Chapter 7 - 03 - Understand Different Types of Firewalls and their Role_fax_ocred.pdf
EC-Council, 2020
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Module Flow
= Discuss Essential Network Security Protocols
= Discuss Fundamentals of VPN and its Importance in Network Security
= Understand Different Types of Firewalls and their Role
= Understand Different Types of IDS/IPS and their Role
= Understand Different Types of Honeypots
= Understand Different Types of Proxy Servers and their Benefits
= Discuss Security Benefits of Network Segmentation
= Discuss Other Network Security Controls
= Discuss Importance of Load Balancing in Network Security
= Understand Various Antivirus/Anti-malware Software

Understand Different Types of Firewalls and their Role

This section describes firewalls and the different types of firewall technologies available. These include packet filtering, stateful multilayer inspection, circuit-level gateway, application-level gateway, application proxy, network address translation (NAT), virtual private network (VPN), and next generation firewall (NGFW).

Module 07 Page 757 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

What is a Firewall?
A firewall is software or hardware, or a combination of both, which is generally used to separate a protected network from an unprotected public network. A firewall is a secure, reliable, and trusted device placed between private and public networks. It helps protect a private network from the users of a different network. It monitors and filters the incoming and outgoing traffic of the network and prevents unauthorized access to private networks. It has a set of rules for tracing the incoming and outgoing network traffic and is also responsible for allowing or denying traffic to pass through. These criteria are the rules and restrictions configured on the firewall, and they may vary from one type of firewall to another. Generally, a firewall filters traffic based on the type of traffic, source or destination addresses, protocols, and ports.

Figure 7.42: Working of a firewall (the secure private network and the Internet are separated by the firewall: restricted traffic is stopped because it does not meet specific criteria, allowed traffic passes out to the Internet, and only traffic from the Internet meeting the specified criteria is allowed through to specific resources)

Typical use of firewalls:
= To protect the private network applications and services on the internal network from unauthorized traffic and the public network.
= To restrict the access of the hosts on the private network to the services of the public network.
= To support network address translation, which helps in using private IP addresses and sharing a single internet connection.
Types of Firewalls: Hardware Firewalls
= A hardware firewall is either a dedicated stand-alone hardware device or it comes as part of a router
= The network traffic is filtered using the packet filtering technique
= It is used to filter out the network traffic for large business networks
(Slide figure: a hardware firewall, usually part of a TCP/IP router, placed between the secure private network, i.e. the private local area network, and the public network)

Types of Firewalls: Software Firewalls
= A software firewall is a software program installed on a computer, just like normal software
= It is generally used to filter traffic for individual home users
= It only filters traffic for the computer on which it is installed, not for the entire network
(Slide figure: computers running firewall software on the secure private network, each connected to the public network)

Types of Firewalls: Host-based and Network-based Firewalls
Host-based Firewalls
= The host-based firewall is used to filter inbound/outbound traffic of an individual computer on which it is installed
= It is a software-based firewall
= This firewall software comes as part of the OS
= Example: Windows Firewall, Iptables, UFW, etc.
Network-based Firewalls
= The network-based firewall is used to filter inbound/outbound traffic from the internal LAN
= It is a hardware-based firewall
= Example: pfSense, Smoothwall, Cisco SonicWall, Netgear, ProSafe, D-Link, etc.

Types of Firewalls: External and Internal Firewalls
External Firewalls
= External firewalls are used to limit the access between the protected and public networks
= They are placed to provide access control and protection for the DMZ systems
Internal Firewalls
= Internal firewalls are used to protect one network segment from others in the internal network
= Internal firewalls are placed in a situation where different types of access are required for specific services or information
= Internal firewalls sit between two network segments of the same organization or between two organizations that share the same network

Types of Firewalls

There are two types of firewalls.

= Hardware Firewalls

A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is an integral part of the network setup and is also built into broadband routers or used as a standalone product. A hardware firewall helps to protect systems on the local network and performs effectively with little or no configuration. It employs the technique of packet filtering. It reads the header of a packet to find out the source and destination addresses and compares them with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet.
A hardware firewall functions on an individual system or a particular network connected using a single interface. Examples of hardware firewalls include Cisco ASA and FortiGate. Hardware firewalls protect the private local area network. However, hardware firewalls are expensive as well as difficult to implement and upgrade.

Advantages:
o Security: A hardware firewall with its operating system (OS) is considered to reduce security risks and increase the level of security controls.
o Speed: Hardware firewalls initiate faster responses and enable more traffic.
o Minimal Interference: Since a hardware firewall is a separate network component, it enables better management and allows the firewall to be shut down, moved, or reconfigured without much interference in the network.

Disadvantages:
o More expensive than a software firewall.
o Difficult to implement and configure.
o Consumes more space and involves cabling.

Figure 7.43: Hardware Firewall (a hardware firewall, usually part of a TCP/IP router, between the secure private network or private local area network and the public network)

= Software Firewalls

A software firewall is similar to a filter. It sits between a regular application and the networking components of the OS. It is more useful for individual home users, and it is suitable for mobile users who need digital security when working outside the corporate network. Further, it is easy to install on an individual's PC, notebook, or workgroup server. It helps protect your system from outside attempts at unauthorized access and provides protection against everyday Trojans and email worms.
It includes privacy controls, web filtering, and more. A software firewall implants itself in the critical area of the application/network path. It analyzes the data flow against the rule set. The configuration of a software firewall is simple compared to that of a hardware firewall. A software firewall intercepts all requests from a network to the computer to determine if they are valid, and protects the computer from attacks and unauthorized access. It incorporates user-defined controls, privacy controls, web filtering, content filtering, etc., to restrict unsafe applications from running on an individual system. Software firewalls use more resources than hardware firewalls, which reduces the speed of the system. Examples of software firewalls include those produced by Norton, McAfee, and Kaspersky.

Advantages:
o Less expensive than hardware firewalls.
o Ideal for personal or home use.
o Easier to configure and reconfigure.

Disadvantages:
o Consumes system resources.
o Difficult to uninstall.
o Not appropriate for environments requiring faster response times.

Figure 7.44: Software Firewall (computers running firewall software on the secure private network, each connected to the public network)

Note: It is recommended that you configure both a software and a hardware firewall for best protection.

= Host-based Firewalls

A host-based firewall is a software-based firewall that can filter inbound/outbound traffic of an individual computer on which it is installed and checks for any malicious activity throughout the network. It comes as part of the system's OS.
For example, Microsoft Firewall, which is part of the Windows system, Iptables, Uncomplicated Firewall (UFW), etc. The different levels of traffic analysis of these firewalls include packet analysis at the network and transport layers of the OSI model. These firewalls check the MAC address, IP address, packet source, and destination port before allowing a packet to pass. Then, a stateful filter validates the packets. In the end, the packet is validated at the application layer.

Advantages
o Provides security for devices irrespective of change in location
o Provides internal security and avoids internal attacks by allowing only authorized users
o Setup requires basic hardware/software installation
o Useful for individuals and small businesses with fewer devices, as they provide customized protection
o Provides flexibility by allowing applications and virtual machines (VMs) to take their host-based firewalls along with them when they are moved between cloud environments
o Allows configuring a single device for an individual's requirements using custom firewall rules

Disadvantages
o Not suitable for larger networks
o Provides less security, because if an attacker can access a host, they can turn off the firewall or install malicious code undetected by the organization
o Must be replaced if bandwidth exceeds firewall throughput or, otherwise, more effort is needed to scale up every device if the number of hosts increases
o Costly, as they require individual installation and maintenance on every server for big organizations
o Dedicated IT staff is needed for maintaining each device

= Network-based Firewalls

A network-based firewall is a hardware-based firewall that can be used to filter inbound/outbound traffic on the internal LAN. For example, pfSense, Smoothwall, Cisco SonicWall, Netgear, ProSafe, D-Link, etc.
Such a firewall functions at the network level and filters data that traverses the network, forming a network perimeter as the first line of defense. It functions by routing traffic to proxy servers, which manage data transmission in the network.

Advantages
o Network-based firewalls do not require individual installation and maintenance on every server.
o As any malicious traffic would be met at the network barrier, they can provide greater security than what host-based firewalls can provide a host.
o They allow scalability when a client's bandwidth demands increase.
o They offer high availability (uptime), and their security can be extended beyond a single service provider network.
o They require a limited workforce, which may be needed to manage only one or two sets of network firewalls.
o They are appropriate for SMEs or organizations with large networks.

Disadvantages
o They do not consider applications and vulnerabilities on a system/VM.
o They do not provide protection for host-to-host communication in the same VLAN.
o Their setup requires highly skilled resources.
o Their cost is lower in the case of big organizations.
o Incorrect maintenance of network firewalls that function as proxy servers may decrease network performance.

Note: It is recommended to configure both a host-based and a network-based firewall for best protection.

In a real environment, a combination of host-based and network-based firewalls provides greater security. For example, if an attacker were able to breach the network-level security, it would still be difficult to breach each host-based firewall.
This combination is suitable for big organizations with complex networks, which have higher threat levels to their sensitive data and need to meet strong compliance standards.

= External Firewalls

External firewalls are used to limit access between the protected network and the public network. They validate the inbound and outbound traffic of the internal network and translate addresses between the internal and public IP addresses. These firewalls are placed to provide access control and protection for the DMZ systems, in which new connections are disallowed from the external to the internal network. They provide security for legacy devices that do not have firewalls. They also provide security to systems that have issues preventing them from having protection capabilities. External firewalls are implemented by placing the external firewall between the legacy device and the LAN. Even if the legacy device is compromised, the external firewall device can detect the malicious device and prevent it from spreading the attack to the remaining devices in the network, and also prevent it from contacting applications on the Internet. Examples include Floodgate Defender by Icon Labs, Firebox M440 by WatchGuard (switch-oriented firewall), etc.
Advantages
o Operate independently of legacy devices
o Can be updated independently of legacy devices
o Ability to control systems with more open connections, such as a web browser
o Allow quick installation and are easy to configure
o Useful for replacing the connection of a legacy device to a switch with a connection to the firewall device by combining the external firewall with a switch (this is applicable if an organization's legacy devices cannot be updated for security and replacing the system may not be feasible)

= Internal Firewalls

Internal firewalls, or internal network segmentation firewalls, are used to protect one network segment from others in the internal network and ensure the application of stateful inspection and policies for the traffic that traverses the internal network. These firewalls restrict malicious activity in one segment of the network from spreading to other internal network segments. They are placed in a situation where different types of access are required for specific services or information. Internal firewalls sit between two network segments of the same organization or between two organizations that share the same network. Instead of using switches, internal firewalls allow segmenting the network as well as monitoring its traffic by implementing stateful policies.

Advantages
o They isolate and secure critical servers and systems from internal users and from external users accessing public servers, while restricting access to the network and keeping it under monitoring at all times.
o They block communication between two hosts and isolate the segment where malicious activity is identified
o They provide visibility into the internal network
o They allow segmentation and monitoring of even large L2 networks (but the internal firewalls need to be placed between two stacks of L2 aggregation switches)
o Traffic handling capacity is higher compared to placing the firewalls at the edge of the network
o They restrict remote users to a few network segments
o They allow containment and monitoring of VPN traffic

Disadvantages
o Internal firewalls need the creation of additional subnets
o Problematic for systems that move among different networks
o Expensive devices

Note: It is recommended to configure both an external and an internal firewall whenever required.
Firewall Technologies

Firewalls are designed and developed with the help of different firewall services. Each firewall service provides security depending on its efficiency and sophistication. There are different types of firewall technologies depending on where the communication is taking place, where the traffic is intercepted in the network, the state that is traced, and so on. Considering the capabilities of different firewalls, it is easy to choose and place an appropriate firewall to meet the security requirements in the best possible way. Each type of firewall has its advantages.

Several firewall technologies are available for organizations to implement their security measures. Sometimes, firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology; however, when it is combined with a firewall, it is considered a firewall technology.
The various firewall technologies are listed below:
= Packet Filtering
= Circuit-Level Gateways
= Application-Level Gateways
= Stateful Multilayer Inspection Firewall
= Application Proxy
= Network Address Translation (NAT)
= Virtual Private Network (VPN)
= Next Generation Firewall (NGFW)

The table below summarizes the technologies operating at each OSI layer:

OSI Layer      Firewall Technology
Application    Virtual Private Network (VPN); Application Proxies
Presentation   Virtual Private Network (VPN)
Session        Virtual Private Network (VPN); Circuit-Level Gateways
Transport      Virtual Private Network (VPN); Packet Filtering
Network        Virtual Private Network (VPN); Network Address Translation (NAT); Packet Filtering; Stateful Multilayer Inspection
Data Link      Virtual Private Network (VPN); Packet Filtering
Physical       Not Applicable

Table 7.3: Firewall Technologies

The security levels of these technologies vary according to their efficiency levels. These technologies can be compared by the OSI layer at which they inspect the traffic passing between hosts. Data passes through the intermediate layers from a higher layer to a lower layer, and each layer adds additional information to the data packets. The lowest layer then sends the resulting data across the physical network, where it travels back up through the layers to its destination.
Packet Filtering Firewall

Packet filtering is the most basic feature of all modern firewalls. Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP). They are usually part of a router. Most routers support packet filtering. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can:
= Drop the packet
= Forward it, or send a message to the originator

They evaluate each packet based on the packet header information, including source IP address, destination IP address, source port, destination port, protocol, etc. If the packet header information does not match the ruleset, the firewall drops the packet; otherwise, it is forwarded. Rules can include source and destination IP address, source and destination port number, or the protocol used. When a data packet passes through the network, a packet filter checks the packet header and compares it with the connection bypass table, which keeps a log of the connections passing through the network. The advantage of packet filtering firewalls is their low cost and low impact on network performance.
Traffic is filtered based on specified rules, including source and destination IP address, packet type, and port number. Unknown traffic is only allowed up to level 2 of the network stack.

Figure 7.45: Packet filtering firewall (the stack Application / TCP / Internet Protocol (IP) / Network Interface, with incoming traffic checked at the IP layer: disallowed traffic is dropped and allowed traffic passes, alongside allowed outgoing traffic)

There are three methods available for configuring packet filters after determining the set of filtering rules:
= Rule 1: This rule states that the filter accepts only those packets that are safe, thereby dropping the rest.
= Rule 2: This rule states that the filter drops only those packets that are confirmed unsafe.
= Rule 3: This rule states that, if there are no specific instructions provided for any particular packet, then the user is given the chance to decide what to do with the packet.

A network packet can pass through the network by entering a previously established connection. If a new packet enters the network, the firewall verifies the packet and checks whether it follows/meets the rules. It then forwards the packet to the network and enters the new data packet's connection in the bypass table. A packet filtering firewall is not expensive, and neither does it affect network performance.

Basic packet-filtering firewalls are stateless and do not maintain any information on active sessions. Every packet entering the firewall is inspected independently, without maintaining any record of previously processed packets. Most routers support packet filtering. Packet filtering is a relatively low-level security measure that can be bypassed by techniques such as packet spoofing, where the attacker crafts or replaces packet headers so that the packets are then not filtered by the firewall.
As can be judged from the name, packet filter-based firewalls concentrate on individual packets and analyze their header information as well as the directed path. Traditional packet filtering firewalls make their decisions based on the following information:
= Source IP address: This allows the firewall to check whether the packet is coming from a valid source. The IP header stores the information about the source of the packet, and the address refers to the source system's IP address.
= Destination IP address: This allows the firewall to check whether the packet is heading toward the correct destination; the IP header of the packet stores the destination address of the packet.
= Source TCP/UDP port: This allows the firewall to check the source port of the packet.
= Destination TCP/UDP port: This allows the firewall to verify the destination port of a packet to allow or deny the services.
= TCP code bits: This allows the firewall to check whether the packet has a SYN, ACK, or other bits set for connecting.
= Protocol in use: Packets carry protocols, and this field checks the protocol used and decides to allow or deny associated packets.
= Direction: This allows the firewall to check whether the packet is coming into the packet filter firewall or leaving it.
= Interface: This allows the firewall to check whether the packet is coming from an unreliable site.
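The decision fields just listed, together with the three default-policy styles described for packet filters, as an added Python example (constructed here; it is not EC-Council's code): a stateless filter that evaluates each packet in isolation against an ordered rule list. The interface names, addresses and ruleset are assumptions. The last sample packet shows the caveat the text raises about statelessness: with no session table, a "return traffic" rule can only trust the ACK bit, so a bare ACK is accepted even though no session was ever opened. That gap is what stateful inspection closes.

```python
"""Stateless packet filter (constructed teaching example, not EC-Council's code).
Each packet is judged on its own against an ordered rule list using the header
fields the text lists; the default policy selects between the three
configuration styles described for packet filters."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                 # "tcp", "udp" or "icmp"
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: FrozenSet[str]     # TCP code bits, e.g. {"SYN"} or {"ACK"}
    direction: str                # "in" (entering the protected network) or "out"
    interface: str                # interface the packet arrived on (hypothetical names)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str = "any"
    interface: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    dst_port: Optional[int] = None
    flags_set: FrozenSet[str] = frozenset()      # all of these bits must be set
    flags_clear: FrozenSet[str] = frozenset()    # none of these bits may be set

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.interface in ("any", p.interface)
                and self.protocol in ("any", p.protocol)
                and ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and self.flags_set <= p.tcp_flags
                and not (self.flags_clear & p.tcp_flags))


def filter_packet(rules: List[Rule], p: Packet, policy: str = "deny-by-default") -> str:
    """First matching rule decides. Packets matching nothing fall to the policy:
    'deny-by-default' (accept only what is known safe), 'allow-by-default'
    (drop only what is known unsafe) or 'ask' (defer the decision to the user)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return {"deny-by-default": "deny", "allow-by-default": "allow", "ask": "ask"}[policy]


# Constructed ruleset for a LAN 10.0.0.0/24 behind the untrusted interface "wan0" (hypothetical).
RULES = [
    # Anti-spoofing: a packet arriving on the untrusted interface must not claim an internal source.
    Rule("deny", direction="in", interface="wan0", src="10.0.0.0/8"),
    # New connections from anywhere are accepted only to the internal web server.
    Rule("allow", direction="in", protocol="tcp", dst="10.0.0.5/32", dst_port=443,
         flags_set=frozenset({"SYN"}), flags_clear=frozenset({"ACK"})),
    # Return traffic for sessions opened from inside: a stateless filter can only
    # approximate this by trusting the ACK bit, because it keeps no session table.
    Rule("allow", direction="in", protocol="tcp", flags_set=frozenset({"ACK"})),
    # Everything from the inside may go out.
    Rule("allow", direction="out"),
]


def packet_filter_demo() -> dict:
    """Evaluate constructed sample packets; returns {name: verdict}."""
    syn = frozenset({"SYN"})
    ack = frozenset({"ACK"})
    samples = {
        "web_syn":        Packet("203.0.113.7", "10.0.0.5", "tcp", 51000, 443, syn, "in", "wan0"),
        "ssh_syn":        Packet("203.0.113.7", "10.0.0.5", "tcp", 51001, 22, syn, "in", "wan0"),
        "spoofed_source": Packet("10.0.0.9", "10.0.0.5", "tcp", 51002, 443, syn, "in", "wan0"),
        # Accepted by the ACK rule although no session was ever opened: the stateless gap.
        "bare_ack":       Packet("203.0.113.7", "10.0.0.5", "tcp", 51003, 5555, ack, "in", "wan0"),
        "outbound_dns":   Packet("10.0.0.5", "192.0.2.53", "udp", 40000, 53, frozenset(), "out", "lan0"),
    }
    return {name: filter_packet(RULES, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in packet_filter_demo().items():
        print(f"{name:15s} -> {verdict}")
```

Changing the `policy` argument to "allow-by-default" or "ask" shows the other two configuration styles: the unmatched SSH packet is then allowed or handed to the operator instead of being dropped.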
Circuit-Level Gateway

Circuit-level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor the TCP handshake between packets to determine whether a requested session is legitimate or not. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. The circuit-level gateway firewall uses the data present in the headers of data packets to perform its action. It is not a stand-alone firewall, but it works in coordination with other firewalls such as packet filters and application proxies to perform its functions. Because information passed to a remote computer appears to have originated from the gateway, circuit-level gateway firewalls have the ability to hide information about the network they protect. These firewalls are relatively inexpensive. Traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer. Unknown traffic is only allowed up to level 3 of the network stack.
Figure 7.46: Circuit-level gateway (the stack Application / TCP / IP / Network Interface, with incoming traffic checked at the TCP layer: disallowed traffic is dropped and allowed traffic passes, alongside allowed outgoing traffic)

If one system wants to view information on the other system, it sends a request to the second system, and the circuit-level gateway firewall intercepts this request. The firewall forwards the packet to the recipient system with a different address. After the first system receives the reply, the firewall checks whether the reply matches the IP address of the initial system. If the reply matches, the firewall forwards the packet; otherwise, it drops it.

Advantages
= Hides data of the private network
= Does not filter individual packets
= Does not require a separate proxy server for each application
= Easy to implement

Disadvantages
= Cannot scan active contents
= Can only handle TCP connections
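The request and reply handling described above, as an added Python example (constructed here; it is not EC-Council's code): the gateway relays TCP circuits opened by internal hosts, substitutes its own address toward the remote peer, and forwards replies only when they belong to a circuit it set up and come from the peer that circuit was opened to. The addresses, ports and the internal address prefix are assumptions.

```python
"""Circuit-level gateway (constructed teaching example, not EC-Council's code).
Outbound segments leave with the gateway's own address; inbound segments are
forwarded to the internal client only when they answer a known circuit.
Only TCP is modelled, matching the limitation noted in the text."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]
    payload: bytes = b""


class CircuitLevelGateway:
    def __init__(self, public_ip: str, internal_net: str = "10.0.0."):
        self.public_ip = public_ip
        self.internal_net = internal_net          # crude prefix test for "internal" hosts (assumption)
        self._next_port = count(40000)            # gateway-side ports handed out per circuit
        # circuit keyed by gateway port -> client endpoint, remote endpoint, handshake state
        self.circuits: Dict[int, dict] = {}
        # reverse index: (client_ip, client_port, remote_ip, remote_port) -> gateway port
        self._by_client: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """Segment from an internal host; returns the rewritten segment, or None if dropped."""
        if not seg.src_ip.startswith(self.internal_net):
            return None                            # only internal hosts may open circuits
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        gw_port = self._by_client.get(key)
        if gw_port is None:
            if seg.flags != {"SYN"}:
                return None                        # a circuit starts with the handshake, never mid-stream
            gw_port = next(self._next_port)
            self.circuits[gw_port] = {"client": (seg.src_ip, seg.src_port),
                                      "remote": (seg.dst_ip, seg.dst_port),
                                      "state": "SYN_SENT"}
            self._by_client[key] = gw_port
        # The remote host only ever sees the gateway's address and port.
        return Segment(self.public_ip, gw_port, seg.dst_ip, seg.dst_port, seg.flags, seg.payload)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Segment from the public network; forwarded to the client only if it answers a known circuit."""
        circuit = self.circuits.get(seg.dst_port)
        if seg.dst_ip != self.public_ip or circuit is None:
            return None                            # unsolicited: no circuit behind this port
        if (seg.src_ip, seg.src_port) != circuit["remote"]:
            return None                            # reply must come from the peer the client contacted
        if circuit["state"] == "SYN_SENT":
            if seg.flags != {"SYN", "ACK"}:
                return None                        # the handshake must complete in order
            circuit["state"] = "ESTABLISHED"
        client_ip, client_port = circuit["client"]
        return Segment(seg.src_ip, seg.src_port, client_ip, client_port, seg.flags, seg.payload)


def gateway_demo() -> dict:
    """Constructed exchange through the gateway; returns the observable outcomes."""
    gw = CircuitLevelGateway(public_ip="198.51.100.1")
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    out = gw.outbound(Segment("10.0.0.5", 51000, "93.184.216.34", 80, syn))
    reply = gw.inbound(Segment("93.184.216.34", 80, "198.51.100.1", out.src_port, synack))
    wrong_peer = gw.inbound(Segment("203.0.113.9", 80, "198.51.100.1", out.src_port, synack))
    unsolicited = gw.inbound(Segment("203.0.113.9", 4444, "198.51.100.1", 40001, syn))
    mid_stream = gw.outbound(Segment("10.0.0.6", 51001, "93.184.216.34", 80, frozenset({"ACK"})))
    return {
        "seen_by_remote": (out.src_ip, out.src_port),          # gateway address, not 10.0.0.5
        "reply_delivered_to": (reply.dst_ip, reply.dst_port),  # original client endpoint
        "wrong_peer_dropped": wrong_peer is None,
        "unsolicited_dropped": unsolicited is None,
        "mid_stream_open_dropped": mid_stream is None,
    }


if __name__ == "__main__":
    for name, value in gateway_demo().items():
        print(f"{name:25s} {value}")
```

The remote host never learns the client's address (the "hides data of the private network" advantage), while a reply from a different host, an unsolicited SYN toward the gateway, and an attempt to join a circuit without a handshake are all dropped.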
Application Level Gateways

Application-level gateways can filter packets at the application layer of the OSI model. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET. In plain terms, an application-level gateway can be configured to be a web proxy that will not allow any FTP, gopher, Telnet, or other traffic through.

An application-level gateway firewall controls input, output, and/or access across an application or service. It monitors and possibly blocks the input, output, or system service calls that do not meet the firewall policy. Before allowing the connection, it evaluates the network packets for valid data at the application layer. Traffic is filtered based on specified application rules: applications (e.g., a browser), a protocol (e.g., FTP), or a combination of these. Unknown traffic is only allowed up to the top of the network stack.

Figure 7.47: Application level gateway

The client and server do not communicate directly; all communication passes through a proxy server. This server acts as a gateway for two-sided communication and drops data packets that violate the firewall's policy rules.

- Application-level gateways, also called proxies, concentrate on the application layer rather than just the packets.
- They perform packet filtering at the application layer and make decisions about whether or not to transmit the packets.
- A proxy-based firewall asks for authentication before passing packets, as it works at the application layer.
- Incoming or outgoing packets cannot access services for which there is no proxy.
- In plain terms, the design of an application-level gateway lets it act as a web proxy and drop FTP, gopher, Telnet, or any other traffic that should not be allowed to pass through.
- As packet filtering is performed at the application level, it is possible to filter application-specific commands such as GET or POST requests.
- A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests for repetitive data transfers to the servers.

An application-level firewall checks for packets that do not comply with the filtering rules. Unauthorized packets are dropped, and authorized packets are forwarded to the application layer of the destination.

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine all the aspects of the three types of firewalls discussed previously. These firewalls address the drawbacks of stateless packet-filtering firewalls.
They track and maintain the details of the sessions established between two hosts, using state tables to hold session information. They inspect packets entering the firewall and check whether each packet belongs to an already established session; if a packet does not belong to any active session, the firewall applies packet-filtering rules to determine whether to block or allow it. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer them. Stateful packet filtering overcomes the plain packet filter's inability to check packet headers against an existing session.

Traffic is filtered at three levels, based on a wide range of specified application, session, and packet filtering rules. Unknown traffic is allowed up to level 2 of the network stack.

Figure 7.48: Stateful multilayer inspection firewall

These firewalls eliminate the lack of transparency of application-level gateways because they allow a direct connection between the client and the host. They use algorithms to examine, filter, and process application-layer data instead of using proxies. Stateful multilayer inspection firewalls have many advantages, such as a high level of security, better performance, and transparency to end users. They are quite expensive because of their complexity. They remember the packets that passed through them earlier and make decisions about future packets based on this information.
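The three-level decision described above, as an added simulation (illustrative code, not EC-Council's): the first packet of a flow is checked against layer-3/4 packet-filtering rules; once a flow is in the state table, later packets in either direction are recognized as part of that session without re-evaluating the rules, while packets that are neither new flows nor members of a session are dropped at the TCP layer; finally the payload is inspected at the application layer. The verdict names the layer at which a packet was dropped. Rules, addresses and payloads are constructed for the demo; the application check is deliberately simple (an HTTP method allow-list) and treats anything that starts with "HTTP/" as a server response.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    syn: bool = False        # True on the first packet of a new flow
    payload: bytes = b""


# Layer-3/4 rules, evaluated top-down: (action, source prefix, destination port or None for any)
RULES = [
    ("allow", "10.0.0.", 80),
    ("allow", "10.0.0.", 443),
    ("deny",  "",        None),   # default deny for everything else
]
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}   # application-layer policy (constructed)


@dataclass
class StatefulMultilayerFirewall:
    sessions: set = field(default_factory=set)   # the state table: 4-tuples of permitted flows

    @staticmethod
    def _network_layer(p):
        for action, src_prefix, dport in RULES:
            if p.src.startswith(src_prefix) and dport in (None, p.dport):
                return action == "allow"
        return False

    @staticmethod
    def _application_layer(p):
        if not p.payload or p.payload.startswith(b"HTTP/"):
            return True                        # nothing to inspect, or a server response
        return p.payload.split(b" ", 1)[0] in ALLOWED_METHODS

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        known = fwd in self.sessions or rev in self.sessions
        # 1. network layer: packets of unknown flows must pass the packet-filtering rules
        if not known and not self._network_layer(p):
            return "DROP at network layer"
        # 2. session (TCP) layer: only a SYN may open a session; anything else must belong to one
        if not known:
            if not p.syn:
                return "DROP at TCP layer (not part of an established session)"
            self.sessions.add(fwd)             # remember the flow for future packets
        # 3. application layer: inspect the content
        if not self._application_layer(p):
            return "DROP at application layer"
        return "ALLOW"


def run_scenario():
    """Constructed packets; returns the verdict for each in order."""
    fw = StatefulMultilayerFirewall()
    inside, web = "10.0.0.5", "198.51.100.20"
    packets = [
        Packet(inside, web, 80, syn=True),                                     # new HTTP flow
        Packet(inside, web, 80, payload=b"GET /index.html HTTP/1.1\r\n"),      # request in session
        Packet(web, inside, 40000, sport=80, payload=b"HTTP/1.1 200 OK\r\n"),  # reply, matched by state
        Packet(inside, web, 80, payload=b"TRACE / HTTP/1.1\r\n"),              # disallowed method
        Packet(inside, web, 23, syn=True),                                     # telnet: no rule allows it
        Packet("198.51.100.77", inside, 445, sport=50000, syn=True),           # unsolicited from outside
        Packet(inside, web, 443, sport=40001, payload=b"GET / HTTP/1.1\r\n"),  # data with no session
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The reply on line three is allowed purely because the firewall remembered the outbound flow: no rule permits traffic from 198.51.100.20 to the inside, which is exactly the stateless packet filter's drawback the text says these firewalls address.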
These firewalls provide the best of both packet filtering and application-based filtering. Cisco Adaptive Security Appliances contain stateful firewalls. These firewalls also track and log slots or translations.

They check for packets that do not comply with the filtering rules and drop them at the network layer of the protocol stack. Packets forwarded to the next layer undergo another layer of filtering to confirm whether they belong to a proper session; packets that are not currently part of a session are dropped at the TCP layer. Next, packets are filtered at the application layer, enabling the user to allow only authorized actions at the firewall.

Application Proxy

An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols. For example, an FTP proxy will only allow FTP traffic to pass through, while all other services and protocols will be blocked.
It is a type of server that acts as an interface between the user workstation and the Internet. It works together with the gateway server and separates the enterprise network from the Internet. It receives requests from users for services and responds only to the original requests.

A proxy service is an application or program that forwards user requests (for example, FTP or Telnet) to the actual services. Proxies are also called application-level gateways because they renew the connections and act as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host, for security purposes. Some proxies, called caching proxies, run for the sake of network efficiency: they keep copies of the data requested by the hosts they proxy and can serve that data directly when multiple hosts request it. Caching proxies help reduce the load on network connections, whereas proxy servers provide both security and caching.

A proxy service sits between a user on an internal network and a service on an outside network (the Internet) and is transparent. Instead of communicating directly, both sides talk to the proxy, which handles all communication between the user and the Internet service. Transparency is the key advantage of proxy services: to the user, the proxy server presents the illusion of dealing directly with the real server, while the real server believes it is dealing directly with the user.
Figure 7.49: Application proxy (per-service proxies for SMTP, FTP, HTTPS, and NNTP between the internal and external networks; each filters traffic for a specific server)

Advantages
- Proxy services can be good at logging because they understand application protocols and can log in an effective way.
- Proxy services reduce the load on network links because they can cache copies of frequently requested data and serve it from the proxy instead of fetching it over the network.
- Proxy systems perform user-level authentication, as they are involved in the connection.
- Proxy systems automatically provide protection for weak or faulty IP implementations because they sit between the client and the Internet and generate new IP packets for the client.

Disadvantages
- Proxy services lag behind non-proxy services until suitable proxy software is made available.
- Each service in a proxy may use different servers.
- Proxy services may require changes in the client, applications, and procedures.
- The complexity of application proxies makes them vulnerable to various attacks such as DoS.
- If the proxy is not configured for SSL/TLS inspection, it cannot filter or examine encrypted packets.
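One added example serves both the application-level gateway section and the application proxy section above (illustrative code, not EC-Council's): a minimal HTTP proxy that admits only its own protocol (an FTP command or Telnet negotiation bytes are rejected as "not HTTP"), filters application-specific commands through a method allow-list, performs user-level authentication itself, answers repeated GETs from a content cache without contacting the origin, and writes application-level log lines (user, method, path, outcome). The origin server is a constructed function, the user database and credentials are constructed, and Basic authentication is used only because it is easy to show in a few lines.

```python
import base64

ALLOWED_METHODS = {"GET", "POST"}          # application commands the gateway lets through
USERS = {"alice": "s3cret"}                # constructed credentials; a real proxy would not store plain text


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head; return (method, path, headers, body) or None if not HTTP."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):   # binary junk or a line that is not "METHOD PATH VERSION"
        return None
    if not version.startswith("HTTP/1.") or not path.startswith("/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


class ApplicationProxy:
    def __init__(self, origin):
        self.origin = origin        # callable(method, path, body) -> response bytes; stands in for the real server
        self.cache = {}             # path -> cached GET response
        self.log = []               # application-level log lines
        self.origin_calls = 0

    def _authenticate(self, headers):
        auth = headers.get("proxy-authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return None
        return user if USERS.get(user) == pw else None

    def handle(self, raw: bytes) -> bytes:
        parsed = parse_request(raw)
        if parsed is None:                                   # only the proxied protocol passes
            self.log.append("- ? ? rejected: not HTTP")
            return b"HTTP/1.1 400 Bad Request\r\n\r\n"
        method, path, headers, body = parsed
        user = self._authenticate(headers)                   # user-level authentication
        if user is None:
            self.log.append(f"- {method} {path} rejected: authentication required")
            return b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"
        if method not in ALLOWED_METHODS:                    # application-specific command filtering
            self.log.append(f"{user} {method} {path} rejected: method not allowed")
            return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
        if method == "GET" and path in self.cache:           # content cache
            self.log.append(f"{user} {method} {path} served from cache")
            return self.cache[path]
        response = self.origin(method, path, body)           # the proxy, not the client, talks to the origin
        self.origin_calls += 1
        if method == "GET":
            self.cache[path] = response
        self.log.append(f"{user} {method} {path} forwarded to origin")
        return response


def fake_origin(method, path, body):
    """Constructed stand-in for the real web server."""
    return b"HTTP/1.1 200 OK\r\n\r\n" + f"{method} {path} ok".encode()


def run_demo():
    """Feed constructed requests through the proxy; return (status codes, origin calls, log)."""
    proxy = ApplicationProxy(fake_origin)
    auth = "Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
    get = f"GET /index.html HTTP/1.1\r\nHost: example.test\r\n{auth}\r\n".encode()
    requests = [
        b"USER anonymous\r\n",                                       # FTP command, not HTTP
        b"\xff\xfb\x01",                                             # Telnet IAC WILL ECHO, not HTTP
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",   # HTTP but no credentials
        get,                                                         # fetched from origin, then cached
        get,                                                         # answered from the cache
        f"TRACE / HTTP/1.1\r\nHost: example.test\r\n{auth}\r\n".encode(),  # filtered method
    ]
    statuses = [proxy.handle(r).split(b" ")[1].decode() for r in requests]
    return statuses, proxy.origin_calls, proxy.log


if __name__ == "__main__":
    print(run_demo())
```

The log shows why the text calls proxies "good at logging": each line names the user and the application command, which a packet filter working on addresses and ports cannot record.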
Network Address Translation (NAT)

Network address translation separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic, respectively. NAT helps hide an internal network layout and forces connections to go through a choke point. It works with the help of a router, which sends packets and modifies them. When an internal machine sends a packet to an outside machine, NAT modifies the source address of that packet to make it appear to come from a valid address. Similarly, when the outside machine sends a packet to the internal machine, NAT modifies the destination address to turn the visible address into the correct internal address. NAT limits the number of public IP addresses an organization needs to use. It can act as a firewall filtering technique, allowing only connections that originate on the inside network and blocking connections that originate on the outside network. NATs can also modify the source and destination port numbers.

NAT systems use the following schemes for translating between internal and external addresses:

- One external host address is assigned for each internal address, and the same translation is always applied. This scheme slows down connections and does not provide any savings in address space. This type of mapping is also known as 1:1 mapping and can be either static or dynamic.
- An external host address is dynamically allocated, without modifying the port numbers, when the internal host initiates a connection. This scheme restricts the number of internal hosts that can simultaneously access the Internet to the number of available external addresses.
- A fixed mapping is created from internal addresses to externally visible addresses, and port mapping is used so that multiple internal machines share the same external address. This type of mapping is also known as overloaded NAT or network address port translation (NAPT).
- A pair of an external host address and a port is dynamically allocated each time an internal host initiates a connection. This scheme has the highest possible efficiency in the use of external host addresses.
- A router's IP address is used to communicate with external hosts and to forward incoming packets to a different IP address. That is, the router processes requests originating from the Internet for a particular application and forwards them to the target application server residing inside a DMZ or internal network. This mapping is known as destination NAT or port forwarding.

Figure 7.50: Illustration of network address translation (the NAT device has private address 192.168.168.1 and public address 200.0.0.45; internal hosts 192.168.168.2 and 192.168.168.3 sit behind a switch)

Advantages

NAT helps enforce the firewall's control over outbound connections. It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
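The inside-initiated behaviour just described, together with the overloaded (NAPT) and port-forwarding schemes from the list above, as an added simulation (illustrative code, not EC-Council's). It uses the addresses of Figure 7.50: two inside hosts share the public address 200.0.0.45, each outbound flow gets its own public port, a reply is accepted only if it matches a translation created from the inside or a static destination-NAT entry, and translations expire after an idle timeout, which the caller's timestamps make deterministic. The outside addresses (198.51.100.x), the DMZ server 192.168.168.10 and the 300-second timeout are constructed values.

```python
from dataclasses import dataclass, replace

PUBLIC_ADDR = "200.0.0.45"
IDLE_TIMEOUT = 300      # seconds a translation is kept without traffic; a guess, as the text notes (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Overloaded NAT: many inside (address, port) pairs behind one public address."""

    def __init__(self, port_forwards=None):
        self.next_port = 10000                     # first public port to hand out
        self.table = {}                            # (inside addr, inside port) -> public port
        self.reverse = {}                          # public port -> (inside addr, inside port)
        self.last_seen = {}                        # public port -> time of last packet
        self.port_forwards = port_forwards or {}   # public dport -> (inside addr, inside port), static

    def _expire(self, now):
        for port in [p for p, t in self.last_seen.items() if now - t > IDLE_TIMEOUT]:
            inside = self.reverse.pop(port)
            del self.table[inside]
            del self.last_seen[port]

    def outbound(self, p, now):
        """Rewrite the source of an inside-to-outside packet; create the translation if needed."""
        self._expire(now)
        key = (p.src, p.sport)
        port = self.table.get(key)
        if port is None:                           # new flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        self.last_seen[port] = now
        return replace(p, src=PUBLIC_ADDR, sport=port)

    def inbound(self, p, now):
        """Return the packet with its destination rewritten, or None if it is dropped."""
        self._expire(now)
        if p.dst != PUBLIC_ADDR:
            return None
        inside = self.reverse.get(p.dport)
        if inside is not None:                     # reply to an interaction initiated from inside
            self.last_seen[p.dport] = now
            return replace(p, dst=inside[0], dport=inside[1])
        inside = self.port_forwards.get(p.dport)
        if inside is not None:                     # destination NAT / port forwarding
            return replace(p, dst=inside[0], dport=inside[1])
        return None                                # unsolicited: no inside-initiated interaction


def run_demo():
    """Constructed traffic; returns the translated packets (None where the packet was dropped)."""
    nat = Napt(port_forwards={443: ("192.168.168.10", 443)})   # DMZ web server (constructed)
    out1 = nat.outbound(Packet("192.168.168.2", 51000, "198.51.100.20", 80), now=0)
    out2 = nat.outbound(Packet("192.168.168.3", 51000, "198.51.100.20", 80), now=1)  # same inside port
    reply = nat.inbound(Packet("198.51.100.20", 80, PUBLIC_ADDR, out1.sport), now=2)
    unsolicited = nat.inbound(Packet("198.51.100.77", 3389, PUBLIC_ADDR, 12345), now=3)
    forwarded = nat.inbound(Packet("198.51.100.77", 40000, PUBLIC_ADDR, 443), now=4)
    # a legitimate but late reply to out2: the translation was already discarded
    late = nat.inbound(Packet("198.51.100.20", 80, PUBLIC_ADDR, out2.sport), now=1 + IDLE_TIMEOUT + 1)
    return out1, out2, reply, unsolicited, forwarded, late


if __name__ == "__main__":
    for pkt in run_demo():
        print(pkt)
```

The last call illustrates the disadvantage the text raises next: the NAT device had to guess how long to keep the translation, and a reply that arrives after the guess is dropped even though the inside host started the exchange.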
It helps hide the internal network's configuration and thereby reduces the network's or system's exposure to outside attacks.

Disadvantages

The NAT system has to guess how long it should keep a particular translation, and it is impossible to guess correctly every time. NAT interferes with encryption and authentication systems that ensure the security of the data. Dynamic allocation of ports may interfere with packet filtering.

Virtual Private Network

A VPN is a private network constructed using public networks, such as the Internet. It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption. It establishes a virtual point-to-point connection through the use of dedicated connections. Only a computing device running the VPN software can access the VPN. It is used for connecting wide area networks (WANs). A VPN allows computers on one network to connect to computers on another network. It employs encryption and integrity protection to enable the use of a public network as a private network.
A VPN performs encryption and decryption outside the packet-filtering perimeter to allow the inspection of packets coming from other sites; it encapsulates packets sent over the Internet. A VPN combines the advantages of both public and private networks. VPNs have no direct relation to firewall technology, but firewalls are convenient places to add VPN features because they help provide secure remote services.

Any VPN that runs over the Internet employs the following principles:
- Encrypts all traffic
- Applies integrity protection
- Encapsulates the result in new packets, which are sent across the Internet to something that reverses the encapsulation
- Checks the integrity
- Finally, decrypts the traffic

Figure 7.51: Virtual private network (a VPN tunnel between two VPN router/firewalls across the Internet, joining two private networks)

Advantages
VPNs provide several security advantages:
- A VPN hides all the traffic that flows through it, ensures encryption, and protects the data from snooping.
- It provides remote access for protocols while also defending against outside attacks.

Disadvantages
- As a VPN runs on a public network, the user remains vulnerable to an attack on the destination network.
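The five principles listed above carried through one round trip between two site gateways, as an added simulation (illustrative code, not EC-Council's or any VPN product's): the sending gateway encrypts the inner packet, adds an integrity tag, and encapsulates the result in a new outer packet; the receiving gateway strips the encapsulation, verifies the tag, rejects replays, and only then decrypts. To stay within the Python standard library the encryption is HMAC-SHA256 run in counter mode as a keystream; a real VPN would use an authenticated cipher such as AES-GCM negotiated by a key exchange, not a fixed shared secret. Keys are derived separately per direction so that the two sides never reuse a keystream. Addresses, the shared secret and the inner packet are constructed.

```python
import hashlib
import hmac
import struct

SHARED_SECRET = bytes.fromhex("00" * 31 + "01")   # constructed; real gateways negotiate this (e.g. via IKE)


def derive_keys(secret: bytes, direction: str):
    """Distinct encryption and integrity keys for one direction of the tunnel."""
    enc = hmac.new(secret, b"encrypt:" + direction.encode(), hashlib.sha256).digest()
    mac = hmac.new(secret, b"integrity:" + direction.encode(), hashlib.sha256).digest()
    return enc, mac


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR data with PRF(key, seq || block counter); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack(">QI", seq, offset // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class VpnGateway:
    def __init__(self, my_addr: str, peer_addr: str, secret: bytes):
        self.my_addr, self.peer_addr = my_addr, peer_addr
        self.send_enc, self.send_mac = derive_keys(secret, f"{my_addr}>{peer_addr}")
        self.recv_enc, self.recv_mac = derive_keys(secret, f"{peer_addr}>{my_addr}")
        self.send_seq = 0
        self.highest_seen = -1      # replay window of size one; assumes in-order delivery (simplification)

    def encapsulate(self, inner_packet: bytes) -> bytes:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ciphertext = keystream_xor(self.send_enc, seq, inner_packet)                 # 1. encrypt
        header = f"{self.my_addr}>{self.peer_addr}".encode().ljust(32, b"\0") + struct.pack(">Q", seq)
        tag = hmac.new(self.send_mac, header + ciphertext, hashlib.sha256).digest()  # 2. integrity
        return header + ciphertext + tag                                             # 3. encapsulate

    def decapsulate(self, outer_packet: bytes):
        """Return the inner packet, or None if any check fails."""
        header, body, tag = outer_packet[:40], outer_packet[40:-32], outer_packet[-32:]
        src, _, dst = header[:32].rstrip(b"\0").decode().partition(">")
        if src != self.peer_addr or dst != self.my_addr:
            return None
        expected = hmac.new(self.recv_mac, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):                                   # 4. check integrity
            return None
        seq = struct.unpack(">Q", header[32:40])[0]
        if seq <= self.highest_seen:                                                 # replayed packet
            return None
        self.highest_seen = seq
        return keystream_xor(self.recv_enc, seq, body)                               # 5. decrypt


def run_demo():
    """One packet from site A to site B, then a tampered copy and a replayed copy."""
    site_a = VpnGateway("203.0.113.1", "198.51.100.1", SHARED_SECRET)
    site_b = VpnGateway("198.51.100.1", "203.0.113.1", SHARED_SECRET)
    inner = b"10.1.0.5>10.2.0.9:GET /payroll HTTP/1.1"        # constructed inner packet
    outer = site_a.encapsulate(inner)
    delivered = site_b.decapsulate(outer)
    plaintext_visible = inner in outer                         # what a snooper on the Internet sees
    tampered = bytearray(outer)
    tampered[45] ^= 0x01                                       # flip one ciphertext bit in transit
    rejected = site_b.decapsulate(bytes(tampered))
    replayed = site_b.decapsulate(outer)                       # same valid packet sent again
    return delivered, plaintext_visible, rejected, replayed


if __name__ == "__main__":
    print(run_demo())
```

Integrity is checked before decryption, so a modified packet is discarded without ever being decrypted; this order is what lets the receiving gateway drop forged or corrupted traffic cheaply.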
Next Generation Firewall (NGFW)

An NGFW is a third-generation network security device that provides firewalling, intrusion prevention, and application control, moving beyond port/protocol inspection. In addition to traditional firewall capabilities, NGFW technology can inspect traffic based on packet content. It offers packet filtering and proxy-based decision making within layers 3 and 4, and extends its protection to the application layer (layer 7).

Features of NGFW
- Application awareness and control
- User-based authentication
- Malware protection
- Stateful inspection
- Integrated IPS
- Identity awareness (user and group control)
- Bridged and routed modes
- Ability to utilize external intelligence sources

Typical NGFW capabilities
- Deep packet inspection (DPI)
- Encrypted traffic inspection
- QoS/bandwidth management
- Threat intelligence integration
- Integrated intrusion prevention system
- Advanced threat protection
- Application control
- Antivirus inspection

Advantages
- Application-level security: It provides application security functions such as IDS and IPS for improved packet-content filtering.
- Single console access: It can be managed from a single console, whereas traditional firewalls require manual setup and configuration.
- Multilayered protection: It provides multilayered protection by inspecting traffic from layers 2 to 7.
- Simplified infrastructure: It acts as the single authorized device for managing and updating security protocols.
- Optimal use of network speed: In traditional firewalls, network speed decreases as security protocols and devices are added, whereas with an NGFW the potential throughput is consistently achieved irrespective of the number of security protocols and devices.
- Antivirus, ransomware and spam protection, and endpoint security: NGFWs come as complete packages with antivirus, ransomware and spam protection, and endpoint security, so there is no need for separate tools to monitor and control cyber threats.
- Capability to implement role-based access: An NGFW detects user identity, which helps the organization set role-based access to its data and content. It can also work with different user roles and limit the scope of access for a user or group.

Firewall Capabilities

A firewall can:
- Prevent network scanning
- Perform user authentication
- Filter packets, services, and protocols

Be aware of a firewall's capabilities before planning an implementation. By knowing the capabilities of different types of firewalls, you will be able to decide what type to implement or whether a different security control or solution better suits your needs.
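The application awareness and identity awareness listed in the NGFW section above, and the user-authentication and protocol-filtering capabilities just summarized, as an added illustration (not EC-Council's or any vendor's code): instead of keying on the destination port, the classifier identifies the application from the first payload bytes using a few content signatures, maps the source address to a user and group, and evaluates a policy written in terms of (group, application). The signatures are simplified sketches of real protocol openings (an SSH banner, an HTTP request line, a TLS ClientHello record, an SMB header), and the identity table, policy and flows are constructed; a port-only rule is included for contrast.

```python
import re

# Content signatures over the first payload bytes: (application, pattern). Simplified sketches (constructed).
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-", re.DOTALL)),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),   # handshake record carrying a ClientHello
    ("smb",  re.compile(rb"^\x00...(\xfe|\xff)SMB", re.DOTALL)),        # NetBIOS length prefix + SMB2/SMB1 magic
]

# Identity awareness: source address -> (user, group). In practice learned from a directory or agent (constructed).
IDENTITY = {
    "10.0.1.10": ("alice", "engineering"),
    "10.0.2.20": ("bob", "finance"),
}

# Policy keyed on group and application, evaluated top-down, first match wins (constructed).
POLICY = [
    ("engineering", "ssh",  "allow"),
    ("*",           "http", "allow"),
    ("*",           "tls",  "allow"),
    ("*",           "*",    "deny"),
]


def identify_application(payload: bytes) -> str:
    """Name the application by content, ignoring the port it travels on."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def port_based_decision(dport: int) -> str:
    """What a traditional port/protocol rule would do: 80 and 443 are 'web', so allow them."""
    return "allow" if dport in (80, 443) else "deny"


def decide(src: str, dport: int, payload: bytes) -> dict:
    """NGFW-style decision: application from content, identity from source, policy on both."""
    app = identify_application(payload)
    user, group = IDENTITY.get(src, ("unknown", "unknown"))
    action = "deny"
    for pol_group, pol_app, pol_action in POLICY:
        if pol_group in ("*", group) and pol_app in ("*", app):
            action = pol_action
            break
    return {"user": user, "group": group, "app": app, "dport": dport, "action": action}


def run_demo():
    """Constructed flows; returns (application, NGFW action, port-only action) per flow."""
    flows = [
        ("10.0.1.10", 443,  b"SSH-2.0-constructed_client\r\n"),          # SSH hidden on 443, engineering
        ("10.0.2.20", 443,  b"SSH-2.0-constructed_client\r\n"),          # same content from finance
        ("10.0.2.20", 8080, b"GET /report HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # HTTP on a non-standard port
        ("10.0.2.20", 443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),    # TLS ClientHello
        ("10.0.9.99", 445,  b"\x00\x00\x00\x45\xfeSMB@\x00"),                     # SMB from an unmapped host
    ]
    return [(decide(*f)["app"], decide(*f)["action"], port_based_decision(f[1])) for f in flows]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The first two flows look identical to a port rule (both "443, allow"); the content classifier sees SSH in both and the identity mapping lets the policy permit it for one group and refuse it for the other, which is the role-based access the advantages list describes.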