N10-007 Given a scenario, install and configure a basic firewall

Firewalls

A firewall protects a private network from unauthorized users on a public network. Firewalls can be software or hardware based. A hardware firewall has at least two network interfaces, one connected to the public network and one connected to the private network. Packets arriving from the outside, or leaving from the inside, are examined against the firewall's rules, and any packet that is not permitted by those rules is dropped.

Types of firewalls:

Firewalls fall into two broad categories:

  • Network based firewall
  • Host based firewall

Network based firewall

A firewall that runs on dedicated hardware placed in the network path is called a network based firewall. These are basically hardware based appliances.

Host based firewall

A firewall that resides on the computer it protects (Windows Firewall is a common example) is called a host based firewall. These are basically software based.

Software vs hardware

Firewalls are an integral part of network design today. A firewall is a network device, implemented in software or hardware, that is responsible for controlling access to the network. This keeps a check on outside threats and, as a result, data and resources are better protected. It is best to place firewalls at the points of entry and exit of the network. Firewalls can also be used to control access between two specific points on the same network, for example between two internal segments.

Software Firewalls: These are implemented on a general-purpose operating system such as a Linux or Windows server (a NOS, Network Operating System). Once configured, the firewall allows only certain types of traffic to pass. For smaller setups, a software firewall is often installed on the local system itself.
Hardware Firewalls: Hardware firewalls are dedicated devices that can be configured to offer protection from outside sources. They are typically used in combination with other devices (routers, switches, IDS/IPS) and are found in both small and large networks.

Application aware/context aware

The new generation of firewalls, such as SonicWall Inc.’s E-Class and McAfee Inc.’s Firewall Enterprise, are far more context-aware, enabling network administrators to fine-tune network traffic rules. The key features include:

  • Real-time visualization: Create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Monitor how rule changes affect productivity and security and really understand how your network is being used.
  • Greater levels of granular control: Apply rules to specific applications rather than trying to rely on generic port or protocols. Ensure critical applications such as Microsoft SharePoint and Salesforce.com get the bandwidth required and review the impact of rule changes via live graphs.
  • Easy implementation of complex rules: Avoid draconian “block all” rules and use more flexible ones, such as “Facebook but no Farmville,” and “Facebook can only use less than 10% of connections and bandwidth during business hours.” Also restrict access to certain applications to specific groups or users.
  • Automatic signature updates: Block dynamically changing applications such as P2P, designed to evade firewall rules, with automatic updates of application signatures regardless of the port or protocol being used.
  • Control data transfers: Warn users with messages whenever they try to transfer specific files and documents that conflict with policy.

The introduction of real-time visualization makes implementing and regulating such specific rules much easier. Visualization of network traffic makes it easier to create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Rules can be applied to specific applications rather than trying to rely on generic port or protocols and the business impact of rule changes can be reported back via live graphs.

These next-generation capabilities of enterprise application-aware firewalls work alongside the standard gateway antivirus, antispyware and intrusion prevention features of standard firewalls or UTM appliances. It takes a lot of processing power to deliver this level of insight and control, because traffic payloads are evaluated in real time as they enter and exit the network. Even though these firewalls run on multi-core processors, it is important to confirm that they can handle your current and future network traffic loads before deploying them.

For high-volume networks, it still pays to install firewalls that specialize in different layers. Network firewalls can filter large amounts of traffic, catching the port scanning, denial-of-service and other low-level network attacks, leaving the application-aware firewalls to control acceptable use of today’s complex Web applications. This way, the right balance between performance and in-depth analysis can be achieved from an organization’s firewall infrastructure.

Stateful vs stateless inspection

When talking about firewalls, two terms often come up: stateful and stateless. They differentiate how a firewall decides what to let through. A stateless firewall, sometimes called a packet-filtering firewall, examines each packet and restricts or allows it based on static criteria in the packet header (addresses, protocol, ports, TCP flags). Stateless firewalls look at each packet in isolation and therefore do not know whether that packet belongs to an existing connection. Essentially, stateless firewalls do not see the big picture or "state" of the data flow, only the individual packets; to let replies to outbound connections back in, they need permanent rules that also admit any attacker-crafted packet with the same header pattern. Today, stateful firewalls are far more common. A stateful firewall tracks the state of each network connection from beginning to end in a connection (state) table, keyed on the source and destination addresses, the protocol and the TCP or UDP port numbers. It refuses unsolicited incoming traffic that does not match a dynamic entry in that table or a preconfigured exception rule, while replies to connections opened from the inside are allowed automatically.
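The difference described above, as an added Python example (not code from the original page or from any firewall vendor): the same constructed packet sequence is run through a stateless filter, which needs a permanent "ACK set, high destination port" rule to admit replies, and through a stateful filter that keeps a connection table. The addresses (10.0.0.0/8 as the private side, 203.0.113.0/24 and 198.51.100.0/24 as the outside), the three-rule policy and the simplified TCP state machine are assumptions chosen for illustration.

```python
"""Stateless packet filter vs. stateful connection tracking (added example)."""
from dataclasses import dataclass

WEB_SERVER = "10.0.0.80"          # hypothetical published web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset              # TCP flags, e.g. frozenset({"SYN"})


def is_inside(ip: str) -> bool:
    """Crude test for the private side of the firewall (assumed 10.0.0.0/8)."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Each packet is judged on its own header fields only.

    With no memory of the outbound connection, replies have to be admitted
    by a static rule ("inbound, ACK set, high destination port"). That rule
    cannot tell a genuine reply from an ACK packet an attacker crafts.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "permit"                          # outbound traffic
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        if "ACK" in pkt.flags and pkt.dport >= 1024:
            return "permit"                      # "established" approximation
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "permit"                      # published service
    return "deny"                                # implicit deny


class StatefulFirewall:
    """Tracks connections so only replies to known sessions are admitted."""

    def __init__(self) -> None:
        self.table = {}   # 4-tuple in the direction the session was opened -> state

    @staticmethod
    def _fwd(pkt: Packet) -> tuple:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt: Packet) -> tuple:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet) -> str:
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            # Simplified TCP tracking: SYN/ACK completes the handshake, FIN/RST closes.
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                del self.table[key]
            elif key == rev and self.table[key] == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
            return "permit"                      # belongs to a tracked session
        # No session: only a genuine connection opener (SYN alone) may create one.
        if pkt.flags != frozenset({"SYN"}):
            return "deny"                        # mid-stream packet with no state
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.table[fwd] = "SYN_SENT"         # outbound connection
            return "permit"
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            self.table[fwd] = "SYN_RECV"         # inbound to the published service
            return "permit"
        return "deny"


def compare(packets):
    """Run one packet sequence through both filters; return (stateless, stateful) verdicts."""
    stateful = StatefulFirewall()
    return [(stateless_filter(p), stateful.inspect(p)) for p in packets]


# Constructed packet sequence (not captured traffic)
SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.9", 443, frozenset({"SYN"})),         # client opens HTTPS
    Packet("203.0.113.9", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"})),  # genuine reply
    Packet("198.51.100.7", 443, "10.0.0.5", 50001, frozenset({"ACK"})),        # crafted ACK, no session
    Packet("198.51.100.7", 40000, WEB_SERVER, 80, frozenset({"SYN"})),         # visitor to web server
    Packet("198.51.100.7", 40001, "10.0.0.5", 3389, frozenset({"SYN"})),       # unsolicited RDP attempt
]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}: "
              f"stateless={sl} stateful={sf}")
```

The third packet is the one to look at: the stateless filter permits it because its header matches the static "reply" rule, while the stateful filter drops it because no tracked session exists for that 4-tuple and a lone ACK cannot open one. Both filters agree on everything else.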

UTM

In the broadest sense of the term, any freestanding device that operates in a largely self-contained manner is considered to be an appliance. An all-in-one security appliance, also known as Unified Threat Management (UTM) and often marketed as a Next Generation Firewall (NGFW), provides a good foundation for security. When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a UTM. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with and, typically, reduced complexity. The disadvantages include a potential single point of failure, dependence on the one vendor, and the fact that every inspection feature you enable consumes processing capacity on the same box.

Settings/techniques

ACLs (access control lists) are used for packet filtering: an ACL decides which network resources a user or host may reach. An ACL is a sequential list of statements that tells the router which packets to permit and which to discard. ACLs are read sequentially, top to bottom: as soon as a packet matches a statement it is permitted or denied according to that statement and no later statement is consulted, so the order of the statements matters. A packet that matches no statement is dropped by the implicit deny at the end of the list. An ACL enforces what traffic may pass, but who is allowed to do what is defined by an access control model. There are three common access control models:

1) Mandatory
2) Discretionary
3) Role based

Mandatory Access Control (MAC): In this model every resource is assigned a label that defines its security level and every user is assigned a clearance. If the user accessing the resource does not hold the required clearance, access is denied, and neither the user nor the resource owner can change the labels; only the administrator can. It is among the oldest formal security models.

Discretionary Access Control (DAC): In this model the owner of a resource decides which users are granted access to it and what they may do with it. Access is at the resource owner's discretion, which is why the model is called discretionary.

Role Based Access Control (RBAC): This is the most popular model used for file sharing. RBAC grants access based on the user's role in the organisation. Users with similar access needs are placed in the same group and permissions are assigned to the group rather than to individuals. For example, a group called Students might be given access only to the files folder on the university network, so every student inherits exactly that access and nothing more.

IP filtering: An ACL that filters on IP addresses permits or denies IP packets based on their source and/or destination address (and, in extended ACLs, the protocol and port numbers). This kind of ACL works at layer 3, the network layer.

MAC filtering: To permit or deny specific systems on a LAN we implement MAC-based ACLs, which work at layer 2. MAC filtering permits or denies access to the network based on the MAC address of the system. To implement MAC filtering we need the MAC addresses of the hosts in advance, and it should not be relied on as a strong control on its own, because a host can easily change (spoof) its MAC address.

Virtual wire vs routed

A virtual wire deployment uses the same technique as an inline intrusion prevention system (IPS), but applied to a Palo Alto Networks firewall. It is also known as "bump in the wire": a pair of physical interfaces is bound together as a single "wire", so from the point of view of the switch and the router on either side there is no firewall at all, only a single cable connecting them. The firewall has no IP address on those interfaces and takes no part in routing; it simply inspects and enforces policy on whatever passes between the two ports.

Figure 69 – A pair of interfaces is paired together to form one single “wire”, one interface is trusted and the other untrusted

Firewalls from other vendors that I have used offer a routed mode (the firewall has IP addresses on its interfaces and forwards between subnets like a router) and a transparent mode; virtual wire is similar to transparent mode. A Palo Alto Networks firewall in virtual wire mode can transport VLAN tags like a trunk link. There is also a "default-wire", which likewise pairs two Ethernet interfaces but carries only untagged VLAN traffic.

DMZ

A DMZ (demilitarized zone) is a separate network of shared servers and hosts that provide services both to the inside network and to the outside. The firewall configuration allows access from the outside to the published services in the DMZ (for example a public web server), while access from the DMZ to the inside network is limited to replies for sessions that originated on the inside. If a DMZ host is compromised, the attacker therefore still has no direct access to the internal network.

Implicit deny

An implicit deny means that if access has not been explicitly granted, it is denied. If you explicitly say that you will allow traffic in on ports 21, 80 and 443, then all ports not mentioned are implicitly denied. The entity (traffic in this case) is denied because it does not appear on the list of accepted entities. Although implicit deny is usually discussed for firewall configuration, the same principle applies to an access control list (ACL), a MAC address filter or any similar configuration option, and it is the reason a rule set containing only permit statements is still secure by default.
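The sequential, first-match evaluation described in the ACL section above and the implicit deny described here, as one added Python example (not code from the original page or from any router vendor). The entry format, the sequence numbers, the addresses (192.0.2.10 as the server, 198.51.100.0/24 as a subnet that should be blocked) and the MAC address are assumptions for illustration; the example also adds a shadow check, which finds entries that can never fire because an earlier entry already covers them.

```python
"""Ordered ACL: first-match evaluation, implicit deny and shadowed-entry check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    src: str = "any"                # CIDR or "any"   (layer 3 filter)
    dst: str = "any"
    dport: Optional[int] = None     # None = any destination port
    src_mac: Optional[str] = None   # layer 2 filter, None = any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        if self.src_mac is not None and self.src_mac.lower() != pkt.get("src_mac", "").lower():
            return False
        return True

    def covers(self, other: "Entry") -> bool:
        """True if every packet matched by `other` is also matched by this entry."""
        def net_covers(a: str, b: str) -> bool:
            if a == "any":
                return True
            if b == "any":
                return False
            return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
        return (
            (self.proto == "any" or self.proto == other.proto)
            and net_covers(self.src, other.src)
            and net_covers(self.dst, other.dst)
            and (self.dport is None or self.dport == other.dport)
            and (self.src_mac is None or self.src_mac == other.src_mac)
        )


def evaluate(acl, pkt: dict):
    """Walk the ACL in sequence order; the first matching entry decides.
    A packet matching nothing falls to the implicit 'deny any', reported as seq None."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry.matches(pkt):
            return entry.action, entry.seq
    return "deny", None


def shadowed(acl):
    """Sequence numbers of entries that can never fire, because an earlier entry
    already matches every packet they would match."""
    ordered = sorted(acl, key=lambda e: e.seq)
    return [later.seq for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Constructed ACL: the page's "permit 21, 80, 443 and implicitly deny the rest",
# a MAC-based block for one host, and a deliberately misplaced deny at seq 40.
ACL = [
    Entry(5,  "deny",   src_mac="00:11:22:33:44:55"),                  # layer 2 block, placed first
    Entry(10, "permit", "tcp", dst="192.0.2.10/32", dport=21),
    Entry(20, "permit", "tcp", dst="192.0.2.10/32", dport=80),
    Entry(30, "permit", "tcp", dst="192.0.2.10/32", dport=443),
    Entry(40, "deny",   "tcp", src="198.51.100.0/24", dst="192.0.2.10/32", dport=80),  # never reached
]

# Constructed packets (not captured traffic)
SAMPLE = [
    {"proto": "tcp", "src": "203.0.113.4",  "dst": "192.0.2.10", "dport": 443, "src_mac": "aa:bb:cc:00:00:01"},
    {"proto": "tcp", "src": "203.0.113.4",  "dst": "192.0.2.10", "dport": 22,  "src_mac": "aa:bb:cc:00:00:01"},
    {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.10", "dport": 80,  "src_mac": "aa:bb:cc:00:00:02"},
    {"proto": "tcp", "src": "203.0.113.4",  "dst": "192.0.2.10", "dport": 80,  "src_mac": "00:11:22:33:44:55"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p['src']} -> {p['dst']}:{p['dport']} {evaluate(ACL, p)}")
    print("shadowed entries:", shadowed(ACL))
```

Run shadowed() before pushing any ACL: entry 40 is meant to keep 198.51.100.0/24 away from the web server, but entry 20 already permits all TCP port 80 traffic to that host, so the third sample packet is permitted by seq 20 and entry 40 never fires. To take effect it has to be moved above entry 20, which is exactly the ordering mistake sequential evaluation makes easy to commit.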

Block/allow

Because you can make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed:

  • Authenticated bypass. These are rules in which the Override block rules option is selected. These rules allow matching network traffic that would otherwise be blocked. The network traffic must be authenticated by using a separate connection security rule. You can use these rules to permit access to the computer to authorized network administrators and authorized network troubleshooting devices.
  • Block connection. These rules block all matching inbound network traffic.
  • Allow connection. These rules allow matching inbound network traffic. Because the default behavior is to block unsolicited inbound network traffic, you must create an allow rule to support any network program or service that must be able to accept inbound connections.
  • Default profile behavior. The default behavior is to block unsolicited inbound network traffic, but to allow all outbound network traffic. You can change the default behavior on the Domain Profile, Private Profile, and Public Profile tabs of the Windows Firewall with Advanced Security Properties dialog box.

As soon as a network packet matches a rule, that rule is applied, and processing stops. For example, an arriving network packet is first compared to the authenticated bypass rules. If it matches one, that rule is applied and processing stops. The packet is not compared to the block, allow, or default profile rules. If the packet does not match an authenticated bypass rule, then it is compared to the block rules. If it matches one, the packet is blocked, and processing stops, and so on.

Inbound Rule

Inbound rules explicitly allow, or explicitly block, inbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if IPsec does not secure it. When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on TCP port 80.

You can also configure the default action that Windows Firewall with Advanced Security takes, whether connections are allowed or blocked, when no inbound rule applies.

Outbound Rule

Outbound rules explicitly allow, or explicitly block, network traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers. Because outbound traffic is allowed by default, you typically use outbound rules to block network traffic that you do not want.

You can also configure the default action that Windows Firewall with Advanced Security takes, whether outbound connections are allowed or blocked, when no outbound rule applies.
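The processing order from the Block/allow section (authenticated bypass, then block, then allow, then the profile default) together with the inbound and outbound defaults described above, modelled as an added Python example. This is an illustration of the documented evaluation order, not Microsoft's code, and the rule set, the profiles and the addresses (192.0.2.0/24 as an admin subnet, 203.0.113.7 as a host to block outbound) are assumptions.

```python
"""Windows Firewall with Advanced Security rule evaluation order, modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROFILES = ("domain", "private", "public")

# Default profile behaviour: unsolicited inbound is blocked, outbound is allowed.
DEFAULTS = {p: {"in": "block", "out": "allow"} for p in PROFILES}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                      # "in" or "out"
    action: str                         # "allow", "block" or "bypass"
                                        # (bypass = allow with "Override block rules" selected)
    proto: str = "any"
    local_port: Optional[int] = None    # None = any local port
    remote: str = "any"                 # remote address as CIDR, or "any"
    profiles: frozenset = frozenset(PROFILES)

    def matches(self, conn: dict) -> bool:
        return (
            self.direction == conn["direction"]
            and conn["profile"] in self.profiles
            and (self.proto == "any" or self.proto == conn["proto"])
            and (self.local_port is None or self.local_port == conn.get("local_port"))
            and (self.remote == "any"
                 or ipaddress.ip_address(conn["remote"]) in ipaddress.ip_network(self.remote))
        )


def decide(rules, conn: dict):
    """Return (decision, name of the rule or profile default that decided)."""
    hits = [r for r in rules if r.matches(conn)]
    # 1. Authenticated bypass: inbound only, and only when a connection security
    #    rule has already authenticated the peer (modelled by conn["authenticated"]).
    if conn["direction"] == "in" and conn.get("authenticated", False):
        for r in hits:
            if r.action == "bypass":
                return "allow", r.name
    # 2. Block rules win over allow rules, whatever their position in the list.
    for r in hits:
        if r.action == "block":
            return "block", r.name
    # 3. Allow rules. A bypass rule whose peer was not authenticated does not apply.
    for r in hits:
        if r.action == "allow":
            return "allow", r.name
    # 4. Nothing matched: the profile's default behaviour decides.
    return DEFAULTS[conn["profile"]][conn["direction"]], "default:" + conn["profile"]


# Constructed rule set: an allow and a block for RDP that appear to conflict,
# an authenticated override for administrators, a web server allow, and an outbound block.
RULES = [
    Rule("Allow RDP from admin subnet", "in", "allow", "tcp", 3389, "192.0.2.0/24", frozenset({"domain"})),
    Rule("Block RDP", "in", "block", "tcp", 3389),
    Rule("Admin RDP override (IPsec)", "in", "bypass", "tcp", 3389, "192.0.2.0/24"),
    Rule("Web server", "in", "allow", "tcp", 80),
    Rule("Block outbound to 203.0.113.7", "out", "block", remote="203.0.113.7/32"),
]

# Constructed connection attempts (not captured traffic)
SAMPLE = [
    {"direction": "in", "profile": "domain", "proto": "tcp", "local_port": 3389,
     "remote": "192.0.2.15", "authenticated": False},     # plain RDP from the admin subnet
    {"direction": "in", "profile": "domain", "proto": "tcp", "local_port": 3389,
     "remote": "192.0.2.15", "authenticated": True},      # same, over an IPsec-secured connection
    {"direction": "in", "profile": "public", "proto": "tcp", "local_port": 8080,
     "remote": "198.51.100.20"},                          # unsolicited inbound, no rule
    {"direction": "in", "profile": "public", "proto": "tcp", "local_port": 80,
     "remote": "198.51.100.20"},                          # web traffic
    {"direction": "out", "profile": "domain", "proto": "tcp", "local_port": 50123,
     "remote": "203.0.113.8"},                            # ordinary outbound
    {"direction": "out", "profile": "domain", "proto": "tcp", "local_port": 50124,
     "remote": "203.0.113.7"},                            # blocked destination
]


def run_sample():
    return [decide(RULES, c) for c in SAMPLE]


if __name__ == "__main__":
    for conn, (verdict, why) in zip(SAMPLE, run_sample()):
        print(f"{conn['direction']:3} {conn['profile']:7} {conn['proto']}/{conn['local_port']} "
              f"{conn['remote']:14} -> {verdict:5} ({why})")
```

The first two connections show why an allow rule is not enough on its own: the block rule for RDP wins over "Allow RDP from admin subnet" no matter which was created first, and only the bypass rule, which requires the peer to have been authenticated by a connection security rule, gets past it. The third connection hits no rule and is stopped by the inbound default, while the fifth is passed by the outbound default, which is why outbound rules are normally written to block rather than to allow.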