A firewall is software or hardware that monitors network traffic and compares it against a set of rules before passing or blocking it. One simple analogy is a guard or gatekeeper at the entrance of an event. This gatekeeper can check the ID of individuals against a set of rules before letting them enter (or leave).
Before we go into more details about firewalls, it is helpful to remember the contents of an IP packet and TCP segment. The following figure shows the fields we expect to find in an IP header. If the figure below looks complicated, you don’t need to worry as we are only interested in a few fields. Different types of firewalls are capable of inspecting various packet fields; however, the most basic firewall should be able to inspect at least the following fields:
- Protocol
- Source Address
- Destination Address

Depending on the protocol field, the data in the IP datagram can be one of many options. Three common protocols are:
- TCP
- UDP
- ICMP

In the case of TCP or UDP, the firewall should at least be able to check the TCP and UDP headers for:
- Source Port Number
- Destination Port Number
The TCP header is shown in the figure below. We notice that there are many fields that the firewall might or might not be able to analyze; however, even the most limited of firewalls should give the administrator control over allowed or blocked source and destination port numbers.

Learning Objectives
This room covers:
- The different types of firewalls, according to different classification criteria
- Various techniques to evade firewalls
This room requires the user to have basic knowledge of:
- ISO/OSI layers and TCP/IP layers. We suggest going through the Network Fundamentals module if you want to refresh your knowledge.
- Network and port scanning. We suggest you complete the module to learn more about this topic.
- Reverse and bind shells. We recommend the What the Shell? room to learn more about shells.
Warmup Questions
The design logic of traditional firewalls is that a port number would identify the service and the protocol. In traditional firewalls, i.e., packet-filtering firewalls, everything is allowed and blocked mainly based on the following:
- Protocol, such as TCP, UDP, and ICMP
- IP source address
- IP destination address
- Source TCP or UDP port number
- Destination TCP or UDP port number

Let’s consider this very simplified example. If you want to block HTTP traffic, you need to block the TCP traffic from source port 80, i.e., the port number used by HTTP by default. If you want to allow HTTPS traffic, you should allow the TCP traffic from source port number 443, i.e., the port number used by HTTPS. Obviously, this is not efficient because there are other default port numbers that we need to include. Furthermore, the service can be running on a non-default port number. Someone can run an HTTP server on port 53 or 6667.
Visit the Service Name and Transport Protocol Port Number Registry to learn more about default port numbers and to answer the following questions.
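The following is an added example, not part of the original room: a minimal packet filter in Python that reads only the fields listed above and applies first-match rules, so you can see why the decision depends on the port number and never on what the traffic actually is. The rule set, addresses, payload, and the function names `build`, `parse`, and `decide` are all hypothetical and constructed for illustration.

```python
import ipaddress
import struct

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def build(proto, src, dst, sport=0, dport=0, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header, then only the port
    fields of the TCP/UDP header (checksums and other fields omitted)."""
    l4 = payload if proto == 1 else struct.pack("!HH", sport, dport) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + l4

def parse(packet):
    """Extract only the fields a packet-filtering firewall inspects."""
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    f = {"proto": PROTO.get(packet[9], "other"),
         "src": ipaddress.ip_address(packet[12:16]),
         "dst": ipaddress.ip_address(packet[16:20]),
         "sport": None, "dport": None}
    if f["proto"] in ("tcp", "udp"):                  # ports open both headers
        f["sport"], f["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return f

def decide(packet, rules, default="deny"):
    """First matching rule wins; a key missing from a rule means 'any'."""
    f = parse(packet)
    for r in rules:
        if (r.get("proto") in (None, f["proto"])
                and f["src"] in ipaddress.ip_network(r.get("src", "0.0.0.0/0"))
                and f["dst"] in ipaddress.ip_network(r.get("dst", "0.0.0.0/0"))
                and r.get("sport") in (None, f["sport"])
                and r.get("dport") in (None, f["dport"])):
            return r["action"]
    return default

# Hypothetical rule set mirroring the simplified example in the text.
RULES = [
    {"action": "deny",  "proto": "tcp", "sport": 80},    # HTTP by default port
    {"action": "allow", "proto": "tcp", "sport": 443},   # HTTPS by default port
    {"action": "allow", "proto": "tcp", "sport": 53},    # assumed: meant for DNS
]
HTTP = b"HTTP/1.1 200 OK\r\n\r\n"                        # constructed payload
CLIENT = "10.0.0.5"                                      # constructed addresses
for port in (80, 443, 53, 6667):
    pkt = build(6, "203.0.113.7", CLIENT, sport=port, dport=51000, payload=HTTP)
    print(f"tcp sport={port:<5} -> {decide(pkt, RULES)}")
```

Every packet carries the same HTTP payload, yet the one from source port 53 is allowed because the filter never looks past the port fields; the one from 6667 is stopped only by the default-deny policy, not by the HTTP rule.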
If you want to block telnet, which TCP port number would you deny?
You want to allow HTTPS, which TCP port number do you need to permit?
What is an alternate TCP port number used for HTTP? It is described as “HTTP Alternate.”
You need to allow SNMP over SSH, snmpssh. Which port should be permitted?
