
Network security assessment: Test firewalls, IDS in multiple ways

Network administrators need to test internal systems such as firewalls and IPS/IDS devices to ensure their networks are safe.

Editor's note: This is the third in a three-part series discussing steps network administrators should take to ensure their networks are free from external and internal attacks. Part one described 10 tools no security admin should be without, while part two examined internal penetration-testing methods.

Periodic perimeter vulnerability testing is vital for any company interested in maintaining a sound network security posture. While some attacks are launched by insiders, many originate outside of organizations. This means companies must be able to verify edge devices and ensure that systems are patched and kept up to date. Perimeter testing typically involves network scanning, examination of intrusion detection systems (IDS) and intrusion prevention systems (IPS), firewall testing, and honeypot deployment and testing.

Network scanning is one of the first activities that should occur during a penetration test. After all, you should strive to see your network the same way an attacker would. Your view of the network is from the inside out, but this is not true of an attacker. Performing a perimeter scan can help you determine the operating system and patch level of edge devices, the visibility of devices accessible from outside the network, and even Secure Sockets Layer and Transport Layer Security certificate vulnerabilities. In addition, network scanning helps determine if accessible devices are adequately protected against vulnerabilities that have been uncovered since the device was deployed. Nmap, a free open source security scanner, can be used to monitor your network; the tool supports a variety of switches to identify open ports, services and operating systems.
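A scan is only useful if someone compares it with what the edge is supposed to expose. The following is an added example, not code from the article: it parses Nmap's greppable output format (`-oG`) and reports open ports that are absent from an approved-exposure baseline. The scan text, hosts, ports and version strings are constructed sample data, and the baseline is a hypothetical one an administrator would maintain.

```python
import re

# Constructed sample of nmap greppable output (nmap -sV -oG -); not a real scan.
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample) as: nmap -sV -oG - 203.0.113.0/29
Host: 203.0.113.10 (edge-fw.example)\tStatus: Up
Host: 203.0.113.10 (edge-fw.example)\tPorts: 443/open/tcp//https//nginx 1.18.0/, 22/open/tcp//ssh//OpenSSH 7.4/\tIgnored State: filtered (998)
Host: 203.0.113.12 (mail.example)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 8080/open/tcp//http-proxy//Squid 3.5/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Hypothetical approved exposure per edge host: only these ports should be reachable.
BASELINE = {
    "203.0.113.10": {443},
    "203.0.113.12": {25},
}

# Greppable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_greppable(text):
    """Return {host_ip: {port: (proto, service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                hosts.setdefault(host, {})[int(port)] = (proto, service, version.strip())
    return hosts


def unexpected_exposure(scan, baseline):
    """List open ports outside the baseline and baseline hosts that did not answer."""
    findings = []
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        for port in sorted(ports):
            if port not in allowed:
                proto, service, version = ports[port]
                findings.append(f"{host}:{port}/{proto} {service} ({version or 'no version'}) not in baseline")
    for host in baseline:
        if host not in scan:
            findings.append(f"{host} in baseline but not seen in scan")
    return findings


if __name__ == "__main__":
    for finding in unexpected_exposure(parse_greppable(SAMPLE_SCAN), BASELINE):
        print(finding)
```

Run it against a real `nmap -sV -oG` file by reading that file into `SAMPLE_SCAN`'s place; ports that appear in the findings are either undocumented exposure or a baseline that needs updating.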

How to protect your network

The deployment of IDS and IPS is another way to detect malicious activity. Most companies use IDS or IPS at the perimeter of their networks, but it's debatable how effective these devices are in repelling attacks. There are multiple ways to test your IDS and IPS, including the following:

  • Insertion attacks. These attacks occur when an attacker sends packets to an end system that are rejected, but that an IDS believes are valid. When this occurs, it allows the attacker to insert data into the IDS that no other system cares about.
  • Evasion attacks. This technique allows an attacker to get the IDS to reject a packet that the end system accepts.
  • Denial-of-service attacks. This occurs when an attacker sends so much data to the IDS that it cannot process it all. Such flooding may allow malicious traffic to travel through without being logged.
  • False-positive generation. Remember the boy who cried wolf? This type of attack is designed to send a large amount of alert data. These false positives can make it more difficult to identify a real attack.
  • Obfuscation. An IDS must detect all malicious signatures regardless of their format. To confuse the IDS, attackers might encode traffic, encrypt it or fragment it to obscure its presence.
  • Desynchronization. Techniques such as pre- and post-connection synchronization are also used to hide malicious traffic.

Firewalls are another common perimeter device that can be used to control ingress and egress traffic. Firewalls can either be stateful or stateless and can be tested in a variety of ways. Some common testing techniques include the following:

  • Firewall identification. Open ports may help identify that specific firewall technologies are being used.
  • Determining if the firewall is stateful or stateless. Simple techniques such as ACK scanning could help pinpoint the type of firewall.
  • Banner-grabbing from the firewall. While not always effective, some older firewalls may actually offer version information in the banner.

Finally, there are honeypots. These devices can be used to trap or "jail" attackers, or to potentially learn more about their activities. Honeypots fall into two categories: low interaction and high interaction. Honeypots can be detected by observing their functionality. A good example of a low-interaction honeypot can be seen with Netcat, a networking utility that reads and writes data across network connections.


Executing nc -v -l -p 80 opens a listening port on TCP 80, yet returns no banner if probed further. A high-interaction honeypot returns not only an open port but also the correct banner, making it more difficult for the attacker to determine if it is a real system or a honeypot.
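The difference between the two honeypot types comes down to what the listener answers and whether anyone records the probe. The following is an added example and not code from the article: a small Python listener that logs every connection and, in low-interaction mode, behaves like the bare `nc -l` above (open port, no banner), while in high-interaction mode it answers an HTTP-style probe with a plausible banner. The banner text, the 127.0.0.1 bind address and the port are assumptions chosen for the example.

```python
import socket
from datetime import datetime, timezone

# Assumed banner for the high-interaction profile; a real deployment would copy
# exactly what the production service sends so the honeypot is not trivially spotted.
HTTP_BANNER = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"


def honeypot_reply(first_bytes, high_interaction):
    """Low interaction: accept the connection and send nothing (like nc -l).
    High interaction: answer like a web server would, even to malformed input."""
    if not high_interaction:
        return b""
    if first_bytes.startswith((b"GET ", b"HEAD ", b"POST ")):
        return HTTP_BANNER
    return BAD_REQUEST


def log_probe(peer, first_bytes):
    """One log line per probe; returned as a string so it can be shipped to a SIEM."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{ts} honeypot probe from {peer[0]}:{peer[1]} first_bytes={first_bytes[:64]!r}"


def serve(port, high_interaction, log, stop_after=None):
    """Listen on TCP `port`, log each connection and reply per honeypot_reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))  # assumed address; bind to the edge interface in practice
    srv.listen(5)
    served = 0
    while stop_after is None or served < stop_after:
        conn, peer = srv.accept()
        conn.settimeout(2)  # a silent probe (plain nc connect) yields no bytes
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        log.append(log_probe(peer, data))
        conn.sendall(honeypot_reply(data, high_interaction))
        conn.close()
        served += 1
    srv.close()


if __name__ == "__main__":
    entries = []
    serve(8080, high_interaction=True, log=entries, stop_after=1)  # port 80 needs root
    print("\n".join(entries))
```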

While I have discussed a number of ways in which you can map what your network perimeter looks like to an attacker, keep in mind that many attackers bypass edge devices and controls by operating from the inside out. If the attacker is able to get an end user to install something inside the network, click on a link or visit a malicious site, the attacker can then tunnel traffic from the inside out, which is inherently easier than attacking from the outside in.

About the author
Michael Gregg, CISSP, CISA, CISM, CASP, is an "ethical hacker" who provides cybersecurity and penetration testing services to Fortune 500 companies and U.S. government agencies. He's published more than a dozen books on IT security and is a well-known speaker and security trainer. Gregg is chief operations officer of Superior Solutions Inc., headquartered in Houston.

This was last published in April 2013
