CySA+
  • CySA+ CS0-002 Exam Objectives
  • Threat Intelligence Cycle
  • Intelligence Sources
  • Security Intelligence Sharing
  • Threat Classification and Threat Actors
  • Threat Research and Indicators of Compromise
  • Attack Frameworks and The Cyber Kill Chain
  • Defining Threat Modeling and Threat Hunting
  • Vulnerability Identification and Validation
  • Vulnerability Scan Results and CVSS Scores
  • Nmap and Enumeration
  • Security Controls
  • Defense in Depth Security Baselines
  • Security Trend Analysis
  • Remediation Issues
  • Asset, Change, and Configuration Management
  • Software Development Lifecycle & Development Models
  • Software Assessment and Code Review
  • Mitigating Attack Types Part 1
  • Mitigating Attack Types Part 2
  • Mitigating Attack Types Part 3
  • Password Cracking and Hashing
  • Privilege Escalation & Man-in-the-Middle
  • Network Based IoCs
  • Host Based IoCs
  • Network Architecture and Segmentation
  • Network Traffic, Packet, and Protocol Analysis
  • Pentesting and Active Defense
  • Firewalls
  • URL Analysis & DNS in Malware
  • Network Access Control and Port Security
  • Identity and Access Management (IAM)
  • Web Application Scanners
  • SSL/TLS Digital Certificate Management
  • Mobile Threats
  • Email Threats and Mitigation
  • Data Loss Prevention (DLP)
  • Endpoint Security and Behavior Analysis
  • Hardware Assurance
  • Blackholes and Sinkholes
  • IoT, Embedded Systems & ICS/SCADA Threats
  • Log Analysis & Continuous Security Monitoring
  • SIEM and Event Correlation
  • Malware Analysis
  • Cloud Models and Service Threats
  • Cloud Automation and Other Cloud Threats
  • VDI, Containers, and Microservices
  • CI/CD, IaC, DevOps
  • AI and Machine Learning
  • Digital Forensics
  • Technical Controls for Securing Data
  • Non-Technical Controls for Securing Data
  • Security Policies and Procedures
  • Continuity Planning and Risk Assessment
  • Incident Response Phases and Communication
Powered by GitBook
On this page

Firewalls

  • The Security Device

  • They do not filter all traffic

  • Firewall Types

    • Stateless – Do not inspect traffic. Packet filtering only.

    • Stateful – Inspects traffic and follows rules. SRC IP, SRC Port, DST IP, DST Port. Keeps dynamic rule until TCP connection closes.

    • UTM (Unified Threat Management) – Stateful firewall + higher OSI layer security functions. IPS, AV, URL filtering, DLP, etc.

    • Proxy – MITM. Allows the firewall to look at traffic.

    • NGFW – Application aware firewalls

  • Where to place your firewall? Multi homed device.

    • Inside zone (LAN)

    • Outside zone(WAN)

    • DMZ zone (web servers, mail servers, etc)

  • Firewall Rules

    • ACLs (Access Control Lists)

      • List of entries

      • Each entry describes traffic and an action

    • ACL Filtering Criteria

      • By IP address

      • Bogon filtering. Filters bogus IP addresses (loopback, private Ips from the internet, multicast, etc)

      • By protocol

      • By application

      • By flags, fragments, etc

    • ACL actions

      • Accept

      • Reject

      • Drop

    • Implicit Deny (deny any any)

    • Applying firewall rules

      • Traditional, ingress filtering. Filtering traffic coming in.

      • Egress filtering. Blocking traffic out.

        • Block C&C (C2) traffic

        • Block access to malware sites

        • Block IP addresses or domains based on reputation

        • Block outside access from high-security networks

    • Firewalking – Techniques for testing firewall rules, looking for unpatched holes.

      • TTL (time to live). Decrements by 1 every hop count. When it hits 0, sends a ICMP time exceeded message. This message lets an attacker know that IP address is reachable. ICMP message code 11.

PreviousPentesting and Active DefenseNextURL Analysis & DNS in Malware

Last updated 2 years ago