Firewall Concepts and Threat Intelligence - Chat Summary PDF

Summary

This document provides a summary of firewall concepts and threat intelligence. It covers network firewalls, host-based firewalls, and application firewalls. It also discusses blacklists, threat actor IOCs, and various sources of threat intelligence including FireHOL, Spamhaus, and Cisco Talos.

Full Transcript


Firewall Concepts and Threat Intelligence - Chat Summary

Network Firewall

A network firewall controls incoming and outgoing traffic between networks. It operates mainly at Layers 3 and 4 of the OSI model, using IP addresses, ports, and protocols to enforce security policies.

Types:
- Packet Filtering Firewall: Inspects IP and transport headers (addresses, ports, protocol, TCP flags) and applies static rules to each packet on its own, with no memory of earlier packets.
- Stateful Inspection Firewall: Tracks connections in a state table, so return traffic for a session the firewall has already allowed is accepted without a separate inbound rule, and stray packets that belong to no known session are dropped.
- Next-Generation Firewall (NGFW): Adds deep packet inspection (DPI), application control, and threat intelligence feeds on top of stateful filtering.
- Proxy Firewall: Terminates the client connection and opens its own connection to the destination, so internal addresses are never exposed to the outside.

Use Cases:
- Protects enterprise networks, and segments within them, from external threats.
- Deployed as hardware or virtual appliances.

Host-Based Firewall

Installed on an individual device, a host-based firewall controls the traffic of that host only. It covers threats a perimeter firewall cannot see: malware already running on the machine, and lateral movement from other hosts on the same internal network.

Key Features:
- Fine-grained control per application or service.
- Commonly used on laptops, servers, and personal computers.
- Examples: Windows Defender Firewall; iptables and nftables on Linux.

Pros:
- Tailored control per host.
- Can block local malware or misbehaving applications.

Cons:
- Hard to manage at scale without central tooling (group policy, configuration management).

Application Firewall

An application firewall operates at Layer 7 of the OSI model, filtering traffic based on application-level protocols such as HTTP, DNS, and FTP.

Types:
- Web Application Firewall (WAF): Protects web applications from XSS, SQL injection, and similar attacks. A WAF is a compensating control in front of the application, not a replacement for fixing the vulnerable code; signature-based rules can be bypassed by payloads they have not seen.
- General Application Firewall: Controls which applications on a desktop or mobile device may communicate, and how.

Functions:
- Deep Packet Inspection (DPI).
- Detects payload-level threats and protocol misuse.

Examples: Cloudflare WAF, ModSecurity, AWS WAF.

Anatomy of a Firewall

Components:
1. Rule Base: Defines what traffic is allowed or blocked, normally evaluated top-down with the first matching rule winning and a default deny at the end.
2. Packet Filtering Engine: Inspects IP headers and port numbers.
3. State Table: Tracks active sessions in stateful firewalls.
4. NAT Module: Translates private addresses to public ones and maps the replies back.
5. DPI Engine: Deep Packet Inspection for payload analysis.
6. Logging and Alerts: Records allowed and denied traffic and raises alerts on anomalies; usually forwarded to a SIEM.
7. Management Interface: Admin dashboard or CLI.
8. Optional Modules: IPS, antivirus, VPN support.

Diagram (Text):
+---------------------------------------------------+
|                  FIREWALL SYSTEM                  |
+---------------------------------------------------+
|          Management Interface (GUI/CLI)           |
|---------------------------------------------------|
|             Rule Base / Policy Engine             |
|---------------------------------------------------|
| Packet Filter | Stateful Inspection | NAT Engine  |
|---------------------------------------------------|
|   Deep Packet Inspection / Application Control    |
|---------------------------------------------------|
|           Logging / Alerts / Monitoring           |
+---------------------------------------------------+

Blacklist Types

Blacklists define what is explicitly denied. Common types include:
1. IP Blacklist: Blocks known malicious IP addresses or ranges.
2. Domain Blacklist: Blocks malicious or unwanted domains.
3. Email Blacklist: Blocks known spam and phishing senders (sending IPs or sender domains).
4. URL Blacklist: Blocks specific URLs, not just domains.
5. Application Blacklist: Blocks disallowed applications (e.g. torrent clients).
6. File Hash Blacklist: Blocks known malware by file hash (MD5/SHA-256). Any change to the file produces a new hash, so this catches only exact known samples.
7. Geo-location Blacklist: Blocks entire regions or countries based on IP geolocation data, which is approximate and is bypassed by VPNs and proxies.

Blacklist vs Whitelist:
- Blacklist: Default allow, block known bad.
- Whitelist: Default deny, allow known good.
Default deny is the least-privilege posture and the normal basis of a firewall rule base; blacklists are layered on top of it to reject known-bad sources before the rules are evaluated.

Automated Threat Intelligence Blacklists

These blacklists are updated dynamically from real-time data and pulled into security tools as feeds.

Types:
1. Malicious IP Blacklists: From honeypots and sensors.
2. Spam & Phishing: From email threat feeds.
3. Malicious Domain/URL: From DNS and web filtering feeds.
4. Malware Hashes: From sandboxed malware analysis.
5. App Behavior: From EDR/XDR platforms.
6. Threat Actor IOCs: From CERTs and government alerts.

Sources:
- FireHOL, Spamhaus, AlienVault OTX, MISP, Cisco Talos

Used in:
- Next-Gen Firewalls (NGFWs)
- SIEM/EDR/XDR systems
- Threat Intelligence Platforms (TIPs)

Feeds contain false positives and stale entries, so apply them with an expiry, refresh them on a schedule, and review hits before switching a feed from alert-only to blocking mode.
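The following Python is an added example written for this summary; it is not code from the page or from any firewall product. It puts the components from the "Anatomy of a Firewall" section together (rule base, packet-filtering engine, state table, logging) and shows how an automated threat-intelligence IP blacklist is consulted ahead of the rule base, as the NGFW use case describes. The feed text only mimics the FireHOL netset layout (one IP or CIDR per line, '#' starts a comment); its contents, the inside network 10.0.0.0/8, the rules and the six packets are all constructed test data, and the class and function names are the example's own.

```python
# Added example for this summary (not code from the page or any firewall product).
# Addresses, rules, packets and the feed are constructed test data; the feed only
# mimics the FireHOL netset layout: one IP or CIDR per line, '#' starts a comment.
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAMPLE_NETSET = """
# example_level1 netset (constructed, not a real feed snapshot)
203.0.113.0/24      # a /24 reported as a scanning source
198.51.100.7        # a single host
"""

def load_netset(text):
    """Parse a netset feed into ip_network objects, ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""     # TCP flags as letters: "S" = SYN, "A" = ACK

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None
    direction: str = "any"      # "in" (towards the inside network), "out" or "any"

    def matches(self, pkt, direction):
        return (self.proto in ("any", pkt.proto) and self.dport in (None, pkt.dport)
                and self.direction in ("any", direction))

def stateless_established_heuristic(pkt):
    """Old stateless trick: any TCP packet with ACK set is treated as a reply.
    It keeps no memory of flows, so a forged ACK-only probe gets through."""
    return pkt.proto == "tcp" and "A" in pkt.flags

class StatefulFirewall:
    def __init__(self, rules, blocklist, inside):
        self.rules = rules                          # rule base: first match wins
        self.blocklist = blocklist                  # threat-intel IP blocklist
        self.inside = ipaddress.ip_network(inside)  # protected network
        self.state = set()                          # state table of allowed 5-tuples
        self.log = []                               # logging / alerts

    def _blocklisted(self, ip):
        # Linear scan is enough for a demo; products use a radix tree or ipset.
        return any(ipaddress.ip_address(ip) in net for net in self.blocklist)

    def process(self, pkt):
        """Return "allow" or "deny" for one packet and record the decision."""
        # 1. Known-bad sources and destinations are rejected before the rule base.
        for ip in (pkt.src, pkt.dst):
            if self._blocklisted(ip):
                return self._verdict("deny", pkt, f"blocklisted {ip}")
        # 2. A reply to an established flow matches the reversed 5-tuple in the state table.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.state:
            return self._verdict("allow", pkt, "established")
        # 3. A TCP packet with no state must be a SYN (new connection); anything else is dropped.
        if pkt.proto == "tcp" and "S" not in pkt.flags:
            return self._verdict("deny", pkt, "no state and not a SYN")
        # 4. Rule base, first match wins; unmatched traffic hits the default deny.
        direction = "out" if ipaddress.ip_address(pkt.src) in self.inside else "in"
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "allow":
                    self.state.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return self._verdict(rule.action, pkt,
                                     f"rule {rule.action} {rule.proto}/{rule.dport} {rule.direction}")
        return self._verdict("deny", pkt, "default deny")

    def _verdict(self, action, pkt, reason):
        self.log.append(f"{action.upper()} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({reason})")
        return action

# Constructed traffic; 10.0.0.0/8 is the inside network.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 443, "S"),    # outbound HTTPS, new flow
    Packet("192.0.2.10", "10.0.0.5", "tcp", 443, 40000, "SA"),   # its SYN-ACK reply
    Packet("192.0.2.99", "10.0.0.5", "tcp", 443, 40001, "A"),    # forged ACK probe, no flow
    Packet("10.0.0.5", "203.0.113.50", "tcp", 40002, 443, "S"),  # destination is on the feed
    Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, "S"),    # feed-listed source hits SSH
    Packet("192.0.2.20", "10.0.0.5", "tcp", 5555, 22, "S"),      # inbound SSH from a clean host
]

def demo():
    """Run the sample traffic through the firewall; returns the verdicts and the log."""
    fw = StatefulFirewall(
        rules=[Rule("allow", "tcp", 443, "out"), Rule("allow", "tcp", 22, "in")],
        blocklist=load_netset(SAMPLE_NETSET),
        inside="10.0.0.0/8",
    )
    verdicts = [fw.process(p) for p in SAMPLE_PACKETS]
    return verdicts, fw.log
```

Running demo() yields allow, allow, deny, deny, deny, allow: the SYN-ACK reply is accepted only because the outbound SYN created a state entry, the forged ACK probe is dropped even though stateless_established_heuristic() would have passed it, and the feed-listed source is rejected before the inbound SSH allow rule is ever consulted. The log list is what a real firewall would ship to a SIEM.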