chapter7.pptx

Network Security, Firewalls, and VPNs

Week 2

Firewall Fundamentals

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objectives

Describe the fundamental functions performed by firewalls

Manage and monitor firewalls, and understand their limitations.


8/30/20


Key Concepts

Types, features, and functions of firewalls

Software-based and hardware-based firewalls

Filtering and port control strategies and functions

Firewall rules and their application in restricting and permitting data transit

The limitations and weaknesses of firewalls, and how they introduce vulnerabilities

Resolving conflicts between blocked ports and firewall rules

Improving firewall performance

Firewall logging and monitoring techniques


IP Address Classes

Class  Start – End Addresses          Hosts per Network  Networks   Network Bits  Host Bits  Subnet Mask
A      1.0.0.0 – 126.255.255.255      16 Million         127        8 bits        24 bits    255.0.0.0
B      128.0.0.0 – 191.255.255.255    65,000             16,000     16 bits       16 bits    255.255.0.0
C      192.0.0.0 – 223.255.255.255    254                2 Million  24 bits       8 bits     255.255.255.0
D      Reserved for multicast groups
E      Reserved for future use or R & D


Public Addresses

Finite number of addresses available

Issued by Internet Assigned Numbers Authority (IANA)

Controlled at the regional level by Regional Registry Entry

Direct communication with the Internet

Required for Internet-facing applications


Private Addresses

Reserved IP space

Class A: 10.0.0.1-10.255.255.255

Class B: 172.16.0.0-172.31.255.255

Class C: 192.168.0.0-192.168.255.255

Can be reused on internal networks

Isolated from Internet

Need to use network address translation (NAT) to communicate with Internet


What Is a Firewall?

A network traffic control device or service

Enforces network security policy

Protects the network against external attacks

Establishes control over network traffic

Prevents connections from unauthorized sources to protected network systems, services, and resources

Firewall Analogy

Bouncer at a night club with a guest list that defines specific names or types of individuals allowed in or specifically prohibited from the club


What a Firewall Cannot Do

Is not an authentication system

Is not a remote access server

Cannot see contents of encrypted traffic

Is not a malicious code scanner

Cannot protect against threats from removable media


Types of Firewalls

Multi-Homed

Screening

Stateless

Stateful

Application Proxy


A Firewall on a Network


Bastion Host Firewall Implementation


Stateless Inspection

Maintain no “state tables” for active connections

Frames are treated individually rather than collectively

Filtering decisions are based on static addresses and port numbers


Stateless firewalls maintain no “state tables” for active connections.

Unaware of session stream details for connection-oriented protocols

Frames are treated individually rather than collectively.

Cannot distinguish between packets in ongoing connections and rogue packets

Filtering decisions are based on static addresses and port numbers.

Pass (allow) or block (deny) traffic based on well-known connection values


Stateful Inspection

Maintain records of active connections

Pass (allow) and block (deny) decisions based on packets belonging to legitimate connection streams

Looks for packets that do not belong to authorized sessions

Advanced stateful firewalls track session endpoints

Retain additional state details, such as acknowledgement numbers and sequence numbers

Connectionless traffic is not “stateful” and therefore firewall state management does not apply


Stateful firewalls maintain records of active connections to determine whether or not packets are part of existing sessions.

Pass (allow) and block (deny) decisions are based on packets belonging to legitimate connection streams.

Once a session is established, the firewall looks for packets that do not belong to authorized sessions.

Advanced stateful firewalls track session endpoints and retain additional state details, such as acknowledgement numbers and sequence numbers.

Connectionless traffic is not “stateful” and therefore firewall state management does not apply.


Advantages of Stateful Filtering

Keeping “state” observes network connections between points

Provide efficient packet inspection

Lack of “stateful record keeping” could result in breaking of legitimate connections


Keeping “state” observes network connections between points

Most session-oriented protocols use random source ports.

State tracking adjusts and adapts to real-time traffic conditions.

State tracking watches end-to-end traffic streams, session-oriented start-up and tear-down.

State tracking treats packets collectively (start to finish) rather than individually.

State tracking has high operational overhead and requires robust rule configurations.

Stateful firewalls provide efficient packet inspection.

Existing connections are checked against state table.

Computationally intensive firewall filter lookups are avoided.

Lack of “stateful record keeping” could result in breaking of legitimate connections.

Arbitrary source ports to well-known service destinations get dropped.
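As an added example (not from the slides), the following Python runs one constructed TCP exchange, plus two packets that belong to no session, through a stateless rule pair and a minimal state table. The addresses, ports, and the simplified tear-down (the first FIN closes the entry) are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed addresses: an internal client, the web server it talks to, and
# an unrelated external host that sends a rogue packet.
INTERNAL_NET = "192.168.42."
CLIENT, SERVER, ROGUE = "192.168.42.10", "203.0.113.5", "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_decide(pkt: Packet) -> str:
    """Static rules only: internal hosts may talk to port 80, and anything
    from source port 80 may come back in. The second rule is the hole a
    stateless filter needs so that replies (to an arbitrary client port)
    get through; it cannot tell a real reply from a packet that merely
    uses source port 80."""
    if is_internal(pkt.src_ip) and pkt.dst_port == 80:
        return "allow"
    if not is_internal(pkt.src_ip) and pkt.src_port == 80 and is_internal(pkt.dst_ip):
        return "allow"
    return "deny"


class StatefulFilter:
    """Keeps a state table keyed by 4-tuple. A packet is allowed only if it
    belongs to a tracked session or is a fresh SYN from an internal host."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            if pkt.fin:
                del self.table[key]          # simplified tear-down: first FIN closes
            elif pkt.syn and pkt.ack and key == rev:
                self.table[key] = "ESTABLISHED"
            return "allow"
        if is_internal(pkt.src_ip) and pkt.syn and not pkt.ack and pkt.dst_port == 80:
            self.table[fwd] = "SYN_SENT"     # new session opened from inside
            return "allow"
        return "deny"                        # no session and not a new SYN from inside


def run_scenario() -> list[tuple[str, str, str]]:
    """Run one constructed exchange through both filters; returns
    (label, stateless decision, stateful decision) per packet."""
    packets = [
        ("client SYN", Packet(CLIENT, 51234, SERVER, 80, syn=True)),
        ("server SYN/ACK", Packet(SERVER, 80, CLIENT, 51234, syn=True, ack=True)),
        ("client ACK", Packet(CLIENT, 51234, SERVER, 80, ack=True)),
        ("rogue to 445", Packet(ROGUE, 80, CLIENT, 445, syn=True)),      # source port 80, no session
        ("spoof to 22", Packet(SERVER, 80, CLIENT, 22, ack=True)),       # right peer, wrong session
        ("client FIN", Packet(CLIENT, 51234, SERVER, 80, fin=True, ack=True)),
        ("late packet", Packet(SERVER, 80, CLIENT, 51234, ack=True)),    # arrives after tear-down
    ]
    sf = StatefulFilter()
    return [(label, stateless_decide(p), sf.decide(p)) for label, p in packets]
```

The stateless filter passes all seven packets because each satisfies a static rule; the stateful filter passes only the five that belong to the tracked session.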


Firewall Filtering Types and Strategies

Stateful and stateless inspection

Stateful multilayer inspection

Proxy servers respond to connection requests between clients and servers

Network Address Translation (NAT)


Stateful multi-layer inspection

Inspects packet headers and payloads

Offers complete view of the entire seven-layer OSI protocol stack

Examines setup, state, and teardown of connection-oriented protocols

Stateful and stateless inspection

Tracking connection states to separate legitimate from questionable traffic

Proxy servers respond to connection requests between clients and servers.

Separates and isolates external and internal network endpoints

Circuit proxy (circuit-level firewall) monitors TCP handshakes to track sessions.

Application proxy filters by protocol content to enforce safe application behavior.

Network address translation (NAT)

Separates and isolates external and internal network endpoints

Maps several internal addresses to a common external address


Firewall Filtering Types and Strategies

Ingress/egress filtering

Packet filtering examines network protocol headers and parameters

Content filtering focuses on network protocol payloads


Ingress/egress filtering

Monitoring and filtering directional inbound and outbound traffic

Packet filtering examines network protocol headers and parameters.

Static packet filtering (stateless) uses a fixed set of rules to filter network traffic.

Dynamic packet filtering (stateful) watches connection states to filter traffic.

Operates at the lowest OSI protocol layers

Content filtering focuses on network protocol payloads.

Intercepts and investigates packet content before it enters or leaves the network.

Concentrates on domain names, URLs, file names and extensions.

Administratively blocks unauthorized download resources and Web sites.

Operates at the higher OSI protocol layers


Exploitable Programming Bugs

Firewalls run software

Bugs are result of human error in the software

Once discovered, bugs are typically addressed and corrected in software patches


Buffer Overflow

Memory-based attack

Typically a result of poor programming

Can result in code injection

Used to crash systems


Fragmentation

Overlapping

Full or partial overlapping datagrams

Overrun

Excessively large datagrams

Can result in denial of service
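As an added example (not from the slides) of the sanity check a firewall or reassembly engine can apply before accepting a fragmented datagram, this Python flags fragments that overlap or that would reassemble past the 65,535-byte IPv4 maximum. Byte offsets rather than the header's 8-byte units, and the sample fragment sets, are simplifications made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest datagram the 16-bit IPv4 Total Length field can describe


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the original datagram
    length: int   # bytes of data carried by this fragment
    more: bool    # More Fragments flag (False on the last fragment)


def check_fragments(frags: list[Fragment]) -> list[str]:
    """Inspect one datagram's fragments and return the problems found:
    'overlap' when two fragments claim the same bytes (fully or partially),
    'overrun' when a fragment would place data beyond MAX_DATAGRAM.
    An empty list means the fragments can be reassembled safely."""
    problems: set[str] = set()
    end_so_far = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end_so_far:          # starts before the previous fragment ended
            problems.add("overlap")
        if f.offset + f.length > MAX_DATAGRAM:
            problems.add("overrun")
        end_so_far = max(end_so_far, f.offset + f.length)
    return sorted(problems)


def classify(frags: list[Fragment]) -> str:
    """Drop decision a firewall could take: accept only clean fragment sets."""
    return "accept" if not check_fragments(frags) else "drop"


# Constructed sample fragment sets.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
PARTIAL_OVERLAP = [Fragment(0, 1480, True), Fragment(1000, 1480, False)]
FULL_OVERLAP = [Fragment(0, 100, True), Fragment(0, 100, False)]
OVERRUN = [Fragment(0, 1480, True), Fragment(65000, 1000, False)]
```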


Fragmentation and Overlapping


Firewalking

Attacker learns firewall configuration systematically

Can occur from inside or outside the firewall

Takes advantage of a known-good internal IP address


Internal Code Planting

Requires access from inside the network environment

Involves either a hacker or a user placing malicious code onto internal systems

Assumes the firewall has lenient outbound traffic restrictions

Results in internally initiated connections to a malicious Internet presence


Denial of Service (DoS)

Flooding attack that overwhelms systems

Often causes system shut down or failure

May manifest as performance problems


Encrypted Transport

Two main forms of communication encryption

tunnel mode

transport mode

Tunnel mode encrypts the original payload and header

Transport mode encrypts only the payload

Firewall cannot filter encrypted data


A firewall is typically not the intended destination or direct communication partner of a communication, especially encrypted communications. Thus, any encrypted data cannot be filtered by a firewall.

Two main forms of transaction or communication encryption apply: tunnel mode and transport mode. Tunnel mode encrypts the entire original payload and header, while transport mode only encrypts the payload. In tunnel mode, a temporary header goes with the encrypted packet to guide its path across the VPN tunnel. In transport mode, the original header remains in plain text.

Filtering on the transport mode header is a viable option, because the header is the same one the firewall would filter if the packet were not transport-mode encrypted. Thus, any header-only filtering rules still apply to transport mode-encrypted communications. However, any filtering that requires examination of the payload is rendered null.

When building or designing firewall filtering rules, you must make a choice about how to handle encrypted content. Consider both the valid and invalid reasons for content encryption. The organization can choose to support or allow encryption of specific types over specific protocols or ports, but disallow and prevent encrypted communications elsewhere. Encryption for Web communications and e-mail exchanges is often acceptable, while other transactions with the Internet might not be encrypted.

When designing the firewall rules, the management of encrypted traffic can range from full allowance to full denial. Whether to allow encryption over a specific port but not another and whether to allow encryption all the time, for only certain users, or for no one are common issues your organization needs to address and plan for.



Encrypted Transport (cont.)

May choose to support or allow encryption of specific types over specific protocols or ports, but disallow and prevent encrypted communications elsewhere

Firewall rules of encrypted traffic can range from full allowance to full denial

May allow encryption over a specific port or only certain users


Example: Encrypt Web communications and e-mail, do not encrypt other Internet communications


Gateway Bottlenecks

Gateway or pass-through firewall can become a bottleneck during high-traffic periods

DoS attack can consume all processing capabilities of the firewall


Malware Scanning

Benefits

Scanning for various malware: viruses, trojans, spam, spyware, etc.

Drawbacks

Potential of negative impact on performance

Wirespeed performance

Memory and CPU implications

Requires regular maintenance and update

Feature set may not be comparable to other dedicated solutions or may not complement current mechanisms


IDS and IPS

Benefits

Logical pairing of functionality

Reduction in administrative overhead of maintaining multiple devices

Drawbacks

Potential performance implications

Wirespeed

Possible feature set limitations


Unified Threat Management (UTM)

Benefit

Single device performs firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, detailed logging, more

Drawback

Can be single point of failure


Firewall Rules

Sometimes called a filter or access control list (ACL)

An instruction set that indicates how a firewall should take action on a particular type of network traffic


Firewall Rules General Guidelines

Direction matters – validate source and target addresses

Deny-all rule always goes at the bottom of the list

Denial exceptions go at the top of the list

Rules pertaining to more common traffic belong closer to the top of the list

Keep the number of rules to a minimum


Direction matters

Be sure to validate that the source and target addresses have been identified correctly

Deny All rule always goes at the bottom of the list

Denial exceptions go at the top of the list

Rules pertaining to more common traffic belong closer to the top of the list

Keep the number of rules to a minimum


Ports

What ports should be allowed?

443

80

25

Any required environmentally specific application ports

What ports should be blocked?

All others with a deny-all rule


Firewall Rule Example



Firewall Rule Components


Base protocol

Source address

Source port

Target address

Target port

Action

Firewall Rule Structure

Common structure

Source address and port often set as ANY unless rule applies to specific system or port


Firewall Rule Example 2


Firewall Rule Example 2 (Cont.)

Allow response to TCP connections to internal hosts

Prevent the firewall (192.168.42.1) from directly connecting to anything

Prevent external hosts from directly accessing the firewall

Allow internal hosts to access external resources

Allow external hosts to send e-mail inbound to the e-mail server at 192.168.42.55

Allow external hosts to access an internal Web server at 192.168.42.98

Apply a default-deny rule to all traffic not matching a previous exception
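The rule list above, as an added Python example that is not part of the slides: the seven rules are written with the components listed on the Firewall Rule Components slide (base protocol, source address and port, target address and port, action) and evaluated first-match with the deny-all rule at the bottom. The shadowed_rules check goes a little beyond the slide: it flags a rule that can never match because an earlier rule already covers everything it would match, which is what happens when a denial exception is placed below a broad allow. The `established` flag (match only ACK-set TCP replies), the external addresses, and the use of ANY source for the "do not reach the firewall" rule are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the slide: firewall, mail server and Web server all live in
# 192.168.42.0/24. External hosts used below are constructed.
INTERNAL = "192.168.42.0/24"
FIREWALL, MAIL, WEB = "192.168.42.1", "192.168.42.55", "192.168.42.98"
ANY = None  # wildcard for a protocol, address or port field


@dataclass(frozen=True)
class Rule:
    proto: str | None          # "tcp", "udp", "icmp" or ANY
    src: str | None            # address or CIDR, or ANY
    src_port: int | None
    dst: str | None
    dst_port: int | None
    action: str                # "allow" or "deny"
    established: bool = False  # match only TCP replies (ACK set), never new connections
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    ack: bool = False


def addr_matches(field: str | None, ip: str) -> bool:
    return field is ANY or ip_address(ip) in ip_network(field, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not ANY and rule.proto != pkt.proto:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and rule.src_port in (ANY, pkt.src_port)
            and rule.dst_port in (ANY, pkt.dst_port))


# The slide's seven rules in order. First match wins, so the two denial
# exceptions for the firewall itself precede the broad "internal hosts out"
# allow, and the default deny sits at the bottom.
RULES = [
    Rule("tcp", ANY, ANY, INTERNAL, ANY, "allow", established=True,
         note="responses to TCP connections opened by internal hosts"),
    Rule(ANY, FIREWALL, ANY, ANY, ANY, "deny", note="firewall never connects out"),
    Rule(ANY, ANY, ANY, FIREWALL, ANY, "deny", note="nothing reaches the firewall directly"),
    Rule(ANY, INTERNAL, ANY, ANY, ANY, "allow", note="internal hosts to external resources"),
    Rule("tcp", ANY, ANY, MAIL, 25, "allow", note="inbound e-mail to the mail server"),
    Rule("tcp", ANY, ANY, WEB, 80, "allow", note="inbound HTTP to the Web server"),
    Rule(ANY, ANY, ANY, ANY, ANY, "deny", note="default deny"),
]


def evaluate(pkt: Packet, rules: list[Rule] = RULES) -> tuple[str, int]:
    """Return (action, index of the first matching rule)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    raise ValueError("rule list has no default rule")


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indexes of rules that can never match because an earlier rule already
    covers every packet they would match (an ordering mistake)."""
    def same(x, y):
        return x is ANY or x == y

    def net_covers(x, y):  # does address field x include everything field y includes?
        return x is ANY or (y is not ANY and
                            ip_network(y, strict=False).subnet_of(ip_network(x, strict=False)))

    def covers(a: Rule, b: Rule) -> bool:
        return (same(a.proto, b.proto) and net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
                and same(a.src_port, b.src_port) and same(a.dst_port, b.dst_port)
                and (not a.established or b.established))

    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]
```

Swapping the "internal hosts out" allow above the "firewall never connects out" deny makes the deny unreachable, and shadowed_rules reports it.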


Application Gateway Overview

An application proxy, or application gateway, is like a packet filter but focuses more deeply on application protocol behaviors

Acts as middleman between client and server

Firewall and proxy combination achieves defense-in-depth strategy


Application Gateway as a Packet Filter

Static packet filters only inspect packet headers and segments

Application proxy can fully inspect traffic up to the application payload

Operates at any layer of the TCP/IP reference model


Application Gateway as a Middleman

All application-specific communications are handled between client and server

Maintains separate connections between client and server (“firewalling”)

Not transparent: client is configured for proxy use, and therefore aware of it


Application Gateway Defense-in-Depth

Firewall and proxy combination achieves defense-in-depth strategy

Application proxies filter on content in the application layer payload

Network firewalls filter on lower-level protocol properties


Network Circuit Proxy

A circuit proxy or circuit-level firewall filters on connection-oriented startup

Observes initial setup of a circuit, session, or state

Once connected, traffic on the circuit is no longer filtered


Circuit Proxy Filtering Rules

Circuit proxy filtering rules are similar to static packet filtering

Static values determine what circuits and connections are allowed

Filters can be set to default deny or default allow

Generally faster than application-layer firewalls due to fewer packet evaluations

Useful for connection-oriented protocols that perform TCP/IP handshakes


Network Address Translation (NAT)

Translates internal addresses to external addresses

Creates one-to-many mappings

Allows you to bypass individual IP assignments from an ISP

Conceals internal machines from external world


NAT translates internal addresses to external addresses.

NAT creates one-to-many mappings to extend IP address class availability and share a common Internet connection among several “hidden” hosts.

NAT allows you to bypass individual IP assignments from an ISP.

Create choke points through which all traffic must pass.

Reduce cost by using a single Internet IP among several internal computers.

Extend “full” IP address class ranges to smaller, separate network segments.

NAT conceals internal machines from the external world.

Keep private systems hidden from external access or view.

Let multiple internal connections appear to originate from one external system.
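An added example (not from the slides) of the one-to-many mapping described above: a small port-address translation table that gives each outbound flow from the private network its own source port on one public address, reverses only the replies that match an existing mapping, and drops unsolicited inbound traffic so the hidden hosts stay hidden. The public address, the private addresses and the starting port are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count

PUBLIC_IP = "203.0.113.10"   # constructed: the single Internet address shared by all hosts


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNat:
    """One-to-many NAT: outbound flows are rewritten to PUBLIC_IP with a fresh
    source port; inbound packets are translated back only when they match a
    mapping created by an earlier outbound flow."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)          # next free public port
        self.outbound: dict[Flow, int] = {}       # private flow -> public port
        self.inbound: dict[tuple[int, str, int], Flow] = {}  # (public port, peer ip, peer port) -> private flow

    def translate_out(self, f: Flow) -> Flow:
        """Rewrite a packet leaving the private network; reuses an existing mapping."""
        if f not in self.outbound:
            port = next(self._ports)
            self.outbound[f] = port
            self.inbound[(port, f.dst_ip, f.dst_port)] = f
        return Flow(self.public_ip, self.outbound[f], f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow) -> Flow | None:
        """Rewrite a packet arriving from the Internet; None means no mapping, drop it."""
        if f.dst_ip != self.public_ip:
            return None
        private = self.inbound.get((f.dst_port, f.src_ip, f.src_port))
        if private is None:
            return None
        return Flow(f.src_ip, f.src_port, private.src_ip, private.src_port)


def demo() -> dict:
    """Two hidden hosts using the same local port reach the same server; one
    reply comes back; one unsolicited packet probes a mapped port."""
    nat = PortNat(PUBLIC_IP)
    a = nat.translate_out(Flow("192.168.42.10", 51000, "198.51.100.20", 443))
    b = nat.translate_out(Flow("192.168.42.11", 51000, "198.51.100.20", 443))
    a_again = nat.translate_out(Flow("192.168.42.10", 51000, "198.51.100.20", 443))
    reply_b = nat.translate_in(Flow("198.51.100.20", 443, PUBLIC_IP, b.src_port))
    unsolicited = nat.translate_in(Flow("198.51.100.99", 12345, PUBLIC_IP, b.src_port))
    return {"a": a, "b": b, "a_again": a_again, "reply_b": reply_b, "unsolicited": unsolicited}
```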


Caching

Holds often-accessed content in storage or memory on firewall

Content retrieved from cache instead of original source

Transforms firewall into a proxy server of sorts


Load Balancing

Distributes firewall filtering workload across multiple parallel firewalls

Provides redundancy, fault tolerance


Ingress/Egress Filtering Common Rules on Firewalls

Access to insecure Internet Web sites (HTTP)

Access to secure Internet Web sites

HTTP over SSL or TLS

Access to other Internet Web site protocols

SQL and Java

Inbound Internet e-mail

Outbound Internet e-mail


Ingress/Egress Filtering

External entities initiating connection

Inbound rules are needed only when an internal resource is specifically hosted for the purpose of being accessed by external entities

Use a single IP address for a single host

Correct subnet or range designation for a collection of hosts

Specify the port when possible


Don’t allow external entities to initiate a connection unless you are running internal services, such as a Web server

Inbound rules are needed only when an internal resource is specifically hosted for the purposes of being accessed by external entities

Use a single IP address for a single host and the correct subnet or range designation for a collection of hosts

Specify the port when possible, otherwise use a valid port range


Ingress/Egress Filtering Communications Commonly Blocked

All ICMP traffic originating from the Internet

Any traffic directed specifically to the firewall

Any traffic to known closed ports

Any traffic to known ports of known malware

Inbound TCP 53 to block external DNS zone transfer requests

Inbound UDP 53 to block external DNS user queries

Any traffic from IP addresses on a blacklist

Any traffic from internal IP addresses that are not assigned


Software Firewalls

Software firewalls are installed on host computers

Built-in Windows Firewall or Linux packet filter

Competes for shared resources on the host computer

Static placement filters only connections made from/to the host

Protect only one system on the network, unless forwarding IP traffic


Hardware Firewalls

Hardware firewalls are installed on dedicated devices

Firewall appliances and dedicated routers with firewall services

Strategic placement throughout the network filters end-to-end connections

Stand-alone unit can protect multiple systems on the network

Optimized for network performance


Combination

Achieve defense-in-depth by combining hardware and software firewalls

Layered protection at the network and host levels by separate firewalls

Especially practical for mobile employees who telecommute to work


Host-Based Firewalls

Host-based firewalls protect only the local computer

Filters traffic passing through the local system only

Can filter traffic for other systems, such as Windows Internet Connection Sharing

Host-based “personal” software firewalls

Not optimized for firewall filtering


Network-Based Firewalls

Span an entire network

Filter all traffic passing in and out of network or network segment


Can filter between other networks and systems

Commercial or corporate firewalls

Optimized for network-wide firewall filtering

Incorporate enterprise-grade network services

VPN

Enterprise-class encryption protocols

Enterprise-class security services


Single-Homed Firewalls

Single-homed firewalls have only one network interface

No physical isolation between internal and external networks

Ideal separation between host and network

Cannot provide sentry services between network segments


Multi-Homed Firewalls

Multi-homed means more than one network interface

Dual- or triple-homed

Filter local traffic on an internal network interface

Filter remote traffic on an external network interface

Filter traffic between internal and external interfaces

Create electronic isolations among segments, subnets, and networks

Ideal network separation with sentry services between networks


Logging and Monitoring

Why log?

Validation that firewall rules are configured properly

Historical tracking and trend analysis

Reactive tracking and tracing of attacks

What data should be logged?

All connection rejections

All traffic that successfully traverses the firewall

Firewall configuration changes

Access to the firewall system


Logging and Monitoring (cont.)

Monitoring allows for alerting

Alerting allows for prompt response

Review log files regularly!
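An added example (not from the slides) of the regular log review the slide calls for. It parses a constructed log in an invented key=value format (not any firewall vendor's), then produces the items the previous slide says are worth logging and watching: rejections per source, sources denied on many distinct target ports (the pattern left by someone mapping the rule set), rules that never matched (candidates for removal or misconfiguration), and configuration changes and logins to the firewall itself. The sample lines, rule numbers and probe threshold are constructed.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample log; rule numbers refer to an assumed seven-rule list.
SAMPLE_LOG = """\
2020-08-30T10:15:01 fw1 TRAFFIC rule=5 action=allow proto=tcp src=198.51.100.20:51001 dst=192.168.42.98:80
2020-08-30T10:15:02 fw1 TRAFFIC rule=7 action=deny proto=tcp src=198.51.100.9:40001 dst=192.168.42.98:22
2020-08-30T10:15:02 fw1 TRAFFIC rule=7 action=deny proto=tcp src=198.51.100.9:40002 dst=192.168.42.98:23
2020-08-30T10:15:03 fw1 TRAFFIC rule=7 action=deny proto=tcp src=198.51.100.9:40003 dst=192.168.42.98:135
2020-08-30T10:15:03 fw1 TRAFFIC rule=7 action=deny proto=tcp src=198.51.100.9:40004 dst=192.168.42.98:445
2020-08-30T10:15:04 fw1 TRAFFIC rule=7 action=deny proto=tcp src=198.51.100.9:40005 dst=192.168.42.98:3389
2020-08-30T10:15:10 fw1 TRAFFIC rule=7 action=deny proto=udp src=203.0.113.44:53 dst=192.168.42.55:53
2020-08-30T10:15:11 fw1 TRAFFIC rule=4 action=allow proto=tcp src=192.168.42.10:51500 dst=198.51.100.20:443
2020-08-30T10:20:00 fw1 CONFIG user=admin change="rule 5 modified"
2020-08-30T10:21:00 fw1 LOGIN user=admin from=192.168.42.200 result=failure
2020-08-30T10:21:05 fw1 LOGIN user=admin from=192.168.42.200 result=success
"""

TRAFFIC = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) TRAFFIC rule=(?P<rule>\d+) action=(?P<action>\w+) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")
ADMIN = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>CONFIG|LOGIN) (?P<rest>.*)$")

PROBE_THRESHOLD = 5  # distinct denied target ports from one source before we flag it


def review(log_text: str, rule_count: int, probe_threshold: int = PROBE_THRESHOLD) -> dict:
    """Summarise one log: who is being rejected, which rules are doing the
    work, which sources look like they are walking the rule set, and every
    administrative event on the firewall."""
    denies_by_src: dict[str, int] = defaultdict(int)
    denied_ports_by_src: dict[str, set[int]] = defaultdict(set)
    hits_by_rule: dict[int, int] = defaultdict(int)
    admin_events: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = TRAFFIC.match(line)
        if m:
            hits_by_rule[int(m["rule"])] += 1
            if m["action"] == "deny":
                denies_by_src[m["src"]] += 1
                denied_ports_by_src[m["src"]].add(int(m["dport"]))
            continue
        m = ADMIN.match(line)
        if m:
            admin_events.append((m["ts"], m["kind"], m["rest"]))
    return {
        "denies_by_src": dict(denies_by_src),
        "hits_by_rule": dict(hits_by_rule),
        "unused_rules": [r for r in range(1, rule_count + 1) if r not in hits_by_rule],
        "probable_probes": sorted(s for s, ports in denied_ports_by_src.items()
                                  if len(ports) >= probe_threshold),
        "admin_events": admin_events,
        "failed_logins": [e for e in admin_events if e[1] == "LOGIN" and "result=failure" in e[2]],
    }
```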


Summary

Types, features, and functions of firewalls

Software-based and hardware-based firewalls

Filtering and port control strategies and functions

Firewall rules and their application in restricting and permitting data transit

The limitations and weaknesses of firewalls, and how they introduce vulnerabilities

Resolving conflicts between blocked ports and firewall rules

Improving firewall performance

Firewall logging and monitoring techniques


Virtual Labs

Configuring a pfSense Firewall for the Server

Penetration Testing a pfSense Firewall

Required Reading

Chapters 2 & 7


Use the following script to introduce the first lab for this lesson:

“In this lesson, you explored the basic functions of firewalls and learned how firewalls fit into the network security framework. You also examined firewall filtering, port control strategies, and the implications of encryption, along with firewall monitoring and logging.

 

In the first lab for this lesson, Configuring a pfSense Firewall for the Server, you will use Network Address Translation, or NAT, to bind a public Internet address to an internal server. Then you will configure the firewall to allow limited access to services, such as HTTP, DNS, and SMTP, hosted on the internal server.”

Use the following script to introduce the second lab for this lesson:

“One method organizations use to check whether a firewall is adequately protecting the network is to perform a penetration test. Penetration testing, or pen testing for short, tests the strengths and weaknesses of IT security, as well as the readiness of a facility and its employees to respond to an attack. Penetration testers use the same methods as hackers to try to penetrate a system or network. The difference is that penetration testing is performed by trusted employees or licensed pen testers. The process includes reconnaissance, scanning, vulnerability analysis (enumeration), exploitation (the actual attack), and post-attack activities, including remediation of the vulnerabilities. Before attacking a system, the pen tester uses an automated tool or set of tools to scan for and identify vulnerabilities to exploit.

 

In the lab for this lesson, Penetration Testing a pfSense Firewall, you will configure a basic pfSense Firewall on a virtual machine in preparation for a penetration testing scenario. Then, you will use OpenVAS to check for vulnerabilities on a virtual Windows server, and craft a plan to reduce or eliminate those vulnerabilities.”
