Firewalking is a network reconnaissance technique that helps identify which ports and protocols a firewall permits or blocks. By analyzing how packets traverse a firewall, it reveals the firewall's access control list (ACL) rules.
How Firewalking Works
Firewalking operates similarly to traceroute, utilizing the Time To Live (TTL) field in IP packets to probe firewall behavior. The process involves:
- Determining the Gateway Distance: Initiate a traceroute to the target to ascertain the number of hops (routers) between the source and the target, identifying the firewall's position in the path.
- Sending Probes with Incremented TTL: Dispatch TCP or UDP packets with a TTL set to one more than the hop count to the firewall. This ensures that the packet expires just beyond the firewall if it's forwarded.
- Analyzing Responses:
  - ICMP Time Exceeded Message: If this message is received, it indicates the packet passed through the firewall and expired at the next hop, suggesting the port is allowed.
  - No Response: If no reply is received, it implies the firewall blocked the packet, indicating the port is filtered.
By systematically varying the destination ports in these probes, one can map out which ports the firewall permits or blocks.
Practical Applications
- Security Assessments: Network administrators can use firewalking to verify firewall configurations and ensure that only intended ports are accessible.
- Penetration Testing: Ethical hackers employ firewalking to identify potential entry points in a network by discovering open ports that might be exploited.
Limitations and Countermeasures
- Limitations:
  - ICMP Restrictions: If a network blocks ICMP messages, firewalking becomes less effective, as it relies on ICMP Time Exceeded messages for feedback.
  - Dynamic Firewalls: Firewalls that dynamically adjust rules based on traffic patterns can render firewalking results inconsistent.
- Countermeasures:
  - Restrict ICMP Messages: Limiting or blocking ICMP Time Exceeded messages can prevent attackers from receiving feedback necessary for firewalking.
  - Implement Stateful Inspection: Using firewalls that track the state of connections can help in identifying and blocking unsolicited probes.
  - Regular Monitoring: Continuously monitor network traffic for unusual patterns that may indicate reconnaissance activities like firewalking.
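The monitoring countermeasure can be made concrete with a small detector. This is an added example, not part of the original article: it flags sources that send TCP or UDP packets arriving with a near-expiry TTL to many distinct destination ports in a short window. The log format, the function name `find_firewalk_sources`, the thresholds, and the assumption that the sensor sits on the firewall's outside interface and that the firewall decrements TTL are all hypothetical.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), in an assumed sensor format:
# epoch_seconds source_ip protocol destination_port ttl_on_arrival
SAMPLE_LOG = """\
1700000000 203.0.113.7 tcp 21 2
1700000001 203.0.113.7 tcp 22 2
1700000002 203.0.113.7 tcp 23 2
1700000003 203.0.113.7 tcp 25 2
1700000004 203.0.113.7 tcp 80 2
1700000005 203.0.113.7 tcp 443 2
1700000006 198.51.100.20 tcp 443 54
1700000007 198.51.100.20 tcp 443 54
1700000010 192.0.2.50 udp 53 2
1700000030 192.0.2.50 udp 123 1
"""


def find_firewalk_sources(log_text, max_ttl=2, min_ports=5, window=60):
    """Return {source_ip: sorted ports} for sources that sent near-expiry
    TCP/UDP packets to at least min_ports distinct ports within window seconds.
    All three thresholds are assumptions to tune for the monitored network."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ts, src, proto, dport, ttl = fields
        # A TTL of 1 or 2 on the outside interface expires at the firewall
        # or at the first hop behind it, which is what the probes rely on.
        if proto in ("tcp", "udp") and int(ttl) <= max_ttl:
            by_src[src].append((int(ts), int(dport)))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports | set(flagged.get(src, [])))
    return flagged


if __name__ == "__main__":
    for src, ports in find_firewalk_sources(SAMPLE_LOG).items():
        print(f"possible firewalking from {src}: low-TTL probes to ports {ports}")
```

Ordinary traceroute also produces low-TTL packets, so the distinct-port threshold and time window need tuning against normal traffic before alerting on the result.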