This first section introduces you to firewalls, what they do, and how they can be both software and hardware. The instructor explains what firewalls allow users to do, how they control the flow of inbound and outbound traffic, and why the firewall is the first line of defense for the network infrastructure. You'll also learn the concept of packet administration, the impact it has on network security and network traffic, and why it is essential to the firewall life cycle.

Transcript

Welcome to Cybrary.IT, my name is John Oyeleke, subject matter expert for the Security+ certification. This is section 1.1 of the security pro certification. The first topic we look at is firewalls. Firewalls; what are they? Firewalls are hardware or software implementations we have on our networks or our hosts to filter traffic. I'll say that again, firewalls are software or hardware implementations we have on our networks or hosts to filter traffic. When we talk about filtering traffic we are looking at incoming traffic and outgoing traffic. What do they do for us, the firewalls? Firewalls allow us to limit what comes into the network or what leaves the network, what comes into the host or what leaves the host. We are able to set rules on these firewalls to dictate what sort of traffic leaves our networks, what sort of traffic leaves our computers, what sort of traffic comes into our computers. In these days of cyber security we have to focus on very important issues as to confidentiality, integrity and availability of resources. We need to understand and limit, pay attention to who is having access, why should they have access? Firewalls can also be considered as the first line of defense, the first line of defense for any network to defend against the public network, against the internal network. We have the public network, that is the internet. Any traffic coming from the internet, your first line of defense should be a firewall.
The firewall will inspect the traffic to see if it's traffic that should be allowed into the network or denied access to the network. The firewalls will also inspect outgoing traffic to see that confidential stuff does not leave the network. Private stuff should not leave the network. Firewalls are in place to prevent that as well. Firewalls not only prevent information, they also prevent access to the internet from the internal network. We have several types of firewalls, we have packet inspection firewalls. As the name implies, the packet inspection firewalls, they inspect every packet, packets coming into the network or packets leaving the network. The firewalls will have a set of rules by which they inspect these packets. If a packet coming in or leaving the network triggers a rule, the firewall moves to block that traffic. Where no rules are triggered, the firewall would allow the traffic, whether incoming or outgoing. We also have application filtering firewalls, these are firewalls that look at what applications are being called on by the traffic. Should network traffic be calling on applications that they shouldn't, the firewall will prevent such communications. Those communications do not get to the end server. We also have stateful firewalls. Stateful firewalls maintain a state table for all outgoing traffic such that when there is an incoming reply to a traffic the stateful firewall can say, "Yes, you had an outgoing leg, so we can have an incoming leg for that." Firewalls could be used to protect the network, to implement rules on the network, to ensure that network traffic can only go in certain ways. We could also, firewalls are used for DMZ construction (Demilitarized Zone). I'll drop a diagram to show how different types of firewalls could be used even if we have a demilitarized zone. Firewalls could be used in this strategy where we have firewalls used back to back. This is an example of a commercial organization.
They have their internal network over here, and that is the external, the public network is on the internet. This organization has staff, users, and computers on their internal network. We also have public users coming in from the internet. This could be an example of an application firewall, an application filtering firewall. It could also be packet inspection. This firewall could be application filtering to see what sorts of applications are being called, what sorts of commands are being called by public users wanting to access the web server. It could also be inspecting every packet to see that malicious content, malicious payloads are not brought on to the web server. That is an example of how we have, we use an application filtering firewall or a packet inspection firewall. On this side, we could also have a stateful firewall. A stateful firewall will maintain a state table, these users over here periodically might have access to the web server, and they have access through this server. The firewall maintains a state table to say, "Okay, there was this outgoing traffic, we can also allow an incoming traffic for the outgoing traffic because it maintains a state table." Users coming on from the internet are not allowed this way because there is no outgoing leg for their traffic so there can be no incoming leg for that. However, certain times, there could be a new traffic coming out from the internet needing to go here, though there was no outgoing leg for that new traffic coming in, what the firewall will do is to inspect the packet against the rules. If the rules are not triggered, the firewall will let the packet through, but if the rules are triggered, the firewall knows to block that traffic. Firewalls basically work by these rules, either to allow traffic or to block traffic. We can specify the traffic they allow by IP address, we can specify the traffic they block by IP address. We can specify the traffic they block by port address.
Our firewalls will work based on the rules that we create and the rules could be to block traffic by either IP address or port address or some other considerations we might have. In this scenario, these firewalls are used back to back and this allows us to create a DMZ. The DMZ is what we call the demilitarized zone. This is a zone you put public servers, like the web server. You need the users on the internet to have access to your server. It is bad practice to put that server on the internal network. Other types of attacks could be used to carry out, they could be used to lead that server, if it were there, and find their ways into other systems or servers on your network. This could breach confidentiality, hence, we put that server in between 2 firewalls, there you have access from the internet, we don't know you, we don't trust you, yet we need you to have access to this server. That way, using these firewalls we can control your access only to this server. A user on the internet can find their way into the web server but can't find their way into this network because of these firewalls. This is what we call a demilitarized zone. The DMZ is a safe portion of your network you allow only trusted persons. This is very important in today's world. Some organizations put their web servers in the DMZ. Some other organizations put their email servers in the DMZ. Users on the internal network can get there, users working from home or remotely can also get there. However, care is taken to ensure that they can't get into the network using these firewalls. When malicious people attack your network, what they try to do is cripple your firewalls. That way they can defeat your defenses, as we can see. This firewall explains the definition of the first line of defense, traffic coming from the internet will meet this. That is the firewall. It is the first line of defense between your internal network and the external network. Our next topic is routers.
Routers are network devices we need to route traffic within our networks. These facilitate delivery of packets based on IP addresses. We must follow secure router configuration. Routers should be properly configured, not just deployed straight out of the box. They should be properly configured to have very proper router configuration tables. Routers have, they could be manually configured or automatically configured, which is dynamic. This is good for larger networks. These routers configure themselves when deployed. We should follow secure router configurations to ensure that we implement passwords on our routers, otherwise, malicious persons could have access to your routers, and they could corrupt your routing tables. This would allow for redirection of your network packets, redirection into other systems such that they could eavesdrop on your network traffic. Malicious persons starting to eavesdrop on your network traffic is a breach of confidentiality. Your traffic could still get to the destination but now confidentiality has been breached. It could also be done in such a way that they could redirect your traffic so that it doesn't get to the destination, availability is now being breached. We need to take proper care to ensure secure router configuration. The next technology we look at is switches. Switches are network devices that facilitate packet delivery based on the MAC address of the device and the port. We have hubs. Hubs are devices that can receive packets on a receiving port and distribute to every available port. The problem with hubs is that they work with electricity, hubs do not learn. If you have a hub with a receiving channel and also distribution channels, distribution ports, a hub would receive the signal on this port, a hub will send to every port on the network even if the parcel or packet was for this device. A hub will send to everybody. We assume, the first time a hub does that, what about the next time? You think it will learn, no.
A hub will send everything to everybody again. If you had 3,000 users on your network, it will send 1 packet to 3,000 users. What if everybody is sending a packet? 3,000 users sending 3,000 packets to 3,000 users so there is traffic all over the network, this could break down your network, congestion, hence we move to switches. When you turn on a switch for the first time, a switch will deliver the packets to all the ports like a hub, however, if the packet was meant for this PC, the first time the switch will deliver to every hub, every port, and the switch will deliver the packets to every port. The first time, but it will then learn the MAC address of that device. The MAC address is a 42 bit address expressed in hexadecimals, it has 6 pairs of characters, could be punctuated by colons or hyphens. This is an address that is used to uniquely identify a device on the network such that we can say, "Traffic is for this device, or for that device," or we can prove that traffic came from a specific device. The MAC address is like the fingerprint for each device. The switch will learn the MAC address of the device and that port, the next time you have the switch send the packet it doesn't go to everybody anymore, rather, it will go to that specific port because it knows that device exists at that port. Switches are better for our networks, switches allow us to deliver traffic based on port numbers or MAC addresses but basically they learn the MAC address. That way they are able to deliver packets to specific ports because they know the MAC address of the device residing at that port. Switches could be used to facilitate network traffic and also VLAN management, virtual local area network management. We could use switches to achieve this. Another technology we use on our networks is a load balancer. Load balancers allow us to ensure availability of resources, availability of servers or data on servers.
The idea for load balancers is that, as the name implies, they balance the load on the network traffic, they balance the load on the servers. In this scenario we have hundreds or thousands of computers. If we were to have only computer A on the network that probably could be too much work for that server. There could be too many connections in and out of that server. This could over time bring that server to a standstill or crash. The strategy is to have multiple servers in place and the load balancer. The load balancer has designs to ensure that load is distributed. Some load will be sent to server A, some to server B and some to server C. It does that in a particular fashion to ensure that all servers are equally working. That way, no one server is overwhelmed with too much traffic, causing it to crash. In the background, at the end of the day, synchronization takes place to ensure that everything on A is on B, everything on A is on C, everything on C is on A and B is on A and B is on C. That way, synchronization also ensures that the servers have equal content. At the end of the day, if we were to lose one server, there is no loss of availability because the work is still on A and C. Work for users on the network or the general public could still be available. The load balancer is a very important device on our networks today to guarantee availability of resources. They balance the load across multiple servers.
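The transcript describes two mechanisms working together: a rule list that allows or blocks traffic by IP address and port, and a state table that lets the "incoming leg" of an allowed outbound connection back in. The following simulation, added here as an example and not Cybrary's or the instructor's code, puts both in one small packet filter. The addresses are constructed documentation ranges (the internal network is 10.0.0.0/8, the DMZ web server is 203.0.113.10, the public client is 198.51.100.7), and the default policy is block, which is the opposite of the default-allow behaviour the lecture describes; it is a design choice, and the `default` parameter lets you set either.

```python
"""Stateful packet-filter simulation (added example; addresses are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the internal network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None matches either direction
    src: Optional[str] = None        # CIDR such as "10.0.0.0/8"; None matches any source
    dst: Optional[str] = None        # CIDR; None matches any destination
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = rules
        self.default = default
        # State table: one entry per allowed outbound connection, keyed on its 4-tuple.
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        """Return a verdict string: allow-state, allow-rule, block-rule, or <default>-default."""
        # Stateful check first: an inbound packet whose addresses mirror a recorded
        # outbound connection is the incoming leg of that connection.
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.state:
                return "allow-state"
        # Otherwise evaluate the rule list top to bottom; the first matching rule wins.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return f"{rule.action}-rule"
        # No rule triggered: apply the default policy.
        return f"{self.default}-default"


def run_demo() -> List[str]:
    """Walk a few constructed packets through a back-to-back DMZ style rule set."""
    rules = [
        # Public users may reach the DMZ web server on HTTPS only.
        Rule("allow", direction="in", dst="203.0.113.10/32", dst_port=443),
        # Internal hosts may start connections outbound; replies come back via the state table.
        Rule("allow", direction="out", src="10.0.0.0/8"),
    ]
    fw = StatefulFirewall(rules, default="block")
    traffic = [
        Packet("in", "198.51.100.7", 40000, "203.0.113.10", 443),  # public -> DMZ web server
        Packet("in", "198.51.100.7", 40001, "10.0.0.5", 445),      # public -> internal host, no outgoing leg
        Packet("out", "10.0.0.5", 51000, "198.51.100.7", 80),      # internal host opens a connection
        Packet("in", "198.51.100.7", 80, "10.0.0.5", 51000),       # the reply to that connection
        Packet("in", "198.51.100.7", 80, "10.0.0.5", 51001),       # looks like a reply, but no matching state
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fourth packet is admitted only because the third one created a state entry; the fifth differs in a single port number and falls through to the default, which is the "no outgoing leg, so no incoming leg" behaviour the lecture describes.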
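The hub versus switch contrast in the transcript (a hub repeats every frame to every port and never learns; a switch floods only until it has learned which port a MAC address lives on) is easy to see in a small simulation. This is an added example, not Cybrary's or the instructor's code; the port numbers and MAC addresses are constructed.

```python
"""Hub flooding versus learning-switch forwarding (added example; values constructed)."""
from typing import Dict, List, Tuple


def hub_forward(ingress_port: int, ports: List[int]) -> List[int]:
    """A hub repeats the signal on every port except the one it arrived on. It keeps no table."""
    return [p for p in ports if p != ingress_port]


class LearningSwitch:
    def __init__(self, ports: List[int]):
        self.ports = list(ports)
        self.mac_table: Dict[str, int] = {}  # MAC address -> port it was last seen on

    def forward(self, ingress_port: int, src_mac: str, dst_mac: str) -> List[int]:
        """Return the list of ports the frame is sent out of."""
        # Learn: the source MAC is reachable through the port the frame arrived on.
        self.mac_table[src_mac] = ingress_port
        out = self.mac_table.get(dst_mac)
        if out is None or out == ingress_port:
            # Unknown destination (or destination on the same port): flood like a hub,
            # but never back out of the ingress port.
            return [p for p in self.ports if p != ingress_port]
        return [out]


def run_demo() -> Tuple[List[int], List[int], List[int], List[int], Dict[str, int]]:
    """Two hosts exchange frames; only the first frame is flooded."""
    host_a = "00:11:22:33:44:aa"  # constructed, on port 1
    host_b = "00:11:22:33:44:bb"  # constructed, on port 2
    ports = [1, 2, 3, 4]

    hub_out = hub_forward(1, ports)             # hub: everyone except port 1, every time

    sw = LearningSwitch(ports)
    first = sw.forward(1, host_a, host_b)       # B unknown: flooded to 2, 3, 4; A learned on port 1
    reply = sw.forward(2, host_b, host_a)       # A known: sent to port 1 only; B learned on port 2
    second = sw.forward(1, host_a, host_b)      # B now known: sent to port 2 only
    return hub_out, first, reply, second, dict(sw.mac_table)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The MAC table is keyed by the source address of frames the switch has seen, which is why a device that has only ever received traffic is still flooded to until it sends something itself.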
CISSP CISM CISA CHFI CSXF CEH, Cyber Security Specialist & Trainer