As we know, any system is only as strong as its weakest link, so it is important that we secure or harden all individual systems. This includes:
- mobile devices
Most of us these days have heard of firewalls. They are used to filter packets on a set of criteria and are designed to prevent malicious packets from entering the network.
Firewalls can be software-based or hardware-based. Both are driven by a set of rules in which you determine the traffic allowed to enter or leave your network.
The basis of a firewall is a rule base which establishes the way traffic in or out of the firewall is treated. Two fundamental clauses are:
- will it be passed?
- will it be dropped?
There are many different ways in which we can classify firewalls and we will look at more when we get to the topic on firewalls. The two we will introduce now are:
- Stateless packet filtering, which decides strictly on the rules in your rule base, regardless of whether the packet is coming in or going out. For example, deny this traffic and permit that traffic from this host.
- Stateful packet filtering, which applies the same rule base but also adds connection state information, i.e. was the connection initiated from inside to out, or was it initiated from outside to in? The firewall keeps track of that state for each connection.
Sometimes we hear of firewalls called application layer firewalls. Traditionally, firewalls mainly operated at Layer 3 or 4 of the OSI model. Application layer firewalls are those that can understand and decode traffic all the way up to Layer 7 of the OSI model.
Tip: It is important to understand that encryption defeats inspection by the vast majority of firewalls, for example when someone tries to break into a network through an encrypted tunnel.
Take a VPN that passes through the firewall. If the VPN is terminated on the firewall, then traffic arrives encrypted on one side, is decrypted at the firewall and can be inspected. If the encrypted tunnel passes straight through the firewall, the firewall cannot see what is inside that tunnel.
Unified threat management (UTM)
Unified threat management (UTM) is an all-in-one solution that contains components of firewall, intrusion detection, antivirus, web content filtering and mail content filtering. UTM is truly Layer 7, and perhaps even more. We will discuss UTM more later in this topic.
At a minimum, at an enterprise level, firewalls must be application aware and cover Layers 3-7 of the OSI model. They should also possess:
- application fingerprinting – they must be able to correctly identify applications flowing through them by traffic content
- granular application control – they must identify and characterise application features in order to strictly control those applications
- quality of service (QoS) – now seen as necessary because we are seeing more and more firewalls placed between wide area network links or internal to corporate networks.
Core functions of firewalls
At the most basic level, we know that firewalls have two network interfaces: one on the external and one on the internal side of the network. The firewall controls which traffic is allowed to pass from one side to the other. They also have a number of other functions as listed below:
- Network address translation (NAT) – Static NAT, dynamic NAT and Port Address Translation (PAT) are all basic core functions of a firewall. On its own, NAT is often seen as just security by obscurity, but combined with numerous other security mechanisms it is a valuable portion of any defence in depth (DiD) strategy.
- Audit and logging – Firewalls also need to be able to audit and log, preferably to a separate and secure management system either in another DMZ or internal or separate network. Remember, depending on how much your firewall is actually looking at, auditing and logging can consume a lot of disk space.
- Malware blocking – Detection, stopping, logging.
- AV – Used as an additional layer of defense in conjunction with other technologies.
- IDS/IDP – As an addition to specific IDS/IDP devices.
- URL filtering/caching – Being at the perimeter, firewalls are perfectly placed for this, and many firewalls are very good at it.
- SPAM filtering – Similar to web filtering but for mail.
- Wire speed transmission – i.e. in performing their security services, the firewall is not going to slow things down.
Secure firewall design
Keep the following points in mind for secure firewall design:
- Irrespective of the type of firewall used, location is the most important factor of design. A poorly placed firewall gives a false sense of security.
- All communication in and out of protected networks should flow through a firewall.
- Only authorised traffic is permitted to pass. Be explicit about the traffic you want to pass: everything else is blocked.
- In most cases, it’s best to allow firewalls to fail closed, rather than fail open. Fail open means it will still allow traffic to pass even if it fails. Fail closed means all traffic will stop if it fails. If you fail open and are not on top of your auditing and logging you may not notice that your firewall has failed for hours, days or weeks.
- Your firewall must be able to recognise, resist and log attacks on itself, and alert or launch a countermeasure.
Remember rule-based practices are the underlying feature or component of firewalls. A couple of things to keep in mind:
- Build rules from most to least specific – Rules are generally processed top to bottom and stop once a match is found.
- Place the most active rules at the top – This saves CPU and memory.
- Drop un-routable packets without question – such as packets carrying RFC 1918 private addresses, internal addresses or broadcast addresses.
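The stateless versus stateful distinction introduced earlier and the rule-base practices just listed (first match wins, most specific rules first, drop un-routable sources, fail closed when nothing matches), as an added Python example that is not part of the original notes; the rule base, addresses and packets are constructed for illustration.

```python
import ipaddress

# Constructed example: un-routable (RFC 1918) space must never arrive on the external interface
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule base: (direction, source network, destination port or None for any, action).
# Rules are processed top to bottom and evaluation stops at the first match, so the single-host
# SSH exception sits above the broad SSH drop; the final rule is the default deny inbound.
RULES = [
    ("in",  "203.0.113.10/32", 22,   "pass"),  # one partner admin host may SSH in
    ("in",  "0.0.0.0/0",       22,   "drop"),  # no other inbound SSH
    ("in",  "0.0.0.0/0",       443,  "pass"),  # public HTTPS on the DMZ web server
    ("out", "192.168.1.0/24",  None, "pass"),  # internal hosts may initiate outbound flows
    ("in",  "0.0.0.0/0",       None, "drop"),  # default deny for anything else inbound
]

def stateless_filter(pkt, rules=RULES):
    """Judge every packet, replies included, strictly by the rule base."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["direction"] == "in" and any(src in net for net in RFC1918):
        return "drop"  # un-routable source on the outside: drop without question
    for direction, net, port, action in rules:
        if direction != pkt["direction"] or src not in ipaddress.ip_network(net):
            continue
        if port is not None and port != pkt["dport"]:
            continue
        return action  # first match wins, later rules are never consulted
    return "drop"  # no rule matched: fail closed rather than open

class StatefulFilter:
    """Same rule base plus a connection table, so replies to inside-initiated flows pass."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()  # (src, sport, dst, dport) of flows the rules have permitted

    def decide(self, pkt):
        if pkt["direction"] == "in":
            # Reverse the 4-tuple: is this the return half of a flow opened from inside?
            if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.table:
                return "pass"
        action = stateless_filter(pkt, self.rules)
        if action == "pass" and pkt["direction"] == "out":
            self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return action

# Constructed packets: an internal host opens HTTPS to a public server, then the reply returns
OUTBOUND = {"direction": "out", "src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.5", "dport": 443}
REPLY = {"direction": "in", "src": "203.0.113.5", "sport": 443, "dst": "192.168.1.10", "dport": 51000}
```

The stateless filter drops the HTTPS reply because no inbound rule permits it, while the stateful filter passes it because it recorded the outbound flow; swapping the two SSH rules shows why the specific exception must come first.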
Intrusion detection systems (IDS)
Intrusion detection systems (IDS) monitor traffic and identify specific malicious activity that is anomalous or different from the baseline. This means that our baseline needs to be well defined in order to identify anything that is anomalous or malicious. These anomalies may include (but are not restricted to) such things as:
- access or attempted access
- unauthorized changes
- unusual log messages or events
- file manipulation
- elevation of rights
- system changes.
Some of the types of threats that IDS protects against include:
- unauthorized activity with malicious intent
- network protocol attacks:
  - flag exploits
  - fragmentation and reassembly
- application attacks
- content obfuscation
- data normalisation.
It’s also important to understand there are some types of threats that IDS cannot protect against, including:
- attacks that use encryption
- ‘misuse’ attacks, for example:
  - copying documents
  - posting documents to portals
  - social engineering.
Types of IDS and detection models
There are a number of different classifications or categorisations that we can use when looking at IDS:
- anomaly detection IDS looks at patterns of behaviour and at changes or abnormalities in that pattern with respect to the baseline of your network
- signature-based IDS uses specific knowledge profiles to match against traffic patterns
- active IDS triggers some configurable action when it detects an event
- passive IDS creates a log that requires you to look at it later on.
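The signature and anomaly detection models just listed, together with the content obfuscation and data normalisation threats from the earlier list and the active/passive distinction, as an added Python example that is not from the original notes or any IDS product; the hosts, request paths, baseline and signatures are all constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed baseline of known-good traffic as (source host, requested path) pairs
BASELINE = [
    ("10.0.0.5", "/index.html"), ("10.0.0.5", "/about.html"),
    ("10.0.0.7", "/login"), ("10.0.0.7", "/dashboard"), ("10.0.0.8", "/index.html"),
]
# Constructed observation window: one percent-encoded traversal attempt (content obfuscation)
# and one host issuing far more requests than any host in the baseline
OBSERVED = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.9", "/files?name=..%2F..%2Fetc%2Fpasswd"),
] + [("10.0.0.11", f"/item/{i}") for i in range(40)]

# Signature IDS: specific knowledge profiles to match against request content
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file-access": re.compile(r"/etc/passwd"),
}

def normalise(path):
    """Data normalisation: undo percent-encoding (twice, for double encoding) before matching."""
    return unquote(unquote(path))

def signature_alerts(events, normalised=True):
    """Return (source, signature) hits; without normalisation the encoded request slips through."""
    hits = []
    for src, path in events:
        content = normalise(path) if normalised else path
        hits += [(src, name) for name, pat in SIGNATURES.items() if pat.search(content)]
    return hits

def anomaly_alerts(events, baseline, k=3.0):
    """Flag any source whose request count exceeds mean + k*stdev of the baseline's per-host counts."""
    base_counts = list(Counter(src for src, _ in baseline).values())
    threshold = mean(base_counts) + k * pstdev(base_counts)
    return [(src, "rate-anomaly") for src, n in Counter(src for src, _ in events).items() if n > threshold]

def run_ids(events, baseline, active=False):
    """Passive IDS only logs the alerts; active IDS also returns the block action it would trigger."""
    alerts = signature_alerts(events) + anomaly_alerts(events, baseline)
    blocked = sorted({src for src, _ in alerts}) if active else []
    return alerts, blocked
```

Running the signature matcher with `normalised=False` produces no hits at all, which is the page's point about obfuscation: a signature IDS is only as good as the normalisation it applies before matching.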
Host intrusion detection systems (HIDS)
HIDS is installed on a host device such as a server, workstation, router, printer or gateway. It is installed as a service and intercepts and scans traffic before any other process. HIDS excels at examining application layer interactions. There are two types of HIDS:
- real-time – is always looking for attacks and events, but takes up a lot of system resources
- snapshot – takes snapshots to show the differences between a known good state and a corrupt state.
Network intrusion detection systems (NIDS)
NIDS, the most popular form of IDS, protect entire networks and are designed to capture and analyse live traffic. NIDS are designed to protect more than one host (in comparison to HIDS, which are designed to protect only one host).
There is some configuration required to ensure detection and analysis is turned on. Some form of VLAN or port-based traffic mirroring, or a network tap, is required for a NIDS to work correctly.
Intrusion prevention systems (IPS)
Along with detection and reporting, IPS can stop attacks in real time. However, it is important to realise that IPS can sometimes overreact, and false positives can sometimes lead to traffic starvation.