What are firewalls, and how do attackers bypass firewalls to potentially wreak havoc on your business assets?
In short, firewalls are powerful tools for network security that work by blocking unwanted or unauthorized traffic. Firewalls can block traffic based on a variety of criteria, including source and destination IP addresses, specific ports, and protocols.
Next-generation or stateful firewalls provide advanced filtering capabilities that allow traffic to be filtered or blocked based on connection state to ensure that connection-based protocols are operating properly. By stopping traffic that is deemed unnecessary or potentially harmful, firewalls help protect networks and the devices connected to them from various threats, such as malware, unauthorized access attempts, and other malicious activities like data exfiltration and ransomware.
Today, we outline common firewall bypass techniques, the ramifications of firewall bypassing, and what you and your organization can do to keep yourselves safeguarded.
Firewall bypass is a set of techniques used by cyber adversaries to communicate back to their own servers from within a corporate network, even through firewalls meant to protect against such traffic.
Firewall configuration requires a deep understanding of network protocols, communication patterns, and potential threats, as well as the ability to manage an enormous number of settings across LANs, WANs, VPNs, VLANs, and the public internet. Firewall configuration is complex because the underlying network protocols are complex and because enterprise network architecture is complex. On top of all that, a shortage of skilled cybersecurity professionals compounds the problem.
This complexity creates operational challenges such as misconfigurations, which can inadvertently leave network vulnerabilities open to attack. Beyond that, cyber-criminals are motivated and technically savvy enough to keep finding new ways to defeat firewall protections and gain the upper hand.
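As an added illustration of how rule-set complexity turns into misconfiguration (this is example code written for this page, not a Packetlabs tool, and the rule format is a hypothetical simplification rather than any vendor's syntax), the script below audits a first-match rule list for two classic mistakes: a catch-all allow rule, and rules that can never be reached because an earlier rule already matches everything they would.

```python
"""Audit a simplified first-match firewall rule list for two common
misconfigurations: overly permissive 'allow anything' rules and rules that
can never match because an earlier rule already covers them.

Hypothetical rule format (not any vendor's syntax): each rule is a dict with
  action: 'allow' | 'deny'
  proto:  'tcp' | 'udp' | 'any'
  src/dst: CIDR string or 'any'
  dport:  int or 'any'
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _net(value):
    return ANY_NET if value == "any" else ipaddress.ip_network(value, strict=False)


def _covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    if outer["proto"] != "any" and outer["proto"] != inner["proto"]:
        return False
    if outer["dport"] != "any" and outer["dport"] != inner["dport"]:
        return False
    return (_net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"])))


def audit_rules(rules):
    """Return (index, kind, detail) findings for a top-down rule list."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule["action"] == "allow" and rule["src"] == "any"
                and rule["dst"] == "any" and rule["dport"] == "any"):
            findings.append((i, "overly-permissive",
                             "allows any source to any destination on every port"))
        # A rule is unreachable if some earlier rule matches everything it would.
        for j in range(i):
            if _covers(rules[j], rule):
                kind = "shadowed" if rules[j]["action"] != rule["action"] else "redundant"
                findings.append((i, kind, f"never reached: rule {j} matches first"))
                break
    return findings


# Constructed sample rule set for an internal 10.0.0.0/8 segment.
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "src": "10.0.0.0/8", "dst": "any", "dport": 53},   # DNS out
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "any", "dport": 443},  # HTTPS out
    {"action": "allow", "proto": "any", "src": "any", "dst": "any", "dport": "any"},       # "temporary" catch-all
    {"action": "deny",  "proto": "tcp", "src": "10.1.0.0/16", "dst": "any", "dport": 22},  # intended SSH block
    {"action": "allow", "proto": "tcp", "src": "10.1.5.0/24", "dst": "any", "dport": 443}, # duplicate of rule 1
]

if __name__ == "__main__":
    for index, kind, detail in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {kind}: {detail}")
```

Run against the sample, the audit reports rule 2 as overly permissive, rule 3 as shadowed (the SSH block is dead because the catch-all above it fires first), and rule 4 as redundant. Real rule sets have thousands of entries and several match dimensions, which is exactly why these problems go unnoticed without tooling.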
To understand how attackers bypass firewalls, we should first consider what firewalls are meant to block... and, more importantly, what they are not meant to block. Firewalls must let legitimate traffic through; otherwise a network, and more importantly the business it supports, could not operate.
Legitimately required network traffic depends on the function that a particular network segment serves. In addition to the physical, data-link, and network-layer protocols that support device interconnectivity itself, there are at least two additional protocols required to fulfill most networks' intended functions: DNS and HTTP (including HTTPS).
Blocking these two protocols is infeasible for normal network operations, and it is worth noting that both of them routinely transit from the local network to the public internet to do their jobs. Even in networks with no workstations for human end-users, DNS and HTTP(S) are used when applications and services check for security and feature updates.
By comparison, protocols such as SSH, FTP, or SMTP stand out more because they serve specific rather than general purposes: they are not required everywhere, so their use by attackers can raise suspicion. Because those protocols are not as ubiquitous as DNS and HTTP(S), cyber-attackers have developed ways to abuse HTTP and DNS in novel and nefarious ways.
For example, Domain Name System (DNS) is a protocol that is essential for regular network operations as it resolves domain names to IP addresses. However, attackers can use DNS for Command and Control (C2) operations by encoding their commands within DNS queries or responses, effectively hiding their communications within regular network traffic.
The Hypertext Transfer Protocol (HTTP) is used for communication between web servers and clients. Firewalls can be configured to block this type of traffic based on IP address, and content filtering allows traffic to be blocked based on file type or domain name. For example, a network admin would almost certainly want to prevent an executable (.exe) binary from being downloaded from known-hacker.com. However, by hosting their payloads on legitimate websites - such as twitter.com - or in seemingly less dangerous formats - such as a .jpeg image - attackers can bypass many firewall configurations that are obliged to allow regular web traffic from popular social networking sites.
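Filtering on file extension or Content-Type trusts what the server declares. The added example below (written for this page, not Packetlabs code) shows the check a download inspection point can apply instead: sniff the real format from the leading bytes and compare it with the declared one, so an executable served as photo.jpeg from a trusted site is still caught. The signature table, the verdict names and the sample byte strings are constructed for the example.

```python
"""Content-type sniffing for a download inspection point (proxy or content
filter). Extension- and Content-Type-based filtering trusts what the server
*declares*; this check compares that against what the bytes *are*, so an
executable served as 'photo.jpeg' from a trusted site is still flagged.
"""
import os
import struct
from urllib.parse import urlsplit

# Leading byte signatures for a few common formats.
MAGIC_SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("pdf", b"%PDF-"),
    ("elf", b"\x7fELF"),
]
EXECUTABLE_TYPES = {"pe", "elf", "mz-executable"}

DECLARED_BY_CONTENT_TYPE = {
    "image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif",
    "application/pdf": "pdf", "application/x-msdownload": "pe",
}
DECLARED_BY_EXTENSION = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".exe": "pe", ".dll": "pe",
}


def sniff_type(data):
    """Identify the real format of `data` from its leading bytes."""
    for name, signature in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return name
    if data[:2] == b"MZ":
        # Windows PE: DOS 'MZ' stub whose e_lfanew field (offset 0x3C) points
        # at the 'PE\0\0' signature.
        if len(data) >= 0x40:
            pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-executable"
    return "unknown"


def declared_type(url, content_type):
    """What the server claims the file is, from Content-Type first, then extension."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in DECLARED_BY_CONTENT_TYPE:
        return DECLARED_BY_CONTENT_TYPE[mime]
    extension = os.path.splitext(urlsplit(url).path.lower())[1]
    return DECLARED_BY_EXTENSION.get(extension)


def check_download(url, content_type, data):
    """Compare declared and actual type; return a verdict dict for the inspection log."""
    actual = sniff_type(data)
    declared = declared_type(url, content_type)
    if actual in EXECUTABLE_TYPES and declared not in EXECUTABLE_TYPES:
        verdict = "executable-disguised"
    elif actual in EXECUTABLE_TYPES:
        verdict = "executable"
    elif declared is not None and actual != "unknown" and actual != declared:
        verdict = "type-mismatch"
    else:
        verdict = "ok"
    return {"url": url, "declared": declared, "actual": actual, "verdict": verdict}


def build_sample_pe():
    """Constructed minimal PE-shaped byte string (not a real program): a 64-byte
    DOS header with e_lfanew = 0x40, followed by the 'PE\0\0' signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG-like prefix

if __name__ == "__main__":
    for url, ctype, body in [
        ("https://social.example/media/photo.jpeg?dl=1", "image/jpeg", build_sample_pe()),
        ("https://social.example/media/photo.jpeg", "image/jpeg", SAMPLE_JPEG),
        ("https://downloads.example/tool.exe", "application/octet-stream", build_sample_pe()),
    ]:
        print(check_download(url, ctype, body))
```

This check only sees the bytes if the inspection point can see them, which for HTTPS means TLS interception at the proxy; without it, the same decision has to move to the endpoint, which is one reason the article points to EDR next. It also does not help when the payload is genuinely inside an image (steganography) and is extracted by malware already on the host.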
To detect and prevent such attacks, organizations must employ more advanced security measures, such as anti-virus software, Intrusion Detection Systems (IDS), or Endpoint Detection and Response (EDR) tools. These tools actively monitor processes and activity on an endpoint itself for suspicious behaviour. This allows defenders to quickly detect and respond to malware that has used stealth to bypass a firewall and content filter.
Also, both phishing and spear-phishing are dominant threats to an organization's cybersecurity. Protecting against social engineering tactics requires organizations to regularly update their security policies and train their employees on best practices for identifying and mitigating suspicious email attachments and links, as attackers are continually evolving their techniques to bypass traditional security measures.
Now that we've finished our rundown of how attackers bypass firewalls, let's cover some of the most popular firewall FAQs:
"What firewall is best?"
Your cybersecurity team can (and will!) discuss what type of firewall best suits your safety needs and budget. There are a variety of different firewalls available, all with varying strengths and potential weaknesses.
"What is the difference between an anti-virus and a firewall?"
A firewall is a hardware- or software-based security system, while an anti-virus is a software program designed to detect and eliminate threats that could wreak havoc on a computer or other device. While both seek to maintain the health of your devices, only firewalls can protect and monitor both private networks and physical device systems.
"What can a firewall not protect you from?"
Firewalls cannot protect you from malware or computer viruses, which is why regular penetration testing is so vital.
"How do hackers get around firewalls?"
Threat actors get around firewalls using a multitude of tactics. By investing in your cybersecurity, you can employ ethical hackers to determine your system's weak points before they do... and catch potential threats before they become devastating for your business.
Because the more specialized tools attackers might prefer are blocked by firewall configurations, cyber adversaries have adapted their techniques to leverage the tools they do have access to while avoiding network protocols that might raise suspicion.
For network defenders, it's critical to understand the limitations of firewalls for protecting a network. Although firewalls serve a critical function, they are impacted by several weaknesses including the burden of complexity and the need to support network functionality. Also, it's important for network defenders to stay current with the techniques attackers may use to piggyback on available tools to achieve their end goals.
To protect against these more sophisticated threats, user awareness training and advanced cybersecurity tools such as EDR or XDR are required to detect and respond to malware after it has entered a network.
Get your free, zero-obligation quote today to learn more about how regular penetration testing can help you bolster your existing cybersecurity.
© 2024 Packetlabs. All rights reserved.