Firewall Basics and Security

Questions and Answers

What is the most effective way to secure the Internet link?

Encrypting all network traffic

Using hardware or software firewall (correct)

Implementing network antivirus software

Disabling all network ports

The Principle of _____ states that firewall administration should only allow users the privileges they require to do their jobs.

Least Privilege

Regularly reviewing firewall rules to remove unnecessary ones helps reduce the network attack surface.

True

What tool can be used to scan firewall changes before and after to verify the expected outcome?

nmap

What is the default IPsec mode that encrypts and authenticates the entire IP packet and encapsulates it into a new IP header?

Tunnel mode

What types of authentication methods are allowed by OpenVPN? (Select all that apply)

Username/password

Transport mode in IPsec is used for protecting data between hosts on different networks.

False

Match the following statements with the correct IPsec mode:

Encrypts and authenticates the entire IP packet = Tunnel mode Used for end-to-end communications on the same network = Transport mode

What is pfSense?

pfSense is an open-source firewall and router software distribution based on FreeBSD.

Which feature is not offered by pfSense?

Data encryption

PfSense can only be installed on specific hardware.

False

TCP connections end with the session being ____________.

terminated

Match the following components with their purposes:

Authentication Header (AH) = Provides authentication and data integrity Encapsulating Security Payload (ESP) = Provides integrity and confidentiality by encrypting packet data Internet Key Exchange (IKE) = Sets up Security Associations in the IPsec protocol suite

What is the purpose of a VPN?

VPNs securely extend private networks across public networks, enabling users and applications to connect to private resources as if they were locally connected to the private network.

What is a recommended step when configuring an ACL?

Use a text editor to write out the policy

What command is used to apply a standard ACL to an interface for filtering traffic?

ip access-group

What is the keyword that can be recognized by Cisco IOS in place of a 255.255.255.255 mask? Use '___' in place of the blank.

any

Type 8 passwords in Cisco IOS are encrypted with PBKDF2 and are considered uncrackable.

True

What is the benefit of using local authentication over line-based passwords?

Accounts can have privileges associated with them

Privilege Level 15 in Cisco IOS is also known as User EXEC mode.

False

What is the purpose of configuring the transport input ssh command on a router?

To specify that only SSH should be used for remote device access

SSH relies on an _ certificate to ensure session privacy.

RSA

Match the security best practices with their descriptions:

Auxiliary Port Configuration = Disable aux port with no exec command EXEC Timeout Configuration = Terminate session after period of inactivity Absolute Timeout Configuration = Terminate session after configured time Logout-Warning Configuration = Warn users about impending logout

Study Notes

Firewall Basics

• A firewall is a system that protects a network from unauthorized access by controlling incoming and outgoing network traffic based on predetermined security rules.
• Firewalls can be hardware, software, or a combination of both.
• The principle of least privilege is a best practice for firewall administration, allowing only necessary access to the administrative interface.
• Another best practice is to only allow necessary traffic, referring to relevant application/system documentation to understand the implications of exposing a particular service.
• Consider inbound and outbound traffic when implementing firewall rules.

Firewall Best Practices

• Trust, but verify: scan firewalls before and after changes to ensure the desired effect.
• Regular vulnerability assessments should be conducted against firewalls to ensure inadvertent changes have not been made.
• Change management is crucial to reduce risks, involving all relevant stakeholders, testing, and having a backout plan.
• Document all changes and refer to this documentation in the firewall itself.
• Regularly review and clean up firewall rules and exceptions to reduce the network attack surface.
• Ensure firewall logging is enabled and regularly review logs to identify potential attacks.
• Configure alerting to ensure suspicious traffic or patterns are investigated quickly.

Host Firewalls

• Windows Firewall is a built-in firewall that can be used to block or allow ports, applications, and services.
• Windows Firewall includes three profiles: Domain, Private, and Public.
• Developers can use public APIs to determine the current profile and enable firewall rules based on specific profiles.
• System administrators can use Group Policy to ensure firewall rules are more secure when Windows computers are on public networks.

Netfilter

• Netfilter is a packet filtering framework built into the Linux kernel, offering stateless and stateful packet filtering, NAT, and PAT.
• Netfilter uses kernel hooks to inspect or manipulate packets.
• iptables is a standard firewall that interfaces with the kernel-level netfilter hooks and is used to configure and view tables of packet filter rules.
• Rules in iptables specify characteristics a packet must match, such as protocol type, source address, and destination port.
• Targets in iptables specify what to do with packets that match a rule, such as ACCEPT, DROP, or RETURN.
• Chains in iptables are collections of rules that a packet is checked against sequentially.

pfSense

• pfSense is an open-source firewall and router software distribution based on FreeBSD.
• pfSense features include stateful packet inspection, DHCP, DNS, NAT, VPN server, high availability, load balancing, traffic shaping, and more.
• pfSense is available on a variety of hardware or can be purchased on pre-configured appliances.

TCP Review

• TCP is a connection-oriented protocol that begins with a three-way handshake.
• The three-way handshake involves the client sending a SYN packet, the server responding with a SYN/ACK, and the client responding with an ACK.
• TCP connections can be in various states, including LISTEN, ESTABLISHED, and TIME-WAIT.
• TCP port states include open, closed, and filtered.

Security Concepts Review

• The CIA triad consists of confidentiality, integrity, and availability.
• Identification is an assertion of who someone is, or what something is.
• Authentication is the verification of an identification claim.
• Certificate expiry is a trade-off between convenience and security.
• VPNs securely extend private networks across public networks, enabling users and applications to connect to private resources as if they were locally connected to the private network.
• The need for VPNs arises from the need to access internal resources while outside the office, and the need to protect sensitive data from exposure and interception.### Site-to-Site VPN
• A tunnel configured between two devices to connect remote locations securely over the Internet
• Encrypts data to provide confidentiality
• Transparent to client applications and backend servers

Internet Protocol Security (IPsec)

• A suite of protocols used to manage encrypted communication tunnels
• Provides authentication, confidentiality, and integrity
• Operates at Layer 3 of the OSI model
• Uses encryption algorithms (e.g. DES, IDEA) and hashing algorithms (e.g. MD5, SHA)
• Components: Authentication Header (AH), Encapsulating Security Payload (ESP), Security Associations (SA)

IPsec Components

• Authentication Header (AH)
  • Provides authentication and data integrity
  • Acts as a digital signature for data
  • Protects against replay attacks
• Encapsulating Security Payload (ESP)
  • Provides origin authenticity, integrity, and confidentiality
  • Encrypts packet data
  • Optionally provides authentication and data integrity
• Security Associations (SA)
  • Used to establish shared security settings related to algorithms and keys

Internet Key Exchange (IKE)

• Used to set up a Security Association (SA) in the IPsec protocol suite
• Creates VPN tunnels and manages keys used to encrypt and decrypt data
• Conducts a two-phase negotiation process using authentication and encryption algorithms

IKE Phases

• Phase 1: Negotiates encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group
• Phase 2: Negotiates shared-secret key material and an additional Diffie-Hellman exchange

IPsec Modes of Operation

• Tunnel mode: Encrypts and authenticates the entire IP packet
• Transport mode: Encrypts and authenticates only the payload of the IP packet

IPsec Disadvantages

• Can be complicated to configure and troubleshoot
• Some clients only support older protocols and algorithms
• SHA1 is prone to attacks
• MS-CHAPv2 contains several weaknesses

OpenVPN

• Open-source software that implements a VPN
• Allows peers to authenticate each other using pre-shared keys, certificates, or usernames/passwords
• Creates a Layer 2 or Layer 3 connection
• Uses OpenSSL library to handle key exchange via SSL/TLS
• Uses a custom security protocol based on TLS
• Works through NAT and proxies

OpenVPN Server Modes

• Remote Access (SSL/TLS + User Auth): Requires both certificates and usernames/passwords
• Remote Access (SSL/TLS): Requires certificates only
• Remote Access (User Auth): Requires usernames/passwords only

Check Point

• SmartConsole is a graphical user interface used to manage network elements, servers, and gateways
• Objects are used to represent network components
• Blades refer to individual software or hardware components that make up the security infrastructure

Palo Alto

• Security zones allow for granular policy-based control
• Security policies are enforced by configuring rules on the firewall
• Objects represent physical and virtual network components
• Tags are color-coded labels assigned to items throughout the firewall configuration
• Running and candidate configurations are used to manage firewall configurations

Security Policy Fundamental Concepts

• All traffic passing through the data plane of the firewall is matched against a security policy
• Policy rules are defined using zones, applications, addresses, users, and host information profiles (HIP profiles)
• Policy rules are directional, but replies are always allowed
• If traffic will be initiated from both zones, two policies are required

Network Address Translation (NAT)

• In Palo Alto, NAT is performed based on the perspective of the NAT device (the firewall)
• Source NAT modifies the source address and is commonly used by internal clients with private IP addresses when they access hosts on the internet
• Destination NAT modifies the destination address and is used to provide hosts on the internet access to private (internal) servers### Configuring Standard ACLs
• Standard ACLs can be used to filter traffic based on source IP address.
• The command access-list {access-list-number | access-list-name} {in | out} is used to apply an ACL to an interface.
• access-list-number ranges from 1-99 or 1300-1999.
• access-list-name is a name given to the ACL.
• in applies the ACL to incoming traffic, while out applies it to outgoing traffic.

Standard ACL Examples

• A standard ACL can be used to block all traffic from a specific subnet to another subnet.
• Example: access-list 1 remark Blocks traffic from the 192.168.1.0/24 to 10.0.2.0/24
• access-list 1 deny 192.168.1.0 0.0.0.255 denies traffic from the specified subnet.

Configuring Extended ACLs

• Extended ACLs can be used to filter traffic based on source and destination IP addresses, protocols, and ports.
• The command access-list {access-list-number} permit {protocol} {source} {source-wildcard} {destination} {destination-wildcard} is used to configure an extended ACL.
• Protocols can be specified by name or number, such as tcp, udp, or icmp.
• Ports can be specified by name or number, such as www (port 80) or 22 (port 22).

Modifying ACLs

• ACLs can be modified by copying the ACL to a text editor, making changes, and then replacing the ACL on the router.
• Alternatively, ACL sequence numbers can be used to edit the ACL on the router.
• The ip access-list standard command is used to enter ACL configuration mode.

ACL Statistics

• The show access-lists command displays the number of times each ACE in the ACL was matched.
• The clear access-list counters command is used to reset the ACL statistics.

Securing VTY Lines

• A standard ACL can be used to secure VTY lines, allowing only hosts from an approved management subnet to connect.
• The access-class command is used to apply the ACL to the VTY lines.

Management Plane Password Protection

• Cisco IOS supports five password types: Type 0 (plaintext), Type 5 (MD5 hash), Type 7 (Vigenere cipher), Type 8 (PBKDF2 with SHA-256), and Type 9 (SCRYPT).
• Local authentication is recommended for managing device access.
• The username command is used to configure usernames and passwords on the device.

Privilege Levels and Role-Based Access Control

• Cisco IOS includes five default privilege levels: 0, 1, 15, and custom levels 2-14.
• Privilege levels can be used to control access to device commands.
• The privilege command is used to configure custom privilege levels.

Improving Management Plane Security

• Insecure remote management protocols like HTTP and Telnet should be avoided.
• Secure protocols like HTTPS and SSH should be used instead.
• The transport input ssh command is used to enable SSH on the device.
• SSH relies on an RSA certificate for encryption.
• The crypto key generate rsa command is used to generate an RSA certificate.

Zone-Based Firewall (ZBFW)

• ZBFW is a stateful firewall technology included in IOS.
• ZBFW uses security zones to simplify configuration.
• Two system-built zones are included: the Self Zone and the Default Zone.
• Additional zones can be configured by the administrator.

Description

Learn about the importance of firewalls in securing networks from intrusions and understanding the basics of firewalls, including hardware and software configurations.