Introduction to Firewalls PDF
Fanshawe College
Summary
This document is a presentation on firewall best practices. It covers different types of firewalls, including static packet filtering and stateful packet inspection, next-generation firewalls (NGFWs), web application firewalls (WAFs), and zero trust security models. The presentation also includes topics like change management, security assessments, and logging.
Full Transcript
Introduction to Firewalls, Part 1
SRTY-3010 Security – Supporting the Edge

Learning Outcomes
- Firewall best practices
- Types of firewalls
- Concept of a firewall

Concept of a Firewall
When connecting to the Internet, protecting the network against intrusion is of critical importance. The standard way to secure the Internet link is to put a firewall system between the local network and the Internet. Firewalls can be hardware, software or a combination of both, configured to meet an organization's security needs. The firewall ensures that all communication between an organization's network and the Internet conforms to the organization's security policy.

Firewall Best Practices
Some of the concepts covered in the labs adhere to common best practices. Best practices are well-defined procedures known to produce optimum results; in the case of firewalls, most best practices are related to increasing security and reducing risk. Before implementing something as important as a firewall, consider the best practices that should be applied. ISO 27002 provides a reference of best practices for implementing security controls.

While working with firewalls, we should always be cognizant of the following high-level security best practices.

Principle of Least Privilege – firewall administration
Modern firewalls allow multiple administrative users with varying degrees of access to the administrative interface. Where such access must be delegated for specific purposes, grant those users only the privileges they require to do their jobs.
- Example: helpdesk staff need to view DHCP logs on the firewall to troubleshoot desktop issues.
- Solution: create a specific role on the firewall that gives helpdesk users read-only access to only the features they require.
Principle of Least Privilege – firewall traffic rules and exceptions
When a firewall controls access between an untrusted network and a trusted network, allow only the hosts, ports and applications necessary for the specific business requirement.
- Refer to the relevant application/system documentation to fully understand the implications of exposing a particular service through the firewall.
- Allowing only what is required is more secure than allowing an entire host or a large range of ports.
- Consider inbound as well as outbound traffic.

Example: Windows Server, Certificate Services. By reviewing the documentation we can clearly understand the application's firewalling requirements. Guesses or mistakes can result in vulnerabilities or sensitive data being exposed through the firewall.

Software and hardware vendors often supply network diagrams showing traffic flow and port requirements. Example: Microsoft Office Communications Server 2007, specific functionality: External User Access (more on DMZs later). Firewall vendors document such requirements for their own products as well.

Perform regular risk assessments
Attackers often take advantage of mistakes and oversights that happen when firewall changes are made but not verified. To ensure firewall changes have the desired effect, scan the firewall before and after each change. Regardless of changes, conduct regular vulnerability assessments against firewalls to ensure inadvertent changes have not been made. In the labs we will use nmap to scan before and after firewall changes to verify the expected outcome.
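The before/after scan only proves something if the two results are actually compared against the approved change. The script below is an added example, not part of the course slides: it parses two nmap grepable-output (-oG) results, reports which ports were opened or closed between them, and checks that delta against what the change request said should happen. The two scan results are constructed sample lines in nmap's -oG format (the host 192.168.100.1, the ports and the scan command in the comment are made up), standing in for files produced with `nmap -sS -p- -oG before.gnmap <firewall-ip>` before and after the change.

```python
"""Compare two nmap -oG (grepable) scans of a firewall, taken before and
after a rule change, and report ports that were opened or closed.

Added example for this page; not code from the course. BEFORE/AFTER are
constructed sample outputs in nmap's grepable format.
"""
import re

# Constructed sample: the change request asked to open TCP/443 only.
# The post-change scan also shows TCP/8080 open, which nobody asked for.
BEFORE = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG before.gnmap 192.168.100.1
Host: 192.168.100.1 ()\tStatus: Up
Host: 192.168.100.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

AFTER = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG after.gnmap 192.168.100.1
Host: 192.168.100.1 ()\tStatus: Up
Host: 192.168.100.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Each port entry in the Ports: field looks like  22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_ports(gnmap_text):
    """Return {host: {"tcp/22", ...}} for every port nmap reported as open."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        opened = {f"{proto}/{port}"
                  for port, state, proto in PORT_RE.findall(ports_field)
                  if state == "open"}
        result.setdefault(host, set()).update(opened)
    return result


def _port_key(p):
    proto, port = p.split("/")
    return (proto, int(port))


def diff_scans(before_text, after_text):
    """Return (newly_open, newly_closed) as sorted lists of 'host proto/port'."""
    before, after = open_ports(before_text), open_ports(after_text)
    newly_open, newly_closed = [], []
    for host in sorted(set(before) | set(after)):
        b, a = before.get(host, set()), after.get(host, set())
        newly_open += [f"{host} {p}" for p in sorted(a - b, key=_port_key)]
        newly_closed += [f"{host} {p}" for p in sorted(b - a, key=_port_key)]
    return newly_open, newly_closed


def verify_change(before_text, after_text, expected_open=(), expected_closed=()):
    """Compare the observed delta with the approved change request.
    Returns a list of discrepancies; an empty list means the change matches."""
    newly_open, newly_closed = diff_scans(before_text, after_text)
    problems = []
    problems += [f"UNEXPECTED open: {p}" for p in newly_open if p not in expected_open]
    problems += [f"UNEXPECTED closed: {p}" for p in newly_closed if p not in expected_closed]
    problems += [f"MISSING open: {p}" for p in expected_open if p not in newly_open]
    problems += [f"MISSING closed: {p}" for p in expected_closed if p not in newly_closed]
    return problems


if __name__ == "__main__":
    findings = verify_change(BEFORE, AFTER, expected_open=["192.168.100.1 tcp/443"])
    for line in findings or ["change verified: no discrepancies"]:
        print(line)
```

Run as written it reports `UNEXPECTED open: 192.168.100.1 tcp/8080`, which is exactly the kind of oversight the before/after scan is meant to catch; the same comparison run between two routine assessments (no change request, so both expected lists empty) flags any drift in the exposed ports.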
Change Management
Changes to firewalls have the potential to increase the risk to an organization. A formal change management process can reduce these risks while still allowing required changes to be made.
"Change" definition: the addition, modification, or removal of any service that could have an effect on IT services.

Best practices for firewall changes:
- Ensure changes are evaluated by all relevant stakeholders: leadership, information security, application/service stakeholders, auditors, risk.
- Test before implementing: test the changes in a test network to ensure they will have the desired effect.
- Have a backout plan in case changes do not go according to plan: make sure you can safely roll back changes.
- Document all changes: document all aspects of the change, and refer to this documentation in the firewall itself (rule comments/notes).

Rule cleanup
Over time, firewall exceptions accumulate. Regularly review firewall rules and exceptions and remove rules that are no longer necessary, to reduce the network attack surface.
Clean up after troubleshooting: where more ports are opened while troubleshooting an issue, revert any changes that were not needed to solve the issue.

Logging
Ensure firewall logging is enabled and regularly review logs to identify potential attacks. Ensure logs are preserved as long as possible so that attacks can be forensically investigated later.
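What "reviewing logs to identify potential attacks" looks like in practice, as an added example that is not part of the course: the script parses firewall deny/accept lines in the Linux netfilter LOG-target syslog format (the `SRC=`, `DST=`, `PROTO=`, `DPT=` fields are the real field names; the host `fw1`, the addresses and the timestamps are constructed) and flags any source that hits many distinct destination ports within a short window, the classic port-scan pattern. The `known_scanners` list and the window/threshold parameters are this example's own tuning knobs: excluding the organization's authorised vulnerability scanner from the regular assessments is the kind of tuning that keeps responders from drowning in alerts about expected activity.

```python
"""Review netfilter-style firewall syslog lines for port-scan behaviour:
one source reaching many distinct destination ports in a short window.

Added example for this page; not code from the course. SAMPLE_LOG is a
constructed sample in the Linux netfilter LOG-target format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime


def _line(ts, src, dpt, proto="TCP", prefix="FW-DROP"):
    """Build one constructed syslog line in netfilter LOG-target layout."""
    tail = (f" SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0" if dpt
            else " TYPE=8 CODE=0 ID=1 SEQ=1")
    return (f"{ts} fw1 kernel: {prefix}: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.168.100.1 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO={proto}{tail}")


# Constructed sample: 203.0.113.5 probes 12 ports in 12 seconds (a scan);
# 10.0.2.15 is the authorised vulnerability scanner used for the regular
# assessments; 198.51.100.7 is an ordinary client retrying one service.
SAMPLE_LOG = (
    [_line(f"Mar  3 10:15:{i:02d}", "203.0.113.5", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + [_line(f"Mar  3 10:20:{i:02d}", "10.0.2.15", 1000 + i) for i in range(15)]
    + [_line(f"Mar  3 10:25:{i:02d}", "198.51.100.7", 443, prefix="FW-ACCEPT") for i in range(5)]
    + [_line("Mar  3 10:26:00", "203.0.113.5", None, proto="ICMP")]
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<prefix>[\w-]+): "
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bPROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2024):
    """Parse one line into a dict, or None if it is not a firewall log line.
    BSD syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prefix": m["prefix"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None}


def detect_scans(lines, window_seconds=60, port_threshold=10, known_scanners=frozenset()):
    """Return one alert per source that touched >= port_threshold distinct
    destination ports within any window_seconds-long window. Sources in
    known_scanners (e.g. the authorised scanner) are ignored to reduce noise."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)        # src -> (timestamp, dport) within the window
    alerts = {}
    for e in events:
        if e["dpt"] is None or e["src"] in known_scanners:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["dpt"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                # slide the window forward
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold:
            a = alerts.setdefault(e["src"], {"src": e["src"], "distinct_ports": 0,
                                             "first": q[0][0], "last": e["ts"]})
            a["distinct_ports"] = max(a["distinct_ports"], len(distinct))
            a["last"] = e["ts"]
    return sorted(alerts.values(), key=lambda a: a["first"])


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG, known_scanners={"10.0.2.15"}):
        print(f"ALERT possible port scan from {a['src']}: {a['distinct_ports']} ports "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Without the `known_scanners` exclusion the authorised scanner produces an alert every assessment cycle; with it, only the external source is reported. The window and threshold are the other tuning levers: too small a window or too high a threshold and a slow scan slips through, too generous and ordinary clients start tripping it.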
Most firewalls allow logs to be sent to an external collector via syslog.

Alerting
Configure alerting to ensure suspicious traffic or patterns are investigated as quickly as possible. Spend time tuning alerts so that incident responders do not suffer "alert fatigue".

Patches and Updates
Even security devices like firewalls are affected by software vulnerabilities. Be aware of disclosed/patched vulnerabilities; subscribe to vendor security mailing lists.

Secure remote management
- Ensure remote management is only possible over encrypted protocols such as HTTPS and SSH.
- Require two-factor authentication for remote administration interfaces.
- Only expose remote administration interfaces to trusted networks, such as the internal IT network segment or the VPN.

Defer to company policy
Those responsible for risk in an organization should define, at a high level, the organization's information security risk tolerances. Having this defined ahead of time takes the guesswork out of potentially risky firewall changes, and gives an administrator a sound reason to deny requests that increase risk.

End of Part 1

Introduction to Firewalls, Part 2
SRTY-3010 Security – Supporting the Edge

Types of Firewalls

Static Packet Filtering
A traditional firewall with a very basic purpose: to control traffic entering or exiting network interfaces.
This could be implemented on a single host, or at or near a network gateway (a device that allows data to flow from one network to another, typically a router or a firewall with routing capabilities).

Each packet is evaluated one at a time using the following header information:
- Protocol
- Source IP address
- Destination IP address
- Source TCP/UDP port (although rarely used)
- Destination TCP/UDP port

Compared to stateful packet inspection (discussed next), static packet filtering (abbreviated SPF in this course) makes allow/deny decisions faster and requires fewer resources.

- Example: allow only packets with a destination port of 25 and a destination IP of 192.168.100.105; deny all other traffic.
- Example: allow only packets with a source IP in 10.0.2.0/24; deny all other traffic.

Stateful Packet Inspection
Stateful packet inspection (SPI) was first introduced by Check Point in 1994. Stateful firewalls:
- look at a series of packets coming into or going out of a network;
- track the state and characteristics of network connections;
- allow packets belonging to active connections to pass through.
For connections established INTO a network, the reply traffic for those connections can also travel OUT of the network. With SPF this is not as easily accomplished: a second rule would be required to allow the return traffic back out.
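To make the difference concrete, here is an added simulation (not code from the course, and its rule format is this example's own, not any vendor's) of both filter types. The static filter matches each packet's protocol, source/destination address and ports against a rule list, first match wins, implicit deny, and is exercised with the two slide examples above. The stateful filter wraps the same rules in a state table: an allowed TCP SYN records the connection, and the server's reply is admitted because its reversed 5-tuple is in the table, with no second rule. The packets are plain dicts built inline; 198.51.100.7 and 192.168.100.105 are the client and mail server addresses assumed for the demonstration.

```python
"""Static packet filtering (stateless, per-packet header match) versus
stateful packet inspection (state table that admits reply traffic).

Added example for this page; not code from the course. Rules and packets
are this example's own toy representations.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"         # source network (CIDR)
    dst: str = "0.0.0.0/0"         # destination network (CIDR)
    dport: Optional[int] = None    # destination port, None = any
    sport: Optional[int] = None    # source port, None = any (rarely used)

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.sport is None or self.sport == pkt.get("sport")))


def static_filter(rules, pkt):
    """Static packet filtering: first matching rule wins, implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful packet inspection: a packet allowed by the rules that starts a
    connection is recorded; later packets in either direction of a recorded
    connection are allowed without consulting the rules again."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()         # (proto, src, sport, dst, dport) per connection

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))

    @staticmethod
    def _reverse(pkt):
        return (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))

    def filter(self, pkt):
        if self._key(pkt) in self.state or self._reverse(pkt) in self.state:
            return "allow"         # belongs to a tracked connection
        if pkt["proto"] == "tcp" and pkt.get("flags") != "SYN":
            return "deny"          # mid-stream TCP that we never saw start
        decision = static_filter(self.rules, pkt)
        if decision == "allow":
            self.state.add(self._key(pkt))
        return decision


# Slide example 1: only SMTP to the mail server; everything else denied.
SMTP_ONLY = [Rule("allow", proto="tcp", dst="192.168.100.105/32", dport=25)]
# The extra rule a static filter needs so the mail server's replies get out.
# It is keyed only on source port 25, so it also lets through traffic the
# server sends to hosts that never connected in the first place.
RETURN_RULE = Rule("allow", proto="tcp", src="192.168.100.105/32", sport=25)
# Slide example 2: only packets from 10.0.2.0/24.
FROM_LAN_ONLY = [Rule("allow", src="10.0.2.0/24")]

SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 51000,
       "dst": "192.168.100.105", "dport": 25, "flags": "SYN"}
REPLY = {"proto": "tcp", "src": "192.168.100.105", "sport": 25,
         "dst": "198.51.100.7", "dport": 51000, "flags": "SYN-ACK"}
UNSOLICITED = {"proto": "tcp", "src": "192.168.100.105", "sport": 25,
               "dst": "198.51.100.9", "dport": 51001, "flags": "SYN-ACK"}


def demo():
    """Return the decisions each filter type makes for the SMTP exchange."""
    spf = {"syn": static_filter(SMTP_ONLY, SYN), "reply": static_filter(SMTP_ONLY, REPLY)}
    spi_fw = StatefulFilter(SMTP_ONLY)
    spi = {"syn": spi_fw.filter(SYN), "reply": spi_fw.filter(REPLY),
           "unsolicited": spi_fw.filter(UNSOLICITED)}
    return spf, spi


if __name__ == "__main__":
    print("static:  ", demo()[0])
    print("stateful:", demo()[1])
```

With `SMTP_ONLY` alone the static filter allows the client's SYN but drops the server's reply, because the reply's destination is not port 25 on the mail server. Adding `RETURN_RULE` fixes that, at the cost of also allowing `UNSOLICITED`; the stateful filter allows the reply and still denies the unsolicited packet, which is the practical reason stateful inspection displaced static filtering at the gateway.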
Stateful firewalls can use connection and protocol information to apply extra functions such as Network Address Translation (NAT) or Virtual Private Networks (VPNs). SPI allows a firewall to keep track of the connections going through it. Connections are tracked in a state table; when new packets arrive, their headers are compared to the state table to determine whether they are permitted or denied.

SPF vs SPI

Static Packet Filtering | Stateful Packet Inspection
Basic | Advanced
Can filter based on protocol, source/destination IP/port | Can filter based on protocol, source/destination IP/port, and packet context if related to existing connections
Operates at network layer | Operates at network layer and higher
Does not track state of existing network connections | Tracks the state of existing network connections in a state table
Requires fewer resources | Requires more resources

End of Part 2

Introduction to Firewalls, Part 3
SRTY-3010 Security – Supporting the Edge

Next Generation Firewall (NGFW)
"Next generation" firewalls are part of the third generation of firewall technology. NGFWs serve the same purpose as traditional firewalls, usually acting as a network gateway between networks or security zones. Along with being stateful for TCP connections, NGFWs can operate at various layers of the OSI model to apply security functionality. A key distinction is that they can operate at Layer 7 and have application awareness.

Like traditional firewalls, NGFWs can make filtering decisions based on source/destination IP and port, but can also filter based on applications, protocols and users.
- Example: block peer-to-peer file sharing.
- Example: allow only HTTP/HTTPS and nothing else.
- Example: allow HTTP, but do not allow file uploads.
- Example: block all TLS connections that do not have a valid server certificate.
- Example: allow members of the payroll department to access the internal payroll application server.

NGFWs typically require more resources to do their job. There may be throughput limitations depending on which security features are enabled. Hardware tiers and software licensing levels may also limit the amount of traffic an NGFW can handle. NGFWs can be very expensive, depending on the hardware and licensing options chosen.

The concept of having a single gateway device (NGFW) with a multitude of security controls is called Unified Threat Management (UTM). Features can include:
- Intrusion Detection System (IDS): detects malicious behavior in traffic based on known patterns or signatures.
- Intrusion Prevention System (IPS): like an IDS, but can also reset connections or block IPs that are performing suspicious or malicious activity according to known patterns or signatures.
- Inline antivirus: inspects files traversing the firewall for virus signatures; detects and/or blocks malware before it can be downloaded.
- Data Loss Prevention (DLP): prevents sensitive data breaches by detecting and blocking certain data structures (such as credit card numbers) from being exfiltrated.
- Web proxy and web content filtering: allows/blocks the use of web sites based on predetermined web site categorization. Example: block adult web sites or sites known to contain hacking tools.
- Email filtering: provides an email gateway placed in front of the actual SMTP server to provide additional filtering of email; can reduce spam, malicious attachments, or DoS attacks via SMTP.
Web Application Firewall (WAF)
A WAF is put in place to protect web applications. WAFs inspect HTTP traffic going to and from web applications to detect and prevent attacks specific to web applications, such as:
- Buffer overflows
- Cross Site Scripting (XSS)
- SQL injection (SQLi)
A WAF can be considered a reverse proxy.

Zero Trust Security Model
Classically, firewall security focused on network perimeters, such as the perimeter between an organization and the Internet, or the perimeter between the user networks and the datacenter. This is called a perimeter-centric approach:
- Monitors traffic flowing North-South.
- Analogous with the approach: trust, but verify.
- Does not always protect the network against attacks originating from within the network.

The Zero Trust Security Model removes the assumption of trust and inspects all possible traffic. The components that make the zero trust model possible are user and application identification, as well as content scanning, used to move the trust boundary as close to the resources as possible.
- Monitors traffic flowing North-South and East-West.
- Analogous with the approach: never trust, always verify.
- Protects internal resources from lateral attacks.

Summary – firewall best practices
- Principle of least privilege
- Trust but verify
- Change management
- Rule cleanup
- Logging
- Alerting
- Patches and updates
- Secure remote management

Summary – types of firewalls
- Static packet filtering
- Stateful packet inspection
- Next Generation Firewall (NGFW)
- Web Application Firewall (WAF)
- Zero Trust Security Model

Lab 1
Independently complete Lab 1: download, configure, and power on the lab VMs. Labs are cumulative; in order to do the next lab, the previous labs must be completed. VMware LAN segments will be used in this and subsequent labs. A VMware LAN segment is a private network shared by other virtual machines.
We will use various LAN segments to simulate different network situations without affecting the Fanshawe network.

End of Lesson 1
SRTY-3010 Security – Supporting the Edge