Firewall, IDS Evasion and Spoofing

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and an outside network, such as the Internet, that is assumed not to be secure or trusted. Firewalls are often categorized as either network firewalls or host-based firewalls.

IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of hiding the identity of the sender or impersonating another computing system. One technique which a sender may use to maintain anonymity is to use a proxy server.

Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mind-set of an attacker, and deploy techniques from this section against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies.

In addition to restricting network activity, companies monitor traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans, because scans are sometimes a precursor to attacks. Many of these products have recently evolved into intrusion prevention systems (IPS) that actively block traffic deemed malicious. Skilled attackers, with the help of certain Nmap options, can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positives, where innocent activity is misdiagnosed and alerted on or blocked.
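To make the trade-off in that last paragraph concrete, here is a toy version of the kind of scan-detection rule an IDS ships with: it alerts when one source probes many distinct targets inside a short window, and it suppresses the one known false positive (the site's own scanner). This is an added example, not code from the article or from Nmap; the flow records, threshold, window and the allowlisted address 10.0.0.200 are all constructed.

```python
# Toy IDS rule: flag a source that probes many distinct ports in a short window.
# Added example, not code from the article or from Nmap; all values constructed.
from collections import defaultdict

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 192.168.1.10 22 S
1700000000 10.0.0.5 192.168.1.10 80 S
1700000001 10.0.0.5 192.168.1.10 443 S
1700000002 10.0.0.5 192.168.1.10 3306 S
1700000062 10.0.0.9 192.168.1.10 22 S
1700000400 10.0.0.9 192.168.1.10 80 S
1700000800 10.0.0.9 192.168.1.10 443 S
1700001200 10.0.0.9 192.168.1.10 3306 S
1700000010 10.0.0.200 192.168.1.10 22 S
1700000010 10.0.0.200 192.168.1.10 80 S
1700000010 10.0.0.200 192.168.1.10 443 S
1700000010 10.0.0.200 192.168.1.10 3306 S
"""
PORT_THRESHOLD = 4          # distinct (dst, port) targets from one source ...
WINDOW_SECONDS = 30         # ... inside this many seconds raises an alert
ALLOWLIST = {"10.0.0.200"}  # constructed: the site's own authorised scanner

def parse_flows(text):
    """Return (ts, src, dst, dport) tuples for SYN probes; other flags are ignored."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        if "S" in flags:
            flows.append((int(ts), src, dst, int(dport)))
    return flows

def detect_port_scans(flows, threshold=PORT_THRESHOLD,
                      window=WINDOW_SECONDS, allowlist=ALLOWLIST):
    """Map each alerting source to the largest distinct-target count in any window."""
    probes = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        probes[src].append((ts, (dst, dport)))
    alerts = {}
    for src, events in probes.items():
        if src in allowlist:  # suppress the known false positive
            continue
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```

Running `detect_port_scans(parse_flows(SAMPLE_FLOWS))` flags only 10.0.0.5: the four probes from 10.0.0.9 are spread minutes apart and never share a 30-second window, which is the false negative a fixed-window rule accepts in exchange for fewer false positives.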

Detecting and subverting firewalls and IDSs takes patience, skill and experience.

For further reading, refer to:

How does an attacker evade intrusion detection systems with session splicing? Refer to the SANS Security resource below for further reading.
