Firewall-
like a bouncer in a club, allow or prevent on a club.
Allows good traffic and blocks/kills bad traffic. Want to protect privateinternal network from external harmful networks and users on the internet i.e public network
Firewall is a combination of hardware- software related program(hardware lets flow of packets in and out, software helps to analyze the packets).
- secure barrier
- firewalls filters traffic- filtering rules
- security rules what is allowed and what is blocked.
Understand the role, functionality and restrictions of a packet firewall
Packet filtering firewall→
Filtering packets- operates on network layer and transport layer
Filters based on source and destination IP Addressses, TCP/UDP ports
- There are all Static filtering rules
- Security mechanism is cost effective.
Packet filtering firewall are still prone to attacks.
How do Packet filtering firewalls work→
- Examines IP Header- network layer
- and TCP/UDP headers- transport layer
-E.g allows TCP port 80, port 25-allows in and out(and blocks in and out)
-Can block network traffic management,
→Which traffic should be permitted?
Source IP Addresses(range)
Destination IP Addresses(range)
source port (or range)
Destination port(or range)
→Where to place a firewall?
PC or host-based firewall-
-Computer
Be able to correctly place a firewall in an enterprise network
If mid-size to large network-
Proper firewall , router - packet filtering firewall.
firewall rules- lines of command(has precedence here)
For small size networks-
small computer has resources to protect too
internal network PCs, server, printer
DMZ?
DMZ - demilitarized zone
logical or virtual location where internal and external network (with firewall) can be separated which can be protected by an external and interior router- between these routers is a DMZ. DMZ - can publish web servers, FTP server, DNS server(advertising systems in DMZ zone) - anyone can access any of the service-
less secure than internal network but still protected from direct access from external networks.
DMZ generally has two firewalls- internal and external firewall- b/w internal and external network. in DMZ zone can publish any services- www, STMP, DNS i.e web service, email, domains. external ppl can access., internal can access to but in a controlled fashion
How to Filter outgoing traffic→
e.g -
prevent malicious software to send out data(can also control internal network to send to external)
block IP spoofing(in internal/external network, IP address range in expected, outsider can create a packet that is valid in our network). MAC address spoofing also exists.
- block outbound traffic from critical network areas so it doesnt go to external public network
- only allow outbound http traffic through a proxies -proxies are fixed in DMZ zone(application level gateways- a slow firewall) - three types of firewalls- packet filtering firewall (fast), circuit level firewall , application proxies. examine if payload has malicious code. APPLICATION PROXIES» other firewalls although are slow.
if encrypted cant examine proxies.
-deny outbound traffic help avoid infections.
Proxies and NAT. (network address translation)
internal network has private class of addressess.these are not visible on the outside used NAT.
- internal IP is private while external IP is public mapping is required.
- Proxies is an application level gateway hide internal devices(mapping at application layer)
- Proxies and NAT are added so that there is No direct access between internal and external network to secure functionalities,
→Why firewalls are not enough?
internal to external network requirements can evolve ,for e.g-
- Social networks
- Remote access(TeamViewer,etc)
- Unified messaging(Skype,WeChat,etc)
- Collaboration tools(Google Docs, drive, icloud,etc)
More difficulties-
Port hopping- When applications change port addresses during a session. security , extended coverages, subscribers, need to adapt.
Hiding in TLS encryption- TLS can mask application traffic(e.g- via TCP port 443 vs using port 80). can identify that they are using TLS and HTTPS .
Dont use standard ports.
Tunnel in other services- peer-to-peer file sharing or messenger running over HTTP.
Perimeter security has obvious constraints→
Firewalls- No protection in internal network
60-70% has more hacks.
IoT, mobile networks
cant control -VPN used
IDS and IPS
Intrusion Detection System(IDS)-
monitor network and system activities.
alert when potential malicious activity found
logs info on activites
IPS(Intrusion Prevention System)-1st step
block or stop malicious activities
E.g→
Monitoring actions
- detect port scans(TCP and UDP)
- detect OS fingerprinting attempts
- buffer overflow
- known malware
- find abnormalities
Reactions(examples):
- drop malicious packets and send alarm
- block traffic from IP addresses
- fragmentation(TCP segments cant identify exact length of malicious code) in packet streams
- raise alerts for incident response teams.
IDS/IPS should also anamolgy-based detection(application profile/user profile) while signature-based detection(logs and monitoring)
-signature-based is fast, does not need a learning phase, generates less false positives.
NGF and Problems?
Next-generation firewalls(NGF)
- promise an integrated security approach
- proxy for all traffic(even encrypted)- examine even encrypted data
- very powerful security tool
- spplication, services, users, roles,etc
NGF Problems
- Policy rules is complex
- Proxy for TLS etc can break end-to-end security (can crack)
- Encapsulated encryption is still possible
- Privacy issues
- Single point of attack with full access to decrypted data.
Many ways to attack systems
-not all security issues are technical
Virus Scanner-
Anti Virus scanner can efficiently prevent infections with known malware
- unable to detect new malware.
- need to keep updating. as company identifies newer the malicious code.
