Firewalls have become part of standard operations in most organizations. A firewall can be hardware, software, or a combination of the two. It is designed to inspect traffic and to allow or block that traffic according to organizational policy.
Types of Firewalls
There are several firewall alternatives available, and all of them have limitations: a firewall does not protect against social engineering, and it cannot protect against tunneling attempts that hide traffic inside protocols the policy already allows. The main types are hardware firewalls, software firewalls, packet filtering firewalls, link-level gateways, application-level firewalls, and stateful multi-layer inspection firewalls.
Firewall Identification
There are several methods that attackers use to identify firewalls. They can scan ports using Nmap, and they can use banner grabbing, which captures the greeting messages that network services send when a connection is opened, since those messages often reveal the firewall or the product behind it.
Firewalls
When a firewall protects a network, attackers can use various methods to get past it. They can use an internal accomplice, find vulnerable services, access a vulnerable external server, bypass the firewall by tunneling (HTTPTunnel), place backdoors through the firewall (rwwwshell), hide behind a covert channel (Loki), and use ACK tunneling.
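ACK tunneling works because a stateless packet filter treats any inbound packet with the ACK flag set as the reply to a connection the inside opened; the stateful inspection firewall mentioned above closes that gap by remembering which connections actually exist. The following simulation is an added example, not part of the original article, and uses constructed addresses and a constructed packet sequence to show the two verdicts side by side:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, P=PSH, R=RST

INSIDE = "10.0.0."  # constructed internal network prefix (assumption)

def stateless_allow(pkt: Packet) -> bool:
    """Packet filter in the style of 'permit tcp any any established':
    an inbound packet passes if ACK (or RST) is set, because it 'must' be
    a reply. An ACK tunnel satisfies this test without any prior SYN."""
    if pkt.src.startswith(INSIDE):
        return True                      # outbound traffic is unrestricted
    return "A" in pkt.flags or "R" in pkt.flags

class StatefulFilter:
    """Stateful inspection: remember connections the inside opened and
    admit an inbound packet only if it belongs to one of them."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src.startswith(INSIDE):
            if pkt.flags == "S":
                self.flows.add(key)      # new outbound connection
            return True
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_key in self.flows   # inbound must match a known flow

def evaluate(packets):
    """Return (label, stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(lbl, stateless_allow(p), sf.allow(p)) for lbl, p in packets]

# Constructed traffic: a legitimate web session, then an ACK-tunnel packet
TRAFFIC = [
    ("out SYN",       Packet("10.0.0.5", 40000, "203.0.113.9", 80, "S")),
    ("in SYN/ACK",    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "SA")),
    ("out ACK",       Packet("10.0.0.5", 40000, "203.0.113.9", 80, "A")),
    ("in data",       Packet("203.0.113.9", 80, "10.0.0.5", 40000, "PA")),
    ("in bare SYN",   Packet("198.51.100.7", 5555, "10.0.0.5", 80, "S")),
    ("in ACK tunnel", Packet("198.51.100.7", 5555, "10.0.0.5", 80, "A")),
]

if __name__ == "__main__":
    for label, sl, st in evaluate(TRAFFIC):
        print(f"{label:14} stateless={'pass' if sl else 'drop'} stateful={'pass' if st else 'drop'}")
```

The last packet is the one to watch: the stateless filter passes it, the stateful filter drops it because no inside host ever sent a SYN to 198.51.100.7.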
Honeypots and Honeynets
Many organizations use honeypots and honeypot networks to provide early warning of possible attacks. Both are placed online and present themselves as easy targets within the organization in order to attract potential attackers. These devices may be purposefully configured with known vulnerabilities and weak security. They are designed to raise alarms and let staff know they have been probed or compromised. This allows network administrators to identify the source of the attack and close the gateways to prevent it from spreading to critical devices and systems within the organization's private network.
Types of honeypots
Honeypots are designed to attract and capture attackers, and there are various ways in which honeypots can be configured to lure an attacker.
- Low-interaction honeypots simulate the configuration of services, and activity with the emulated service is captured and logged.
- High-interaction honeypots are a network architecture that monitors and records all activity; they are also known as honeynets.
- Medium interaction honeypots use application layer virtualization and send expected responses for known exploits to force the exploit to send a payload.
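A minimal low-interaction honeypot of the kind described above, as an added example that is not part of the original article: it emulates one service by sending a constructed banner, captures whatever the client sends next, and turns every connection into an alert record (the honeypot has no legitimate users, so any hit is reportable). The banner string, the classification labels and the alert fields are assumptions chosen for this example.

```python
import socket
import socketserver
import threading
import time

# Constructed banner; the honeypot pretends to be an SSH server but never authenticates anyone.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

def classify_probe(data: bytes) -> str:
    """Label what the client sent after reading our banner, for easy triage."""
    if not data:
        return "banner-grab"          # connected, took the banner, went away (scanner behaviour)
    if data.startswith(b"SSH-"):
        return "ssh-handshake"        # a client or scanner completing the version exchange
    return "unexpected-payload"       # something that is not SSH at all

def make_alert(src: str, dport: int, data: bytes, ts: float) -> dict:
    """Every hit is reportable: the emulated service has no legitimate users."""
    return {"ts": round(ts, 3), "src": src, "dst_port": dport,
            "kind": classify_probe(data), "bytes": len(data),
            "sample": data[:64].decode("ascii", "replace")}

class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(FAKE_BANNER)
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except OSError:               # timeout or reset: still worth logging
            data = b""
        self.server.alerts.append(make_alert(
            self.client_address[0], self.server.server_address[1], data, time.time()))

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    def __init__(self, addr):
        super().__init__(addr, HoneypotHandler)
        self.alerts = []              # in production, ship these to the SIEM instead

def demo() -> list:
    """Start on an ephemeral loopback port, probe it once like a banner grabber, return alerts."""
    srv = Honeypot(("127.0.0.1", 0))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.create_connection(srv.server_address) as s:
        s.recv(64)                    # read the banner, send nothing, disconnect
    time.sleep(0.3)
    srv.shutdown(); srv.server_close()
    return srv.alerts

if __name__ == "__main__":
    print(demo())
```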
Open source honeypots
There are many honeypots available as commercial products or in the public domain. Some commercially available honeypots include KFSensor, NetBait, ManTrap, and SPECTER. You have many options if you want to go the open-source software route.
Open source honeypots include:
- Bubblegum Proxypot
- Jackpot
- BackOfficer Friendly
- Bait-n-Switch
- Bigeye
- HoneyWeb
- Deception Toolkit
- LaBrea Tarpit
- Honeyd
- Honeynets
- Sendmail SPAM Trap
- Tiny Honeypot
Responding to attacks
Detecting intrusions is only useful if the organization also has a good defensive policy for acting on them. The incident response team should include representatives from various departments within the organization, and the company must have response procedures, communication plans, registration procedures, and training and rehearsals for such an event.
Intrusion Detection Tools
Many intrusion detection tools are available, including:
- BlackICE
- RealSecure
- Network Flight Recorder
- Dragon
- NetProwler
- SilentRunner
- Vanguard Enforcer
- Cisco Secure IDS
- Snort
IDS Bypass Tools
The administrator must be aware of the tools available to an attacker who is trying to evade the IDS. Real-time IDS can be fooled if it is not installed and configured correctly. SideStep, Mendax, Stick, Fragrouter, and ADMutate are just a few of the tools an administrator should know about.
Packet Generators
Several packet generator tools are available. Review the following list and explore the tools you would like to learn more about:
- Aicmpsend
- Apsend
- Blast
- Ettercap
- Hping2
- ICMPush
- Ipsend
- ISIC
- Libnet
- Multi-Generator Toolset
- Net::RawIP
- Netcat
- Netsh
- PacketX
- Send ICMP Nasty Garbage
- Tcpreplay
- The Packet Shell
- USI++
- Xipdump
Firewall Hacking Tools
Several tools are available that disguise the communication between two hosts so that it passes through a firewall unnoticed. A few of them are 007 Shell, ICMP Shell (ISH), AckCmd, and Covert_TCP.
Testing Tools
Many tools are available for testing firewall filtering policies or configurations:
- FTester
- Traffic IQ Pro
- Next-Generation Intrusion Detection Expert System
- Secure Host
- System iNtrusion Analysis and Report Environment (SNARE)
- TCP Opera
- Firewall Informer
- Atelier Web Firewall Tester
Summary
In this article, you learned about the various efforts and processes that can be implemented to protect against attacks on internal networks. You learned about intrusion detection techniques, different types of firewalls, and how to determine when an attack is occurring through monitoring.