Security Operations: Examining Firewalls and intrusion detection devices Flashcards
Why are firewalls so important?
Firewalls are an important component of enterprise security because they enable organizations to protect networks, data, and resources from a wide range of cybersecurity threats. Firewall rules are predefined configurations that dictate how a firewall handles incoming and outgoing network traffic. These configurations specify which connections are allowed or blocked based on criteria such as source IP addresses, destination ports, and protocols.
Firewall rules are stored in?
Access control lists: A set of rules that dictate which network traffic is permitted or denied based on various criteria.
Screened subnets: A network segment or zone within an enterprise architecture that acts as a controlled gateway between trusted internal networks and untrusted external networks. This provides an additional layer of security and access control.
You can still have screened subnet within your network called remediation network where a system is quarantined until the system or computer meets the policy requirement.
What is the concept of the firewall rule?
Everything in is blocked unless you allow it – Implicit deny – Unless you create a rule for it.
Everything is allowed – once you make an established connection this can expose vulnerabilities.
What can you benefit in IDS and IPS system?
Trends: Historical data, patterns of network traffic, and system behavior used to analyze to identify emerging threats and adapt security measures proactively.
Signatures: Predefined patterns or characteristics of known threats or attack techniques that are used to detect and block malicious activity in real time.
What are the steps you take in making an inbound rule?
Enhance security by modifying firewall rules
To modify firewall rules to enhance organization security, you should:
On the Windows Taskbar, in the Search field, enter wf.msc, and then select Enter.
In the Windows Defender Firewall with Advanced Security window, right-click Inbound Rules and activate the context menu, and then select New Rule.
In the New Inbound Rule > Rule Type window, select the Custom button, and then select Next.
In the New Inbound Rule > Programs window, select the All programs button, and then select Next.
In the New Inbound Rule > Protocols and Ports window, select the dropdown arrow next to Protocol type, and then select ICMPv4, and select Customize.
In the Customize ICMP Settings window, select the Specific ICMP types button, select Echo Request, and then select OK.
In the New Inbound Rule > Protocols and Ports window, select Next, and then in the New Inbound Rule > Scope window, select Next.
In the New Inbound Rule > Action window, select the Block the connection button, and then select Next.
In the New Inbound Rule > Profile window, select Next, and in the New Inbound Rule > Name window, enter the following, and then select Finish:Block ICMP Echo Requests
