Firewall & SE

The document provides an overview of firewalls, detailing their function as security barriers that filter internet traffic based on established policies. It discusses various types of firewalls, including hardware and software options, as well as their characteristics, techniques, limitations, and vulnerabilities. Additionally, it touches on social engineering attacks, emphasizing the human aspect of security threats and outlining phases and techniques used in such attacks.

Uploaded by

harsh

ETHICAL HACKING & DIGITAL FORENSIC TOOLS MCS303
INTRODUCTION TO FIREWALL
FIREWALL

• A firewall is simply a program or hardware device that filters the information
coming through the internet.
• A firewall forms a barrier through which the traffic going in each direction must
pass. A firewall security policy dictates which traffic is authorized to pass in each
direction.
• A firewall may be designed to operate as a filter at the level of IP packets, or may
operate at a higher protocol layer.
NEED FOR FIREWALL

• Local area networks (LANs) interconnecting PCs and terminals to each other and
the mainframe.
• Premises network, consisting of a number of LANs, interconnecting PCs, servers,
and perhaps a mainframe or two.
• Internet connectivity, in which the various premises networks all hook into the
Internet and may or may not also be connected by a private WAN.
FIREWALL

• Hardware Firewall - A hardware device, integrated into the router, that sits
between a computer and the internet.
• Software Firewall - Installed on individual servers. It intercepts each
connection request and then determines whether the request is valid or not.
FIREWALL CHARACTERISTICS

• All traffic from inside to outside, and vice versa, must pass through the firewall.
This is achieved by physically blocking all access to the local network except via
the firewall.
• Only authorized traffic, as defined by the local security policy,
TECHNIQUES USED BY FIREWALL

• Service Control
• Direction Control.
• User Control.
• Behavior Control.
LIMITATIONS OF FIREWALL

• The firewall cannot protect against attacks that bypass the firewall.
• The firewall may not protect fully against internal threats.
• An improperly secured wireless LAN may be accessed from outside the
organization.
TYPES OF FIREWALLS

• Packet Filtering Firewall.
• Stateful Inspection Firewalls.
• Application Level Gateway.
• Circuit Level Gateway.
• Next Generation.
PACKET FILTERING FIREWALL

• A packet filtering firewall applies a set of rules to each incoming and outgoing IP
packet and then forwards or discards the packet.
EXAMPLE OF PACKET FILTERING
• A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host. However,
packets from a particular external host, SPIGOT, are blocked because that host has a history of
sending massive files in e-mail messages.
• B. This is an explicit statement of the default policy. All rulesets include this rule implicitly as the
last rule.
• C. This ruleset is intended to specify that any inside host can send mail to the outside. A TCP
packet with a destination port of 25 is routed to the SMTP server on the destination machine.
The problem with this rule is that the use of port 25 for SMTP receipt is only a default; an outside
machine could be configured to have some other application linked to port 25. As this rule is
written, an attacker could gain access to internal machines by sending packets with a TCP
source port number of 25.
• D. This ruleset achieves the intended result that was not achieved in C. The rules take advantage
of a feature of TCP connections. Once a connection is set up, the ACK flag of a TCP segment is
set to acknowledge segments sent from the other side. Thus, this ruleset states that it allows IP
packets where the source IP address is one of a list of designated internal hosts and the
destination TCP port number is 25. It also allows incoming packets with a source port number of
25 that include the ACK flag in the TCP segment. Note that we explicitly designate source and
destination systems to define these rules.
• E. This ruleset is one approach to handling FTP connections. With FTP, two TCP
connections are used: a control connection to set up the file transfer and a data connection
for the actual file transfer. The data connection uses a different port number that is
dynamically assigned for the transfer. Most servers, and hence most attack targets, use
low-numbered ports; most outgoing calls tend to use a higher numbered port, typically above
1023. Thus, this ruleset allows
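The difference between rulesets C and D can be checked by evaluating both against the same packets. The following is an added example, not part of the original slides; the rule table itself is not reproduced on this page, so the two functions encode the prose descriptions of C and D above, and the internal range and sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: a documentation range stands in for the designated internal hosts.
INTERNAL = ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag

def inside(addr: str) -> bool:
    return ip_address(addr) in INTERNAL

def ruleset_c(p: Packet) -> str:
    """Ruleset C as described: allow whenever the outside end uses port 25."""
    if inside(p.src) and p.dport == 25:   # outbound mail to their SMTP port
        return "allow"
    if inside(p.dst) and p.sport == 25:   # meant for replies, matches any source-port-25 packet
        return "allow"
    return "block"                        # default policy (rule B)

def ruleset_d(p: Packet) -> str:
    """Ruleset D as described: inbound source-port-25 traffic must carry ACK."""
    if inside(p.src) and p.dport == 25:
        return "allow"
    if inside(p.dst) and p.sport == 25 and p.ack:
        return "allow"
    return "block"

# Constructed sample packets (all addresses are documentation ranges).
SAMPLES = {
    "outbound SYN to remote SMTP": Packet("192.0.2.10", 40000, "203.0.113.5", 25),
    "SMTP server reply":           Packet("203.0.113.5", 25, "192.0.2.10", 40000, ack=True),
    "inbound SYN from port 25":    Packet("198.51.100.7", 25, "192.0.2.20", 23),
    "inbound SYN from port 5555":  Packet("198.51.100.7", 5555, "192.0.2.20", 23),
}

def compare() -> dict:
    """Map each sample name to its (ruleset C, ruleset D) verdicts."""
    return {name: (ruleset_c(p), ruleset_d(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:30} C={verdicts[0]:5} D={verdicts[1]}")
```

Only the third packet is judged differently: it opens a connection from outside with source port 25, which C lets through and D blocks because the ACK flag is missing.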
ADVANTAGES

• One advantage of a packet filtering firewall is its simplicity.
• Packet filters typically are transparent to users and are very fast.
WEAKNESS OF PACKET FILTER FIREWALL

• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ
application-specific vulnerabilities or functions.
• Because of the limited information available to the firewall, the logging functionality present in
packet filter firewalls is limited.
• Most packet filter firewalls do not support advanced user authentication schemes.
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of
problems within the TCP/IP specification and protocol stack, such as network layer address
spoofing.
ATTACKS MADE ON PACKET FILTERING FIREWALL

• IP Address Spoofing.
• Source Routing Attacks.
• Tiny Fragment Attacks.
STATEFUL/PACKET INSPECTION FIREWALLS

• Combine both packet inspection technology and TCP handshake verification.
• These firewalls do put more of a strain on computing resources as well.
• A stateful packet inspection firewall reviews the same packet information as a packet
filtering firewall, but also records information about TCP connections.
EXAMPLE OF STATEFUL FIREWALL CONNECTION TABLE
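The slide's connection table is not reproduced on this page. As an added example (not from the original slides), the sketch below shows how such a table drives decisions: outbound connection attempts create an entry, and inbound segments pass only if they match one. The class name `StatefulFilter`, the address range and the packets are constructed; FIN teardown and idle timeouts are left out.

```python
from ipaddress import ip_address, ip_network

class StatefulFilter:
    """Hypothetical stateful filter: tracks TCP connections opened from inside."""

    def __init__(self, internal: str):
        self.internal = ip_network(internal)
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _inside(self, addr: str) -> bool:
        return ip_address(addr) in self.internal

    def process(self, src, sport, dst, dport, flags) -> str:
        flags = set(flags)
        if self._inside(src):                       # outbound segment
            key = (src, sport, dst, dport)
            if flags == {"SYN"}:                    # new connection: record it
                self.table[key] = "SYN_SENT"
                return "allow"
            if key not in self.table:
                return "block"
            if "RST" in flags:                      # connection aborted: drop the entry
                del self.table[key]
            return "allow"
        key = (dst, dport, src, sport)              # inbound: look up the reversed tuple
        state = self.table.get(key)
        if state is None:
            return "block"                          # no matching connection, whatever the flags
        if state == "SYN_SENT":
            if flags == {"SYN", "ACK"}:             # handshake reply we were waiting for
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "block"
        if "RST" in flags:
            del self.table[key]
        return "allow"

def demo() -> list:
    """Run constructed packets through the filter and return the verdicts in order."""
    fw = StatefulFilter("192.0.2.0/24")
    return [
        fw.process("192.0.2.10", 40000, "203.0.113.5", 25, ["SYN"]),
        fw.process("203.0.113.5", 25, "192.0.2.10", 40000, ["SYN", "ACK"]),
        fw.process("203.0.113.5", 25, "192.0.2.10", 40000, ["ACK"]),
        fw.process("198.51.100.7", 25, "192.0.2.20", 23, ["ACK"]),   # ACK set, but no entry
        fw.process("192.0.2.10", 40000, "203.0.113.5", 25, ["RST"]),
        fw.process("203.0.113.5", 25, "192.0.2.10", 40000, ["ACK"]), # entry already removed
    ]
```

The fourth packet carries the ACK flag and source port 25, so a stateless ACK-based rule would accept it; the table lookup rejects it because no inside host opened that connection.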
APPLICATION LEVEL GATEWAY FIREWALL

• An application-level gateway is also called an application proxy.
• Application-level gateways tend to be more secure than packet filters.
• The application-level gateway need only scrutinize a few allowable applications.
• It is easy to log and audit all incoming traffic at the application level.
CIRCUIT LEVEL GATEWAY

• This can be a stand-alone system or it can be a specialized function performed by an
application-level gateway for certain applications.
• A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway
sets up two TCP connections, one between itself and a TCP user on an inner host and one
between itself and a TCP user on an outside host.
• A typical use of circuit-level gateways is a situation in which the system administrator trusts
the internal users.
SMURF ATTACK

• The attacker sends a long stream of pings (ICMP echo messages) to a third party. The
attacker uses IP address spoofing, making the source IP address in these pings the IP address
of the victim. Consequently, pinged hosts send their ICMP echo replies to the victim host,
overwhelming it.
• For this attack to be successful, the third party being pinged must have a router that will
broadcast the ping message to all hosts in the router's attached networks. This way, a
single echo request gives rise to dozens or even hundreds of echo response packets that
will flood the victim.
SOCIAL ENGINEERING

• The act of stealing information from humans.
• It is considered a non-technical attack.
• The major vulnerability that leads to social engineering attacks is trust.
PHASES OF SOCIAL ENGINEERING ATTACK

• Research.
• Select Target.
• Relationship.
• Exploit.
SOCIAL ENGINEERING TECHNIQUES

• Human-based Social Engineering
- Impersonation.
- Eavesdropping and Shoulder Surfing.
- Dumpster Diving.
- Reverse Social Engineering.
Spear Phishing.
- Publishing Malicious Apps
- Repacking Legitimate Apps
