Intermediate

Firewalls & Network Defense

To bypass defenses, you must first understand how they work. This module covers the core network security controls you'll encounter during assessments.

Know Your Enemy

Understanding defensive technologies helps you identify weaknesses, evade detection, and provide better remediation advice to clients.

Firewall Types

Packet Filtering (L3/L4)

Examines packet headers only. Fast but limited visibility. Makes decisions based on source/dest IP, ports, and protocol.

Bypass: Fragmentation, port hopping, tunneling

Stateful Inspection (L3/L4)

Tracks connection state (SYN, ACK, etc.). Blocks packets that don't belong to established sessions.

Bypass: ACK tunneling, connection state manipulation

Application Layer (L7 / WAF)

Deep packet inspection. Examines HTTP payloads, SQL queries, etc. Can block specific attack patterns.

Bypass: Encoding, obfuscation, protocol switching

Next-Gen Firewall (NGFW)

Combines stateful inspection, DPI, IPS, SSL/TLS inspection, and application awareness in one appliance. Typical vendors: Palo Alto, Fortinet, Cisco.

Bypass: Domain fronting, encrypted channels, allowed apps

IDS vs IPS

Feature  | IDS (Detection)        | IPS (Prevention)
Mode     | Passive (monitoring)   | Inline (blocking)
Action   | Alerts only            | Blocks + alerts
Latency  | None                   | Adds latency
Risk     | Missed attacks         | False positives block legitimate traffic
Examples | Snort, Suricata, Zeek  | Snort (inline), Suricata, Palo Alto

Evasion Techniques

Common IDS/IPS evasion: fragmentation, encoding (URL, Base64, Unicode), protocol violations, timing attacks, and encrypted channels.

Network Segmentation

Segmentation limits lateral movement. Understanding how networks are divided helps identify pivot points.

VLANs

Layer 2 logical separation. Can be bypassed via VLAN hopping (double tagging, switch spoofing).

Subnets + ACLs

Layer 3 separation with router ACLs controlling traffic. Look for overly permissive rules.

Micro-segmentation

Host-level firewalls, zero trust. Every workload isolated. Harder to move laterally.

Zero Trust Architecture

"Never trust, always verify." Zero Trust assumes the network is compromised and requires continuous authentication.

Zero Trust Principles

  • Verify explicitly: Always authenticate and authorize based on all data points
  • Least privilege: Limit access with just-in-time and just-enough access (JIT/JEA)
  • Assume breach: Minimize blast radius, segment access, verify end-to-end encryption

Pentest Implication

Zero Trust environments require credential theft and identity attacks rather than network-based lateral movement. Focus on phishing, token theft, and identity provider abuse.

Firewall Enumeration Commands

Detect Firewall with Nmap

firewall-enum.sh (bash)
# ACK scan: ports reported "filtered" mean a firewall dropped the unsolicited ACK
nmap -sA -p 1-1000 <target>

# Compare with a SYN scan of the same ports (open/closed/filtered)
nmap -sS -p 1-1000 <target>

# firewalk: find which ports a gateway/firewall lets through, hop by hop
# (the NSE script needs the traceroute data, so --traceroute is required)
nmap --traceroute --script=firewalk <target>

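Added example, not part of this module: a small Python helper that reads the grepable output (-oG) of the ACK and SYN scans above for the same port range and, per port, infers whether no filter, a stateless packet filter, or a stateful firewall sits in front of the host. The host address and the two -oG lines are constructed sample data, and ports missing from a scan are assumed to have been reported as filtered.

```python
"""Compare an Nmap ACK scan (-sA) with a SYN scan (-sS) of the same ports
to infer the kind of filtering in front of a host.  Input is Nmap's
grepable (-oG) 'Host:' line; the sample lines below are constructed."""
import re
from typing import Dict

# Constructed sample output for a hypothetical host in TEST-NET-1.
ACK_SCAN = ('Host: 192.0.2.10 ()\tPorts: 22/unfiltered/tcp//ssh///, '
            '80/unfiltered/tcp//http///, 443/unfiltered/tcp//https///, '
            '3389/filtered/tcp//ms-wbt-server///')
SYN_SCAN = ('Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, '
            '80/closed/tcp//http///, 443/filtered/tcp//https///, '
            '3389/filtered/tcp//ms-wbt-server///')

PORT_RE = re.compile(r'(\d+)/(\w+)/tcp')


def parse_ports(grepable_line: str) -> Dict[int, str]:
    """Map port -> state from one 'Host:' line of -oG output."""
    return {int(p): s for p, s in PORT_RE.findall(grepable_line)}


def classify(syn_state: str, ack_state: str) -> str:
    """Infer filtering for one port from the two probe results.
    SYN open                      -> service reachable, nothing blocks it
    SYN closed + ACK unfiltered   -> host answered both probes: no filter
    SYN filtered + ACK unfiltered -> stateless filter: drops SYN but lets
                                     a bare ACK through (no state tracking)
    SYN filtered + ACK filtered   -> stateful firewall or drop-all rule"""
    if syn_state == 'open':
        return 'open, not filtered'
    if syn_state == 'closed' and ack_state == 'unfiltered':
        return 'closed, reachable (no filter on this port)'
    if syn_state == 'filtered' and ack_state == 'unfiltered':
        return 'stateless packet filter (ACK passes, SYN dropped)'
    if syn_state == 'filtered' and ack_state == 'filtered':
        return 'stateful firewall or drop-all rule'
    return f'unexpected combination syn={syn_state} ack={ack_state}'


def compare_scans(syn_line: str, ack_line: str) -> Dict[int, str]:
    """Per-port verdict; a port absent from a scan is assumed 'filtered'
    (Nmap omits ports in the majority 'ignored' state from its listing)."""
    syn, ack = parse_ports(syn_line), parse_ports(ack_line)
    return {port: classify(syn.get(port, 'filtered'), ack.get(port, 'filtered'))
            for port in sorted(set(syn) | set(ack))}


if __name__ == '__main__':
    for port, verdict in compare_scans(SYN_SCAN, ACK_SCAN).items():
        print(f'{port:>5}: {verdict}')
```

Run the two nmap commands with -oG, feed the matching 'Host:' lines to compare_scans, and the verdicts tell you which rules to review on the firewall you are assessing.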
WAF Detection

waf-detect.sh (bash)
# wafw00f - WAF fingerprinting
wafw00f https://target.com

# Nmap WAF detection
nmap --script=http-waf-detect <target>

# Manual test - send a payload a WAF should block and inspect the response
curl "https://target.com/?id=1' OR 1=1--" -v