Firewalls


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
When we think about firewalls, the first thing we should think about is security. I think that's probably true for most folks. What we want to think about with firewalls is that their purpose is to isolate the network, or to divide the network into different security zones. When we talk about security zones, the idea should be based on trust. For instance, our local area network, our internal network, our LAN, that's our most trusted network. I control the systems that are in the LAN. I create the security policy, I provide the authentication rules, that's my network, so I trust my network.

Now, the ultimate in untrusted would be the Internet. Of course, in the middle, many organizations have what's referred to as a DMZ, a demilitarized zone. That DMZ is usually considered to be semi-trusted because even though it's under my ownership and management, I'm going to allow the general public to access the network. That's where my servers that I want to be publicly available are going to go. For instance, my web server. I want the public to come to my web server because I want their money. Come visit my site, come spend your money.

When we talk about isolating these networks from each other, we're going to use a firewall to do so. That firewall is going to filter traffic based on a ruleset. We talk about that as rule-based access control to determine what traffic should be allowed between networks.

This is just a little illustration of a DMZ conceptually: we have the untrusted Internet, which goes through an external firewall into the DMZ, and then we go through an internal firewall to access the trusted LAN. This is why it's sometimes referred to as a screened subnet. It's often because the DMZ is between two screening devices. Even if you don't have devices in the DMZ, sometimes it's still set up to provide a buffer between the Internet and the trusted LAN.

The servers that you have in your DMZ, like I said, you're likely to have the web server there. Because your web server is in the DMZ, you're going to have a web application firewall there. You always put your firewalls that are specific for applications beside the device that they're protecting. A web application firewall protects a web server. Those both would go in your DMZ. You could also have a honeypot, which is a decoy to distract attackers. You might have an intrusion detection system in there to analyze for malicious activities. You're going to have several different devices in your DMZ.

All these devices should be hardened. When we talk about those servers that are Internet-facing and the fact that they're hardened, we refer to those as bastion hosts. We want to make sure that they're locked down. They don't have any extra services or devices or any extra ports open. We want those to be hardened as much as possible.

Again, firewalls are designed to provide filtering between zones of trust. Firewalls can either be software or hardware-based. That's always a strange idea because software is no good without hardware, and hardware is no good without software, but the idea is, I can buy a software product like pfSense and install it on a Linux machine and turn that Linux machine into a firewall. That makes it a firewall in software. Or I can go out and buy an ASA firewall from Cisco. That box is nothing but a firewall. Sometimes it's called an appliance. It might be called a black-box firewall, but the idea is that the device is nothing but a firewall. That'll be hardware-based. As a general rule, you're going to get better protection, better performance from your hardware-based solutions. As a general rule, your software-based solutions will be much cheaper. Really, it depends on what your priorities are in this instance.

Different firewalls operate at different layers of the OSI model. You really have three layers of firewalls. You have a layer three firewall, a layer five firewall, and a layer seven. Down at layer three, the network layer, if you think about what happens down at layer three, you have IP addressing. One of the things that a layer three firewall can inspect for is source and destination IP address. It can also peek just a little bit into layer four headers and make decisions based on source and destination port. That sounds like pretty good inspection, but it's actually very, very broad. It's almost too broad to be really useful.

Let's say, for instance, I'm concerned about a SYN flood, which is an exploit of the TCP protocol. A layer 3 firewall is really just all-or-nothing. I don't get to block misbehaving TCP. I can block all the TCP traffic or none. You can really see that's really overkill, especially because all the network services and applications need TCP to run. If you were to block TCP at your firewall, you'd have almost no traffic at all coming through. This doesn't get really particular. I can't just block floods or just block SYN packets that don't have an ACK or a SYN-ACK. I can't get into details here.

Often these layer three firewalls are really just routers with access control lists configured on them. I can create very basic access control lists on my router and turn it into what we refer to as a packet filtering or a static packet filtering firewall. This is usually your screening router that is the first point of entry into your network. These devices act like a bouncer. Their job is to keep what's obviously riffraff off your network. Traffic coming through port 161? Nope, we're not allowing SNMP traffic coming through. Traffic on port 53? Nope, we don't have a DNS. Malformed packet? Get out of here. At layer three, what you get is very basic, very much all-or-nothing packet filtering. It has its place. You don't want every single type of traffic directed at your network to go through deep packet inspection. What you get down at layer three is fast but very broad packet filtering.

As we go up the OSI model, we get a little bit more understanding. We get a little bit more knowledgeable with the layer 5 firewall. These are sometimes referred to as stateful filtering. With stateful filters, those firewalls understand the state of the connection. By that, I mean things like who initiated the session. For instance, maybe I don't want traffic coming in that wasn't solicited. If I send out a DNS query, then I want the DNS reply to come through the firewall. But if there was no DNS query, I don't want a response. I don't want a reply coming through. You don't get that degree of intelligence down at layer three; you're just looking at source and destination IP and port. But at layer five, you can get information on who initiated the session and allow traffic back based on that criteria. That's very helpful. Also, you generally get an understanding of the lower-layer protocols at layer five. You can look at a little bit of syntax and look for protocols that aren't behaving according to their RFC. Sometimes you can get that understanding at layer five.

Where you really get the smarts is up at layer seven. These are application firewalls. They're sometimes called proxy servers. You can hear them called application firewalls, application proxies, but they are at layer seven. These are the devices that give us deep packet inspection. They have an understanding of the actual content of the packet. If I want to block traffic that has violent content for salespeople after 5:00 PM or between 8:00 and 5:00, I have a degree of understanding and complexity at the application layer. I get a great deal of control when I'm using application layer proxies.

The thing about the application proxy is each proxy is focused on a particular application. You have web proxies which are very comparable to web application firewalls. They do pretty much the same thing. They focus on HTTP and HTTPS traffic. Anytime I'm concerned about malformed HTTP headers or code injection or cross-site scripting attacks that specifically exploit a web server, then a web application firewall is going to be helpful for me. Again, because they're up at layer seven of the OSI model, I get a much greater understanding of the data and all the headers, as well as integration with Active Directory, time, content, and a deep knowledge of the specific application protocol.

When we are talking about proxies and we said they do this deep packet inspection, I also want to mention that there are both forward and reverse proxies. When we think about a forward proxy, its job is to inspect traffic from your internal network going out into the Internet. From the inside out, and that's going to make it so that you can track and control what users do and view out on the Internet. There's also the reverse proxy, which is going to control what users from the Internet can do in your environment. Again, you're going to have a DMZ where you have your web server configured, and the whole purpose of that web server is going to be to share information. You're going to make folks from the Internet first send their requests through your web proxy or your web application firewall. That's going to be referred to as a reverse proxy.
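The contrast the video draws between a layer 3 static packet filter and a layer 5 stateful filter, worked through as an added example (this is illustrative code written for this page, not code from the course or from any firewall product). It models a screening-router ACL that first-match allows or denies on direction, protocol and destination port, and a stateful filter that remembers which sessions our side opened. The packet fields, rule table and addresses (taken from documentation ranges) are constructed sample values; the DNS reply and the stray TCP ACK cases show exactly where the stateless filter is forced into all-or-nothing decisions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the two filter types discussed above: a layer 3
# static packet filter (screening router with an ACL) and a stateful
# filter that records who initiated a session. All values are made up.


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in": Internet -> us, "out": us -> Internet
    proto: str                          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}); empty for UDP


Rule = Tuple[str, str, Optional[int], str]  # (direction, proto, dst_port or None, action)

# Ordered ACL, first match wins, anything unmatched is denied (the "bouncer").
SCREENING_ACL: List[Rule] = [
    ("in",  "udp", 161,  "deny"),   # no SNMP from the Internet
    ("in",  "udp", 53,   "deny"),   # we don't run a public DNS server
    ("in",  "tcp", 443,  "allow"),  # public web server in the DMZ
    ("out", "udp", 53,   "allow"),  # our own outbound DNS queries
    ("out", "tcp", None, "allow"),  # outbound browsing
]

# The only way a stateless filter can let DNS *replies* back in is a blanket
# rule for inbound UDP, which also admits replies that nobody asked for.
LEAKY_ACL: List[Rule] = SCREENING_ACL + [("in", "udp", None, "allow")]


def static_filter(pkt: Packet, acl: List[Rule] = SCREENING_ACL) -> str:
    """Layer 3 filter: decides on direction, protocol and port of this packet alone."""
    for direction, proto, port, action in acl:
        if pkt.direction == direction and pkt.proto == proto and port in (None, pkt.dst_port):
            return action
    return "deny"


class StatefulFilter:
    """Layer 5 style filter: records sessions our side opened (or that the ACL
    admitted) and lets inbound packets through only if they belong to one."""

    def __init__(self, acl: List[Rule] = SCREENING_ACL) -> None:
        self.acl = acl
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, str, int, str, int]:
        # Normalise both directions to (proto, our_ip, our_port, remote_ip, remote_port)
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.sessions:
            return "allow"                       # belongs to a session we already know
        if pkt.direction == "in" and pkt.proto == "tcp" and pkt.tcp_flags != frozenset({"SYN"}):
            return "deny"                        # unsolicited non-SYN TCP: nobody asked for this
        decision = static_filter(pkt, self.acl)  # a new session still has to pass the ACL
        if decision == "allow":
            self.sessions.add(key)
        return decision


def run_demo() -> Dict[str, Tuple[str, str, str]]:
    """Returns name -> (static ACL, leaky static ACL, stateful) decision for sample packets."""
    samples = [
        ("dns_query",   Packet("out", "udp", "10.0.0.5", 50123, "198.51.100.53", 53)),
        ("dns_reply",   Packet("in",  "udp", "198.51.100.53", 53, "10.0.0.5", 50123)),
        ("unsolicited", Packet("in",  "udp", "203.0.113.9", 53, "10.0.0.5", 50999)),
        ("snmp_probe",  Packet("in",  "udp", "203.0.113.9", 40000, "10.0.0.5", 161)),
        ("web_syn",     Packet("in",  "tcp", "203.0.113.9", 44444, "192.0.2.10", 443, frozenset({"SYN"}))),
        ("stray_ack",   Packet("in",  "tcp", "203.0.113.9", 55555, "192.0.2.10", 443, frozenset({"ACK"}))),
    ]
    stateful = StatefulFilter()
    results: Dict[str, Tuple[str, str, str]] = {}
    for name, pkt in samples:
        results[name] = (static_filter(pkt), static_filter(pkt, LEAKY_ACL), stateful.filter(pkt))
    return results


if __name__ == "__main__":
    print(f"{'packet':12} {'static':8} {'leaky':8} {'stateful':8}")
    for name, (strict, leaky, stateful) in run_demo().items():
        print(f"{name:12} {strict:8} {leaky:8} {stateful:8}")
```

Read the table the way the video describes it: the strict ACL drops the legitimate DNS reply because no rule matches the ephemeral destination port; opening inbound UDP to fix that (the leaky ACL) lets the unsolicited reply in too; and the stray TCP ACK to the web server sails through both stateless variants because, on IP and port alone, it looks like web traffic. Only the stateful filter admits the reply to the query it saw, rejects the reply it did not, and drops TCP that does not start with a SYN.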