9 hours 49 minutes
okay, Our next topic is firewalls. When we think about firewalls, the first thing we should think about is security, and I think that's probably true for most folks.
What we want to think about firewalls is their purpose is to isolate the network or to divide the network into different security zones.
We talk about security zones. The idea should be based on trust. For instance, our local area network, our internal network. R L A N. That's our most trusted network.
I can control the systems that are in the l. A n. I create the security policy. I provide the authentication rules. That's my network. So I trust my network now. The ultimate and entrusted would be the Internet. Of course.
In the middle, many organizations have what's referred to as a DMZ, a demilitarized zone, and that Dems is usually considered to be semi trusted. Because even though it's under my ownership and management, I'm going to allow the general public to access the network.
That's where my servers that I want to be publicly available are going to go.
For instance, my Web server. I want the public to come to my Web server because I want their money. Come visit my site, come spend your money.
When we talk about isolating these networks from each other, we're going to use Firewall to do so. And that firewall is going to filter traffic based on a real set.
We talk about that as rule based access control to determine what traffic should be allowed between networks.
This is just a little illustration of a DMZ. Conceptually, we have the untrusted Internet goes through an external firewall in the DMZ. Then we go through an internal firewall to access the trusted L. A. N.
This is why it's sometimes referred to as a screen subject
is often because the Dems is between two screening devices.
Even if you don't have devices in the DMZ, sometimes it's still set up to kind of provide a buffer between the Internet and the trusted Elliot,
the service that you have in your DMZ. Like I said, you're likely to have the Web server there because your Web servers in the DMZ you're going to have a Web application firewall there. You always put your firewalls that are specific for applications beside the device that they're protecting, So Web application firewall protects a Web server,
those both would go in near Dems.
You could also have a honeypot, which is sort of a decoy. To distract Attackers.
You might have an intrusion detection system and there to analyze for malicious activities.
You're going to have several different devices in your DMZ. All those devices should be hardened. When we talk about those servers that are Internet facing and the fact that they're hardened. We refer to those as Beijing hosts. We want to make sure that they're locked down. They don't have any extra services or devices or any sort of extra ports open.
We want those to be hardened as much as possible.
Again, firewalls are designed to provide filtering between zones of trust. Firewalls can either be software or hardware based.
That's always a kind of strange idea, because software is no good without hardware, and hardware is no good without software. But the idea is I can buy a software product like PF Sense in the name of one and install it on at Lenox Machine and turn that Lennox machine into a firewall. What makes it a firewall is a software or I can go out and I can buy an essay firewall from Cisco, and that box is nothing but a firewall. Sometimes it's called a client space. It might be called a black box firewall, but the idea is that the device is nothing but a firewall and that it would be hardware based
as a general rule. You're going to get better protection. Better performance from your hardware based solutions. As a general rule, your software be solutions will be much cheaper. Really. It depends on what your priorities are in this instance.
different firewalls operated different layers of the OSI model. You really have three layers of firewalls. You have a layer three firewall, a layer of five firewall and a layer seven down at Layer three, the network layer. If you think about what happens down at Layer three, you have I p address ng.
One of the things a Layer three firewall can inspect for is source and Destination I P address. It can also peak just a little bit into Layer four headers and make decisions based on source and destination port. That sounds like that's pretty good inspection, but it's actually very, very broad. It's almost too broad to be really useful.
Let's say, for instance, I'm concerned about a S y N Flood,
which is an exploit of the TCP Protocol.
A Layer three firewall is really just kind of an all or nothing. I don't get to block misbehaving TCP I can block all TCP traffic or none you can really see. That's really overkill, especially because all the network services and applications need TCP to run.
If you were to block TCP at your firewall, you have almost no traffic at all. Coming through this doesn't get really particular.
I can just block floods or just blocks in packets that don't have an AC or a syn ack. I can't get into details here.
Often, these layer three firewalls are really just routers with access control lists configured on them.
I can create very basic access control lists on my router or sort of turn them into what we refer to as a packet filtering or static packet filtering firewall.
This is usually your screening router that is kind of the first point of entry into your network. These devices sort of act like a bouncer, and their job is to keep what's obviously refer off off your network
traffic coming through port 1 61. Nope. We're not allowing S and M P traffic coming through traffic on port 53. Nope. We don't have a DNS malformed packet. Get out of here at layer three. What you get is very basic. Very much all or nothing. Packet filtering. It has its place.
You don't want every single type of traffic directed at your network to go through deep packet inspection. What you get down at Layer three is you get fast but very broad packet filtering.
As we go up the OSC model, we get a little bit more understanding. We get a little bit more knowledgeable with a layer five firewall. These are sometimes referred to a state full filtering with state full filters. Those firewalls understand the state of the connection. And by that I mean things like who initiated the session, for instance, Maybe I don't want traffic coming in that wasn't solicited. If I sent out a DNS Curie, then I want the DNS to reply to come through the firewall. But if there was no DNS Curie, I don't want to response. I don't want to reply coming through.
You don't get that degree of intelligence down at Layer three. You're just looking at source and destination I p. Import. But at Layer five, you can get information on who initiated the session and allow traffic back based on the criteria, So that's very helpful.
Also, you generally get an understanding of the lower layer protocols at Layer five, so you can look a little bit of syntax. And for protocols that aren't behaving according to their RFC, sometimes you can get that understanding that layer five
where you really get the smart is up at Larry seven and these are application firewalls.
They're sometimes called proxy servers. You can hear them called application firewalls application proxies, but they are at Layer seven.
These are the devices that give us deep packet inspection.
They have understanding of the actual content of the packet. If I want to block traffic that has violent content to the sales people after five PM or between eight and five, I have the degree of understanding and complexity up at the application layer. I get great deal of control when I'm using application layer proxies.
The thing about the application proxy is, each proxy is focused on particular application. You have Web proxies, which are very comparable to Web application firewalls. They do pretty much the same thing, and they're focussed on http and https traffic
any time I'm concerned about malformed http headers or code injection or cross site scripting attacks that specifically exploit a Web server, then a Web application firewall is going to be helpful for me
again because they're up at Layer seven of the EC model. I get a much greater understanding of the data and all the hunters, as well as integration with active directory time content and a deep knowledge of specific application protocol.
When we're talking about proxies and we said they do this deep packet inspection, I also want to mention that you have the both forward and reverse proxies. When we think about a forward proxy, its job is to inspect traffic from your internal network going out into the Internet so from the inside out,
and that's going to make it that way. You can track and control what users do and view out on the Internet.
There's also the reverse proxy, which is going to be control. What users from the Internet can do in your environment
again. You're going to have a DMZ where you have your Web server configured in. The whole purpose of that Web server is going to be share information. You're going to make folks from the Internet. First, send the request through your Web proxy or your Web application firewall, and that's going to be referred to as a reverse proxy.