Routers, switches, and hubs are some of the networking devices used to establish connectivity among
networked devices. However, they don’t provide much control over access and security. Securing the network
requires special-purpose devices like intrusion detection systems, firewalls, and honeypots. This chapter
introduces these devices, their types, and the architectural considerations for their placement in the network.
What an IDS Is and How It Works:
An intrusion detection system (IDS) is a system that listens to and monitors the network traffic and alerts the
network administrator when any type of intrusion is detected. It checks for unusual and suspicious traffic.
The IDS is essentially a packet sniffer that intercepts and analyzes all packets and searches for intrusion
patterns. As soon as the IDS detects an intrusion and raises an alarm, the administrator can take appropriate
action to stop or reduce the impact of intrusion.
Intrusion detection systems mainly work using signatures. They have a predefined signature database
for various types of attacks. Following is a high-level overview of how an IDS works:
• For each packet that passes through the IDS, it tries to match the content against the
signature database. Some IDS systems also work on behavior and anomalies.
• If the IDS finds a signature match, then it either drops the packet or blocks the source
IP or notifies the administrator to take appropriate action.
Using the signature detection method, an IDS would only be able to detect those intrusions for which
the signature is in its database. Anomaly detection looks for behavioral patterns. For example, there might be
a system in the network that has suddenly started uploading a huge amount of traffic in the network. Such
behavior might be unusual, and the IDS may detect it and further analyze it for any traces of intrusion.
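The two detection methods just described, signature matching and an anomaly check on a host that suddenly uploads far more than usual, as an added example (not code from the original chapter). The traffic records, signature database and the 10x threshold are constructed for illustration:

```python
import re
from statistics import median

# Constructed sample traffic records: (src_host, direction, bytes, payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "out", 1200, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "out", 900, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", "out", 1500, "GET /login?user=bob HTTP/1.1"),
    ("10.0.0.7", "out", 1100, "POST /login HTTP/1.1"),
    ("10.0.0.9", "in", 300, "GET /search?q=' OR 1=1-- HTTP/1.1"),
    ("10.0.0.5", "out", 50_000_000, "PUT /upload HTTP/1.1"),
]

# Hypothetical signature database: name -> pattern applied to the payload.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script\b", re.IGNORECASE),
}


def signature_alerts(records, signatures=SIGNATURES):
    """Signature detection: every packet is matched against each signature;
    only attacks that have a signature in the database can be found this way."""
    alerts = []
    for src, _direction, _size, payload in records:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(records, ratio=10.0):
    """Anomaly detection: flag an outbound record whose size exceeds `ratio`
    times the median outbound record size. The median is the baseline because
    a mean would be dragged up by the very spike we want to catch; a real
    sensor would learn its baseline from past traffic, not from this batch."""
    outbound = [r for r in records if r[1] == "out"]
    if not outbound:
        return []
    baseline = median(r[2] for r in outbound)
    return [(src, "upload-volume-anomaly", size)
            for src, _direction, size, _payload in outbound
            if size > ratio * baseline]
```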
Types of IDS:
Based on where the IDS is placed in the network and how it functions, IDSes can be classified into various
types as follows:
• Network-based IDS : A network-based IDS intercepts, monitors, and analyzes every packet entering and leaving the network irrespective of whether that packet is permitted in the network or not. It is mainly designed to identify unusual packet behaviors at the router level. It is implemented by installing a system in promiscuous
• Host-based IDS : The host-based IDS is aimed at identifying host-level intrusions. It is typically installed individually on servers or on systems with sensitive information. If users on any of these hosts try to perform any unauthorized operation, the host based IDS will raise an alarm to the administrator. A host-based IDS is also useful in monitoring and detecting unauthorized file changes.
• Log file monitoring : This type of IDS searches through and analyzes log files of different network services to identify any traces of intrusion. For example, this type of IDS may search through a web server log file and check whether there have been any failed login attempts or any web attacks like XSS, SQL injection, and so on.
• File integrity checking : File integrity checkers monitor all sensitive files like configuration files for changes. They do so by keeping a record of the checksum values of all files at a given time. Any change in a file would change its checksum value and thus raise an alarm. If any Trojan or virus infects the system, many configuration files will be changed. Such intrusions and infections can be detected by file integrity checking. Tripwire offers applications for file integrity monitoring.
Evading an IDS:
Most intrusion detection systems work on a signature basis. It’s quite possible for the attacker to create a custom packet payload that won’t match any of the signatures in the predefined database of the IDS. This way, the attacker can bypass the IDS and possibly compromise the remote system without creating any noisy alerts. Following are some of the techniques used to evade and bypass an IDS.
• Insertion attack : In an insertion attack, the attacker tries to confuse the IDS by sending invalid packets. The attacker crafts a malformed packet in such a way that the end system interprets the attack payload correctly but the IDS is unable to recognize the attack.
• Denial of service : Many IDS systems use a centralized logging server to log all events and alerts. If the attackers know the IP address of this centralized logging server, they can launch a denial-of-service attack on that server so that the IDS won’t be able to log any more events.
• Obfuscating and encoding : Obfuscating means converting normal readable text or code into something that is hard to read and interpret. This is often used for security and privacy reasons. Encoding is a similar way of converting plain text into a special format and is mainly used for web transmissions. For example, if an attacker requests the URL http://example.com/php?id=<script>alert("XSS")</script> then the IDS might raise an alert since it has a cross-site scripting payload.
However, an attacker might choose to encode it using BASE64 format and convert it to aHR0cDovL2V4YW1wbGUuY29tL3BocD9pZD08c2NyaXB0PmFsZXJ0KCJYU1MiKTwvc2NyaXB0Pg== . Now the IDS might treat this as normal text and forward it ahead without raising an alarm.
• Session splicing and fragmentation : Session splicing and fragmentation involve breaking, slicing, and splitting packets into multiple pieces such that no single packet causes the IDS to trigger an alert. Many IDS systems tend to ignore packet reconstruction before a packet is matched against the signature database.
• Invalid packets : Sending invalid TCP packets is another way of evading an IDS. An attacker can manipulate one of the six TCP flags or the packet checksum in order to pass it through the IDS.
• Polymorphic shellcodes : Most IDS systems have a standard default set of intrusion signatures. Attackers can modify the attack payload so that it doesn’t match the default IDS signature and gets through it.
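The encoding evasion above fails against a sensor that normalises input before matching. As an added example (not code from the chapter), the following matches the XSS signature on the raw request, on its percent-decoded form and on any base64-looking token it contains, repeated a few times so double-encoded payloads are unwrapped too. The signature, the base64 token heuristic and the depth limit are assumptions for illustration; the URL is the chapter's own example:

```python
import base64
import re
from urllib.parse import unquote

XSS_SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)
# A run of base64 alphabet long enough to be worth decoding, with optional padding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def naive_match(data):
    """Signature check on the raw request only, as a basic signature IDS does."""
    return bool(XSS_SIGNATURE.search(data))


def _decode_b64_token(match):
    try:
        return base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace")
    except ValueError:            # not really base64 (bad length/padding): keep as is
        return match.group(0)


def decode_layers(data, max_depth=3):
    """Return the input plus every form reachable by percent-decoding it or
    decoding base64-looking tokens inside it, repeated up to max_depth times so
    a payload that was wrapped more than once is still unwrapped."""
    seen = {data}
    frontier = [data]
    for _ in range(max_depth):
        fresh = []
        for item in frontier:
            for candidate in (unquote(item), BASE64_TOKEN.sub(_decode_b64_token, item)):
                if candidate not in seen:
                    seen.add(candidate)
                    fresh.append(candidate)
        frontier = fresh
    return seen


def normalized_match(data):
    """Signature check applied to every decoded form of the input."""
    return any(XSS_SIGNATURE.search(form) for form in decode_layers(data))


# Constructed samples: the chapter's URL, raw, in the BASE64 form the chapter
# shows, and wrapped in BASE64 a second time.
RAW_URL = 'http://example.com/php?id=<script>alert("XSS")</script>'
ENCODED_URL = base64.b64encode(RAW_URL.encode()).decode()
DOUBLE_ENCODED_URL = base64.b64encode(ENCODED_URL.encode()).decode()
```

The decoding layers cost CPU on every packet and can produce junk from long legitimate tokens, so a production sensor bounds the depth and the token length as this one does.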
Common Symptoms of an Intrusion:
Whenever there’s an intrusion into a system (human or malware), it makes a lot of changes in various parts
of the affected system. The intrusion might create new files or delete existing ones, change Registry entries,
modify user accounts, and so on. Following are some of the signs of a possible intrusion:
• Login failures for valid users : In case of an intrusion or a compromise, the passwords of valid active users on the system may be changed or the accounts may be locked.
• Active unused accounts : Each system has some accounts that are rarely used. Such accounts include the system user accounts used for specific purposes. During or after an intrusion, such unused user accounts may appear to be active. Attackers often use such dormant accounts to get into the system.
• Login during nonbusiness hours : Every system maintains a record of the last login time for each user account. If a couple of accounts are frequently logging in during nonbusiness hours, it may be a sign of an intrusion.
• Unusual system performance : Let’s assume an organization has a server that has been running at 40% CPU consumption for the last two months. Suddenly, over a weekend, the CPU consumption shoots to 95%. This might be a sign of intrusion. Another server has been crashing and rebooting frequently for the last couple of days. This again could be due to some kind of malicious intrusion.
• Strange timestamps : Every file and folder on the system has a timestamp associated with it, which includes the date and time when it was created, last modified, and accessed. If multiple files on the filesystem are showing strange and outdated timestamps, then it’s a clear indication that some malicious program has tampered with the system.
• Unknown processes and ports : On a compromised system after a successful intrusion, there may be many unknown processes and ports open for connection with unknown remote hosts.
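Three of the symptoms above (login failures for valid users, dormant accounts becoming active, logins outside business hours) turned into detection logic over an authentication log, as an added example that is not part of the chapter. The log lines, the business-hours window, the dormant-account list and the thresholds are all constructed for illustration:

```python
from collections import Counter
from datetime import datetime

# Constructed authentication log, one event per line: date time user result source.
SAMPLE_LOG = """\
2024-03-04 09:12:01 alice success 10.0.0.12
2024-03-04 09:15:44 alice success 10.0.0.12
2024-03-04 23:40:10 backup-svc success 198.51.100.7
2024-03-05 02:05:33 backup-svc success 198.51.100.7
2024-03-05 03:11:20 backup-svc success 198.51.100.7
2024-03-05 08:01:02 bob failure 10.0.0.20
2024-03-05 08:01:09 bob failure 10.0.0.20
2024-03-05 08:01:15 bob failure 10.0.0.20
2024-03-05 08:01:22 bob failure 10.0.0.20
2024-03-05 10:30:00 carol success 10.0.0.31
"""

# Hypothetical site policy used by the checks.
BUSINESS_HOURS = range(8, 18)       # 08:00 to 17:59 local time
DORMANT_ACCOUNTS = {"backup-svc"}   # rarely used service accounts
FAILURE_THRESHOLD = 3               # failed logins per user before alerting
OFF_HOURS_THRESHOLD = 2             # off-hours logins per user before alerting


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        date, time, user, result, source = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": user, "result": result, "source": source})
    return events


def detect(events):
    """Apply three of the chapter's intrusion symptoms to parsed events."""
    findings = []
    # Login failures for valid users: repeated failures may mean a changed or locked password.
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    for user, n in sorted(failures.items()):
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated-login-failures", user, n))
    successes = [e for e in events if e["result"] == "success"]
    # Active unused accounts: any successful login by a dormant account is suspicious.
    active_dormant = Counter(e["user"] for e in successes if e["user"] in DORMANT_ACCOUNTS)
    for user, n in sorted(active_dormant.items()):
        findings.append(("dormant-account-active", user, n))
    # Login during nonbusiness hours: successful logins outside the business window.
    off_hours = Counter(e["user"] for e in successes if e["ts"].hour not in BUSINESS_HOURS)
    for user, n in sorted(off_hours.items()):
        if n >= OFF_HOURS_THRESHOLD:
            findings.append(("nonbusiness-hours-logins", user, n))
    return findings
```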
In simple layman’s terms, a firewall is computer hardware or software that helps protect systems from unauthorized access. The most basic function of a firewall is to set access control rules based on sockets. These firewall rules are designed according to the organization’s security policy. For example, an organization might want to block access to the FTP server (Port 21) to all users outside its network while allowing all internal and external users access to the web server (Port 80). All such access requirements and policies can be translated into the form of firewall rules. The firewall monitors all inbound and outbound connections and allows or denies access according to these predefined rules.
A DMZ (demilitarized zone) is a buffer area between a private intranet and the external public network. Any
service that needs to be accessed from the external public network is placed in a DMZ. For example, a web
server hosting a website is placed in a DMZ, but the database server associated with it is placed in the intranet.
Correct placement of a firewall within the network is important in order to make the firewall work properly.
If its placement within the network goes wrong, then even the latest and most sophisticated firewall will be
of no use. Following are some of the architectural considerations for placement of firewalls.
• Bastion host : A bastion host is a special-purpose host computer that is placed outside the firewall or DMZ and is hardened to withstand external attacks. It generally hosts a single application. A bastion host is commonly used for hosting DNS, email, honeypots, proxy servers, VPNs, web servers, and so on.
• Screened subnet : A screened subnet is a type of network architecture that implements a single firewall with three network interfaces. One interface is used to connect to the external public network (Internet), another is used to connect to the DMZ, and the remaining is used to connect to the internal private network (intranet). This results in separation of the intranet from the DMZ and Internet.
• Multi-homed firewall : Multi-homed architecture involves two or more firewalls that connect separate network segments. Its specifications are designed according to the organization’s security needs.
Types of Firewall:
Based on their purpose and overall placement in the network, firewalls are of various types. Firewalls are
also classified based on the OSI layer on which they operate. Following are a few types of commonly used
• Packet filters : A packet filter firewall works at the Network layer of the OSI model and inspects every packet passing through to match against predefined access control lists. Following are some of the factors that the packet filter firewall uses to
• Source IP address
• Destination IP address
• Source port
• Destination port
• Direction: inbound / outbound
• Network interface
• Circuit-level gateways : A circuit-level gateway firewall works at the Session layer of the OSI model. It doesn’t filter individual packets. Instead, it monitors all requests for establishing new sessions and checks whether the TCP three-way handshake has been completed to verify the validity of a session.
• Application-level gateways : An application-level gateway firewall works at the Application layer of OSI model. This type of firewall filters traffic based on application-specific commands, such as HTTP GET or POST
• Stateful inspection firewalls : A stateful inspection firewall combines features of packet filter firewalls, circuit-level gateways and application-level gateways. It intercepts and monitors all packets, filters them at the Network layer, verifies whether the established sessions are valid and authorized, and also evaluates contents of the packet at the Application layer.
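The packet filter factors listed above and the circuit-level handshake check, combined the way a stateful inspection firewall does, as an added example (not code from the chapter). The policy is the chapter's own scenario (FTP on port 21 only for internal users, the web server on port 80 open to everyone); the interface names, the rule format and the flow-state names are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str                    # "inbound"/"outbound" relative to the firewall
    iface: str                        # interface the packet arrived on
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}

# Constructed policy from the chapter's example: FTP (21) reachable only via the
# internal interface, the web server (80) reachable from anywhere, all else denied.
# First matching rule wins; a field absent from a rule is a wildcard.
RULES = [
    {"action": "allow", "dport": 21, "direction": "inbound", "iface": "lan"},
    {"action": "deny",  "dport": 21, "direction": "inbound", "iface": "wan"},
    {"action": "allow", "dport": 80, "direction": "inbound"},
]
FIELDS = ("src", "dst", "sport", "dport", "direction", "iface")

def packet_filter(pkt, rules=RULES):
    """Stateless packet filter: match header fields against the ACL, default deny."""
    for rule in rules:
        if all(f not in rule or rule[f] == getattr(pkt, f) for f in FIELDS):
            return rule["action"]
    return "deny"

class StatefulInspector:
    """Circuit-level check on top of the ACL: a flow must pass the filter on its
    SYN and complete SYN, SYN-ACK, ACK before any data packet is allowed."""

    def __init__(self):
        self.flows = {}   # (src, sport, dst, dport) -> handshake state

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:                                  # session request
            if packet_filter(pkt) == "deny":
                return "drop"
            self.flows[key] = "SYN_SENT"
            return "allow"
        if pkt.flags == {"SYN", "ACK"} and self.flows.get(reverse) == "SYN_SENT":
            self.flows[reverse] = "SYN_RECEIVED"
            return "allow"
        if pkt.flags == {"ACK"} and self.flows.get(key) == "SYN_RECEIVED":
            self.flows[key] = "ESTABLISHED"
            return "allow"
        if "ESTABLISHED" in (self.flows.get(key), self.flows.get(reverse)):
            return "allow"                                        # data on a verified session
        return "drop"                                             # no valid session
```

A real stateful firewall also ages entries out of the flow table and tracks FIN/RST teardown; this version only shows the handshake gate.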
Firewall Identification Techniques:
A firewall is typically placed in a network to filter out unwanted traffic. The existence of a firewall is
transparent to the end users. However, for security testing or penetration testing of a network, it is necessary
to detect the presence of a firewall or any packet filtering device. If the place or position and type of firewall
are known, then it can help craft custom attacks to bypass the firewall restrictions. Following are some of the
ways used to identify the presence of a firewall in a network:
• Port scanning : Port scanning is one of the most common information-gathering techniques. It helps identify all open ports on the target system. It may be possible to detect a firewall running on a remote host if the firewall is running on its default port. For example, the Checkpoint firewall by default uses ports 256, 257, 258 and 259.
• Firewalking : Firewalking is a technique similar to tracerouting. It is used to scan and collect information about the remote hosts that are behind a firewall. It simply sends a TCP or UDP packet with a TTL value one hop greater than the targeted firewall. The response is analyzed to determine ACL filters and network map. It is a type of active
Firewalls are strategically placed in a network to filter out unwanted traffic and control the access to resources on the network. However, during a real-world attack or simulated penetration test, firewalls prove a major hurdle by blocking the attack traffic. Following are some of the ways of evading or bypassing the firewall restrictions:
• IP address spoofing : IP address spoofing is one of the effective ways of bypassing firewall restrictions. In this technique, the attacker changes the IP address of his host to that of a trusted host. To understand this, let’s consider the following scenario:
• There are four systems: A, B, C and D.
• A is a server in the network, B is a firewall, C is one of the trusted hosts in the network, and D is the attacker.
• Now if D tries to access A, it will be blocked by B.
• To bypass this restriction, D changes its IP address to that of C, which is already trusted by B.
• Source routing : This technique allows the attacker to define the way or route the packet should take to reach its destination. This will help the attacker bypass the route where the firewall resides.
• Bypassing the firewall using a proxy server : Many organizations choose to block access to social websites from their intranet. Such restrictions can be bypassed using proxy servers. Since access to the proxy server isn’t blocked, a user can connect to the proxy server, which can then connect to the destination website on behalf of the user. There are many such free proxy servers available openly on the Internet.
• Tunneling (ICMP, HTTP) : Because of stringent security policies, many organizations opt to open only limited ports on their firewall. For example, an organization may open up only port 80 and block all other ports. In such a scenario, an attacker can use tunneling techniques to pass other traffic through the port that is open. Tunneling encapsulates and wraps the traffic in the protocol format that is permitted through the firewall. For instance, all Telnet traffic can be wrapped in HTTP packet format so that it passes through port 80.
A honeypot is a system that is deliberately made vulnerable to attract and trap malicious attackers. It has no
authorized users associated and doesn’t have any business value. It is isolated in a way that only attackers
can probe it with the intent of compromising the system. Once the attacker connects to the honeypot, the
honeypot records all events and activities performed by the attacker. This helps the system administrator
learn more about how the attacker compromised the system and then accordingly strengthen the security of
other real systems within the network.
Types of Honeypots:
Honeypots are used to lure the attacker and divert her from attacking the real target. Based on how honeypots interact with the attacker, they can be classified as follows:
• High-interaction honeypots : This type of honeypot consists of a highly controlled network running various services. The attackers typically connect over encrypted SSH and try to break in further. All the activities of the attacker are recorded for further analysis. This is typically an isolated network with real applications and services. Hence, for an attacker it becomes very difficult to detect the presence of a honeypot.
• Low-interaction honeypots : This type of honeypot is typically an emulated service that has limited interactive capabilities. For example, while a connection over a real SSH would support all Linux commands, a connection over an emulated SSH will support only a limited set of commands. If any input beyond its predefined capability is given, it will throw an error making the attacker aware of the honeypot’s presence.
Detecting Honeypots:
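A low-interaction honeypot's emulated shell in miniature, as an added example that is not from the chapter or any honeypot product: a handful of canned responses, every input recorded for the administrator, and an error for anything outside the emulated set, which is exactly the limitation the chapter describes. The canned responses and the hostname are constructed:

```python
from datetime import datetime, timezone


class EmulatedShell:
    """Low-interaction honeypot session: a few canned responses, every input
    logged. Anything outside the emulated set gets an error, which is what the
    chapter says can reveal the honeypot to the attacker."""

    # Constructed canned responses; a real deployment would shape these to the
    # system it is imitating.
    RESPONSES = {
        "whoami": "root",
        "id": "uid=0(root) gid=0(root) groups=0(root)",
        "pwd": "/root",
        "ls": "backup.tar.gz  notes.txt",
        "uname -a": "Linux web01 5.10.0 #1 SMP x86_64 GNU/Linux",
    }

    def __init__(self, remote_addr):
        self.remote_addr = remote_addr
        self.log = []                  # every input, emulated or not

    def handle(self, line):
        """Answer one command line the way the emulated shell would."""
        cmd = " ".join(line.split())   # normalise whitespace
        if not cmd:
            return ""
        emulated = cmd in self.RESPONSES
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "remote": self.remote_addr,
            "cmd": cmd,
            "emulated": emulated,
        })
        if emulated:
            return self.RESPONSES[cmd]
        # The giveaway: a real shell would run this; the emulation cannot.
        return f"bash: {cmd.split()[0]}: command not found"

    def report(self):
        """What the administrator learns from the session."""
        return {
            "remote": self.remote_addr,
            "commands": len(self.log),
            "unsupported": [e["cmd"] for e in self.log if not e["emulated"]],
        }
```

Every unsupported command in the report is both a clue about the attacker's intent and a candidate for the next canned response.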
We have seen that a honeypot is a system that is deliberately made vulnerable to attract attackers and divert
them from attacking real systems. However, there are a few ways by which attackers could possibly detect the
presence of a honeypot and target the real system instead:
• Attackers can detect a honeypot by probing and scanning all the services running on the system.
• Attackers can use tools like HPING to craft special packets, send them to the system, and determine the presence of a honeypot based on the responses.
• Attackers can use multiple proxy servers before connecting to the system (honeypot) so that their identity remains hidden.
• Attackers can also make use of tools like Send Safe Honeypot Hunter to automate the process of honeypot detection.
• An IDS is a system that monitors the network traffic and alerts the administrator when any type of intrusion is detected.
• Insertion attacks, denial of service attacks, obfuscating/encoding, session splicing and fragmentation, sending invalid packets, and polymorphic shellcodes are some of the techniques for evading and bypassing IDS.
• A firewall is computer hardware or software that helps protect systems from unauthorized access.
• A bastion host is a special-purpose host computer that is placed outside the firewall or DMZ and is hardened to withstand external attacks.
• A screened subnet is a type of network architecture that implements a single firewall with three network interfaces.
• Multi-homed architecture involves two or more firewalls that connect separate network segments.
• A DMZ (demilitarized zone) is a buffer area between a private intranet and the external public network.
• Packet filter firewalls work at the Network layer of the OSI model, circuit-level gateways work at the Session layer, and application-level gateways work at the Application layer of the OSI model.
• IP address spoofing, source routing, using proxy servers and tunneling are some of the techniques for evading and bypassing firewalls.
• A honeypot is a system that is deliberately made vulnerable to attract and trap malicious attackers.