Back to All Dictionary

Firewall Evasion

Firewall evasion refers to methods attackers employ to circumvent network firewalls. These techniques allow malicious traffic or data to pass through security barriers that are designed to block it. Attackers exploit misconfigurations, protocol weaknesses, or specific traffic patterns to bypass detection and gain unauthorized access to internal systems or exfiltrate data.

Understanding Firewall Evasion

Attackers use various firewall evasion techniques, such as port hopping, tunneling, and fragmentation. Port hopping involves switching communication to less monitored ports, like using port 80 or 443 for non-web traffic. Tunneling encapsulates malicious traffic within legitimate protocols, such as DNS or HTTP, making it appear harmless. Fragmentation breaks down malicious packets into smaller pieces that firewalls may reassemble incorrectly or fail to inspect thoroughly. These methods aim to exploit gaps in firewall rules or inspection capabilities, allowing malware command and control traffic or data exfiltration to proceed undetected.

Organizations must implement robust firewall configurations and regularly audit their rules to prevent evasion. This includes deep packet inspection, intrusion detection systems, and network segmentation. Governance policies should mandate frequent security assessments and penetration testing to identify potential bypass vulnerabilities. The strategic importance lies in protecting sensitive data and critical infrastructure from unauthorized access, ensuring business continuity, and maintaining regulatory compliance. Failing to address evasion risks can lead to significant data breaches and operational disruptions.

How Firewall Evasion Processes Identity, Context, and Access Decisions

Firewall evasion involves techniques to bypass security rules set by a firewall, allowing unauthorized traffic to enter or exit a network. Attackers often modify network packets to appear legitimate, such as fragmenting packets so the firewall cannot reassemble and inspect them properly. They might also use non-standard ports or protocols, tunnel malicious traffic inside seemingly harmless protocols like HTTP or DNS, or encrypt traffic to hide its true nature. Another method is IP address spoofing, where an attacker disguises their origin to match an allowed source, tricking the firewall into permitting the connection.

Detecting and preventing firewall evasion is an ongoing process. It requires regular review of firewall rules, network traffic analysis, and vulnerability assessments. Security teams must continuously update firewall policies to address new evasion techniques. Integrating firewalls with intrusion detection/prevention systems IDS/IPS and Security Information and Event Management SIEM solutions helps correlate events and identify suspicious patterns. This proactive governance ensures firewalls remain effective against evolving threats, rather than becoming static barriers.

Places Firewall Evasion Is Commonly Used

Attackers use firewall evasion to gain unauthorized access, exfiltrate data, or establish command and control channels within protected networks.

  • Tunneling malware command and control traffic through legitimate web ports like 80 or 443.
  • Fragmenting IP packets to bypass deep packet inspection and content filtering rules.
  • Using DNS tunneling to exfiltrate small amounts of data or establish covert communication.
  • Employing encrypted VPNs or SSH tunnels to hide malicious activity from firewall scrutiny.
  • Spoofing trusted internal IP addresses to bypass network segmentation and access restricted resources.

The Biggest Takeaways of Firewall Evasion

  • Regularly audit firewall rules and network configurations to identify and close potential bypass vectors.
  • Implement deep packet inspection and application-aware firewalls to detect hidden or tunneled malicious traffic.
  • Integrate firewalls with IDS/IPS and SIEM systems for comprehensive threat detection and correlation.
  • Educate security teams on common evasion techniques to improve incident response and proactive defense strategies.

What We Often Get Wrong

Firewalls are foolproof.

Many believe a firewall alone provides complete network security. However, firewalls are only as effective as their rules. Attackers constantly develop new methods to bypass these rules, making continuous monitoring and updates essential for robust defense.

Default rules are sufficient.

Relying solely on default firewall configurations leaves significant vulnerabilities. Default settings are often too permissive or lack specific protections against advanced evasion techniques. Customizing rules based on network needs is crucial.

Encryption prevents all evasion.

While encryption hides content, it can also be used by attackers to conceal malicious traffic. Firewalls need capabilities like SSL/TLS inspection to decrypt and examine encrypted traffic for hidden threats, rather than blindly trusting it.

On this page

Related Terms

Granular Permissions
Cloud Security Posture Management
Gateway Policy Management
Granular Privilege Management
Assurance Posture
Hacktivism
Identity Trust Management
Adaptive Security

Frequently Asked Questions

What is firewall evasion?

Firewall evasion involves techniques used by attackers to bypass or circumvent the security controls of a firewall. This allows unauthorized traffic, data, or malicious code to enter or exit a protected network. Attackers might use various methods, such as port hopping, protocol tunneling, or fragmentation, to make their traffic appear legitimate and avoid detection by the firewall's rules. The goal is to gain access or exfiltrate data undetected.

What are common techniques used for firewall evasion?

Common techniques include port hopping, where attackers switch ports to find an open one, and protocol tunneling, which encapsulates malicious traffic within legitimate protocols like HTTP or DNS. Fragmentation splits data into smaller packets to bypass inspection. Attackers also use encryption to hide their payload, or exploit misconfigurations and weak rules within the firewall itself to create an unauthorized pathway.

Why is firewall evasion a significant threat?

Firewall evasion is a significant threat because it undermines a primary layer of network defense. If successful, attackers can bypass perimeter security, gain unauthorized access to internal systems, exfiltrate sensitive data, or deploy malware without detection. This can lead to data breaches, system compromise, and significant operational disruption, making it crucial for organizations to implement robust detection and prevention strategies.

How can organizations prevent or detect firewall evasion?

Organizations can prevent evasion by regularly auditing firewall rules, implementing intrusion detection/prevention systems (IDS/IPS), and using deep packet inspection. Network segmentation helps limit lateral movement even if a firewall is bypassed. Employing strong authentication, encrypting internal traffic, and keeping all network devices patched are also critical. Continuous monitoring of network traffic for anomalies can help detect evasion attempts early.