Chapter 7 - 03 - Understand Different Types of Firewalls and their Role_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow

Discuss Essential Network Understand Different Types of
0© 0 0
Security Protocols Proxy Servers and their Benefits

Discuss Fundamentals of VPN
Discuss Security Benefits
and its importance in Network
of Network Segmentation
Security

Understand Different Types Discuss Other Network Security
of Firewalls and their Role Controls

Understand Different Types Discuss Importance of Load
of IDS/IPS and their Role Balancing in Network Security

Understand Different Types Understand Various
of Honeypots Antivirus/Anti-malware Software

Copyright© by E L All Rights Reserved. Reproduction
is Strictly Prohibited

Understand Different Types of Firewalls and their Role
This section describes firewall and different types of firewall technologies available. This
includes packet filtering, stateful multilayer inspection, circuit-level gateway, application-level
gateway, application proxy, network address translation (NAT), virtual private network (VPN),
and next generation firewall (NGFW).

Module 07 Page 757 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

What is a Firewall?
L3 °

Q Firewall is a software or -
hardware, or a s‘“‘""l '""". ’ ‘ Internet \
combination of both, e
which is generally used
to separate a protected Beereiteryedtineacd Trafic s stopped because it
network from an S——
unprotected public Allowed Tratfic Outto Intemet
Salnad’ 20202022 | See——— P NP >

Firewall
Q It monitors and filters the
incoming and outgoing R
traffic of the network s et.
and prevents A "’A“":‘:"s“::" ——
unauthorized access to DR B R Allowed Traffic
private networks
Firewall

What is a Firewall?

A firewall is a software or hardware, or a combination of both, which is generally used to
separate a protected network from an unprotected public network. A firewall is a secure,
reliable, and trusted device placed in between private and public networks. It helps in
protecting a private network from the users of a different network. It monitors and filters the
incoming and outgoing traffic of the network and prevents unauthorized access to private
networks. It has a set of rules for tracing the incoming and outgoing network traffic and is also
responsible for allowing or denying traffic to pass through. These criteria are the rules and
restrictions configured on the firewall and they may vary from one type of firewall to another.
Generally, a firewall filters traffic based on the type of traffic, source or destination addresses,
protocols, and ports.

Module 07 Page 758 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Secure Private
Internet
Network

Restricted Traffic
Traffic is stopped because it
does not meet specific criteria

Allowed Traffic Out to Internet

Firewall

Unknown
Only traffic from internet @ < Traffic
meeting specified criteriaare
allowed to pass through

Accessto Specific @ » Specified
Resources Allowed Traffic
STITTIEEITIF
TP

Firewall

Figure 7.42: Working of a firewall

Typical use of firewalls:
* To protect the private network applications and services on the internal network from
the unauthorized traffic and the public network.
= To restrict the access of the hosts on the private network and the services of the public
network.

= To support a network address translation, which helps in using private IP addresses and
to share a single internet connection.

Module 07 Page 759 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
 oo rEEEeRRMbLy
tecnnician
Network Security Contro
ls — Technical Controls
Exam 212-82

Types of Firewalls:
Hardware Firewalls
T WL eli i

A hardware firewall is
either a dedicated
0 1 stand-alone hardware
device or it comes
as part of a router

0 2 The network traffic is
filtered using the..............mmm
ic Publ
Packet filtering techni b
que @
Hardware Firewall
Usually Part of a
0 3 Itis used to filter out the TCP/IP Router
network traffic
for large busine.
ss networks....... Secure Private Net
work
Private Local Area Network }
[ ------- Public Network
J

Copyright
© by EC IL All Rights Reserved Repro
ductions Strictly Prohibited

Types of Firewalls:
Software
Firewalls
Q Asoftware firewall is
a software Program
computer, just like nor installed on a
mal software
Q itis generally used to filt
er traffic for individual
home users
Q itonly filters traffic for
the computer on which
not for the entire networ it is installed,
k

Computer with
Firewall Software

Computer with
Firewall Software :'
H : é
Public Network
E ; fi ( ------- Secure Private Network I
Computer with ’....... Public Network
Firewall Software /
Flrewall Software
Note: It is recommended
that you configure both
a software and a hardware
firewall for best protecti
on
Copyright© by EC All Rights Reserved Reproducti
onis Strictly Prohibited

Module 07 Page 760
Certified Cybersecurity
Technician Copyright ©
All Rights Reserved. Re by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Types of Firewalls: Host-based and
Network-based Firewalls
Host-based Firewalls Network-based Firewalls

O The host-based firewall is used to O The network-based firewall is used
filter inbound/outbound traffic of an to filter inbound/outbound traffic
individual computer on which it is ! from Internal LAN
installed i
QO Itis a hardware-based firewall
QO Itis a software-based firewall
0O Example: pfSense, Smoothwall, Cisco
QO This firewall software comes as part of SonicWall, Netgear, ProSafe, D-Link,
0S i etc.

0O Example: Windows Firewall, Iptables,
UFW etc.

Note: It is recommended to configure both a host and network-based firewall for best protection

Types of Firewalls: External and Internal Firewalls. N
Internal Firewalls. External Firewalls 7 Internal firewalls are used to protect one
network segment from other in the
internal network
External firewalls are used to
limit the access between the » Internal firewalls are placed in a situation
protected and public networks where different types of access is required
for specific services or information, and
> Itis placed to provide access for security
control and protection for the » Internal firewalls sit between two network
DMZ systems segments of the same organization or
between two organizations that share the
same network

Note: It is recommended to configure both an external and internal firewall whenever required

Types of Firewalls
There are two types of firewalls.
= Hardware Firewalls
A hardware firewall is a dedicated firewall device placed on the perimeter of the
network. It is an integral part of the network setup and is also built into broadband
routers or used as a standalone product. A hardware firewall helps to protect systems

Module 07 Page 761 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

on the local network and performs effectively with little or no configuration. It employs
the technique of packet filtering. It reads the header of a packet to find out the source
and destination addresses and compares them with a set of predefined and/or user-
created rules that determine whether it should forward or drop the packet. A hardware
firewall functions on an individual system or a particular network connected using a
single interface. Examples of hardware firewalls include Cisco ASA and FortiGate.
Hardware firewalls protect the private local area network.
However, hardware firewalls are expensive as well as difficult to implement and
upgrade.
Advantages:
o Security: A hardware firewall with its operating system (OS) is considered to reduce
security risks and increase the level of security controls.
o Speed: Hardware firewalls initiate faster responses and enable more traffic.
o Minimal Interference: Since a hardware firewall is a separate network component, it
enables better management and allows the firewall to shut down, move, or be
reconfigured without much interference in the network.
Disadvantages:
o More expensive than a software firewall.
o Difficult to implement and configure.
o Consumes more space and involves cabling.

(NN ° *. (NN * °. (NN °

P bl.
I...III.I‘: :

-. e O
m S Network
;n-----n-. SEsEsEEEEREES -------.-.---...
— — ---. ==

: Hardware Firewall. Usually Partof a
: TCP/IP Router

E' «ssssss Secure Private Network
Private Local Area Network s=====* Public Network

Figure 7.43: Hardware Firewall

= Software Firewalls
A software firewall is similar to a filter. It sits between a regular application and the
networking components of the OS. It is more useful for individual home users and it is
suitable for mobile users who need digital security when working outside the corporate

Module 07 Page 762 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

network. Further, it is easy to install on an individual’s PC, notebook, or workgroup
server. It helps protect your system from outside attempts at unauthorized access and
provides protection against everyday Trojans and email worms. It includes privacy
controls, web filtering, and more. A software firewall implants itself in the critical area of
the application/network path. It analyzes the data flow against the rule set.
The configuration of a software firewall is simple compared to that of a hardware
firewall. A software firewall intercepts all requests from a network to the computer to
determine if they are valid and protects the computer from attacks and unauthorized
access. It incorporates user-defined controls, privacy controls, web filtering, content
filtering, etc., to restrict unsafe applications from running on an individual system.
Software firewalls use more resources than hardware firewalls, which reduces the speed
of the system. Examples of software firewalls include those produced by Norton,
McAfee, and Kaspersky.

Advantages:

o Less expensive than hardware firewalls.
o Ideal for personal or home use.
o Easier to configure and reconfigure.
Disadvantages:
o Consumes system resources.

o Difficult to uninstall.
o Not appropriate for environments requiring faster response times.

Computer with

o
Firewall Software
D

(=]
o
{llllll.llllll

Computer with
Firewall Software

L3
)

=4
0

Computer with
Firewall Software Public Network

)
-

«ssssss SecurePrivate Network

Computer with ==sssss Public Network
Computer with
Firewall Software
Firewall Software
Figure 7.44: Software Firewall

Note: It is recommended that you configure both a software and a hardware firewall for
best protection.

Module 07 Page 763 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

= Host-based Firewalls

A host-based firewall is a software-based firewall that can filter inbound/outbound
traffic of an individual computer on which it is installed and checks for any malicious
activity throughout the network. It comes as part of the system’s OS. For example,
Microsoft Firewall that is part of Windows system, Iptables, Uncomplicated Firewall
(UFW), etc. The different levels of traffic analysis of these firewalls include packet
analysis at the network and transport layers of the OSI model. These firewalls check the
MAC address, IP address, packet source, and destination port before allowing a packet
to pass. Then, a stateful filter validates the packets. In the end, the packet is validated at
the application layer.
Advantages

o Provides security for devices irrespective of change in location
o Provides internal security and avoids internal attacks by allowing only authorized
users
o Setup requires basic hardware/software installation
o Useful for individuals and small businesses with fewer devices as they provide
customized protection
o Provide flexibility by allowing applications and virtual machines (VMs) to take their
host-based firewalls along with them when they are moved between cloud
environments

o Allows configuring a single device for an individual’s requirements using custom
firewall rules
Disadvantages
o Not suitable for larger networks
o Provide less security because if an attacker can access a host, they can turn off the
firewall or install malicious code undetected by the organization
o Must be replaced if bandwidth exceeds firewall throughput or, otherwise, more
effort are needed to scale up every device if the number of hosts increase
o Costly, as they require individual installation and maintenance on every server for
big organizations

o Dedicated IT staff is needed for maintaining each device
= Network-based Firewalls
A network-based firewall is a hardware-based firewall that can be used to filter
inbound/outbound traffic on internal LAN. For example, pfSense, Smoothwall, CISCO
SonicWall, Netgear, ProSafe, D-Link, etc. Such a firewall functions on the network level
and filters data that traverses through the network, forming a network perimeter as the

Module 07 Page 764 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

first line of defense. It functions by routing traffic to proxy servers, which manage data
transmission in the network.
Advantages

o Network-based firewalls do not require individual installation and maintenance on
every server.
o As any malicious traffic would exist at the network barrier, they can provide greater
security than what host-based firewalls can provide a host.
o They allow scalability when a client’s bandwidth demands increase.
o They offer high availability (uptime) and their security can be extended beyond a
single service provider network.
o They require a limited workforce that may be needed to manage one or two sets of
network firewalls.
o They are appropriate for SMEs or organizations with large networks.
Disadvantages

o They do not consider applications and vulnerabilities on a system/VM.
o They do not provide protection for host-to-host communication in the same VLAN.

o Their setup requires highly skilled resources.
o Their cost is lower in the case of big organizations.
o Incorrect maintenance of network firewalls that function as proxy servers may
decrease network performance.
Note: It is recommended to configure both a host and network-based firewall for best
protection

In the real environment, a combination of host-based and network-based firewalls
provides greater security. For example, if an attacker were able to breach the network-
level security, it would still be difficult to breach each host-based firewall. This
combination is suitable for big organizations with complex networks, which have higher
threat levels to their sensitive data and need to meet the strong compliance standards.
= External Firewalls

External firewalls are used to limit access between the protected network and the public
network. They validate the inbound and outbound traffic of the internal network and
translate addresses between the internal and public IP addresses. These firewalls are
placed to provide access control and protection for the DMZ systems in which new
connections are disallowed from the external to the internal network.
They provide security for legacy devices that do not have firewalls. They also provide
security to systems that have issues preventing them from having protection
capabilities. The implementation of external firewalls is done by placing the external

Module 07 Page 765 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

firewall between the legacy device and the LAN. Even if the legacy device is
compromised, the external firewall device can detect the malicious device and prevent
it from spreading the attack to the remaining devices in the network and also prevent it
from contacting applications on the Internet. Examples include Floodgate Defender by
Icon Labs, Firebox M440 by WatchGuard (switch-oriented firewall), etc.

Advantages

o Operate independent of legacy devices
o Can be updated independently of legacy devices
o Ability to control systems with more open connections such as a web browser
o Allow quick installation and are easy to configure
o Useful for replacing the connection of a legacy device to a switch with a connection
to the firewall device by combining the external firewall with a switch (this is
applicable if an organization’s legacy devices cannot be updated for security and
replacing the system may not be feasible)
= |Internal Firewalls

Internal firewalls/internal network segmentation firewalls are used to protect one
network segment from others in the internal network and ensure the application of
stateful inspection and policies for the traffic that traverses through the internal
network. These firewalls allow restricting the malicious activity in one segment of the
network from spreading to other internal network segments.
These are placed in a situation where different types of access are required for specific
services or information. Internal firewalls sit between two network segments of the
same organization or between two organizations that share the same network. Instead
of using switches, internal firewalls allow segmenting the network as well as monitoring
its traffic by implementing stateful policies.
Advantages
o They isolate and secure critical servers and systems from internal users and external
users accessing public servers while restricting the to access the network and will be
under monitoring always.
o They block communication between two hosts and isolate the segment where
malicious activity is identified
o They provide visibility into the internal network
o They allow segmentation and monitoring of even large L2 networks (but the internal
firewalls need to be placed between two stacks of L2 aggregation switches)
o Traffic handling capacity is higher compared to placing the firewalls at the edge of
the network

o They restrict remote users to a few network segments

Module 07 Page 766 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

o They allow containment and monitoring of VPN traffic
Disadvantages
o Internal firewalls need the creation of additional subnets
o Problematic for systems that move among different networks
o Expensive devices
Note: It is recommended to configure both an external and internal firewall whenever
required.

Module 07 Page 767 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Firewall Technologies
Firewalls are designed and developed with the help of different firewall services

Each firewall service provides security depending on their efficiency and sophistication

Packet Circuit-Level Application
Filtering Gateway Proxy VPN

Next Generation
Firewall (NGFW)

Stateful Multilayer Application-Level Network Address
Inspection Gateway Translation

Copyright © by EC All Rights Reserved. Reproductionis Strictly Prohibited.

Firewall technologies operating at each OSI layer

Firewall Technology
i

Virtual Private Network (VPN)
Application
Application Proxies
BN

Presentation Virtual Private Network (VPN)
Virtual Private Network (VPN)
BE

Circuit-Level Gateways
Virtual Private Network (VPN)
\

Transport
Packet Filtering
\

Virtual Private Network (VPN)
EESEE

Network Address Translation (NAT)
Packet Filtering
Stateful Multilayer Inspection

Virtual Private Network (VPN)
S N\

Packet Filtering

Physical Not Applicable V

Copyright © by All Rights Reserved. Reproductionis Strictly Prohibited

Firewall Technologies
Firewalls are designed and developed with the help of different firewall services. Each firewall
service provides security depending on its efficiency and sophistication. There are different
types of firewall technologies depending on where the communication is taking place, where
the traffic is intercepted in the network, the state that is traced, and so on. Considering the
capabilities of different firewalls, it is easy to choose and place an appropriate firewall to meet
the security requirements in the best possible way. Each type of firewall has its advantages.

Module 07 Page 768 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Several firewall technologies are available for organizations to implement their security
measures. Sometimes, firewall technologies are combined with other technologies to build
another firewall technology. For example, NAT is a routing technology; however, when it is
combined with a firewall, it is considered a firewall technology.
The various firewall technologies are listed below:
= Packet Filtering
= (Circuit-Level Gateways
= Application-Level Gateways
= Stateful Multilayer Inspection Firewall
= Application Proxy
= Network Address Translation (NAT)

= Virtual Private Network (VPN)

= Next Generation Firewall (NGFW)
The table below summarizes technologies operating at each OSI layer:

OSI Layer Firewall Technology
o = Virtual Private Network (VPN)
Application e.
= Application Proxies
Presentation = Virtual Private Network (VPN). = Virtual Private Network (VPN)
Session -
= (Circuit-Level Gateways
= Virtual Private Network (VPN)
Transport e
= Packet Filtering
= Virtual Private Network (VPN)
* Network Address Translation (NAT)
Network e
= Packet Filtering
= Stateful Multilayer Inspection
= Virtual Private Network (VPN
Data Link - ( )
= Packet Filtering
Physical = Not Applicable
Table 7.3: Firewall Technologies

The security levels of these technologies vary according to their efficiency levels. A comparison
of these technologies can be made by allowing them to pass through the OSI layer between the
hosts. The data passes through the intermediate layers from a higher layer to a lower layer.
Each layer adds additional information to the data packets. The lower layer now sends the
obtained information through the physical network to the upper layers and then to its
destination.

Module 07 Page 769 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Packet Filtering Firewall
’
].. Application ' Traffic is filtered based on
I Packet filtering firewalls work at the P specified rules, including source
L
network level of the OSI model (or the | and destination IP address,
IP layer of TCP/IP) m packet type, and port number
'J Unknown traffic is only allowed
up to level 2 of the network stack
I i 1
Internet Protocol (IP) %V
X Disallowed
They are usually part of a router. Most i 7 Allowed
routers support packet filtering 5 Network Interface............................ >
Incoming Traffic Allowed Outgoing Traffic
I In a packet filtering firewall, each packet
is compared to a set of criteria before it
is forwarded

Copyright © by | L All Rights Reserved. Reproduction
is Strictly Prohibited

Packet Filtering Firewall
Packet filtering is the most basic feature of all modern firewalls. Packet filtering firewalls work
at the network level of the OSI model (or the IP layer of TCP/IP). They are usually part of a
router. Most routers support packet filtering. In a packet filtering firewall, each packet is
compared to a set of criteria before it is forwarded. Depending on the packet and the criteria,
the firewall can:
= Drop the packet
= Forward it or send a message to the originator
They evaluate each packet based on the packet header information, including source IP
address, destination IP address, source port, destination port, protocol, etc. If the packet
header information does not match the ruleset, the firewall drops the packet; or else, it is
forwarded. Rules can include source and destination IP address, source and destination port
number, or the protocol used. When a data packet passes through the network, a packet filter
checks the packet header and compares it with the connection bypass table that keeps a log of
the connections passing through the network. The advantage of packet filtering firewalls is
their low cost and low impact on network performance.
Traffic is filtered based on specified rules including source and destination IP address, packet
type, and port number. Unknown traffic is only allowed up to level 2 of the network stack.

Module 07 Page 770 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Application

TCP

l. y ‘

Internet Protocol (IP) X+
A

Network Interface :

Incoming Traffic Allowed Outgoing Traffic

Figure 7.45: Packet filtering firewall

There are three methods available for configuring packet filters after determining the set of
filtering rules:
* Rule 1: This rule states that it accepts only those packets that are safe, thereby dropping
the rest.
= Rule 2: This rule states that the filter drops only those packets that are confirmed
unsafe.
* Rule 3: This rule states that, if there are no specific instructions provided for any
particular packet, then the user is given the chance to decide on what to do with the
packet.

A network packet can pass through the network by entering the previously established
connection. If a new packet enters the network, the firewall verifies the packets and checks if
the new packet follows/meets the rules. It then forwards the packet to the network and enters
the new data packet entry of the connection in the bypass table. A packet filtering firewall is
not expensive and neither does it affect network performance. Basic packet-filtering firewalls
are stateless and do not maintain any information on active sessions. Every packet entering the
firewall is inspected independently without maintaining any record of previously processed
packets. Most routers support packet filtering. Packet filtering is a relatively low-level security
measure that can be bypassed by techniques such as packet spoofing, where the attacker crafts
or replaces packet headers that are then unfiltered by the firewall.
As can be judged from the name, packet filter-based firewalls concentrate on individual packets
and analyze their header information as well as the directed path. Traditional packet filtering
firewalls make their decisions based on the following information:
= Source IP address: This allows the firewall to check if the packet is coming from a valid
source or not. IP header stores the information about the source of the packet and the
address refers to the source system IP address.

Module 07 Page 771 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

= Destination IP address: This allows the firewall to check if the packet is heading toward
the correct destination; the IP header of the packet stores the destination address of the
packet.

= Source TCP/UDP port: This allows the firewall to check the source port of the packet.
= Destination TCP/UDP port: This allows the firewall to verify the destination port of a
packet to allow or deny the services.
= TCP code bits: This allows the firewall to check whether the packet has a SYN, ACK, or
other bits set for connecting.
= Protocol in use: Packets carry protocols, and this field checks the protocol used and
decides to allow or deny associated packets.
= Direction: This allows the firewall to check whether the packet is coming from a packet
filter firewall or leaving it.
= |Interface: This allows the firewall to check whether the packet is coming from an
unreliable site.

Module 07 Page 772 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Circuit-Level Gateway

'J Traffic is filtered based on
Circuit level gateways work at the specified session rules, such as
session layer of the OSI model, or the when a session is initiated by a. recognized computer
TCP layer of TCP/IP
'J Unknown traffic is only allowed
up to level 3 of the network
stack

They monitor the TCP handshake X oisallowed. between packets to determine whether '—Nmm
lnterféce!-!1 7/ Allowed
a requested session is legitimate or not §................. SN fi. Incoming Traffic Allowed Outgoing Traffic
Information passed to a remote..
computer through a circuit-level gateway -
v s
appears to have originated from the \
gateway r_."

Circuit-Level Gateway
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
They monitor the TCP handshake between packets to determine whether a requested session is
legitimate or not. Information passed to a remote computer through a circuit-level gateway
appears to have originated from the gateway.
The circuit-level gateway firewall uses the data present in the headers of data packets to
perform its action. It is not a stand-alone firewall, but it works in coordination with other
firewalls such as packet filter and application proxy to perform its functions. Information passed
to a remote computer through a circuit-level gateway appears to have originated from the
gateway. Thus, circuit-level gateway firewalls have the ability to hide the information of
network they protect. These firewalls are relatively inexpensive.
Traffic is filtered based on specified session rules, such as when a session is initiated by a
recognized computer. Unknown traffic is only allowed up to level 3 of the network stack.

Module 07 Page 773 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Application

Incoming Traffic Allowed Outgoing Traffic

Figure 7.46: Circuit-level gateway

If one system wants to view information on the other system, then it sends a request to the
second system and the circuit-level gateway firewall intercepts this request. The firewall
forwards the packet to the recipient system with a different address. After the first system
receives the reply, the firewall checks if the reply matches with the IP address of the initial
system. If the reply matches, the firewall forwards the packet, otherwise it drops it.
Advantages

* Hides data of the private network
* Does not filter individual packets
* Does not require a separate proxy server for each application
* Easyto implement
Disadvantages
= Cannot scan active contents

= (Can only handle TCP connections

Module 07 Page 774 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Application Level Gateways
Q Application level gateways can filter packets at the application layer of the 0SI model
QO Because they examine packets at the application layer, they can filter application-specific Lo P I~
commands such as http:post and get »
Q In plain terms, an application level gateways can be configured to be a web proxy which
will not allow any FTP, gopher, Telnet, or other traffic through

o Traff.ic is. filtered based. on.specified
g application rules, applications (e.g.
i browser) and/or a protocol (e.g. FTP)
i H or a combination of all of these
'J Unknown traffic is only allowed up
to the top of the network stack

XK Dpisallowed
W’ Allowed.................... >
Incoming Traffic Allowed Outgoing Traffic

Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited.

Application Level Gateways
Application level gateways can filter packets at the application layer of the OSI model. As they
examine packets at the application layer, they can filter application-specific commands such as
http:post and get. In plain terms, an application level gateways can be configured to be a web
proxy which will not allow any FTP, gopher, Telnet, or other traffic through.
An application-level gateway firewall controls input, output, and/or access across an application
or service. It monitors and possibly blocks the input, output, or system service calls that do not
meet the set firewall policy. Before allowing the connection, it evaluates the network packets
for valid data at the application layer of the firewall.
Traffic is filtered based on specified application rules, applications (e.g. browser) and/or a
protocol (e.g. FTP) or a combination of all of these. Unknown traffic is only allowed up to the
top of the network stack.

Module 07 Page 775 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Application

Network Interface

Incoming Traffic Allowed Outgoing Traffic

Figure 7.47: Application level gateway

The client and server communication does not happen directly; it happens only through a proxy
server. This server acts as a gateway for two-sided communications and drops data packets
acting against the firewall’s policy rules.
= Application-level gateways, also called proxies, concentrate on the application layer
rather than just the packets.
* They perform packet filtering at the application layer and make decisions about whether
or not to transmit the packets.

= A proxy-based firewall asks for authentication to pass the packets as it works at the
application layer.
* Incoming or outgoing packets cannot access services for which there is no proxy. In plain
terms, design of an application-level gateway helps it to act as a web proxy and drop
packets such as FTP, gopher, Telnet, or any other traffic that should not be allowed to
pass through.
= As packet filtering is performed at the application level, it is possible to filter application-
specific commands such as GET or POST requests.
= A content caching proxy optimizes performance by caching frequently accessed
information instead of sending new requests for repetitive data transfers to the servers.
An application-level firewall checks for those packets that do not comply with the filtration
rules. The unauthorized packets are dropped, and authorized packets are forwarded to the
application layer of the destination.

Module 07 Page 776 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Stateful Multilayer Inspection Firewall
’ Application
PP X v. /Trafficisfilteredatthreelevels,
A stateful multilayer inspection b :.
P ased on a wide range of specified
e firewall combines the aspects of the ’ Tcp X ‘. application, session, and packet
other three types filtering rules
Unknown traffic is allowed up to
[ P X v |. level 2 of the network stack
L /N L
They filter packets at the network HI- X Disallowed
- layer, determine whether session Network Interface ’ : Allowed
(/| packets are legitimate and evaluate /
7 the contents of packetsatthe i _
application Iaye' Incoming Traffic

They are expensive and require
@ competent personnel to administer
the device

Copyright © by [ L Al Rights Reserved. Reproduction is Strictly Prohibited

Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine all the aspects of the three types of firewalls
that were previously discussed. These firewalls address the drawbacks of stateless packet-
filtering firewalls. They track and maintain the details of the sessions established between two
hosts. These firewalls use state tables to maintain session information. They inspect the packets
entering the firewall and check whether the packet belongs to an already established session; if
the packet does not belong to any active session, it applies packet-filtering rules to determine
whether to block or allow the packet. They filter packets at the network layer, determine
whether session packets are legitimate, and evaluate contents of packets at the application
layer. They are expensive and require competent personnel to administer them. The packet
filter firewall overcomes its inability to check the packet headers using stateful packet filtering.
Traffic is filtered at three levels, based on a wide range of specified application, session, and
packet filtering rules. Unknown traffic is allowed up to level 2 of the network stack.

Module 07 Page 777 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

| Application X v ‘

TcP X ‘

Y
IP ‘

’ Network Interface : W....................... >
Incoming Traffic Allowed Outgoing Traffic

Figure 7.48: Stateful Multilayer Inspection Firewall

These firewalls eliminate the lack of transparency in application-level gateways as they allow a
direct connection between the client and the host. These firewalls use algorithms to examine,
filter, and process the application-layer data instead of using proxies. Stateful multilayer
inspection firewalls have many advantages such as high level of security, better performance,
and transparency to end users. They are quite expensive because of their complexity.
= Stateful multilayer firewalls can remember the packets that passed through them earlier
and make decisions about future packets based on this information.
= These firewalls provide the best of both packet filtering and application-based filtering.
= Cisco Adaptive Security Appliances contain stateful firewalls.
* These firewalls track and log slots or translations.
They check for those packets that do not comply with the filtration rules and drop them at the
network layer of the protocol stack. The other packets forwarded to the next layer undergo
another layer of filtration to confirm whether the packets are in the proper session. Packets
that are currently not a part of the session are dropped at the TCP layer. Next, packets are
filtered at the application layer, enabling the user to allow only authorized actions at the
firewall.

Module 07 Page 778 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Application Proxy
_'_‘ Corporate network
Application s.
QO An application-level proxy Internet Firewal oty e @’m‘
works as a proxy server and
filters connections for
*u........ g::-:-............................... =.
( i)......... g
N@ réz

specific services
D lt filterS Connections based ‘.".__"_.._"_,,_-:,_"__,,_,__“_..'§ DNS ; Sessssasssnssasessssesenssans %.. [ETTTTTTTTTTTTP PP PP PP

on the services and External network i Internal network
protocols LU
i HTIPS i
Q For example, an FTP proxy iONNT
will only allow FTP. trafficto o
Filters traffic for
’
pass through, while all specific server
other services and
protocols will be blocked

Copyright © by EC iL All Rights Reserved. Reproductionis Strictly Prohibited

Application Proxy
An application-level proxy works as a proxy server and filters connections for specific services. It
filters connections based on the services and protocols. For example, an FTP proxy will only
allow FTP traffic to pass through, while all other services and protocols will be blocked.
It is a type of server that acts as an interface between the user workstation and the Internet. It
correlates with the gateway server and separates the enterprise network from the Internet. It
receives requests from users for services and responds to the original requests only. A proxy
service is an application or program that helps forward user requests (for example, FTP or
Telnet) to the actual services. Proxies are also called application-level gateways as they renew
the connections and act as a gateway to the services. Proxies run on a firewall host that is
either a dual-homed host or some other bastion host for security purposes. Some proxies,
named caching proxies, run for the purpose of network efficiency. They keep copies of the
requested data of the hosts they proxy. Such proxies can provide the data directly when
multiple hosts request the same data. Caching proxies help in reducing load on network
connections whereas proxy servers provide both security and caching.
A proxy service is available between a user on an internal network and a service on an outside
network (Internet) and is transparent. Instead of direct communication between each, they talk
with the proxy and it handles all the communication between user and the Internet service.
Transparency is the key advantage when using proxy services. To the user, a proxy server
presents the illusion that they are dealing directly with the real server whereas the real server
thinks that it is dealing directly with the user.

Module 07 Page 779 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Corporate network
i Applicatio
Firewall Ppi :
Internet Server proxy

™ r= e L]
------- -_-—---llllununno---

e e e.----.

eeennneeeaan.

i P osmTP G
External network : : Internal network
: FTP :
! HTTPS i
i NNTP

Filters traffic for
specific server

Figure 7.49: Application proxy

Advantages
Proxy services can be good at logging because they can understand application
protocols and allow logging in an effective way.
Proxy services reduce the load on network links as they are capable of caching copies of
frequently requested data and allow it to be directly loaded from the system instead of
the network.
Proxy systems perform user-level authentication, as they are involved in the connection.

Proxy systems automatically provide protection for weak or faulty IP implementations
as they sit between the client and the Internet and generate new IP packets for the
client.
Disadvantages
Proxy services lag behind non-proxy services until a suitable proxy software is made
available.
Each service in a proxy may use different servers.
Proxy services may require changes in the client, applications, and procedures.
The complexity of application proxies makes them vulnerable to various attacks such as
DosS.

If the proxy is not configured for SSL/TLS inspection, it cannot filter or examine
encrypted packets.

Module 07 Page 780 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Network Address Translation (NAT)

0010 §0 100100
o0 181110300.
30300100012 : P:d":‘e ol Public 1P
~rayn i IPID: 192.168.168.2 ress Address

O Network address translation separates IP addresses into two sets
i! ’
v
192.168.168.1
v
200.0.0.45
and enables the LAN to use these addresses for internal and : [:] 4
external traffic respecfivelv. “.............. -. PR e~ STTTTIIIICID

: " Switch o
O It also works with a router, the same as packet filtering does; NAT | 1pp: 192.168.168.3 Internet
will also modify the packets the router sends at the same time

O 1t has the ability to change the address of the packet and make it
appear to have arrived from a valid address ‘\‘ D ’

Q 1t limits the number of public IP addresses an organization can use
e IPID: 192.168.168.2

Copyright © by L All Rights Reserved. Reproductionis Strictly Prohibited

Network Address Translation (NAT)
Network address translation separates IP addresses into two sets and enables the LAN to use
these addresses for internal and external traffic, respectively. A NAT helps hide an internal
network layout and forces connections to go through a choke point. It works with the help of a
router, helping to send packets and modifying them. When the internal machine sends the
packet to the outside machine, NAT modifies the source address of the particular packet to
make it appear as if it is coming from a valid address. Similarly, when the outside machine
sends the packet to the internal machine NAT modifies the destination address to turn the
visible address into the correct internal address. It limits the number of public IP addresses an
organization can use. It can act as a firewall filtering technique where it allows only those
connections which originate on the inside network and will block the connections which
originate on the outside network. NATs can also modify the source and destination port
numbers. NAT systems use the following schemes for translating between internal and external
addresses:
= One external host address is assigned for each internal address, and the same
translation is always applied. This scheme slows down connections and does not provide
any savings in address space. This type of mapping is also known as 1:1 mapping and can
be either static or dynamic.
= An external host address is dynamically allocated without modifying the port numbers
at the time when the internal host initiates a connection. This scheme restricts the
number of internal hosts that can simultaneously access the Internet to the number of
available external addresses.
= A fixed mapping is created from internal addresses to externally visible addresses, and
port mapping is used such that multiple internal machines use the same external

Module 07 Page 781 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

address. This type of mapping is also known as overloaded NAT or network address port
translation (NAPT).
A pair of an external host address and a port is dynamically allocated each time an
internal host initiates a connection. This scheme has the highest possible efficiency in
the use of external host addresses.
A router’s IP address is used to communicate with external hosts and to forward
incoming packets to a different IP address. That is, the router processes the requests
originating from the Internet for a particular application and forwards them to the
target application server residing inside a DMZ or internal network. This mapping is
known as destination NAT or port forwarding.

E‘., kL Private
dad IP Public IP
IPID: 192.168.168.2 -, Address Address

NV v
P “, 192.168.168.1 200.0.0.45
‘};\\\(‘.............
———
HCICICRC SEEEEEREEE &...........

,.".Switch
o NAT
o Internet
IP1D: 192.168.168.3

&
IP ID: 192.168.168.2

Figure 7.50: Illustration of network address translation

Advantages
NAT help enforce the firewall's control over outbound connections.
It restricts incoming traffic and allows only packets that are part of a current interaction
initiated from the inside.
It helps hide the internal network's configuration and thereby reduces vulnerability of
the network or system from outside attacks.
Disadvantages
The NAT system has to guess how long it should keep a particular translation, which is
impossible to
correctly guess every time.

NAT interferes with encryption and authentication systems that ensure security of the
data.
Dynamic allocation of ports may interfere with packet filtering.

Module 07 Page 782 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Virtual Private Network

A VPN is a private network VPN Router / e VPN Router /
constructed using public networks, Firewall Firewall
such as the Internet

It is used for the secure transmission VPN Tunnel
of sensitive information over an
untrusted network, using
encapsulation and encryption

It establishes a virtual point-to-
point connection through the use of
dedicated connections

The computing device running the
VPN software can only access the VPN Pri VoRS roRwor k PriTusto Retwor k

Copyright © by | L All Rights Reserved. Reproduction
is Strictly Prohibited.

Virtual Private Network

A VPN is a private network constructed using public networks, such as the Internet. It is used
for the secure transmission of sensitive information over an untrusted network, using
encapsulation and encryption. It establishes a virtual point-to-point connection through the use
of dedicated connections. The computing device running the VPN software can only access the
VPN.
It is used for connecting Wide Area Networks (WAN). VPN allows computers of one network to
connect to computers on another network. It employs encryption and integrity protection to
enable utilization of a public network as a private network. A VPN performs encryption and
decryption outside the packet-filtering perimeter to allow the inspection of packets coming
from other sites; it encapsulates packets sent over the Internet. A VPN combines the
advantages of both public and private networks. They have no relation to firewall technology,
but firewalls are convenient tools for adding VPN features as they help in providing secure
remote services. Any VPN that runs over the Internet employs the following principles:
= Encrypts all traffic
= Checks for integrity protection
= Encapsulates new packets, which are sent across the Internet to something that reverses
the encapsulation
= Checks for integrity
= Finally, decrypts the traffic

Module 07 Page 783 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

VPN Router / VPN Router/. Internet.
Firewall Firewall

7 (7
) ULl VPN Tunnel

Private network
) #
Private network

Figure 7.51: Virtual private network

Advantages

VPNs provide several security advantages, and they are listed below:
= A VPN hides all the traffic that flows through it, ensures encryption, and protects the
data from snooping.
= |t provides remote access for protocols while also defending against outside attacks.
Disadvantages
= As a VPN runs on a public network, the user remains vulnerable to an attack on the
destination network.

Module 07 Page 784 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Q Next generation firewall (NGFW) firewall technology is third-generation
firewall technology that moves beyond port/protocol inspection 1

QO In addition to traditional firewall capabilities, NGFW firewall technology
has the capability to inspect traffic based on packet content

O Typical NGFW capabilities:
Deep packet inspection (DPI)
N

Encrypted traffic inspection
N

QoS/bandwidth management
N

Threat intelligence integration
T

Integrated intrusion prevention system
N

Advanced threat protection
N

Application control
N
AN

Antivirus inspection

Next Generation Firewall (NGFW)
An NGFW is a third-generation network security device that provides firewalling, intrusion
prevention, and application control. In addition to traditional firewall capabilities, NGFW
firewall technology has the capability to inspect traffic based on packet content. It offers
packet filtering and proxy-based decision making within layers 3 and 4. It also expands its
protection at the application layer (layer 7).
Features of NGFW
= Application awareness and control
= User-based authentication
= Malware protection
= Stateful inspection
= Integrated IPS
= |dentity awareness (user and group control)
= Bridged and routed modes
= Ability to utilize external intelligence sources
Typical NGFW capabilities
= Deep packet inspection (DPI)
= Encrypted traffic inspection
= QoS/bandwidth management

Module 07 Page 785 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Threat intelligence integration
Integrated intrusion prevention system
Advanced threat protection
Application control
Antivirus inspection

Advantages
Application-level security: It provides application security functions such as IDS and IPS
for improved packet-content filtering.
Single console access: It can be accessed from a single console whereas traditional
firewalls require manual setup and configuration.
Multilayered protection: It provides multilayered protection by inspecting traffic from
layers 2-7.
Simplified infrastructure: It acts as the single authorized device for managing and
updating security protocol.
Optimal use of network speed: In traditional firewalls, the network speed decreases
with increase in security protocol and devices, whereas with NGFW the potential
throughput is consistently achieved irrespective of increase in the number of security
protocols and devices.

Antivirus, ransomware and spam protection, and endpoint security: NGFWs come as
complete packages with antivirus, ransomware and spam protection, and endpoint
security. Hence, there is no need for separate tools to monitor and control cyber
threats.

Capability to implement role-based access: NGFW detects user identity, which helps
the organization set role-based access to their data and content. It can also work with
different user roles and limit the scope of access for a user/group.

Module 07 Page 786 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Firewall Capabilities

— Prevent network scanning

— Performs user authentication

~Filters packets, services, and protocols

Firewall Capabilities
Be aware of a firewall’s capabilities before planning for implementation. By knowing the
capabilities of different types of firewalls, you will be able to decide what type to implement or
whether a different security control or solution better suits your needs.