Honeypots, IDSs, and Firewalls 379
Keep in mind that system logs need to be checked regularly for unknown
or unexplained behavior. However, as a result of some of the techniques
you learned earlier in this book (log clearing and tampering among them),
the contents of those logs can be altered or removed entirely. Always
examine the system or environment completely, rather than relying on the
logs alone, before drawing a conclusion about whether an intrusion occurred.
Firewalls
Firewalls are another protective device for networks that stands in the way of a penetration
tester or attacker. A firewall represents a barrier, or logical delineation, between two zones
or areas of trust. In its simplest form a firewall is the barrier between a private network
and a public one, but things can get much more complicated from there, as you'll see in
this section.
For the most part we refer to firewalls as an abstract concept, but in real
life a firewall can be either software or a hardware device. Where required
in this chapter, I’ll make the distinction between software- and hardware-
based firewalls.
When discussing firewalls, it is important to understand how they work and where they
are placed on a network. A firewall is a collection of programs and services located at a
choke point: the location where traffic enters and exits the network. It is designed to
inspect all traffic flowing in and out and decide whether that traffic should be allowed
to continue. In many cases the firewall is deliberately placed at a distance from important
resources, so that if the firewall itself is compromised those key resources are not directly
exposed. If enough care and planning are taken, along with a healthy dose of testing, only
traffic that is explicitly allowed will be able to pass, and all other traffic is dropped
at the firewall (a default-deny policy).
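The following Python model, added here as an example and not code from the book, shows the default-deny, first-match behaviour just described: a filter sitting at a choke point between an untrusted network, a DMZ and an internal LAN, logging every decision, with a check for rules that can never fire because an earlier, broader rule covers them. The zone addresses and the policy are constructed for illustration (RFC 1918 and documentation ranges); they are assumptions, not addresses from the text.

```python
# Added example: a toy first-match packet filter modelling a firewall at a
# choke point between zones of differing trust. Not the book's own code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"        # trusted user LAN (assumed, RFC 1918)
DMZ = "192.0.2.0/24"           # semi-trusted servers (assumed, documentation range)
WEB_SERVER = "192.0.2.10/32"   # constructed host addresses inside the DMZ
MAIL_RELAY = "192.0.2.25/32"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    default: str = "deny"      # default-deny: anything not explicitly allowed is dropped
    log: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """First-match evaluation; every decision is logged, as a real firewall would."""
        desc = f"{p.proto} {p.src} -> {p.dst}" + (f":{p.dport}" if p.dport else "")
        for i, r in enumerate(self.rules):
            if r.matches(p):
                self.log.append(f"rule {i} [{r.comment}] {r.action.upper()} {desc}")
                return r.action
        self.log.append(f"default {self.default.upper()} {desc}")
        return self.default

    def shadowed_rules(self) -> List[int]:
        """Indexes of rules that can never fire because an earlier rule covers them."""
        return [j for j, rj in enumerate(self.rules)
                if any(ri.covers(rj) for ri in self.rules[:j])]


# Constructed policy: public HTTPS and SMTP into the DMZ, browsing out of the
# LAN, and an explicit block on DMZ hosts reaching the LAN.
POLICY = Firewall([
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443, comment="public https"),
    Rule("allow", dst=MAIL_RELAY, proto="tcp", dport=25, comment="inbound smtp"),
    Rule("allow", src=INTERNAL, proto="tcp", dport=443, comment="users browse"),
    Rule("deny", src=DMZ, dst=INTERNAL, comment="dmz must not reach lan"),
])

# A policy with a mistake: rule 0 allows all TCP, so the later deny is dead.
SHADOWED_POLICY = Firewall([
    Rule("allow", proto="tcp", comment="allow all tcp (too broad)"),
    Rule("deny", dst=INTERNAL, proto="tcp", dport=445, comment="block smb"),
])

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.5", "10.1.2.3", "tcp", 445),
                Packet("10.1.2.3", "203.0.113.5", "tcp", 443),
                Packet("192.0.2.10", "10.1.2.3", "tcp", 443)):
        POLICY.filter(pkt)
    print("\n".join(POLICY.log))
    print("shadowed rules in bad policy:", SHADOWED_POLICY.shadowed_rules())
```

Running the script shows the two things the paragraph describes: traffic the policy never mentions (SSH to the web server, SMB into the LAN) is dropped by the default rule, and the shadow check flags the dead deny in the second policy, which is the kind of mistake the "healthy dose of testing" is meant to catch before the ruleset goes live.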
Firewalls can also be thought of as separating different zones of trust. This
means that if you have two different networks or areas that have differing
levels of trust placed on them, the firewall will act as the boundary
between the two.
Some details about firewalls to be aware of:
■ Firewalls complement an IDS, because all traffic that crosses the firewall can be
monitored and logged there; note that a firewall enforces policy rather than detecting
attacks, so its logs are an input to detection, not a substitute for it.
■ A firewall’s configuration is mandated by a company’s own security policy and will
change to keep pace with the goals of the organization.
■ Firewalls are typically configured to allow only specific kinds of traffic such as e-mail
protocols, web protocols, or remote access protocols.