Firewalls

  • The Security Device

  • They do not filter all traffic

  • Firewall Types

    • Stateless – No connection tracking; each packet is filtered on its own header fields. Packet filtering only.

    • Stateful – Inspects traffic and follows rules, tracking each connection by SRC IP, SRC port, DST IP and DST port. Keeps the dynamic rule until the TCP connection closes.

    • UTM (Unified Threat Management) – Stateful firewall plus higher-OSI-layer security functions: IPS, AV, URL filtering, DLP, etc.

    • Proxy – MITM: the proxy sits between the two endpoints, which allows the firewall to look at the traffic.

    • NGFW – Application-aware firewalls.

  • Where to place your firewall? A multi-homed device, with one interface per zone:

    • Inside zone (LAN)

    • Outside zone (WAN)

    • DMZ zone (web servers, mail servers, etc.)

  • Firewall Rules

    • ACLs (Access Control Lists)

      • List of entries

      • Each entry describes traffic and an action

    • ACL Filtering Criteria

      • By IP address

      • Bogon filtering. Filters bogus source IP addresses that should never arrive from the internet (loopback, private IPs, multicast, etc.)

      • By protocol

      • By application

      • By flags, fragments, etc.

    • ACL actions

      • Accept

      • Reject

      • Drop

    • Implicit Deny (deny any any)

    • Applying firewall rules

      • Traditional: ingress filtering, i.e. filtering traffic coming in.

      • Egress filtering: blocking traffic going out.

        • Block C&C (C2) traffic

        • Block access to malware sites

        • Block IP addresses or domains based on reputation

        • Block outside access from high-security networks

    • Firewalking – Techniques for testing firewall rules, looking for unpatched holes.

      • TTL (time to live). Decremented by 1 at every hop; when it hits 0, the router that decremented it sends an ICMP Time Exceeded message (ICMP type 11) back to the source. This message lets an attacker know that the IP address is reachable.
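As an added illustration (not part of these notes), a small Python model of the firewall-rule behaviour in the ACL section above: first-match evaluation of ACL entries, the implicit deny at the end, bogon filtering on traffic from the outside zone, and the dynamic 4-tuple entry a stateful firewall keeps until the TCP connection closes. The rule set, addresses and bogon list are constructed for the example; a real deployment uses a maintained bogon list.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed bogon prefixes for the example (RFC 1918, loopback, link-local, multicast).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Rule:                 # one ACL entry: a traffic description plus an action
    src: str                # CIDR or "any"
    dst: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "accept", "reject" or "drop"

    def matches(self, pkt):
        return (in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

@dataclass
class StatefulFirewall:
    rules: list                               # evaluated top-down, first match wins
    conns: set = field(default_factory=set)   # dynamic entries keyed by 4-tuple

    def filter(self, pkt, ingress=False):
        # Bogon filtering: these sources never legitimately arrive from the WAN.
        if ingress and any(ipaddress.ip_address(pkt["src"]) in n for n in BOGONS):
            return "drop"
        key = (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        reverse = (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        # Packets of a tracked connection (either direction) bypass the ACL;
        # the dynamic entry is removed when the connection closes (FIN seen).
        if key in self.conns or reverse in self.conns:
            if pkt.get("fin"):
                self.conns -= {key, reverse}
            return "accept"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept" and pkt["proto"] == "tcp":
                    self.conns.add(key)       # open a dynamic entry for replies
                return rule.action
        return "drop"                         # implicit deny: no entry matched
```

Rule order matters: a reputation-based drop placed above a broad egress accept blocks traffic that the accept would otherwise let through.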
