone protection profile.

figure 1: zone protection

It is important to note that these are functions of the protocol that may be used by regular traffic. Most solution vendors will not enable all of them by default, to avoid potentially blocking legitimate traffic. Look for them in the operating manual and configuration of the device and enable the ones that will work in your environment. You may have to take some risk and enable them to find out whether they cause problems for regular traffic, so it is equally important to find out where they are reported when triggered, in case you need to troubleshoot.

Session & Application Layers

Protocols such as NetBIOS (Network Basic Input/Output System) and RPC (Remote Procedure Call) are widely used session layer protocols. Applications typically interact with these protocols directly, and users do not need to interact with them at all. They are commonly used for the network communication of applications that may not have their own network capabilities built in: the application can be developed in a standard way using one of the session layer protocols and let that protocol handle the communication between nodes. As a result the attacks are similar to those against the transport layer protocols. That being said, in most network security appliances these session layer protocols are controlled by protocol decoders and/or rules/policies rather than at the network layer.

There are many ways to evade network security appliances by tunneling one application through another. By encapsulating a denied type of traffic inside a permitted type of traffic the blocked traffic may slip through security policies.

For example, a security policy may permit something like ping, which relies on ICMP echo requests and echo replies, while not allowing web browsing over HTTP. ICMP could then be used to encapsulate the HTTP traffic. If the security appliance isn't looking at the ping application closely enough it will think there is just ping traffic and permit it. Another example would be wrapping BitTorrent traffic in DNS. If BitTorrent is not permitted but DNS is, the appliance may let this traffic through because it thinks it is just DNS based on some basic characteristics. In the case of unknown malware, positive security could potentially prevent it proactively: if the malware is tunneling over DNS but is otherwise unknown, a security appliance that properly identifies applications will prevent the malicious traffic even though it has not seen it previously. See an example of tunneling through ICMP here and another example of tunneling through UDP here.

Almost any kind of traffic can be tunneled inside another protocol, and the carrier can be just about any permitted application, such as DNS, NTP or HTTP.


figure 2: positive security policy

The solution to evasion at the session and application layers is application identification and a positive security model. Application identification may be a multi-stage process. There may be some pre-processing at the protocol layer that weeds out obvious things like violations of the protocol standard. Beyond that there will be some form of decoders and heuristics that identify what the application is, rather than relying on just the standard port and protocol. As in the examples above, you should be able to detect HTTP traffic tunneling through ping because ping isn't supposed to have HTTP headers inside it.

Positive security means allowing the types of traffic you want and implicitly denying anything else. A positive approach to security can only be implemented when proper application identification is working. When you can trust that allowing DNS will only allow DNS traffic and not tunnel bittorrent or IRC or web traffic to a command and control server, you have positive enforcement.
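As an added example (not from the original post, and not any vendor's decoder), the following toy application identifier and positive-security policy illustrate the tunneling cases described above: it inspects an ICMP echo payload for an HTTP request line and a DNS query name for tunnel-like labels, classifies the traffic as the tunneled application, and denies anything that is not on the allow-list. The sample packets, heuristics and thresholds are constructed assumptions.

```python
import math
import re
import struct

# Positive security: only applications on this list are permitted.
ALLOWED_APPS = {"ping", "dns"}

# An HTTP request line has no business inside an ICMP echo payload.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")


def shannon_entropy(b: bytes) -> float:
    """Bits per byte; encoded tunnel data scores far higher than hostnames."""
    if not b:
        return 0.0
    counts = {}
    for x in b:
        counts[x] = counts.get(x, 0) + 1
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identify_icmp_echo(payload: bytes) -> str:
    """Echo payloads are normally timestamps or pattern bytes, never HTTP."""
    return "http-over-icmp" if HTTP_REQ.match(payload) else "ping"


def parse_qname(dns_msg: bytes) -> str:
    """Return the first question name of a raw DNS message (no compression)."""
    pos = 12  # fixed 12-byte header
    labels = []
    while dns_msg[pos] != 0:
        ln = dns_msg[pos]
        labels.append(dns_msg[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    return ".".join(labels)


def identify_dns(dns_msg: bytes) -> str:
    """Assumed heuristics: a very long name, or a long high-entropy leftmost
    label, is treated as tunnelled data rather than a lookup."""
    qname = parse_qname(dns_msg)
    first = qname.split(".")[0].encode()
    if len(qname) > 100 or (len(first) >= 30 and shannon_entropy(first) > 4.0):
        return "dns-tunnel"
    return "dns"


def decide(app: str) -> str:
    """Allow only identified applications on the list; everything else is denied."""
    return "allow" if app in ALLOWED_APPS else "deny"


def build_dns_query(qname: str) -> bytes:
    """Constructed minimal DNS query: ID 0x1234, RD set, one A/IN question."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return hdr + q + struct.pack("!HH", 1, 1)


# Constructed sample traffic (not captured data).
ICMP_NORMAL = bytes(range(0x08, 0x38))          # typical ping pattern payload
ICMP_TUNNEL = b"GET /secret HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_NORMAL = build_dns_query("www.example.com")
DNS_TUNNEL = build_dns_query("aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA0kd9f8a7.t.example.com")


def classify_all():
    """Run identification plus policy over the samples; returns app -> verdict."""
    return {
        "icmp_normal": decide(identify_icmp_echo(ICMP_NORMAL)),
        "icmp_tunnel": decide(identify_icmp_echo(ICMP_TUNNEL)),
        "dns_normal": decide(identify_dns(DNS_NORMAL)),
        "dns_tunnel": decide(identify_dns(DNS_TUNNEL)),
    }
```

The point is the shape of the decision: the verdict is made on the identified application, so a port-80-looking HTTP request inside ICMP is judged as HTTP, which the policy never allowed.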

Encryption

The purpose of encryption is to provide confidentiality and integrity of data. Data in transit is obfuscated so that prying eyes can possibly tell where you are going but not what you are doing there. This means that when network traffic is encrypted many network security appliances are blind to what is inside. Many popular websites today default to HTTPS when you visit them (Google, Yahoo!, Facebook and Twitter), and more are moving to encryption because of recent leaked information about spying. The underlying technology in HTTPS is SSL (Secure Sockets Layer).

A simple example is someone using an HTTPS proxy server outside the network to get to other websites. The security appliance sees HTTPS, which is likely allowed because it is so pervasive. The proxy makes it appear that the user is browsing a random HTTPS site, but really it is tunneling traffic to another website. The user makes a connection to the proxy, the proxy makes the connection to the target (likely blocked) website, and the entire transaction is encrypted. The security appliance has no visibility into what is going on inside the traffic.

The solution is to decrypt the SSL traffic. A certificate needs to be installed on each of the client devices. When users make connections to HTTPS sites their traffic is encrypted to the security appliance using your certificate. The security appliance then makes the connection to the destination website using that site's certificate. This way the security appliance has decrypted traffic on it before passing it along. When breaking encryption for corporate use the idea is not to read people's emails and invade their privacy. The goal is to be able to permit something like a personal webmail account and know you are safe because:

  • you have visibility to be sure that webmail is in fact what they are doing,
  • you have visibility to determine if there is malware or malicious links inside the encrypted traffic, and
  • you have visibility to see if sensitive data is leaving the environment.

It is important to note that SSL (and hence HTTPS) is a standard protocol, widely deployed in many applications, so decryption can be applied to any application using this standard protocol. Network security appliances will have trouble with encryption protocols that are proprietary or non-standard.

Conclusion

Managing evasions is challenging. If one (wo)man can make something another can break it. Within each of the sections above there are currently dozens of examples of evasions. Many of these techniques can be used simultaneously to slip through. New evasive techniques are developed regularly, so it is important to keep up to date on them and understand how to prevent them in your environment. As a result the only way to ensure that a network security appliance will prevent every evasion is to pull the plug. The following are some best practices to prevent evasive techniques today.

  1. Look for network security solutions that are stream based. Stream-based systems continuously monitor every packet in the stream. The cost is heavy CPU/memory requirements; the benefit is that they reassemble all of the packets properly so that they can identify malicious behaviour. The alternative is a session-based system that typically looks at the first packets and, if those look OK, trusts the rest, which has obvious consequences. While there may be ways to beat a stream-based system, such as working around the stream buffer timers, they are still much more effective than session-based systems and are the best we've got right now.
  2. Read the manual. Many of the features to prevent lower level evasions will be documented in the deployment guides. Because these features can sometimes break applications they are not always enabled by default.
  3. Determine if the network security solution is capable of positive security enforcement. You should be able to permit the traffic you want with confidence, and everything else should be dropped by default. This means having the ability to properly decode traffic and identify applications. It also should have a single policy. If you have to permit some traffic and then block parts of that traffic elsewhere the solution will be inefficient and ineffective.
  4. Decrypt the SSL traffic. 30% or more of all network traffic is encrypted. If you can’t see what is in there you are blind to 30% of traffic. This is imperative to prevent malware and data loss.

References:

http://www.monkey.org/~dugsong/fragroute/fragroute.8.txt
http://www.cs.uit.no/~daniels/PingTunnel/
http://www.mcafee.com/us/resources/misc/guides/evader-users-guide.pdf
http://en.wikipedia.org/wiki/Remote_procedure_call

*** This is a Security Bloggers Network syndicated blog from Insecurity authored by asdfasdfasdfasdf. Read the original post at: http://stephenperciballi.blogspot.com/2015/02/firewall-evasion-techniques-and.html


FAQs

What is firewall evasion techniques? ›

Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to bypass firewalls and defeat malware analysis. A further target of evasions can be to crash a network security defense, rendering it ineffective against subsequent targeted attacks.

What are the common techniques used to evade IDS systems? ›

There are several ways to evade an IDS, including using Unicode, launching a denial of service, making TTL modifications or using IP fragmentation. Snort, a signature-based IDS, has developed countermeasures to make it more difficult to evade detection.

What two things are most important when first considering firewall implementation? ›

Built-in High Availability – A standard backup feature should be included if you cannot risk losing your firewall. Bandwidth control and monitoring - it's important to control the use of bandwidth you have available. With this feature, you can control the bandwidth available for applications, sites and users.

Which evasion method involves performing actions slower than normal to prevent detection? ›

Timing Attacks

Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows the signatures use to correlate different packets together.

What is the four techniques of firewalls? ›

The four techniques used by firewalls to control access and enforce a security policy are Service control, Direction control, User control and Behavior control.

How many types of firewall techniques are there? ›

There are mainly three types of firewalls, such as software firewalls, hardware firewalls, or both, depending on their structure. Each type of firewall has different functionality but the same purpose.

What are the two main techniques used for intrusion detection? ›

Intrusion detection systems primarily use two key intrusion detection methods: signature-based intrusion detection and anomaly-based intrusion detection.

What is the most used intrusion detection technique? ›

The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS.

What are the two main approaches to intrusion detection techniques? ›

There are also two main approaches to detecting intrusion: signature-based IDS and anomaly-based IDS.

How does firewall prevent unauthorized access? ›

To start, a firewalled system analyzes network traffic based on rules. A firewall only welcomes those incoming connections that it has been configured to accept. It does this by allowing or blocking specific data packets — units of communication you send over digital networks — based on pre-established security rules.

How can I improve my firewall security? ›

How to Improve Your Firewall Security?
  1. Limit VPN Access​ If you have a sophisticated VPN system, you can make a firewall far more secure. ...
  2. Monitor User Access​ ...
  3. Shut Off Unused Network Services​ ...
  4. Update Firewall Software​ ...
  5. Automate the process of firewall updating​ ...
  6. Buy New Security Hardware​ ...
  7. Secure Wireless Access​

What are advanced evasion techniques? ›

Advanced evasion techniques (AETs) bypass traditional common network security solutions. They can transport any attack or exploit through network security devices and firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and even routers doing deep packet inspection.

What is the main goal of using different evasion techniques by threat actors? ›

Many threat actors use stealthy evasion techniques to disguise an attack payload because the malware and attack methods are most effective if they are undetected. The goal is to prevent detection by network and host defenses.

Which evasion technique provides splitting of packets? ›

The denial-of-service (DoS) attack attempts to disable a system by exhausting its resources. Packet splitting tries to chop data into small packets, so that a system may not completely reassemble the packets for signature matching.

Why common firewall techniques are used? ›

A firewall is essential software or firmware in network security that is used to prevent unauthorized access to a network. It is used to inspect the incoming and outgoing traffic with the help of a set of rules to identify and block threats by implementing it in software or hardware form.

What are the five 5 steps to configure a firewall? ›

How to Configure a Firewall in 5 Steps
  1. Step 1: Secure your firewall. ...
  2. Step 2: Architect your firewall zones and IP addresses. ...
  3. Step 3: Configure access control lists. ...
  4. Step 4: Configure your other firewall services and logging. ...
  5. Step 5: Test your firewall configuration.

What are 3 common firewall designs? ›

There are three basic types of firewalls that are used by companies to protect their data & devices to keep destructive elements out of network, viz. Packet Filters, Stateful Inspection and Proxy Server Firewalls.

What are the 2 main types of firewall? ›

There are two types of firewalls based on what they protect: network-based and host-based. Network-based firewalls, which are frequently hardware, protect entire networks. Host-based firewalls, which are frequently software, protect individual devices known as hosts.

Which firewall is most commonly used? ›

The most common firewall types based on methods of operation are:
  • Packet-filtering firewalls.
  • Proxy firewalls.
  • NAT firewalls.
  • Web application firewalls.
  • Next-gen firewalls (NGFW)

What are two firewall management methods? ›

Management Methods
  • Web interface.
  • CLI.
  • Panorama.
  • XML API.

What are the 3 types of intrusion detection systems? ›

The 3 Intrusion Detection System Methods
  • Signature-Based Intrusion Detection. Signature-Based Intrusion Detection Systems (SIDS) aim to identify patterns and match them with known signs of intrusions. ...
  • Anomaly-Based Intrusion Detection. ...
  • Hybrid Intrusion Detection.

What is techniques of detection? ›

The method detection limit (MDL) is the minimum concentration of a substance that can be measured and reported with 99% confidence that the analyte concentration is greater than zero and is determined from analysis of a sample in a given matrix containing the analyte [2].

What are three major aspects of intrusion prevention? ›

Major functions of intrusion prevention systems are to identify malicious activity, collect information about this activity, report it and attempt to block or stop it.

Which firewall is best for intrusion detection system? ›

Top 10 BEST Intrusion Detection Systems (IDS) [2023 Rankings]
  • Comparison of the Top 5 Intrusion Detection Systems.
  • #1) SolarWinds Security Event Manager.
  • #2) Bro.
  • #3) OSSEC.
  • #4) Snort.
  • #5) Suricata.
  • #6) Security Onion.
  • #7) Open WIPS-NG.

What is the best intrusion prevention system? ›

The Top IDPS Solutions in Depth:
  • Trend Micro.
  • Cisco.
  • Check Point.
  • Trellix.
  • Hillstone Networks.
  • NSFOCUS.
  • Palo Alto Networks.
  • OSSEC HIDS.

How does firewall protect your network for intrusion detection? ›

A firewall establishes a border between an external network and the network it guards. It is inserted inline across a network connection and inspects all packets entering and leaving the guarded network. As it inspects, it uses a set of pre-configured rules to distinguish between benign and malicious packets.

What is the best detection approach when dealing with DDoS? ›

To detect DDoS attacks, an entropy method, the Shannon entropy is used and this entropy detection uses only one feature like source IP address to create the detection model. Henceforth, attackers can easily manipulate source IP address using tools like scapy, hping, etc.

What is intrusion detection and prevention? ›

An intrusion prevention system (IPS) – sometimes referred to as an intrusion detection prevention system (IDPS) – is a network security technology and key part of any enterprise security system that continuously monitors network traffic for suspicious activity and takes steps to prevent it.

Which sensors are used to detect intrusion? ›

Seismic sensors.

These are able to pick up vibrations on a surface and when a certain vibration threshold is reached, an alarm is generated. Seismic sensors may be placed on floors in order to detect a walking intruder, or on walls or doors, to detect an attempted break-in (J.

What is the most important firewall rule? ›

A good rule would be permit tcp any WEB-SERVER1 http . permit ip any any WEB-SERVER1 - Allows all traffic from any source to a web server. Only specific ports should be allowed; in the case of a web server, ports 80 (HTTP) and 443 (HTTPS). Otherwise, the management of the server is vulnerable.

What are basic firewall rules? ›

Rulesets for firewalls typically include the source address, the source port, the destination address, the destination port, and an indication of whether or not the traffic should be permitted. In the given ruleset for a firewall, for instance, the firewall itself is never directly accessible from the public network.

What are the 7 layers of firewall? ›

OSI Model Explained: The OSI 7 Layers
  1. Physical Layer.
  2. Data Link Layer. ...
  3. Network Layer. ...
  4. Transport Layer. ...
  5. Session Layer. ...
  6. Presentation Layer. The presentation layer prepares data for the application layer. ...
  7. Application Layer. The application layer is used by end-user software such as web browsers and email clients. ...

What are the three common methods used to protect information from unauthorized access? ›

5 Best Practices to Prevent Unauthorized Access
  • Strong Password Policy. ...
  • Two Factor Authentication (2FA) and Multifactor Authentication. ...
  • Physical Security Practices. ...
  • Monitoring User Activity. ...
  • Endpoint Security.

What Attacks Can a firewall prevent? ›

Firewalls will help protect you from various threats, such as malware and cyber-attacks, from coming into your network. A firewall is a necessary tool for businesses that adds an extra layer of protection, not just to their network but also to their devices.

How does a firewall protect your data? ›

Firewalls scan packets for malicious code or attack vectors that have already been identified as established threats. Should a data packet be flagged and determined to be a security risk, the firewall prevents it from entering the network or reaching your computer.

Which is best firewall protection? ›

Top 10 Firewall Software
  • Check Point Next Generation Firewalls (NGFWs)
  • FortiGate.
  • Sophos Firewall.
  • WatchGuard Network Security.
  • pfSense.
  • Zscaler Internet Access.
  • SonicWall.
  • Avast.

What is the biggest problem with a firewall? ›

One of the most common firewall issues that businesses face is controls that aren't properly activated. Anti-spoofing tools, for example, are an important aspect of your managed security system since they prevent malware, spam, and other fake traffic from entering your network.

Which type of firewall is the most secure? ›

Proxy servers are the most secure type of firewall, as they filter packets through a protected proxy server. This is done before traffic even reaches the network perimeter.

What are evasion techniques? ›

Intrusion detection system evasion techniques are modifications made to attacks in order to prevent detection by an intrusion detection system (IDS). Almost all published evasion techniques modify network attacks.

What are examples of evasion methods? ›

Popular evasion techniques in the malware landscape
  • Environment awareness. ...
  • Timing-based method. ...
  • User interaction. ...
  • Domain, IP identification and internet connection. ...
  • Stegosploit. ...
  • Code obfuscation, encryption or compression. ...
  • Final thoughts.

What are two evasion techniques used by hackers? ›

This should come as no surprise, as attackers work hard to hide their real intentions when injecting these backdoors. Hackers usually make use of several evasion techniques, including obfuscating known functions and parameter names and using the encoding of the malicious code.

What are 4 methods of threat detection? ›

Generally, all threat detection falls into four major categories: Configuration, Modeling, Indicator, and Threat Behavior. There is no best type of threat detection. Each category can support different requirements and approaches depending on the business requirement.

What are the three 3 pillars of effective threat detection? ›

Here, the role of intelligence is to collect, analyze, and produce complete, accurate, timely, and relevant threat assessments that inform decision makers as they act on the information. Strong enterprise Intelligence programs are built on three pillars: strategic, operational, and tactical.

How do I evade firewall in Nmap? ›

Nmap offers several scan methods that are good at sneaking past firewalls while still providing the desired port state information. FIN scan is one such technique. In the section called “ACK Scan”, SYN and ACK scans were run against a machine named Para.

Which Nmap switch helps evade IDS or firewall? ›

Fragment Packets

The Nmap offers that ability to fragment the packets while scanning with the -f option so it can bypass the packet inspection of firewalls.

What are evasion attacks? ›

Evasion attacks are attacks at test time, in which the attacker aims to manipulate the input data to produce an error in the machine learning system. Unlike data poisoning, evasion attacks do not alter the behavior of the system, but exploit its blind spots and weaknesses to produce the desired errors.

What is HTTP evasion? ›

The purpose of these special evasion signatures, "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984), is to detect an internal client crafting a packet in order to evade URL Filtering. For example, If a user wanted to visit a site that was being blocked by a URL category.

What is firewall evasion scanning? ›

This technique uses address spoofing: alongside the actual scan packets, many very similar packets are sent, but with sender addresses different from your own. Once they reach their destination, the recipient has no way of distinguishing the real packets from the dummy ones.

How do hackers bypass firewalls? ›

To get around the firewall, attackers direct emails to specific targets within the network with the intention of tricking a user into accessing the email, which then gives them entry. Alternatively, they can attack public IP addresses found on a server to update their C&C systems.

What are 3 types of attacks? ›

What are the four types of attacks? The different types of cyber-attacks are malware attack, password attack, phishing attack, and SQL injection attack.

What are the security issues with HTTP? ›

This discussion does not include definitive solutions to the problems mentioned here but it does make some suggestions for reducing security risks.
  • Personal Information Leakage. ...
  • File and Path Names Based Attack. ...
  • DNS Spoofing. ...
  • Location Headers and Spoofing. ...
  • Authentication Credentials. ...
  • Proxies and Caching.

What are the vulnerabilities of HTTP? ›

What are the main types of HTTP vulnerability?
  • SQL Injection. ...
  • Cross-Site Scripting. ...
  • Broken Authentication and Session Management. ...
  • Insecure Direct Object References. ...
  • Security Misconfiguration. ...
  • Cross-Site Request Forgery.

What are the 3 types of scanning in cyber security? ›

Scanning could be basically of three types:
  • Port Scanning – Detecting open ports and running services on the target host.
  • Network Scanning – Discovering IP addresses, operating systems, topology, etc.
  • Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a target.

How can I bypass firewall to blocked sites? ›

Method 1: Use a proxy
  1. Method 1: Use a proxy.
  2. Method 2: Use the Google cache.
  3. Method 3: Try a URL shortener.
  4. Method 4: Try the IP address.
  5. Method 5: Unblock websites in Chrome and Safari.
  6. Method 6: Switch between HTTP and HTTPS.
  7. Method 7: Use Tor Browser.
  8. Method 8: Use a VPN.

How do I secure my firewall? ›

7 Firewall Best Practices for Securing Your Network
  1. Block traffic by default and monitor user access. ...
  2. Establish a firewall configuration change plan. ...
  3. Optimize the firewall rules of your network. ...
  4. Update your firewall software regularly. ...
  5. Have a centralized management tool for multi-vendor firewalls.

Can a VPN bypass a firewall? ›

A VPN can be used to bypass a proxy server or firewall and prevent your computer from being directed to a site it doesn't want to visit. This action provides an additional measure of security for anyone using a public Wi-Fi connection or any other unfamiliar network.
