Firewall Basics and Security


What is the most effective way to secure the Internet link?

Using hardware or software firewall

The Principle of _____ states that firewall administration should only allow users the privileges they require to do their jobs.

Least Privilege

Regularly reviewing firewall rules to remove unnecessary ones helps reduce the network attack surface.

True

What tool can be used to scan firewall changes before and after to verify the expected outcome?

nmap

What is the default IPsec mode that encrypts and authenticates the entire IP packet and encapsulates it into a new IP header?

Tunnel mode

What types of authentication methods are allowed by OpenVPN? (Select all that apply)

Username/password

Transport mode in IPsec is used for protecting data between hosts on different networks.

False

Match the following statements with the correct IPsec mode:

Encrypts and authenticates the entire IP packet = Tunnel mode
Used for end-to-end communications on the same network = Transport mode

What is pfSense?

pfSense is an open-source firewall and router software distribution based on FreeBSD.

Which feature is not offered by pfSense?

Data encryption

PfSense can only be installed on specific hardware.

False

TCP connections end with the session being ____________.

terminated

Match the following components with their purposes:

Authentication Header (AH) = Provides authentication and data integrity
Encapsulating Security Payload (ESP) = Provides integrity and confidentiality by encrypting packet data
Internet Key Exchange (IKE) = Sets up Security Associations in the IPsec protocol suite

What is the purpose of a VPN?

VPNs securely extend private networks across public networks, enabling users and applications to connect to private resources as if they were locally connected to the private network.

What is a recommended step when configuring an ACL?

Use a text editor to write out the policy

What command is used to apply a standard ACL to an interface for filtering traffic?

ip access-group

What is the keyword that can be recognized by Cisco IOS in place of a 255.255.255.255 mask? Use '___' in place of the blank.

any

Type 8 passwords in Cisco IOS are encrypted with PBKDF2 and are considered uncrackable.

True

What is the benefit of using local authentication over line-based passwords?

Accounts can have privileges associated with them

Privilege Level 15 in Cisco IOS is also known as User EXEC mode.

False

What is the purpose of configuring the transport input ssh command on a router?

To specify that only SSH should be used for remote device access

SSH relies on an _____ certificate to ensure session privacy.

RSA

Match the security best practices with their descriptions:

Auxiliary Port Configuration = Disable aux port with no exec command
EXEC Timeout Configuration = Terminate session after period of inactivity
Absolute Timeout Configuration = Terminate session after configured time
Logout-Warning Configuration = Warn users about impending logout

Study Notes

Firewall Basics

  • A firewall is a system that protects a network from unauthorized access by controlling incoming and outgoing network traffic based on predetermined security rules.
  • Firewalls can be hardware, software, or a combination of both.
  • The principle of least privilege is a best practice for firewall administration, allowing only necessary access to the administrative interface.
  • Another best practice is to only allow necessary traffic, referring to relevant application/system documentation to understand the implications of exposing a particular service.
  • Consider inbound and outbound traffic when implementing firewall rules.

Firewall Best Practices

  • Trust, but verify: scan firewalls before and after changes to ensure the desired effect.
  • Regular vulnerability assessments should be conducted against firewalls to ensure inadvertent changes have not been made.
  • Change management is crucial to reduce risks, involving all relevant stakeholders, testing, and having a backout plan.
  • Document all changes and refer to this documentation in the firewall itself.
  • Regularly review and clean up firewall rules and exceptions to reduce the network attack surface.
  • Ensure firewall logging is enabled and regularly review logs to identify potential attacks.
  • Configure alerting to ensure suspicious traffic or patterns are investigated quickly.

Host Firewalls

  • Windows Firewall is a built-in firewall that can be used to block or allow ports, applications, and services.
  • Windows Firewall includes three profiles: Domain, Private, and Public.
  • Developers can use public APIs to determine the current profile and enable firewall rules based on specific profiles.
  • System administrators can use Group Policy to ensure firewall rules are more secure when Windows computers are on public networks.

Netfilter

  • Netfilter is a packet filtering framework built into the Linux kernel, offering stateless and stateful packet filtering, NAT, and PAT.
  • Netfilter uses kernel hooks to inspect or manipulate packets.
  • iptables is a standard firewall that interfaces with the kernel-level netfilter hooks and is used to configure and view tables of packet filter rules.
  • Rules in iptables specify characteristics a packet must match, such as protocol type, source address, and destination port.
  • Targets in iptables specify what to do with packets that match a rule, such as ACCEPT, DROP, or RETURN.
  • Chains in iptables are collections of rules that a packet is checked against sequentially.
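
The rule/target/chain model described above, as an added example that is not code from the page or from the netfilter project: a small Python model of how a packet is checked against a chain's rules in order, how ACCEPT and DROP terminate evaluation, how RETURN hands control back to the calling chain, and how the built-in chain's default policy applies when nothing matches. The INPUT/MGMT rule set and the packets are constructed for illustration; real iptables matches many more fields.

```python
"""Toy model of netfilter/iptables chain traversal (illustrative, not real iptables)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IPv4 address
    dst_port: Optional[int] = None


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, RETURN, or a user-chain name (jump)
    proto: Optional[str] = None     # match criteria; None means "don't care"
    src: Optional[str] = None       # CIDR such as "10.10.0.0/24"
    dst_port: Optional[int] = None
    packets: int = 0                # per-rule hit counter, like iptables -v output

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policy: Dict[str, str] = {}      # default verdict, built-in chains only

    def chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains.setdefault(name, [])
        if policy:
            self.policy[name] = policy

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Check rules sequentially; None means the chain was left without a verdict."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target            # terminating target
            if rule.target == "RETURN":
                return None                   # back to the calling chain
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        v = self._walk(chain, pkt)
        return v if v is not None else self.policy[chain]


def build_input_chain() -> Table:
    """Constructed rule set: default-drop INPUT, HTTPS open, SSH only via a management chain."""
    t = Table()
    t.chain("INPUT", policy="DROP")
    t.chain("MGMT")
    t.append("INPUT", Rule(target="ACCEPT", proto="tcp", dst_port=443))
    t.append("INPUT", Rule(target="MGMT", proto="tcp", dst_port=22))
    t.append("MGMT", Rule(target="ACCEPT", src="10.10.0.0/24"))
    t.append("MGMT", Rule(target="RETURN"))     # anything else falls back to INPUT's policy
    return t


if __name__ == "__main__":
    table = build_input_chain()
    for p in (Packet("tcp", "203.0.113.5", 443), Packet("tcp", "10.10.0.7", 22),
              Packet("tcp", "203.0.113.5", 22), Packet("udp", "10.10.0.7", 53)):
        print(p, "->", table.verdict("INPUT", p))
```

The RETURN at the end of MGMT is what makes the SSH attempt from 203.0.113.5 end up at INPUT's DROP policy rather than being accepted by a later rule, which is the behaviour to check when a user chain is meant to be a strict allow-list.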

pfSense

  • pfSense is an open-source firewall and router software distribution based on FreeBSD.
  • pfSense features include stateful packet inspection, DHCP, DNS, NAT, VPN server, high availability, load balancing, traffic shaping, and more.
  • pfSense is available on a variety of hardware or can be purchased on pre-configured appliances.

TCP Review

  • TCP is a connection-oriented protocol that begins with a three-way handshake.
  • The three-way handshake involves the client sending a SYN packet, the server responding with a SYN/ACK, and the client responding with an ACK.
  • TCP connections can be in various states, including LISTEN, ESTABLISHED, and TIME-WAIT.
  • TCP port states include open, closed, and filtered.

Security Concepts Review

  • The CIA triad consists of confidentiality, integrity, and availability.
  • Identification is an assertion of who someone is, or what something is.
  • Authentication is the verification of an identification claim.
  • Certificate expiry is a trade-off between convenience and security.
  • VPNs securely extend private networks across public networks, enabling users and applications to connect to private resources as if they were locally connected to the private network.
  • The need for VPNs arises from the need to access internal resources while outside the office, and the need to protect sensitive data from exposure and interception.

Site-to-Site VPN

  • A tunnel configured between two devices to connect remote locations securely over the Internet
  • Encrypts data to provide confidentiality
  • Transparent to client applications and backend servers

Internet Protocol Security (IPsec)

  • A suite of protocols used to manage encrypted communication tunnels
  • Provides authentication, confidentiality, and integrity
  • Operates at Layer 3 of the OSI model
  • Uses encryption algorithms (e.g. DES, IDEA) and hashing algorithms (e.g. MD5, SHA)
  • Components: Authentication Header (AH), Encapsulating Security Payload (ESP), Security Associations (SA)

IPsec Components

  • Authentication Header (AH)
    • Provides authentication and data integrity
    • Acts as a digital signature for data
    • Protects against replay attacks
  • Encapsulating Security Payload (ESP)
    • Provides origin authenticity, integrity, and confidentiality
    • Encrypts packet data
    • Optionally provides authentication and data integrity
  • Security Associations (SA)
    • Used to establish shared security settings related to algorithms and keys

Internet Key Exchange (IKE)

  • Used to set up a Security Association (SA) in the IPsec protocol suite
  • Creates VPN tunnels and manages keys used to encrypt and decrypt data
  • Conducts a two-phase negotiation process using authentication and encryption algorithms

IKE Phases

  • Phase 1: Negotiates encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group
  • Phase 2: Negotiates shared-secret key material and an additional Diffie-Hellman exchange

IPsec Modes of Operation

  • Tunnel mode: Encrypts and authenticates the entire IP packet
  • Transport mode: Encrypts and authenticates only the payload of the IP packet

IPsec Disadvantages

  • Can be complicated to configure and troubleshoot
  • Some clients only support older protocols and algorithms
  • SHA1 is prone to attacks
  • MS-CHAPv2 contains several weaknesses

OpenVPN

  • Open-source software that implements a VPN
  • Allows peers to authenticate each other using pre-shared keys, certificates, or usernames/passwords
  • Creates a Layer 2 or Layer 3 connection
  • Uses OpenSSL library to handle key exchange via SSL/TLS
  • Uses a custom security protocol based on TLS
  • Works through NAT and proxies

OpenVPN Server Modes

  • Remote Access (SSL/TLS + User Auth): Requires both certificates and usernames/passwords
  • Remote Access (SSL/TLS): Requires certificates only
  • Remote Access (User Auth): Requires usernames/passwords only

Check Point

  • SmartConsole is a graphical user interface used to manage network elements, servers, and gateways
  • Objects are used to represent network components
  • Blades refer to individual software or hardware components that make up the security infrastructure

Palo Alto

  • Security zones allow for granular policy-based control
  • Security policies are enforced by configuring rules on the firewall
  • Objects represent physical and virtual network components
  • Tags are color-coded labels assigned to items throughout the firewall configuration
  • Running and candidate configurations are used to manage firewall configurations

Security Policy Fundamental Concepts

  • All traffic passing through the data plane of the firewall is matched against a security policy
  • Policy rules are defined using zones, applications, addresses, users, and host information profiles (HIP profiles)
  • Policy rules are directional, but replies are always allowed
  • If traffic will be initiated from both zones, two policies are required

Network Address Translation (NAT)

  • In Palo Alto, NAT is performed based on the perspective of the NAT device (the firewall)
  • Source NAT modifies the source address and is commonly used by internal clients with private IP addresses when they access hosts on the internet
  • Destination NAT modifies the destination address and is used to provide hosts on the internet access to private (internal) servers

Configuring Standard ACLs

  • Standard ACLs can be used to filter traffic based on source IP address.
  • The access-list command defines the entries; the command ip access-group {access-list-number | access-list-name} {in | out} is used to apply an ACL to an interface.
  • access-list-number ranges from 1-99 or 1300-1999.
  • access-list-name is a name given to the ACL.
  • in applies the ACL to incoming traffic, while out applies it to outgoing traffic.

Standard ACL Examples

  • A standard ACL can be used to block all traffic from a specific subnet to another subnet.
  • Example: access-list 1 remark Blocks traffic from the 192.168.1.0/24 to 10.0.2.0/24
  • access-list 1 deny 192.168.1.0 0.0.0.255 denies traffic from the specified subnet.

Configuring Extended ACLs

  • Extended ACLs can be used to filter traffic based on source and destination IP addresses, protocols, and ports.
  • The command access-list {access-list-number} permit {protocol} {source} {source-wildcard} {destination} {destination-wildcard} is used to configure an extended ACL.
  • Protocols can be specified by name or number, such as tcp, udp, or icmp.
  • Ports can be specified by name (e.g. www for port 80) or by number (e.g. 22 for SSH).
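
Wildcard-mask matching, the any keyword (equivalent to a 255.255.255.255 wildcard), top-down evaluation and the implicit deny at the end of every ACL, as an added example that is not the page's own code and not Cisco software. It parses a small subset of the IOS access-list syntax (standard and extended entries, host, any, and eq with a handful of well-known port names) and evaluates constructed packets against the standard ACL from the notes plus a constructed extended ACL.

```python
"""Evaluate Cisco-style standard and extended ACL entries (illustrative subset of IOS syntax)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# IOS accepts well-known port names in place of numbers; a small subset for the demo.
NAMED_PORTS = {"www": 80, "ssh": 22, "domain": 53, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    proto: Optional[str] = None     # None for a standard ACL (source-only)
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dst_port: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume `any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, or a bare host address."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1


def parse_line(line: str) -> Optional[Entry]:
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] == "remark":
        return None                 # remarks carry no match criteria
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard ACL number ranges
        src, src_wc, _ = parse_addr(tokens, 3)
        return Entry(action, src, src_wc)
    proto = tokens[3]
    src, src_wc, i = parse_addr(tokens, 4)
    dst, dst_wc, i = parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
    return Entry(action, src, src_wc, proto, dst, dst_wc, port)


def matches(e: Entry, p: Packet) -> bool:
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if e.proto is None:             # standard ACLs look only at the source address
        return True
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(lines: List[str], p: Packet) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for line in lines:
        e = parse_line(line)
        if e is not None and matches(e, p):
            return e.action
    return "deny"


# The standard ACL from the notes, plus a constructed extended ACL for a server at 10.0.2.5.
STANDARD_ACL = [
    "access-list 1 remark Blocks traffic from the 192.168.1.0/24 to 10.0.2.0/24",
    "access-list 1 deny 192.168.1.0 0.0.0.255",
    "access-list 1 permit any",
]
EXTENDED_ACL = [
    "access-list 100 permit tcp 10.10.0.0 0.0.0.255 host 10.0.2.5 eq ssh",
    "access-list 100 permit tcp any host 10.0.2.5 eq www",
    "access-list 100 deny ip any any",
]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, Packet("tcp", "192.168.1.20", "10.0.2.9", 80)))
    print(evaluate(EXTENDED_ACL, Packet("tcp", "203.0.113.9", "10.0.2.5", 22)))
```

Note that the standard ACL needs its trailing permit any: without it the implicit deny would block every source, not just 192.168.1.0/24, which is exactly the kind of outcome the "scan before and after" practice is meant to catch.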

Modifying ACLs

  • ACLs can be modified by copying the ACL to a text editor, making changes, and then replacing the ACL on the router.
  • Alternatively, ACL sequence numbers can be used to edit the ACL on the router.
  • The ip access-list standard command is used to enter ACL configuration mode.

ACL Statistics

  • The show access-lists command displays the number of times each ACE in the ACL was matched.
  • The clear access-list counters command is used to reset the ACL statistics.

Securing VTY Lines

  • A standard ACL can be used to secure VTY lines, allowing only hosts from an approved management subnet to connect.
  • The access-class command is used to apply the ACL to the VTY lines.

Management Plane Password Protection

  • Cisco IOS supports five password types: Type 0 (plaintext), Type 5 (MD5 hash), Type 7 (Vigenere cipher), Type 8 (PBKDF2 with SHA-256), and Type 9 (SCRYPT).
  • Local authentication is recommended for managing device access.
  • The username command is used to configure usernames and passwords on the device.
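
The difference between the fast hash behind Type 5 and the PBKDF2 construction behind Type 8, as an added example that is not the page's code and not Cisco's implementation: the salt length, iteration count and hex encoding below are illustrative assumptions and do not reproduce the exact IOS Type 5 or Type 8 string formats. It stores and verifies a password with PBKDF2-HMAC-SHA256 and measures how many offline guesses per second each construction allows on one core.

```python
"""Fast salted MD5 versus PBKDF2-HMAC-SHA256 for stored device credentials (illustrative)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Tuple

ITERATIONS = 20_000      # assumed work factor for this demo, not IOS's exact value


def fast_hash(password: str, salt: bytes) -> str:
    """Single salted MD5: a stand-in for the fast MD5-based hash (Type 5)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256, the construction the notes attribute to Type 8."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store(password: str) -> Tuple[bytes, str]:
    """Generate a fresh random salt and return (salt, digest) for storage."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(password: str, salt: bytes, stored: str) -> bool:
    # Constant-time comparison so verification does not leak the stored digest.
    return hmac.compare_digest(slow_hash(password, salt), stored)


def guesses_per_second(fn: Callable[[str, bytes], str], seconds: float = 0.25) -> float:
    """Rough single-core offline guessing rate; shows the work-factor gap between the two."""
    salt, n, start = b"\x00" * 16, 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("guess%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, digest = store("correct horse")
    print("verify good:", verify("correct horse", salt, digest))
    print("verify bad :", verify("wrong", salt, digest))
    print("MD5 guesses/s   : %.0f" % guesses_per_second(fast_hash))
    print("PBKDF2 guesses/s: %.0f" % guesses_per_second(slow_hash))
```

The guessing-rate gap is the whole point of the iterated construction: a leaked configuration containing Type 5 hashes can be attacked at the fast rate, while Type 8 forces each guess through the full iteration count.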

Privilege Levels and Role-Based Access Control

  • Cisco IOS privilege levels range from 0 to 15: levels 0, 1, and 15 are predefined, and levels 2-14 are available for custom definitions.
  • Privilege levels can be used to control access to device commands.
  • The privilege command is used to configure custom privilege levels.

Improving Management Plane Security

  • Insecure remote management protocols like HTTP and Telnet should be avoided.
  • Secure protocols like HTTPS and SSH should be used instead.
  • The transport input ssh command is used to enable SSH on the device.
  • SSH relies on an RSA certificate for encryption.
  • The crypto key generate rsa command is used to generate an RSA certificate.

Zone-Based Firewall (ZBFW)

  • ZBFW is a stateful firewall technology included in IOS.
  • ZBFW uses security zones to simplify configuration.
  • Two system-built zones are included: the Self Zone and the Default Zone.
  • Additional zones can be configured by the administrator.

Learn about the importance of firewalls in securing networks from intrusions and understanding the basics of firewalls, including hardware and software configurations.
