What is a Firewall
A system or group of systems used to control access between two networks – a trusted network (Internal Private Network) & an untrusted network (Internet).
Perimeter Defence (mcq)
Intercepts and controls traffic between networks with differing levels of trust, enforced with a network security policy
Log inter-network activity, and limit the exposure of an organization.
Firewall Challenges
Detecting malware
Connections that do not go through the firewall
Unknown threats
Poorly trained firewall administrator
Stateful Packet Filtering (open ended)
- Maintains an entry for each established connection
- Packet filter based on profile of the entries
- Keeps track of TCP sequence numbers to prevent attacks based on sequence numbers
- Inspect data for protocols (FTP, IM, SIP) commands
- Detects and drops packets that overload server
- Disallow packets that has no connection to server
Stateful Packet Filtering drawbacks
Cannot prevent, Trojan, spyware, adware where an connection has been established from within the network.
Stateful Packet Filtering Solution
Deep Packet Inspection (DPI)
Examines also the data part of packet (content)
One example of Web Application Firewall
ModSecurity
What is Web Application Firewall
- Inspect request and response data (including HTTPS)
- Increase information log (Credit card numbers, ID numbers, Passwords, Raw Transaction data)
- Act as an inbound proxy to Webserver: Apache, IIS
What does Web Application Firewall alert
SQL Injection
XSS
Buffer Overflow
Cookie Tampering
Abnormal Activities
etc
Unified Threat Management (UTM)
Consolidates multiple security and networking functions all on one appliance. Popular with SMEs (Small Medium Enterprise)
Examples of Unified Threat Management (UTM)
- Firewall
- IDS/IPS
- SIEM
- Secure Web/Email Gateway
- Remote Access
Unified Threat Management (UTM) Advantages
- Browser based management
- Short learning curve for security policy configuration
- Localized software and documentation
- By 2022, more than 50% of new SMB firewall deployment will tunnel web traffic to a cloud-based secure web gateway, up from less than 10% today.
Application Firewall (Often called NGFW)
(ref image)
4 Properties of Next generation firewall (NGFW)
- Application Awareness
Does not assume a specific application is running on a specific port.
Firewall can monitor traffic from layers 2 to 7 with greater granularity
Eg: HTTP Port 80 assumed to be HTTP Traffic. Useful for bandwidth
control (P2P) - Identity Awareness
Track the identity of the local traffic device and user,
Typically using existing enterprise authentication systems
(i.e. Active Directory, LDAP). Control the what a specific
User or groups is allowed to send and receive - Extra firewall Intelligence
Optimized rule set and intelligence gathered from outside sources
continually (Whitelist, blacklist, directory integration to block by
identity) - Integrated IPS
Automatic correlation to IPS(To cover in PM) to suggest
blocking of certain malicious websites. Eg: Block and address
that is continually loading the IPS with bad traffic
Packet Filtering Rules (Two common strategies)
1) Build rules from most specific to most general. This is to ensure that
a general rule does not “override” a more specific but conflicting
rule.
2) Rules should be ordered such that the ones most often used are at
top of list. Done for performance reasons.
First 4 Best Practices
1) Deny all traffic by default, and only enable those services that are
needed.
2) Disable or uninstall any unnecessary services and software on the
firewall that are not specifically required.
3) Limit the number of applications that run on the firewall in order to
let the firewall do what it’s best at doing.
4) Run the firewall service as a unique user ID instead of administrator
or root.
Last 4 Best Practices
5) Change the default firewall administrator or root password
6) Do not rely on packet filtering alone. Use stateful
inspection and application proxies if possible.
7 Ensure that physical access to the firewall is controlled.
8) Regularly monitor firewall logs.
9) Document all firewall rule changes.
What is Packet filtering firewall
Stateless
- Filters packet content, Layer 3 and sometimes Layer 4 information
- Firewall makes decision based on packet header
What is Stateful firewall
Stateful Inspection
- Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state
- Keep state information about transactions (Connection)
What is Application gateway firewall
proxy firewall
Filters information at Layers 3, 4, 5 & 7
