Part 13 - Firewalls, Proxies and NAT

Video Activity

We cover quite a bit of ground in this section. The topics discussed span several layers of the OSI model from layer 3 up to layer 5. And as with many of the sections in this module, we look at the various security threats associated with the devices, protocols, and layers at which they reside. We begin by discussing NAT (Network Address Translatio...

Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

12 hours 41 minutes
Video Description

We cover quite a bit of ground in this section. The topics discussed span several layers of the OSI model from layer 3 up to layer 5. And as with many of the sections in this module, we look at the various security threats associated with the devices, protocols, and layers at which they reside. We begin by discussing NAT (Network Address Translation) and its associated protocol, PAT (Port Address Translation). These protocols serve to map private internal IP addresses to public IP addresses, .i.e the internet. This discussion then leads into the security issues associated with the upper OSI layers. Firewalls and how they implement security rules are covered next. At their core, firewalls allow or block traffic using rule-based access control. These rules are implemented either in hardware and software and we'll examine the different types of firewalls in a moment. The key function of firewalls is to separate traffic into trusted (internal network) and untrusted (external network, e.g. the internet) zones. The discussion of the various types of firewalls begins with examining the OSI layers where they operate. Layer 3 firewalls utilize packet filtering, which are effectively routers with ACLs (Access Control Lists). ACLs contain the rules which govern how a firewall directs network traffic. It looks at network and transport layer packets, IP addresses, ports and flags when deciding how and where to direct traffic. It's noted that layer 3 firewalls are not stateful and utilize an "all of nothing" approach to packet filtering. This approach keeps malformed packets off the network, though while quite important, is not able to block viruses and performs no content inspection. Layer 5 firewalls are stateful firewalls. They use context-dependent decisions to implement access control. Stateful firewalls keep track of a multitude of conditions such as the state of connections and determining whether a reply is expected. Many threats exploit such vulnerabilities at the transport layer. Other upper layer firewalls that we examine in this section are proxy firewalls and application proxies. Proxy firewalls act as a layer 5 shim between layers 4 and 7. These type of firewalls mitigate exploits targeting the TCP handshake such as SYN flood attacks. Application proxies are true content inspection firewalls and implement non-repudiation. They actively look out for malware and other malicious content coming across the connection. These types of firewalls possess far greater intelligence than layer 3 firewalls. We conclude this section with a discussion of security zones such as the DMZ, bastion hosts, and multi-homed firewalls. We then circle back to discussing how NAT/PAT are used by firewalls to hide internal IP addresses from the external network. Finally, we cite common best practices for firewall configuration such as blocking unnecessary traffic like ICMP, keeping ACLs simple, using implicit deny, the principle of least privilege, and ingress and egress filtering. As promised, this section is info-packed!

Video Transcription
Okay, let's go ahead and move forward and talk a little bit about firewalls, proxies and then a service called in that network address. Translation. And then it also has a sub protocol, if you will. Or sub service cult Pat, which is port address translation.
So talking about firewalls, you know, firewalls to have the job of blocking and allowing traffic,
and what they're usually used for is to segment out trusted from untrusted. So, for instance, of we just correct collected the connect directly to the Internet.
That's certainly an untrusted network. And then we have our internal network, which is trusted. So we want a firewall inspecting traffic from untrusted to trust it, and we'll continue that discussion.
So ultimately, firewalls use rule based access control, which means they evaluate essentially,
ah, rule set created, you know, could be as basic as a screening router with access control list or could be in much more elaborate means of inspection all the way up the top layers of the O S. I model. But at any rate, there has to be an established rule set
that they used to determine what to allow and what to block. Now three main layers of firewalls layer three, layer five in layers seven.
So at layer three, we have what we refer to. And it's just a little illustration of suffering out the separating out, the internal versus the Internet and that providing inspection to and from All right, eso when we talk about packet filtering firewalls.
Ah, lot of times these were referred to a screening routers because they operated layer three and they are routers.
They're routers with access control lists. And if you look at that term packet filter goes back to layer three of Theo S I model where we have source and destination address information, we can also look into port numbers of sourcing destination port.
And if this layer we can also block based on protocol, these were very kind of all or nothing devices. You know, I kind of think about the screening routers like the bouncer to a nightclub. The job of a packet filtering firewall router is to keep what's obviously riffraff off your network.
So malformed packet. Get out here.
Traffic coming in on port 53rd bed, Port
23. Uh, we don't have the tell net service or we don't We don't allow that in or, you know, just the things that are obviously should be blocked from the network.
Ah, they don't have any sort of depth of thought. And the problem with these is they tend to be very all or nothing. So, for instance, I'm concerned about a sin Florida TCP syn flood. But don't block TCP from coming into my network. That would block a host. A multitude of other service is,
but I want to block misbehaving TCP.
I can't do that with the packet filter. It's all or nothing I'm concerned about unsolicited de NS replies. I can't block D. N s replies because there will be legitimate ones coming in a packet filters all or nothing.
So if we want a little more intelligence, we're gonna come up to the A little higher to the S. I model layer five and we're gonna look at ST full firewalls
and then perhaps circuit level firewalls as well. So when we talk about state full firewalls, they are context dependent
when we talk about context dependent access control. So let's go back to the idea of unsolicited replies right when I sent out of the NS query. I want to reply, but I don't want replies. Deena's replies is coming through my firewall. So a state full firewall keeps track of the state or,
ah, that means the connection, if you will
and realizes. OK, I sent a query. We're expecting a reply back,
so it has that sort of level of dynamic packet filtering capabilities. So that's a plus. And we can look more misbehaving traffic more so than blocking or allowing. And because we're up a layer five, we have that knowledge of lower level protocols.
Now they're comparable. We have approx it. Proxies
on proxies could be circuit level, which your layer five or application layer, which are Let your seven, of course. So when we look at circuit level again, layer five, they work with session layer, and it's almost like a shim between layers four and seven. They can examine information
all the weight.
Oh, um,
and your application has to be aware so there's a little more configuration for a circuit level firewall, but they're able to monitor the TCP handshake and look for problems like those sin floods or Christmas tree tax or Finn attacks or whatever we might be looking for.
So your circuit level firewalls are smarter.
Then layer fog, layer three. But they're not quite as smart as the application proxies that we talked about earlier. This is where we get true content inspection. We can get non repudiation. We can get very, very sophisticated decision making.
Uh, look for virus A software Look for,
um, worms. Look for content in email that would be suspicious or preventing content access to violent websites or other inappropriate websites. So we get a lot of intelligence up at the top of their application proxies. But they are more expensive, and they are slower.
so there are a couple of ah, Microsoft has a proxy server cult, Internet security and acceleration. There. Ice a server there SMTP proxies, Web proxies, FTP proxies, all sorts of application layer approx is now Another function that firewalls have
is, uh, or another function will look at is not just block or a lot allowed traffic, but like we also said, isolating security zones trusted,
semi trusted and untrusted. So, for instance, when we talk about, you know, we've already said untrusted might be the Internet trusted. Might be our local area network. Well, we can create what's called a D. M. C a demilitarized zone, and this is sort of that buffer area between the Internet and our trusted land, where we might
puts servers that we want to be publicly available.
But we still want them protected, of course. So the D m z you know, Internet Firewall DMC Firewall Land will see that Just a minute. There's a phrase called Bastian hosts and Baskin hosts are defined in ah, the I S C Square book
as being hardened servers.
So any server that I would put on make publicly accessible. Of course, I really wanna lock down as much as possible. So here's a little illustration of ah sub net that screamed something that is often how we refer to it, because it's in between two screening devices. The firewalls.
Ah, and you can see my putter Web server, maybe a mail server, D. N s server.
I've also seen screen sub nets where there is no DMC and certainly is just a area of dead space that we might want an attacker to have to get through to firewalls. Also, vendor diversity is important here. We don't wanna have necessarily. Two devices from the same vendor because of a compromise is discovered on
you know, this firewall. It would also be,
uh the second firewall would also be susceptible to the same threat.
All right. Ah, multi home firewall is a solution where we still create the separate boundaries of trust. But we do it on a single server, a single device. And of course, it has that single point of failure, but it would be cheaper
again. Screen sub net. An area between two firewalls and diversity of defense means different boundaries are I'm sorry. Different vendors for the devices
and one of the things that most firewalls uses. They use a service cult, Nat, network address, translation and the purpose of network address. Translation is to hide internal I p addresses and present all traffic is if it comes from the Nat device.
So, for instance, if we go back and we look at our firewall,
So our external firewall Ah, that's gonna have the direct connection to our router. The red device down in the bottom, right.
You see that there would be two interfaces one connected to the internal network. One connected to the external network. Really, that's not the best. Let's come over here and look. It may be a multi home firewall, so the interface connected to the router, which would go out to the Internet, has a public address.
Everything behind that firewall will use an internal I p address.
Ah, and I'll talk about the three ranges of internal I P addresses in just a moment. But ultimately that provides a security service because everything going out to the Internet appears as if it's coming from unturned. All, uh, from the single device, the firewall device
and all the internal I P addresses or mask. And that's network address. Translation. It allows me to use
any range of I P addresses, whatever I want to do internally. And I don't need publicly Route Herbal I P addresses. Now, if you go back to true Matt Network address translation.
For every internal host, we needed an external interface. So for every you know, 10 1 10 to 2, not three, you know, every single system inside that needed to get out, we would have to have a public interface now that gets very cumbersome, not got 300 internal hosts.
So what allows that one public I p address being mapped Too many internal hosts
is called Pat Port Address Translation, and it really is a subset of Nat. If you can see the bottom bullet point here, their pad is what allows us to have many internal I P addresses to share one public address. Most of the time when people say Nath, they're really talking about Nat Pat working together.
Um so the big advantages it hides our internal i p addressing system pad allows us to have a single external I P address and many internal I p addresses. You know, we've we've heard over running out of I P addresses running out of I p addresses. Well, mostly
because of not Pat. We've really put a Band Aid on that problem.
You know, it can be a performance bottlenecked. Sure, Nat, Pat and of itself doesn't filter from bad content, but they're on fire Or they could be on it. Could be a service running on firewalls, proxies or routers, and it does a very specific, very helpful function. Now, I mentioned internal I P addresses just a little bit ago.
Those follow a request for comment, or f c
I doubt that's testable. But just should you see that and basically these I P addresses or seven excited exclusively for internal use? The 10 network
172.16 through 172.31 in the 192168 network. I would certainly know those for the test. They're very important numbers, and I'll guarantee if you go home,
you're gonna likely find 19 to, you know, do I pee configure your internal system. You'll see 1921680 dot something at work. A lot of times you'll see the 10 network,
and it's It's a pretty standard convention to use thes I P addresses internally for security sake.
When we look at overall firewall issues, they do perform, ah, service where screening traffic and that can slow things down. Another issue with firewalls is they can block things that we want to allow. You know, a lot of times when you're configuring that firewall from scratch,
we have, you know, firewalls deny all by default,
so we might find that traffic that you know should have been allowed in is by default blocks, so we have to be very consistent. We have to document well, our firewall rooms.
A lot of times firewalls can't can't explain, can't look in encrypted traffic and depending on the layer that your firewall operates and it may not provide all the security service is necessary.
But ultimately we can kind of go back to some general rules. Four fireballs
block unnecessary traffic. I, C and P is your enemy. Block it now again, when I say block unnecessary traffic, I don't mean just come into work on Monday and start blocking ports on your firewalls. Your organization needs to have a very good policy and very good directives on fire. Well, configuration.
Keep the access control this simple. Ah, an implicit deny. So if, um, no matter what the rules are, if I don't explicitly allow something, it's denied by default, and there's several other I'll let you go through. We mentioned directed broadcasts easier earlier.
I would mention blocking traffic going
out of the network,
so it's starting internally going out if it's starting internally, which have an internal address.
If I have traffic from the inside going out
that has an external address. That's a problem. A lot of times that indicates maybe I've got malicious software. I'm being used to launch an attack on another network. I'm acting is a zombie. Traffic from the outside Coming in should have an outside source address. Otherwise,
it might be that the packets being spoofed. So we've gotta look at both ingress and egress Traffic when we look and we configure our firewalls.
Up Next

Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.

Instructed By