Firewalls and the OSI Model

Video Activity

Difficulty
Advanced
Video Transcription
Now, like I had said, I really think looking at firewalls in the context of the OSI model helps us understand both firewalls and the OSI model a little bit better. Let's go ahead and talk about how they can show me the significance of the OSI model. We're going to look at three types of firewalls: stateless, stateful, and application firewalls, and then we're going to wrap up and talk about the best practices.

We have three types of firewalls. One operates at Layer 3, one operates at Layer 5, and one operates at Layer 7. Let's focus on Layer 3 first of all, and that's the network layer. Here, you'll hear the term packet filtering, you'll hear stateless inspection. What a Layer 3 firewall usually is, is a router with some access control list written on it. It's not a separate device. This is usually the router that connects you out to the Internet, and it's usually your first line of defense.

A screening router is like the bouncer outside of the club. A screening router's job is to keep what's obviously riffraff away from the network. Malformed packet, get out of here; traffic from the 10 network, get out of here. Just very quick decision-making of what's allowed to the next stage and what isn't. Its primary job is to be fast, but it doesn't do any type of deep inspection.

As a matter of fact, let's talk about what happens at Layer 3. Remember, at Layer 3 we use IP addresses. A Layer 3 firewall can make decisions based on IP address, source and destination. Traffic to IP address 10.1.1.1, block. Traffic from 192.168.1.1, allow. That's Layer 3 stuff. Now at Layer 4, and we really didn't talk about it much, but at Layer 4, port information is added also. Usually, devices can look below; they can't usually look above in the OSI model. But in this case, our network layer firewalls actually do peek just a little bit into the Layer 4 header for port numbers.

A stateless firewall could also be called a packet filter or screening router. A Layer 3 router can make decisions on source and destination IP address, source and destination port, and then whether or not it uses TCP or UDP. If I want to block traffic on port 80, my network layer firewall can do that for me. If I want to allow traffic on port 443, we can do that.

Now here's the problem. We don't get to block misbehaving traffic. We can only block all or none. For instance, we had talked about the handshaking process that's done with TCP. We talked about the three-way handshake, that SYN, SYN-ACK, ACK. One attack that's common, or that used to be common, is something called the SYN flood. Basically, what happens when a host connects to you with a TCP SYN packet? That basically says, hey, I'm going to send you something, and your system opens up a little area in RAM to process what I'm going to send you. If I continue to send you SYN packets, you continue to open up space in memory to process what I'm sending, and if I keep doing that long enough, I'll fill up your available memory. That shouldn't happen. But with a Layer 3 firewall, all I could do to defend against that would be to block TCP, and TCP is required for so many services and protocols that if you block TCP, you'll bring your network to a halt. Well, I don't want to block TCP, I want to block misbehaving TCP. Well, you can't do it with Layer 3. Remember, Layer 3's job is to provide very quick filtering of packets at a fairly superficial level, but again, it really does get rid of a lot of traffic that doesn't meet the minimum requirements. If I want to get more particular, I need to go to another firewall.

The next firewall we're going to go to is Layer 5, the session layer. Layer 5 firewalls do stateful filtering, meaning, at this level, they're aware of the state of the connection. Here's what I mean. I want to block what we refer to as unsolicited replies. For instance, when I send a DNS query out to the Internet, I expect a response. I want a reply. But if I don't send a DNS query, I don't want replies to come through from out on the Internet. There's no reason for a host out on the Internet to be sending replies to questions I've never asked. Those unsolicited replies can be ways that my cache gets polluted, my records get messed up, so I don't want unsolicited replies. Remember, if I use the Layer 3 firewall, all I could do would be to block DNS. But I don't want to block DNS. I want DNS to come through, but I don't want unsolicited replies. With a Layer 5 firewall, a session layer firewall, it keeps track of who initiated the session, and because the session was initiated with me sending out a query, that firewall will allow the corresponding response. That's a big step above Layer 3.

Also, Layer 5 protocols understand lower layers. I was worried about that misbehaving TCP communication. We couldn't block it at Layer 3, but we can at Layer 5. Layer 5 can understand everything below it, so we can also block traffic on IP address and port number and so on. It can also block based on protocols that are not behaving according to their RFC, essentially misbehaving protocols, protocols that are not behaving according to the rules. We gain a lot of improvement just by going up the OSI model to Layer 5, and again, the session layer is Layer 5, we're looking at session layer stuff.

But where I really get the intelligence is up at Layer 7. Layer 7 has my application layer proxies and firewalls. Now I'll tell you, you'll hear proxies, application proxies, firewalls; they're ultimately really the same thing. We're talking about devices that have a deep understanding of specific application layer protocols and can make in-depth decisions on how those protocols work and on the contents. For instance, yeah, I can block traffic based on IP address, Layer 3. I can make sure that protocols are behaving according to their requirements at Layer 5. But at Layer 7, that's where I can allow or deny traffic based on time, based on Active Directory group membership. I can block downloads from servers that don't have certificates, or certificates signed by trusted authorities. I really get very strong capabilities up at Layer 7. I can block traffic that has malformed HTTP headers. Lower layer firewalls don't understand the HTTP protocol, but a Layer 7 Web Application Firewall absolutely understands. We can block things that are likely to lead to cross-site scripting or other malicious attacks, code injection. We get the real intelligence up at Layer 7.

Now when I'm talking about firewalls, or specifically really proxies, and firewalls as well, there are two things that we want to consider. I want to control what people inside my network can do outside, and I want to control what people outside the network can do inside. We have forward proxies and reverse proxies. If I'm trying to prevent or limit what people outside my network can do coming inside, so a malicious user out on the Internet sending a denial-of-service into my LAN, that's a reverse proxy. If I want to control what internal users can do out on the Internet, or at least monitor it, that's a forward proxy. Layer 7 firewalls can do a forward proxy, can do a reverse proxy. They have a wide range of criteria they can make their decisions on, and this is what really gives me the greatest capability, but it's at the cost of speed. Lower down the OSI model, I get fewer decisions, but I get speed. When I go up the OSI model, I tend to lose speed but gain intelligence. Also, a lot of devices at the upper layers can be very costly as well. That's not always, but that's just a rule of thumb.

We talked about firewalls in the OSI model and that helped us put firewalls and the OSI model in a little bit of context. Firewalls filter based on rules. Firewalls operate at Layers 3, 5, and 7. Layer 3 firewalls have access to what's in a Layer 3 header, Layer 5 firewalls have access to that session information that's in the Layer 5 header, and Layer 7 firewalls have access directly to the data, which is why we can filter based on content.
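The contrast the lecture draws between a stateless packet filter and a stateful filter can be seen concretely by running both over the same packet trace. The following Python simulation is an added example, not code from the course or the video: a screening-router ACL judges every packet on its own 5-tuple, so it must leave a permanent hole for DNS answers and cannot tell a fourth half-open SYN from the first; the stateful filter remembers what left the network and admits only the corresponding replies, and caps unanswered inbound SYNs per source. The LAN prefix, the rule set, the addresses, the packet trace and the half-open threshold of 3 are all constructed for the example.

```python
"""Added example: stateless ACL vs. stateful filter over a constructed packet trace."""
import ipaddress
from collections import Counter, namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: only the fields a Layer 3/4 filter can see.
Packet = namedtuple("Packet", "src dst proto sport dport flags")


@dataclass
class Rule:
    """One ACL entry; a field left as None is a wildcard."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # "tcp" or "udp"
    src: Optional[str] = None        # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p):
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def acl_verdict(rules, p):
    """Screening-router logic: first matching rule wins, implicit deny at the end."""
    return next((r.action for r in rules if r.matches(p)), "deny")


def stateless_filter(rules, packets):
    """Each packet is judged alone; nothing is remembered between packets."""
    return [acl_verdict(rules, p) for p in packets]


class StatefulFilter:
    """Admits inbound traffic only as a reply to something that went out,
    and limits half-open inbound TCP handshakes per source (SYN flood)."""

    def __init__(self, rules, inside_net, max_half_open=3):  # threshold is an assumed toy value
        self.rules = rules
        self.inside = ipaddress.ip_network(inside_net)
        self.max_half_open = max_half_open
        self.sessions = set()        # 5-tuples already admitted in one direction
        self.pending = set()         # inbound SYNs whose handshake has not completed
        self.half_open = Counter()   # outside source -> number of pending SYNs

    def verdict(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if ipaddress.ip_address(p.src) in self.inside:
            action = acl_verdict(self.rules, p)      # outbound: ACL decides
            if action == "allow":
                self.sessions.add(key)               # remember it so the answer can return
            return action
        if reverse in self.sessions:                 # solicited reply to traffic we sent
            if key in self.pending:                  # final ACK of a tracked handshake
                self.pending.discard(key)
                self.half_open[p.src] -= 1
            return "allow"
        if p.proto == "udp":
            return "deny:unsolicited"                # e.g. a DNS answer to a question never asked
        if p.flags == "S":                           # new inbound TCP connection attempt
            if self.half_open[p.src] >= self.max_half_open:
                return "deny:syn-flood"
            action = acl_verdict(self.rules, p)
            if action == "allow":
                self.half_open[p.src] += 1
                self.pending.add(key)
                self.sessions.add(key)
            return action
        return "deny:out-of-state"                   # ACK or data with no handshake behind it

    def run(self, packets):
        return [self.verdict(p) for p in packets]


# Constructed policy: LAN 192.168.1.0/24, public web server 192.168.1.10.
INSIDE = "192.168.1.0/24"
RULES = [
    Rule("deny", src="10.0.0.0/8"),                               # "traffic from the 10 network, get out"
    Rule("allow", src=INSIDE),                                    # anything leaving the LAN
    Rule("allow", proto="udp", sport=53),                         # the hole a stateless ACL needs for DNS answers
    Rule("allow", proto="tcp", dst="192.168.1.10/32", dport=80),  # web server
]

# Constructed trace (flags: S=SYN, SA=SYN-ACK, A=ACK; UDP has none).
TRACE = [
    Packet("192.168.1.20", "198.51.100.53", "udp", 40000, 53, ""),   # 0: DNS query leaves
    Packet("198.51.100.53", "192.168.1.20", "udp", 53, 40000, ""),   # 1: matching answer
    Packet("203.0.113.9", "192.168.1.20", "udp", 53, 40001, ""),     # 2: unsolicited "answer"
    Packet("10.1.1.1", "192.168.1.10", "tcp", 5555, 80, "S"),        # 3: spoofed 10.x source
    Packet("203.0.113.7", "192.168.1.10", "tcp", 6000, 80, "S"),     # 4: legitimate SYN
    Packet("192.168.1.10", "203.0.113.7", "tcp", 80, 6000, "SA"),    # 5: SYN-ACK back out
    Packet("203.0.113.7", "192.168.1.10", "tcp", 6000, 80, "A"),     # 6: handshake completes
] + [
    Packet("203.0.113.66", "192.168.1.10", "tcp", 7000 + i, 80, "S") for i in range(5)  # 7-11: SYN flood
] + [
    Packet("203.0.113.9", "192.168.1.10", "tcp", 8000, 80, "A"),     # 12: ACK with no handshake
]


def compare(rules=RULES, packets=TRACE, inside_net=INSIDE):
    """Return both filters' per-packet verdicts for the same trace."""
    return {"stateless": stateless_filter(rules, packets),
            "stateful": StatefulFilter(rules, inside_net).run(packets)}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Packets 2, 10, 11 and 12 are the ones the lecture says a Layer 3 filter cannot reject without also rejecting all DNS or all TCP: the stateless list allows every one of them, while the stateful filter denies each with a reason. Note that the stateful filter still runs the same ACL for connection-initiating traffic; state tracking is added on top of, not instead of, the 5-tuple rules.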