4.5 Firewalls Flashcards
Network-based firewalls
* Filter traffic by port number or application
– Traditional vs. NGFW
* Encrypt traffic
– VPN between sites
* Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT)
– Dynamic routing
Next-generation Firewalls (NGFW)
* The OSI Application Layer
– Layer 7 firewall
* Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
* Requires some advanced decodes
– Every packet must be analyzed, categorized, and a security decision determined
Ports and protocols
* Make forwarding decisions based on protocol (TCP or UDP) and port number
– Traditional port-based firewalls
– Add to an NGFW for additional security policy options
* Based on destination protocol and port
– Web server: tcp/80, tcp/443
– SSH server: tcp/22
– Microsoft RDP: tcp/3389
– DNS query: udp/53
– NTP: udp/123
Firewall rules
* A logical path
– Usually top-to-bottom
* Can be very general or very specific
– Specific rules are usually at the top
* Implicit deny
– Most firewalls include a deny at the bottom
– Even if you didn’t put one
* Access control lists (ACLs)
– Allow or disallow traffic
– Groupings of categories – Source IP, destination IP, port number, time of day, application, etc.
Screened subnet
* An additional layer of security between you and the Internet
– Public access to public resources
– Private data remains inaccessible
IPS rules
Intrusion Prevention System
– Usually integrated into an NGFW
* Different ways to find malicious traffic
– Look at traffic as it passes by
* Signature-based - Look for a perfect match
* Anomaly-based
– Build a baseline of what’s “normal”
– Unusual traffic patterns are flagged
* You determine what happens when unwanted traffic appears
– Block, allow, send an alert, etc.
* Thousands of rules - Or more
* Rules can be customized by group
– Or as individual rules
* This can take time to find the right balance
– Security / alert “noise” / false positives
Content filtering
* Control traffic based on data within the content
– URL filtering, website category filtering
* Corporate control of outbound and inbound data
– Sensitive materials
* Control of inappropriate content
– Not safe for work
– Parental controls
* Protection against evil
– Anti-virus, anti-malware
URL scanning
* Allow or restrict based on Uniform Resource Locator
– Also called a Uniform Resource Identifier (URI)
– Allow list / Block list
* Managed by category
– Auction, Hacking, Malware,
– Travel, Recreation, etc.
* Can have limited control
– URLs aren’t the only way to surf
* Often integrated into an NGFW
– Filters traffic based on category or specific URL
Agent based
* Install client software on the user’s device
– Usually managed from a central console
* Users can be located anywhere
– The local agent makes the filtering decisions
– Always-on, always filtering
* Updates must be distributed to all agents
– Cloud-based updates
– Update status shown at the console
Proxies
* Sits between the users and the external network
* Receives the user requests and sends the request on their behalf (the proxy)
* Useful for caching information, access control, URL filtering, content scanning
* Applications may need to know how to use the proxy (explicit)
* Some proxies are invisible (transparent)
Forward proxy
* A centralized “internal proxy”
– Commonly used to protect and control user access to the Internet
Block rules
* Based on specific URL
– *.professormesser.com: Allow
* Category of site content
– Usually divided into over 50 different topics
– Adult, Educational, Gambling, Government, Home and Garden, Legal, Malware, News, etc.
* Different dispositions
– Educational: Allow
– Home and Garden: Allow and Alert
– Gambling: Block
Reputation
* Filter URLs based on perceived risk
– A good reputation is allowed
– A bad reputation is blocked
– Risk: Trustworthy, Low risk, Medium risk, Suspicious, High risk
* Automated reputation
– Sites are scanned and assigned a reputation
* Manual reputation
– Managers can administratively assign a rep
* Add these dispositions to the URL filter
– High risk: Block, Trustworthy: Allow
DNS filtering
* Before connecting to a website, get the IP address
– Perform a DNS lookup
* DNS is updated with real-time threat intelligence
– Both commercial and public lists
* Harmful sites are not resolved
– No IP address, no connection
* This works for any DNS lookup
– Not just web filtering
Active Directory
* A database of everything on the network
– Computers, user accounts, file shares, printers, groups, and more
– Primarily Windows-based
* Manage authentication
– Users log in using their AD credentials
* Centralized access control
– Determine which users can access resources
* Commonly used by the help desk
– Reset passwords, add and remove accounts
Group Policy
* Manage the computers or users with Group Policies
– Local and Domain policies
– Group Policy Management Editor
* A central console
– Login scripts
– Network configurations (QoS)
– Security parameters
* Comprehensive control
– Hundreds of configuration options
Security-Enhanced Linux (SELinux)
* Security patches for the Linux kernel
– Adds mandatory access control (MAC) to Linux
– Linux traditionally uses Discretionary Access Control (DAC)
* Limits application access
– Least privilege
– A potential breach will have limited scope
* Open source
– Already included as an option with many Linux distributions
Unencrypted network data
* Network traffic is important data
– Everything must be protected
* Some protocols aren’t encrypted
– All traffic sent in the clear
– Telnet, FTP, SMTP, IMAP
* Verify with a packet capture
– View everything sent over the network
Protocol selection
* Use a secure application protocol
– Built-in encryption
* A secure protocol may not be available
– This may be a deal-breaker
Port selection
* Secure and insecure application connections may be available
– It’s common to run secure and insecure on different ports
* HTTP and HTTPS
– In-the-clear and encrypted web browsing
– HTTP: Port 80
– HTTPS: Port 443
* The port number does not guarantee security
– Confirm the security features are enabled
– Packet captures may be necessary
Transport method
* Don’t rely on the application
– Encrypt everything over the current network transport
* 802.11 Wireless
– Open access point: No transport-level encryption
– WPA3: All user data is encrypted
* Virtual Private Network (VPN)
– Create an encrypted tunnel
– All traffic is encrypted and protected
– Often requires third-party services and software
Email security challenges
* The protocols used to transfer emails include relatively few security checks
– It’s very easy to spoof an email
* Spoofing happens all the time
– Check your spam folder
* The email looks as if it originated from james@professormesser.com
– But did it? How can you tell?
* A reputable sender will configure email validation
– Publicly available on the sender’s DNS server
Mail gateway
* The gatekeeper
– Evaluates the source of inbound email messages
– Blocks it at the gateway before it reaches the user
– On-site or cloud-based
Sender Policy Framework (SPF)
* SPF protocol
– Sender configures a list of all servers authorized to send emails for a domain
* List of authorized mail servers is added to a DNS TXT record
– Receiving mail servers perform a check to see if incoming mail really did come from an authorized host