5.4 Evading Firewalls

Key Takeaways

  • Firewalls evolved through generations: packet filters (L3/L4 ACLs), stateful inspection (connection tracking), application/proxy gateways (full L7 brokering), and next-generation firewalls (NGFW: stateful + app awareness + integrated IPS).
  • A packet filter is stateless and judges each packet alone on IP/port/flags; a stateful firewall tracks each connection's state in a table and permits return traffic of established sessions.
  • Proxy firewalls terminate the session and open a new one on the user's behalf, inspecting full HTTP/SMTP/FTP commands; NGFWs add deep-packet inspection, app-ID, and intrusion prevention.
  • Evasion exploits trusted ports (source-port 53/80), fragmentation, IP spoofing/source routing, decoys, and tunneling protocols (HTTP, DNS, ICMP, SSH) that ride allowed channels.
  • hping3 and Nmap are the primary firewall-probing tools (ACK scan to map rules, source-port spoofing, fragmented scans); defenders counter with stateful deep inspection, egress filtering, and disabling source routing.
Last updated: June 2026

Firewall Generations and Types

A firewall enforces an access-control policy between network zones (e.g., the Internet, a DMZ, and the internal LAN). CEH expects you to distinguish the firewall generations and what each can inspect:

| Firewall Type | OSI Layer | What It Inspects | Limitation |
|---|---|---|---|
| Packet filter | L3/L4 | Source/dest IP, port, protocol, TCP flags; stateless, each packet judged alone | No connection context; spoofed/fragmented packets slip through |
| Stateful inspection | L3/L4 (+state) | Tracks each connection in a state table; allows return traffic of established sessions | Limited payload visibility |
| Circuit-level gateway | L5 (session) | Validates TCP handshakes/sessions (e.g., SOCKS) | No payload inspection |
| Application/proxy gateway | L7 | Terminates and re-originates the session; inspects full HTTP/SMTP/FTP commands | Slower; per-protocol proxies |
| Next-generation (NGFW) | L3–L7 | Stateful + application identification, deep-packet inspection, integrated IPS, user-ID, TLS decryption | Cost/complexity |

The bastion host, screened subnet (DMZ), and multi-homed firewall are common architectures. A stateful firewall is the dividing line from a simple ACL: it remembers that an internal host initiated a connection and automatically permits the matching reply, rather than needing a static rule for return traffic.
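To make that dividing line concrete, here is an added example (illustration code, not from the page or any vendor) that runs the same constructed packets through a toy stateless ACL and a toy state-table firewall; the addresses, the internal prefix and the permissive "trust source port 53/80" rule are this example's own assumptions.

```python
# Added example (not from the original page): a toy stateless packet filter
# beside a toy stateful firewall, judging the same constructed packets.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."          # constructed internal prefix (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                    # e.g. "S", "SA", "A"

def stateless_filter(pkt: Packet) -> str:
    """Stateless ACL: judges each packet alone. To let web/DNS replies back in,
    the admin had to write a static rule trusting inbound source ports 53 and 80."""
    if pkt.src.startswith(INTERNAL_NET):
        return "ALLOW"                       # any outbound traffic
    if pkt.sport in (53, 80):                # permissive 'return traffic' rule
        return "ALLOW"
    return "DROP"

class StatefulFirewall:
    """Remembers connections internal hosts initiate; permits only matching replies."""
    def __init__(self) -> None:
        self.table: set[tuple] = set()       # (int_ip, int_port, ext_ip, ext_port)

    def check(self, pkt: Packet) -> str:
        if pkt.src.startswith(INTERNAL_NET):
            if "S" in pkt.flags and "A" not in pkt.flags:   # new outbound SYN
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW"                   # reply to a tracked session
        return "DROP"                        # unsolicited inbound, whatever its source port

def run_scenario() -> dict:
    """Returns {packet name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    pkts = {
        "outbound_syn":  Packet("10.0.0.5", 51234, "203.0.113.10", 80, "S"),
        "legit_reply":   Packet("203.0.113.10", 80, "10.0.0.5", 51234, "SA"),
        # constructed probe: unsolicited packet arriving from 'trusted' source port 53
        "sport53_probe": Packet("198.51.100.7", 53, "10.0.0.5", 445, "S"),
        # constructed unsolicited ACK with no session behind it
        "ack_probe":     Packet("198.51.100.7", 80, "10.0.0.5", 22, "A"),
    }
    return {name: (stateless_filter(p), fw.check(p)) for name, p in pkts.items()}
```

The stateless filter passes both probes because it only sees the source port; the stateful firewall drops them because no entry in its table matches, which is also why an ACK scan reports such ports as filtered.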

Identifying and Probing Firewalls

Before evading a firewall, an ethical hacker fingerprints it. Firewalking sends packets with a TTL one greater than the firewall's hop count to learn which ports the firewall forwards (an ICMP time-exceeded reveals an allowed path). Banner grabbing and crafted probes can identify the vendor.

Nmap rule-mapping techniques:

  • ACK scan (-sA) — distinguishes stateful from stateless firewalls: a stateless filter lets the unsolicited ACK through and the host answers with RST (Nmap reports the port unfiltered), while a stateful firewall drops it because no session matches (reported filtered).
  • Source-port manipulation (--source-port 53 / -g 53) — many sloppy rule sets trust traffic from DNS (53), HTTP (80), or FTP-DATA (20).
  • Fragmentation (-f, --mtu) — splits probes to evade simple filters.
  • Idle/zombie scan (-sI) and decoys (-D) — hide the true source among forged IPs.

hping3 is the flexible packet crafter for this work: it builds arbitrary TCP/UDP/ICMP packets, spoofs source IPs and ports, sends fragments, and sets any flag — ideal for testing exactly how a firewall reacts to crafted traffic.

Evasion Techniques

CEH groups firewall-bypass techniques around exploiting trust, ambiguity, and allowed channels:

  • Source-port spoofing — send traffic from a trusted port (UDP/53, TCP/80) that a permissive rule allows.
  • IP address spoofing & source routing — forge the source or use loose/strict source routing (LSRR/SSRR) options to dictate a path that bypasses filtering (which is why routers should drop source-routed packets).
  • Fragmentation — break the malicious packet so header fields the firewall keys on land in different fragments.
  • Decoys and idle scans — bury the real source IP among many forged ones so the firewall's logs cannot single it out.
  • MAC/IP duplication and tiny-fragment tricks to confuse stateless filters.
  • Tunneling / covert channels — encapsulate forbidden traffic inside an allowed protocol:

| Tunnel | Carrier Protocol | Why It Bypasses |
|---|---|---|
| HTTP tunneling | TCP/80, 443 | Web is almost always permitted outbound |
| DNS tunneling | UDP/53 | DNS is rarely blocked; encodes data in queries (iodine, dnscat2) |
| ICMP tunneling | ICMP echo | Ping data field carries payload (Loki, ptunnel) |
| SSH tunneling | TCP/22 | Encrypts and forwards arbitrary ports through one allowed session |

Tunneling is the most powerful class because it rides a channel the firewall is configured to trust.

Countermeasures

Defending the perimeter against these techniques:

| Evasion | Countermeasure |
|---|---|
| Source-port trust abuse | Write rules on stateful connection state, not bare source ports; never trust 53/80 as source |
| IP spoofing / source routing | Disable IP source routing on routers/firewalls; apply ingress/egress filtering (BCP 38) |
| Fragmentation | Reassemble before inspection; drop tiny/overlapping fragments |
| Decoys / idle scans | Rate-limit and correlate in a SIEM; geo/reputation filtering |
| HTTP/DNS/ICMP/SSH tunneling | NGFW deep-packet inspection + app-ID, restrict outbound DNS to internal resolvers, block/inspect ICMP payloads, monitor for anomalous query volume |
| General | Egress filtering (most networks only filter inbound), default-deny rule base, least-privilege rules, TLS decryption, and regular rule audits |
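As an added example of the "monitor for anomalous query volume" countermeasure for DNS tunneling (illustration code, not from the page or any product), the following profiles constructed resolver log lines per client and flags the one whose leftmost labels are long, high-entropy and mostly TXT, the shape encoded tunnel data tends to have; the log format, field names and thresholds are assumptions to tune against your own baseline.

```python
# Added example (not from the original page): profile resolver log lines per client
# and flag clients whose leftmost labels look like encoded tunnel data.
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <qname> <qtype>"; 10.0.0.9 mimics a tunnel.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.net A
10.0.0.9 www.example.com A
10.0.0.9 0123456789abcdeffedcba9876543210.t.example.org TXT
10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.t.example.org TXT
10.0.0.9 ffeeddccbbaa99887766554433221100.t.example.org TXT
10.0.0.9 fedcba98765432100123456789abcdef.t.example.org TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high, real words low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def profile_clients(log: str) -> dict:
    """Per client: query count, mean leftmost-label length, mean label entropy,
    and share of TXT/NULL queries (record types that carry bulk data well)."""
    acc = defaultdict(lambda: {"queries": 0, "label_len": 0.0, "entropy": 0.0, "txt_null": 0.0})
    for line in log.splitlines():
        client, qname, qtype = line.split()
        label = qname.split(".")[0]
        s = acc[client]
        s["queries"] += 1
        s["label_len"] += len(label)
        s["entropy"] += shannon_entropy(label)
        s["txt_null"] += qtype in ("TXT", "NULL")
    for s in acc.values():
        for k in ("label_len", "entropy", "txt_null"):
            s[k] /= s["queries"]
    return dict(acc)

def suspicious_clients(log: str, min_label=20, min_entropy=3.0, min_txt_ratio=0.5) -> list:
    """Clients exceeding all three thresholds (assumed values; tune to your baseline)."""
    prof = profile_clients(log)
    return sorted(c for c, s in prof.items()
                  if s["label_len"] >= min_label and s["entropy"] >= min_entropy
                  and s["txt_null"] >= min_txt_ratio)
```

The query count in each profile is what a volume alert would key on; the label metrics catch low-and-slow tunnels that keep volume under the radar.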

The two highest-leverage defensive habits CEH stresses: deploy a stateful/NGFW rather than a stateless packet filter, and enforce strict egress filtering — most organizations lock down inbound traffic but leave outbound wide open, which is exactly what tunneling and C2 exploit.

Defenders also harden against firewalking and reconnaissance by dropping ICMP time-exceeded/unreachable replies at the edge (or rate-limiting them), and by placing a default-deny rule at the bottom of the rule base so anything not explicitly permitted is blocked and logged. Rule bases should be audited regularly to remove stale "any-any" permits that accumulate over time and become evasion paths. On the exam, when asked how to stop covert tunneling, the answer centers on deep-packet inspection / NGFW application identification plus tight egress control, not just port blocking.

Remember too that a firewall is only as good as its rule base: a permissive rule trusting a source port or a forgotten temporary "any" permit can undo every other control, so least-privilege rule design is itself a primary countermeasure.
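An added example of the rule audit this section recommends (illustration code, not from the page or any firewall vendor): a rule base modelled as a list of dicts is checked for stale any-any permits, stateless inbound rules that trust a bare source port, and a closing default-deny. The field names and sample rules are constructed for this example, not any product's syntax.

```python
# Added example (not from the original page): audit a rule base for the weaknesses
# this section calls out: any-any permits and inbound rules trusting a bare source port.
ANY = "any"
TRUSTED_SOURCE_PORTS = {20, 53, 80}   # ports that sloppy rule sets tend to trust

# Constructed rule base; field names are this example's own (assumption).
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "dir": "in",  "src": ANY,          "sport": 53,  "dst": "10.0.0.0/8", "dport": ANY, "state": False},
    {"id": 20, "action": "allow", "dir": "in",  "src": ANY,          "sport": ANY, "dst": "10.0.0.0/8", "dport": ANY, "state": True},
    {"id": 30, "action": "allow", "dir": "in",  "src": ANY,          "sport": ANY, "dst": ANY,          "dport": ANY, "state": False},
    {"id": 40, "action": "allow", "dir": "out", "src": "10.0.0.0/8", "sport": ANY, "dst": ANY,          "dport": 443, "state": False},
    {"id": 99, "action": "deny",  "dir": "in",  "src": ANY,          "sport": ANY, "dst": ANY,          "dport": ANY, "state": False},
]

def audit_rules(rules: list) -> list:
    """Returns (rule id, finding) pairs in rule order.
    "state": True marks a rule that only matches established connections,
    which is the safe way to admit return traffic."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == ANY and r["dst"] == ANY and r["dport"] == ANY and not r["state"]:
            findings.append((r["id"], "any-any permit"))
        elif (r["dir"] == "in" and r["src"] == ANY and r["dport"] == ANY
              and r["sport"] in TRUSTED_SOURCE_PORTS and not r["state"]):
            findings.append((r["id"], f"trusts bare source port {r['sport']}"))
    return findings

def has_default_deny(rules: list) -> bool:
    """True when the last rule denies everything not explicitly permitted above it."""
    last = rules[-1]
    return (last["action"] == "deny" and last["src"] == ANY
            and last["dst"] == ANY and last["dport"] == ANY)
```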

Test Your Knowledge

An internal host opens a web request to a server; the reply returns without any explicit inbound rule permitting it. Which firewall capability allows the return traffic automatically?


An attacker exfiltrates data by encoding it inside DNS queries to an external authoritative server using tools like iodine or dnscat2. What technique is this, and what is the best countermeasure?


Which Nmap technique best distinguishes a stateful firewall from a stateless one by mapping filtered versus unfiltered ports?
