


Cyber Security Firewalls




Firewalls

Firewalls are a central architectural element of any network. They are designed to keep out all network traffic except the traffic we explicitly allow. Traditional Firewalls operate on Layer 4, typically controlling TCP and UDP access to internal assets. Next-Generation Firewalls operate on all layers of the OSI model, including Layer 7.

Traffic entering a network, e.g. through a Firewall, is called ingress traffic. Traffic leaving is called egress.


Layer 4 Firewall

The traditional Firewall is a Layer 4 Firewall with features such as:

Note: These Firewalls are typically cheaper and offer more throughput on the network than a more modern Next-Generation Firewall.

NGFW ("Next-Generation Firewalls")

A modern Firewall has capabilities that range much wider than a Layer 4 Firewall. These capabilities are typically security features.

An NGFW can also track active network connections, and is typically also capable of tracking:

Other features of an NGFW include:


Note: Which features your NGFW comes with often greatly depends on which licenses have been purchased and the capacity of the hardware running the Firewall.

Firewall Administration

A Firewall can typically be administered via a proprietary management application, or via a web browser accessing the Firewall's management interface over HTTP.

Management ports of Firewalls, like the other management services of an organization, should ideally be segmented away from regular user access. Ideally, access to the segment holding management services is tied to the organization's user directory, for example Active Directory in Windows environments.


Segmentation

Firewalls can segment traffic between hosts and systems into segments, sometimes called zones. Each segment holds services which are allowed to communicate between one another.


Any connection to or from a segment should be carefully controlled by the Firewall, preventing unauthorized connections from succeeding. Smaller segments offer more segregation, but require more management.

Without any segmentation, users and systems can talk directly to each other without the Firewall's enforcement. This is called a flat network.


Adding more segmentation, we can envision segments representing services, where each segment is a service provided in the organization. Each segment could contain the different servers responsible for making the service operational. Communication within the segment is allowed, but any access into and out of the segment is controlled by the Firewall.

Another segmentation idea would be to define segments based on function, for example clustering web applications within one segment, databases within another, and other kinds of services within their own segment.



The best and most secure kind of segmentation is called zero-trust architecture, which forces every system on the network to be explicitly allowed before it can communicate with a service.

To ease management of Firewall rules, the Firewall management is ideally connected to the organization's user directory. This allows Firewall administrators to create precise rules based on employee responsibilities, so the organization can add and remove permissions that are applied on the network without asking the Firewall administrators for changes every time a role changes. This is sometimes called user-based policy control. Examples include:

Note: A very common user directory is Microsoft's Windows Active Directory. It holds information about which users, computers and groupings the organization holds.
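The zone-based, default-deny model with user-based rules described above, as an added example that is not part of the original page. The zone prefixes, group names and rules are constructed; the `USER_GROUPS` table stands in for a lookup against a directory such as Active Directory.

```python
"""Zone-based, default-deny firewall policy with user-based rules (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segments ("zones"), each a network prefix.
ZONES = {
    "users": ip_network("10.10.0.0/16"),
    "web":   ip_network("10.20.0.0/24"),
    "db":    ip_network("10.30.0.0/24"),
    "mgmt":  ip_network("10.99.0.0/24"),
}

# Constructed stand-in for the organization's user directory (user -> groups).
USER_GROUPS = {
    "alice": {"Staff", "Firewall-Admins"},
    "bob":   {"Staff"},
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    groups: frozenset = frozenset()   # empty set means "any user"

RULES = [
    Rule("users", "web", 443),                                   # everyone may reach internal web apps
    Rule("web", "db", 5432),                                     # web tier may talk to the database tier
    Rule("users", "mgmt", 443, frozenset({"Firewall-Admins"})),  # management plane: admins only
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to the segment it belongs to, or None if it is in no known zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def allowed(src_ip: str, dst_ip: str, dst_port: int, user: Optional[str] = None) -> bool:
    """Default deny: a cross-segment connection succeeds only if a rule explicitly matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:                      # traffic inside one segment is not mediated by the firewall
        return True
    groups = USER_GROUPS.get(user, set())
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src, dst, dst_port):
            if not r.groups or r.groups & groups:
                return True
    return False
```

Changing a user's group membership in the directory changes what the policy permits without touching `RULES`, which is the point of user-based policy control.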

IPS ("Intrusion Prevention System") and IDS ("Intrusion Detection System")

Sometimes IPS and IDS systems are deployed as stand-alone systems on the network, but very often they are included in an NGFW.

IPS and IDS systems have signatures, algorithms and heuristics to detect attacks on the network or host. An IDS or IPS deployed on a host is called a HIDS ("Host Intrusion Detection System").


In this course the terms IDS and IPS are used interchangeably, as the difference between them is often just a matter of how they are configured to operate. An IPS is positioned so that it can detect and block threats, while an IDS is only capable of detecting threats.

IPS systems can be used to detect and block attackers, and often rely on frequent updates and on inspection of encrypted traffic.

Note: A very useful feature of IDS and IPS is the frequent delivery of new signatures for developing threats from the vendors. This gives defenders some reassurance that new threats will be blocked as the Firewall receives these updates.

Content and Application Filtering

The Firewall can attempt to understand which applications and content are traversing the network. Such detection can further activate other security features like IPS to protect the systems behind the Firewall.

URL Filtering

An NGFW can also protect content accessed via HTTP. The Firewall can look up domains in a database containing lists of domains and their respective categorization. The Firewall can then enforce that users may only access acceptable categories of domains, for example news is allowed while gambling is not.


Elements such as domain age and validity could also be checked, preventing users from visiting domains which have recently been created and not yet been categorized, or checking for fraudulent activity by analyzing the content of the domain.

Instead of rejecting access to websites, the Firewall could intercept the request and send the user to what is called a captive web portal. On this portal the user could be warned about immediate danger or about violating company policy by, e.g., visiting unacceptable content. In some cases you could allow the user to provide a reason why they need to access the content, and let them continue once they have provided one.
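The URL-filtering decision described in this section (category lookup, domain-age check, captive portal with justification), as an added example that is not part of the original page. The category database, registration dates, the 30-day threshold and the per-category policy are constructed stand-ins for a vendor feed.

```python
"""URL-filtering verdicts: category policy, domain age, captive portal (constructed example)."""
from datetime import date
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PORTAL = "captive-portal"   # warn the user and/or ask for a justification

# Constructed categorization feed: domain -> category.
CATEGORY_DB = {
    "news.example":  "news",
    "bets.example":  "gambling",
    "fresh.example": "uncategorized",
}
# Constructed WHOIS-style registration dates used for the domain-age check.
CREATED = {
    "news.example":  date(2010, 1, 1),
    "bets.example":  date(2015, 6, 1),
    "fresh.example": date(2024, 5, 20),
}
POLICY = {"news": Verdict.ALLOW, "gambling": Verdict.BLOCK, "uncategorized": Verdict.PORTAL}
MIN_AGE_DAYS = 30   # domains younger than this go to the portal regardless of category

def categorize(domain: str) -> str:
    """Walk from the full host name up to its parent domains until a known entry matches."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"

def decide(domain: str, today: date, justification: str = "") -> Verdict:
    """Return the firewall's verdict for a request to `domain` on day `today`."""
    host = domain.lower().rstrip(".")
    created = CREATED.get(host)
    if created is not None and (today - created).days < MIN_AGE_DAYS:
        verdict = Verdict.PORTAL                     # newly registered, not yet trusted
    else:
        verdict = POLICY.get(categorize(host), Verdict.PORTAL)
    if verdict is Verdict.PORTAL and justification.strip():
        return Verdict.ALLOW                         # user gave a reason on the captive portal
    return verdict
```

A blocked category is never overridden by a justification; only the portal path (unknown or young domains) can be continued by the user.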

Domain categories can be many, for example websites hosting content related to:



Applications

The Firewall can try to determine which applications are in use, not just which protocols. Many protocols are capable of carrying other applications; HTTP, for example, can carry thousands of different applications. A Firewall can try to decode the network streams on Layer 4 and determine the content presented on Layer 7.


A screenshot shows what a user could see when an application has been blocked.



Content Control

As Applications are being identified, the Firewall could try to reveal specific content within the applications, for example content being downloaded:


In such files, the Firewall can try to identify malware, proprietary and confidential information that is not supposed to leave the network, and much more.

The Firewall could support many different protocols and the content running through them, for example:


Sandboxing

In this context, sandboxing means having a platform execute files which may be malicious. The sandbox records and monitors the activity of the file to determine whether it is malicious.


Sandboxing typically allows the Firewall to forward executable files to this platform and prevent users from downloading the file until a verdict has been reached on whether it is malicious.

A modern sandbox has capabilities to run files in multiple different platforms, for example:

Files which are interesting to execute and explore in a sandbox are more than just executable files. Many file types are capable of performing malicious actions on the operating system of our users:

There are many sandboxes online you can try yourself, beyond what an NGFW provides:

There are also sandboxes you can install yourself, for example:


Decrypting Traffic

Many Firewalls support installing certificates which allow for decryption of traffic. Once content is decrypted, it can be inspected for threats.

Decryption can take place on Egress or Ingress traffic, or both. For Ingress traffic the Firewall could protect servers against incoming traffic. Egress traffic allows the Firewall to protect users and systems needing to communicate outbound.


The Firewall will often avoid decrypting traffic such as health care and financial data, as this may have privacy and other implications. Decryption of traffic also requires more effort from the organization to distribute keys to clients which are used by the Firewall to decrypt traffic.

Note: Remember Egress and Ingress traffic? Egress means traffic leaving the network, while Ingress means traffic arriving at the network.

Unknown Traffic

Some traffic cannot be decrypted or fully understood by the Firewall. Many reasons can apply, for example a proprietary application sending data which the Firewall does not recognize. Such traffic can be categorized as Unknown. A Firewall administrator should consider blocking such applications, especially from networks which are considered high-risk.
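The Layer 7 application identification from the Applications section and the Unknown-traffic handling above, combined in one added example that is not part of the original page. The three detectors and the sample payloads are constructed for illustration; a real NGFW engine uses a far larger signature set, and the `"guest"` zone is an assumed name for a high-risk network.

```python
"""Identify the application in the first client bytes of a TCP stream (constructed example)."""
import re
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def identify_app(payload: bytes) -> str:
    """Return an application label derived from Layer 7 content, not from the port."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:64]:
        return "http"
    # TLS record header: content type handshake (0x16), version 3.x, then ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

def http_request_target(payload: bytes) -> Optional[str]:
    """Layer 7 detail a pure Layer 4 firewall never sees: the HTTP method and path."""
    m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]\r\n", payload)
    return m.group(1).decode() + " " + m.group(2).decode() if m else None

def permit(payload: bytes, src_zone: str, high_risk_zones=frozenset({"guest"})) -> bool:
    """Policy: traffic the firewall cannot identify is dropped when it comes from a high-risk zone."""
    if identify_app(payload) == "unknown":
        return src_zone not in high_risk_zones
    return True

# Constructed sample payloads (first bytes a client would send).
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0xF1, 0x01, 0x00, 0x00, 0xED, 0x03, 0x03]) + b"\x00" * 32
SSH_SAMPLE = b"SSH-2.0-OpenSSH_9.6\r\n"
PROPRIETARY_SAMPLE = b"\x7fAPP\x00\x01\x02"   # a made-up protocol the firewall has no decoder for
```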



WAF ("Web Application Firewall")

While Firewalls can do a decent job, they often lack full understanding of what a protocol is capable of. Because of this, protocol-specific firewalls are also developed, of which the WAF is one of the more common.

A WAF allows more features specific to the HTTP protocol than a regular Firewall, making it more capable of stopping threats.

While a WAF tries to do a good job of blocking threats on HTTP, it often provides other very useful utilities for organizations, making it viable for much more than just blocking threats. Here are some examples:

Note: WAFs are much more specialized firewalls that counter threats on the HTTP protocol. They also typically hold functionality which is very convenient for administrators.
