Now in our next section, we're going to take a look at firewalls. Firewalls are a tremendous benefit when we're looking at mitigating threats from network attacks. But again, the firewall really protects us from the bad guys outside, so we can never overlook the potential threats from the inside.
So when we take a look at firewalls, their job, of course, is to enforce network policy.
And a lot of times what we look to a firewall to do, going back to the slide, is to separate out untrusted from trusted. Now, it doesn't always have to be Internet, firewall, internal network. We can have firewalls internally as well to segment out different levels of trust, if you will.
But primarily a firewall's job is to enforce the network policy. A firewall usually works on rule-based access control, and what that means is a series of rules are configured, and the firewall makes its decision based on those rules. Often we refer to those rules as ACLs, access control lists.
So another thing we want to be aware of with a firewall is that firewalls can be hardware or software. With a hardware-based firewall, you have a dedicated device that is purely a firewall. It's a little black box, a little appliance, and that device does nothing other than firewalling.
Now if instead we chose a software option for a firewall, that would be installing a software application on a system. So we might take a Windows 2012 box and install ISA Server, which is Microsoft's version of a firewall, on that Windows 2012 box.
The problem with doing that, though, is that it's still a Windows 2012 box, meaning it's got web browsing, services, and other capabilities. So we're generally better off if we take a box designed to be a firewall and let it be a firewall, as opposed to taking a computer and making it a firewall. And even if you were going to take a computer and make it a firewall, I would recommend something more along the lines of a Linux box that's already very, very scaled down. But when you choose hardware options, you get better performance and you get better security.
So a few things here. Your firewall shouldn't be forwarding IP packets. Generally they are dual-homed or multi-homed; all that means is firewalls have multiple interfaces to connect trusted and untrusted.
And then we've got several different types of firewalls to mention, because they're not all created equal. But they each have their own place, their own benefits, their own pros and cons. When we look at a packet filter, we generally consider packet filters static devices, and these are not very powerful; they don't give you very many options, because a packet filtering firewall makes decisions on three pieces of criteria: IP address, port number and protocol.
So I can filter traffic based on source or destination address. If I want to block all traffic to the 10 network, I'm good. Or if I want to block all traffic to port 80, I'm good; I can do that with the firewall. Or block all TCP or UDP traffic, which I probably don't want to do, but I could do that at the packet filter level.
What I can't do is really make any decisions outside of that black and white: I'm going to allow port 80 or not.
But I can't do things like inspect HTTP headers or anything more intelligent. This is kind of all or nothing. Usually when we talk about these packet filters, they're on the perimeter of our network and they're called screening routers, which basically means it's the router we're using to connect up to the Internet, and it is configured with access control lists to make very broad decisions.
It's kind of like the bouncer outside of a nightclub. If you think about that, the job of the bouncer is to very quickly figure out what's riff-raff and what should be allowed in. That's what this device is. Traffic coming in on port 80? We don't have a web server. Get out of here. Malformed packet? Get out of here.
So that packet filter is just a very basic yes or no.
Now, as we get more elaborate and we come up to a stateful firewall, this is a firewall that has a little more intelligence and a little more flexibility, because what we can do here is acknowledge the state of a connection. And for those of you network people, this is kind of session layer stuff.
So what a stateful firewall is aware of is who initiated the connection, for instance.
I don't want to block DNS coming through my firewall. DNS is such a valuable service; I need that name-to-IP resolution, so I don't block DNS. What I found coming into my network is that we've had DNS replies that were never solicited. You know the idea: if I ask you a question, I want you to answer.
But if I have a random DNS server connecting to me saying, "Hey, this is my information, add it to your cache," that's not a good idea.
So what a stateful firewall will do is allow a response to come through only if there was a query that initiated the process. So I'll send out a DNS query, and because the query was sent, now the reply will be allowed back through.
But if it were simply an unsolicited reply, it would be blocked.
Okay. Stateful firewalls are also often dynamic in nature, opening and closing ports as necessary.
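To make the packet filter versus stateful distinction concrete, here is a small simulation I've added (not code from the lecture): a static ACL that only sees address, port and protocol, beside a state table that admits a DNS reply only when a matching query went out first. The packets, addresses and rules are constructed sample data.

```python
# Added example: static packet-filter ACL vs. a stateful DNS reply check.
# All packets below are constructed; addresses use documentation ranges.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "out" = inside -> Internet, "in" = Internet -> inside

# Static ACL: (direction, proto, sport, dport, action); None = any port.
# First match wins, default deny. Note the weakness of the last rule:
# any packet with source port 53 is let in, solicited or not.
ACL = [
    ("in",  "tcp", None, 80,   "deny"),   # no web server inside: drop port 80
    ("out", "udp", None, 53,   "allow"),  # let our DNS queries out
    ("in",  "udp", 53,   None, "allow"),  # let "DNS replies" back in (stateless)
]

def stateless_filter(pkt):
    for direction, proto, sport, dport, action in ACL:
        if (pkt.direction == direction and pkt.proto == proto
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFirewall:
    """Inbound UDP is allowed only as the reply to a recorded outbound query."""
    def __init__(self):
        self.pending = set()  # (inside ip, inside port, outside ip, outside port)

    def process(self, pkt):
        if pkt.direction == "out":
            if stateless_filter(pkt) != "allow":
                return "deny"
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.pending:
            self.pending.discard(key)   # one query, one reply
            return "allow"
        return "deny"                   # unsolicited: nothing in the state table

QUERY  = Packet("10.1.1.5", "198.51.100.53", "udp", 40001, 53, "out")
REPLY  = Packet("198.51.100.53", "10.1.1.5", "udp", 53, 40001, "in")
FORGED = Packet("203.0.113.9", "10.1.1.5", "udp", 53, 40002, "in")  # nobody asked
WEB_IN = Packet("203.0.113.9", "10.1.1.5", "tcp", 51000, 80, "in")

def demo():
    fw = StatefulFirewall()
    traffic = (QUERY, REPLY, FORGED, WEB_IN)
    return [stateless_filter(p) for p in traffic], [fw.process(p) for p in traffic]
```

The stateless ACL lets the forged reply through because it only sees "UDP from port 53"; the stateful table denies it because no query from port 40002 was ever sent.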
But where we get our true intelligence is when we go up to proxies. Proxy servers are types of firewalls that provide a lot of other services in addition to being firewalls. There are two main types: circuit proxies and application proxies.
An application proxy is the one I'd want, you know.
And so for those of you familiar with the OSI reference model, an application proxy operates at the application layer of the OSI model. Now, for those of you who are not network folks, that may not be particularly meaningful, but just take the name "application proxy": these devices are application-aware.
And from our perspective, what's most valuable here is content. These devices can make decisions on content.
So if I want to block my employees from going to websites with violent content, I can't do that with a packet filter firewall; that's way beyond what that device does. That just looks at source and destination IP. At a session firewall or a stateful firewall, I don't have that decision-making capability either. It's more on who initiated the connection.
But when we look at an application firewall, an application firewall does what we call deep packet inspection, meaning it removes all the wrapping all the way up to the actual content.
Other things that an application proxy would do: it could integrate with our directory services structure, perhaps Active Directory, and make decisions based on Active Directory groups. So I could let the trainers go to a certain website and yet block the salespeople. Again, we don't have that knowledge in other types of firewalls.
We could block users from downloading files not signed by a trusted certificate authority. We have content inspection of mail messages, so if we want to filter out all emails with the words "free offer", we can do that at the application layer.
All right, so the next thought is, well, why don't we just use application layer firewalls? A couple of reasons. First of all, they are slower. Again, that idea of deep packet inspection is almost like a guy going through the line at the airport, and he's put that tube of toothpaste in his backpack that he's taking on the plane. So the security guards pull everything out of the backpack, find what they were looking for, put everything back in. That slows the line down. Same idea with an application proxy.
Another problem with an application proxy: potentially, they can be very expensive.
So you get a high degree of service, but you compromise speed and cost. And I will tell you that you can get application proxies that perform very, very well, good performance, good speed, but it's just going to cost you that much more money. Okay, so they all have their place on the network.
Now, again, I want to stress that the primary job of a firewall is to separate out trusted from untrusted. Okay, so if we look at one of the big things (and I'll just turn this slide), one of the big things that we think of using a firewall for is providing protection from the external network. In this case, you might think of it as the Internet.
So we have the ultimate untrusted network, if this were connecting to the Internet.
My internal network is trusted. But then in this diagram we've created what we call a DMZ, a demilitarized zone. This is really considered semi-trusted, because they're my systems and I've configured the security, but we're also letting the general public into that DMZ.
This is my web server. I want people to come to this web server because I want them to buy my product, so I allow public access. It's still to some degree under my control, but I certainly wouldn't consider it to be truly trusted.
So what we have is what's called a screened subnet. We have external untrusted, firewall, semi-trusted, firewall, internal network. So we have this little area between the two firewalls, and we just happen to put a DMZ between them. You don't have to, but the idea is firewall, space, firewall, whatever's in here. Now, one of the things I will point out also is that it's really important to use what we call vendor diversity here.
I can't be running the same make and model device for both. Well, I can, but it's not a good idea, because if we find a compromise for firewall A, and firewall B is running the exact same software, same version, same make and model, that compromise will work there just as well.
So we might want a Cisco ASA firewall here, and we might want a Juniper behind it. But the idea is vendor diversity is important, and it's not just important here; think about that for redundancy's sake throughout your networks. Now, another service that firewalls often run is a service called
Network Address Translation.
Network address translation's job is to hide the internal network from the untrusted network, from the rest of the Internet. So if I'm a network address translation device, I stand between the internal network and the Internet. All traffic comes through me.
I intercept it, and here's where the NAT service really works: I strip the true source address off the IP packet and replace it with my own external address. So all traffic on the network that's going out looks like it comes from me. So that hides the entire internal IP addressing scheme.
So that gives me a little bit of security, but also, with the sub-protocol called PAT, Port Address Translation, it allows me to have many internal hosts. I might have 50 computers inside and they're all simply using my one public IP address.
That saves me money as well, because you have to pay for these public IP addresses.
So I'm going to pay for that NAT device's external IP, and everybody on the inside would use that one external IP. If you're familiar with the idea that we're running out of IP addresses, we're not really running out of IP addresses, because of NAT. Network address translation allows numerous hosts to be masked behind a single external address.
It also allows me internally to use any IP addressing scheme that I want. It does not have to be unique. And that's a real benefit, because there are certain ranges of IP addresses that we would want for an internal network.
As a matter of fact, there are three IP address ranges that are set aside just for that purpose.
You may be familiar with the 10 network, and if you go and do an ipconfig at work, you'll probably see the 10 network, or you're very likely to. There's also the 192.168 network, which is commonly used, and what is probably used a little less commonly is the 172.16 through 172.31 network. But those are the three address ranges that are set aside for private internal usage.
What that essentially means is Internet routers should be dropping packets with a source or destination of those addresses. So that gives me a little bit of security, perhaps, against spoofing from the outside. If you're trying to impersonate a legitimate host on my network, trying to come through with an IP address of 10.something, for instance, that should be dropped along the Internet routers.
It's not foolproof, but it's a step. So NAT and PAT allow all of this. Their primary purpose is to protect internal IP addresses: all traffic is presented as being from the NAT device. It allows me to use my internal addressing scheme, whatever I want that to be, even if it's duplicated on other networks, because that internal IP addressing scheme never hits the public Internet. So a lot of good benefits with NAT and PAT. They're frequently on firewalls, that service is on proxies, and often it's on routers as well. So it really is more of a software service that's running on a hardware device. It's not really physically bound to any one device.
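As an added illustration (not code from the lecture) of what the NAT/PAT device and the private-range rule do together, here is a simulated device that rewrites outbound sources to its single public address, maps replies back by port, and drops anything arriving from the Internet with a source in the 10, 172.16-172.31 or 192.168 ranges. The public IP, hosts and ports are constructed values.

```python
# Added example: a minimal PAT device plus a private-source (RFC 1918) drop
# on the Internet-facing side. All addresses are constructed documentation values.
import ipaddress

# The three private ranges the lecture names.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

class PatDevice:
    """Many inside hosts share one public IP; each flow gets its own public port."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (inside ip, inside port)
        self.reverse = {}  # (inside ip, inside port) -> public port

    def outbound(self, src, sport, dst, dport):
        """Inside -> Internet: the true source is replaced by our public address."""
        key = (src, sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.reverse[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> inside: drop spoofed private sources, then undo the translation."""
        if is_private(src):
            return None  # a private source should never arrive from the Internet
        if dst != self.public_ip or dport not in self.table:
            return None  # no entry: unsolicited, so it is dropped
        inside_ip, inside_port = self.table[dport]
        return (src, sport, inside_ip, inside_port)

def demo():
    nat = PatDevice("198.51.100.1")
    a = nat.outbound("10.1.1.5", 40001, "203.0.113.80", 80)
    b = nat.outbound("10.1.1.6", 40001, "203.0.113.80", 80)  # same inside port, new public port
    reply_a = nat.inbound("203.0.113.80", 80, "198.51.100.1", a[1])
    spoofed = nat.inbound("10.1.1.7", 53, "198.51.100.1", a[1])          # private source
    unsolicited = nat.inbound("203.0.113.80", 80, "198.51.100.1", 9999)  # no table entry
    return a, b, reply_a, spoofed, unsolicited
```

Two inside hosts using the same local port still get distinct public ports, which is what lets 50 machines hide behind one address; the forged packet with a 10.x source is dropped before the table is even consulted.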