Firewalls and the OSI Model


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Now like I had said, I really think looking at firewalls in the context of the OSI model helps us understand both firewalls and the OSI model a little bit better. Let's go ahead and talk about how they can show me the significance of the OSI model. We're going to look at three types of firewalls, stateless, stateful, and application firewalls, and then we're going to wrap up and talk about the best practices.

We have three types of firewalls. One operates at Layer 3, one operates at Layer 5, and one operates at Layer 7. Let's focus on Layer 3 first of all, and that's the network layer. Here, you'll hear the term packet filtering, you'll hear stateless inspection. What a Layer 3 firewall usually is, is a router with some access control list written on it. It's not a separate device. This is usually the router that connects you out to the Internet, and it's usually your first line of defense. A screening router is like the bouncer outside of the club. A screening router's job is to keep what's obviously riffraff away from the network. Malformed packet, get out of here; traffic from the 10 network, get out of here; just very quick decision-making of what's allowed to the next stage and what isn't. Its primary job is to be fast, but it doesn't do any type of deep inspection.

As a matter of fact, let's talk about what happens at Layer 3. Remember, at Layer 3 we use IP addresses. A Layer 3 firewall can make decisions based on IP address, source and destination. Traffic to IP address 10.1.1.1, block. Traffic from 192.168.1.1, allow. That's Layer 3 stuff. Now at Layer 4, and we really didn't talk about it much, but at Layer 4, port information is added also. Usually, devices can look below; they can't usually look above in the OSI model. But in this case, our network layer firewalls actually do peek just a little bit into the Layer 4 header for port numbers. A stateless firewall could also be called a packet filter or screening router. A Layer 3 router can make decisions on source and destination IP address, source and destination port, and then whether or not it uses TCP or UDP. If I want to block traffic on Port 80, my network layer firewall can do that for me. If I want to allow traffic on Port 443, we can do that.

Now here's the problem. We don't get to block misbehaving traffic. We can only block all or none. For instance, we had talked about the handshaking process that's done with TCP. We talked about the three-way handshake, that SYN, SYN-ACK, ACK. One attack that's common, or that used to be common, is something called the SYN flood. Basically, what happens when a host connects to you with the TCP SYN packet? That basically says, hey, I'm going to send you something, and your system opens up a little area in RAM to process what I'm going to send you. If I continue to send you SYN packets, you continue to open up space in memory to process what I'm sending, and if I keep doing that long enough, I'll fill up your available memory. That shouldn't happen. But with a Layer 3 firewall, all I could do to defend against that would be to block TCP, and TCP is required for so many services and protocols that if you block TCP, you'll bring your network to a halt. Well, I don't want to block TCP, I want to block misbehaving TCP. Well, you can't do it with Layer 3. Remember, Layer 3's job is to provide very quick filtering of packets at a fairly superficial level, but again, it really does get rid of a lot of traffic that doesn't meet the minimum requirements. If I want to get more particular, I need to go to another firewall.

The next firewall we're going to go to is Layer 5, the session layer. Layer 5 firewalls do stateful filtering, meaning, at this level, they're aware of the state of the connection. Here's what I mean. I want to block what we refer to as unsolicited replies. For instance, when I send a DNS query out to the Internet, I expect a response. I want a reply. But if I don't send a DNS query, I don't want replies to come through from out on the Internet. There's no reason for a host out on the Internet to be answering replies to questions I've never asked. Those unsolicited replies can be ways that my cache gets polluted, my records get messed up, so I don't want unsolicited replies. Remember, if I use the Layer 3 firewall, all I could do would be block DNS. But I don't want to block DNS. I want DNS to come through, but I don't want unsolicited replies. With a Layer 5 firewall, a session layer firewall, it keeps track of who initiated the session, and because the session initiated with me sending out a query, that firewall will allow the corresponding response. That's a big step above Layer 3. Also, Layer 5 protocols understand lower layers. I was worried about that misbehaving TCP communication. We couldn't block it at Layer 3, but we can at Layer 5. Layer 5 can understand everything below it, so we can also block traffic on IP address and port number and so on. It can also block based on protocols that are not behaving according to their RFC, essentially misbehaving protocols, protocols that are not behaving according to the rules. We gain a lot of improvement just by going up the OSI model to Layer 5, and again, session layer is Layer 5, we're looking at session layer stuff.

But where I really get the intelligence is up at Layer 7. Layer 7 has my application layer proxies and firewalls. Now I'll tell you, you'll hear proxies, application proxies, firewalls; they're ultimately really the same thing. We're talking about devices that have a deep understanding of specific application layer protocols and can make in-depth decisions on how those protocols work and on the contents. For instance, yeah, I can block traffic based on IP address, Layer 3. I can make sure that protocols are behaving according to their requirements at Layer 5. But at Layer 7, that's where I can allow or deny traffic based on time, based on Active Directory group membership. I can block downloads from servers that don't have certificates or certificates signed by trusted authorities. I really get very strong capabilities up at Layer 7. I can block traffic that has malformed HTTP headers. Lower layer firewalls don't understand the HTTP protocol, but a Layer 7 Web Application Firewall absolutely understands. We can block things that are likely to lead to cross-site scripting or other malicious attacks, code injection. We get the real intelligence up at Layer 7.

Now when I'm talking about firewalls, or specifically really proxies, in firewalls as well, there are two things that we want to consider. I want to control what people inside my network can do outside, and I want to control what people outside the network can do inside. We have forward proxies and reverse proxies. If I'm trying to prevent or limit what people outside my network can do coming inside, so a malicious user out on the Internet sending a denial-of-service into my LAN, that's a reverse proxy. If I want to control what internal users can do out on the Internet, or at least monitor it, that's a forward proxy. Layer 7 firewalls can do a forward proxy, can do a reverse proxy. They have a wide range of criteria they can make their decisions on, and this is what really gives me the greatest capability, but it's at the cost of speed. Lower down the OSI model, I get fewer decisions, but I get speed. When I go up the OSI model, I tend to lose speed but gain intelligence. Also, a lot of devices at the upper layer can be very costly as well. That's not always, but that's just a rule of thumb.

We talked about firewalls in the OSI model and that helped us put firewalls and the OSI model in a little bit of context. Firewalls filter based on rules. Firewalls operate at Layers 3, 5, and 7. Layer 3 firewalls have access to what's in a Layer 3 header, Layer 5 firewalls have access to that session information that's in the Layer 5 header, and Layer 7 firewalls have access directly to the data, which is why we can filter based on content.