5.3 Firewalls
Stateful firewall
A firewall that allows or denies traffic based on virtual circuits of sessions. A stateful firewall is also known as a circuit-level proxy or circuit-level gateway.
Stateless firewall
A firewall that allows or denies traffic by examining information in IP packet headers.
Firewall
A device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.
Application firewall
An application firewall is typically installed on a workstation and used to protect a single device. An application firewall is also known as a host-based firewall.
Firewall Management Practices
Be aware of the following when managing firewalls: > When designing firewall packet filters, a common practice is to close all ports. Open only those ports necessary for accessing the resources behind the firewall. > If a host cannot communicate on the network, or if specific types of traffic (such as ICMP or Remote Desktop Connection) don't work on a host, check the host firewall settings to make sure that the traffic type is allowed. > Firewalls typically create log entries when packets are blocked by firewall rules. You can examine these logs to help troubleshoot communication problems or identify potential attacks (such as DoS attacks).
Firewall Security Features
Most newer firewalls have flood guard protections built into their feature sets. A flood guard protects against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The main types of DoS attacks are flood attacks, SYN floods, ping floods, UDP floods, and port floods. The following table explains a few common firewall security features:
Fragmented Packets
This feature blocks the sending of fragmented IP packets.
ICMP Notification
This feature can silently block the sending of ICMP notifications. Some protocols may require these notifications.
SYN Flood Detect Rate
To help prevent SYN floods, this feature monitors the rate of SYN packets during a configuration time period. Too many SYN packets cause the firewall to determine that a SYN flood is occurring and to trigger the appropriate response.
Stateful Firewall
The stateful inspection firewall (also known as circuit-level proxy or gateway) makes decisions about which traffic to allow based on virtual circuits or sessions. The firewall is considered stateful because it keeps track of the state of a sessions. A stateful inspection firewall: > Operates up to the OSI layer 6 (the Session layer). > Keeps track of known connections and sessions in a session table (also referred to as a state table). > Allows only valid packets within approved sessions. > Verifies that packets are properly sequenced. > Ensures that the TCP three-way handshake process occurs only when appropriate. > Can filter traffic that uses dynamic ports because the firewall matches the session information (not the port numbers) for filtering. > In general, stateful inspection firewalls are slower than packet filtering firewalls. If only the session state is being used for filtering, a stateful inspection firewall can be faster after the initial session table has been created.
TCP Flood
This feature drops all invalid TCP packets. This protects your network from SYN flood attacks.
Block pin to WAN
This feature helps prevent attackers from discovering your network through ICMP Echo (ping) requests.
Stealth Mode
This feature prevents the response to port scans from the WAN. This protects against port floods.
ICMP Flood Detect Rate
This features monitors non-ping ICMP packets. Too many cause the firewall to determine that a ICMP flood is occurring and trigger the appropriate response.
5.3.2 Firewall Facts
This lesson covers the following topics: > Firewall functions > Firewall types > Firewall security features > Firewall management practices
Echo Storm Detect Rate
To help prevent ping floods, this feature monitors the rate of echo pings during a configuration time period. Too many pings cause the firewall to determine that a ping flood is occurring and to trigger the appropriate response.
As you study this section, answer the following questions:
> What is the difference between a network-based firewall and an application/host-based firewall? > When would you choose to implement a host-based firewall? > Which traffic characteristics can you specify in a filtering rule for a packet filtering firewall? > How does a packet filtering firewall differ from a circuit-level gateway? > Where should a network-based firewall be placed? In this section, you will learn to: > Configure firewall rules. > Configure firewall schedules. > Configure a perimeter firewall.
Proxy Server
A device that stands as an intermediary between a secure private network and the public an is a specific implementation of an Application level firewall. With a proxy, every packet is stopped and inspected at the firewall, which causes a break between the client and the source server. Proxies can be configured to: > Control both inbound and outbound traffic > Increase performance by caching heavily accessed content (content is retrieved from the proxy cache instead of the orginial server) > Filter content > Shield or hide a private network > Restrict access by user or specific websites > Allows inspection of encrypted packet, such as SSL inspection
Firewall Functions
A firewall is a device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules. > A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge or your private network that connects to the internet to protect against attacks from internet hosts. Network-based firewalls are typically dedicated hardware devices. > A host-based or application based firewall inspects traffic received by a host. Use a host-based firewall to protect against attacks when there is no network-based firewall, such as when you connect to the internet from a public location. Host-based firewalls are typically software programs. A host-based firewall can be configured to meet the security requirements of the specific host and add an additional layer of security even when a network firewall has been implemented. > Firewalls use filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies traffic characteristics, such as: - The interface to which the rule applies. - The direction of traffic (inbound/outbound). - Packet information, such as the source or destination IP address or port number. - The action to take when the traffic matches the filter criteria. > Firewalls can protect against external attacks. > Firewalls don't offer protection against all attacks (for example, spoofed email messages). > A firewall can impede network availability because it adds processing to network traffic or might drop network traffic when overloaded.
Network firewall
A firewall that is used to regulate traffic in and out of an entire network.
Packet-Filtering (stateless)
A packet-filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. A packet filtering firewall: > Operates up to OSI layer 3 (the Network layer). > Uses access control lists (ACLs) or filter rules to control traffic. > Offers high performance because it only examines addressing information in the packet header. > Can be implemented using features that are included in most routers. > Is not very intelligent, so it is subject to DoS and buffer overflow attacks. > Is easy to implement and maintain, has a minimal impact on system performance, and is fairly inexpensive. > A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session.
Application Firewall
An Application layer firewall (also referred to as an Application level gateway or proxy) makes security decisions based on information contained within the data portion of a packet. An Application level gateway: > Operates up to the OSI Layer 7 (the Application Layer). > Stops each packet at the firewall and inspects it, so there is no IP forwarding. > Inspects encrypted packets, such as in SSL inspection. > Examines the entire content (not just individual packets). > Understands or interfaces with the Application layer protocol. > Can filter based on user, group. and data such as URLs within an HTTP request. > Is the slowest form of firewall because entire messages are reassembled at the Application layer.
5.3.5 Configure A Perimeter Firewall
You work as the IT security administrator for a small corporate network. You recently placed a web server in the demilitarized zone (DMZ). You need to configure the perimeter firewall on the network security appliance (pfSense) to allow access to the web server from the LAN and from the WAN. You also want to allow all traffic from the LAN network to the DMZ network. In this lab, your task is to perform the following: > Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) > Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ. > Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ. > Source - WAN > Source and destination port/service - HTTP (80), HTTPS (443) > Destination - A single host > IP address for host - 172.16.1.5 > Descriptions - For HTTP: HTTP to DMZ from WAN - For HTTPS: HTTPS to DMZ from WAN > Add a firewall rule that allows all traffic from the LAN network to the DMZ network. Use the description LAN to DMZ Any. Complete this lab as follows: 1. Sign in to the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Create and configure a firewall rule to pass HTTP traffic from the internet to the Web server. a. From the pfSense menu bar, select Firewall > Rules. b. Under the Firewall breadcrumb, select DMZ. c. Select Add (either one). d. Make sure Action is set to Pass. e. Under Source, use the drop-down to select WAN net. f. Select Display Advanced. g. For Source Port Range, use the From drop-down to select HTTP (80). h. Under Destination, use the Destination drop-down to select Single host or alias. i. In the Destination Address field, enter 172.16.1.5. j. Using the Destination Port Range drop-down, select HTTP (80). k. Under Extra Options, in the Description field, enter HTTP to DMZ from WAN. l. Select Save. m. Select Apply Changes. 3. Create and configure a firewall rule to pass HTTPS traffic from the internet to the Web server. a. For the rule just created, select the Copy icon (two files). b. Under Source, select Display Advanced. c. Change the Source Port Range to HTTPS (443). d. Under Destination, change the Destination Port Range to HTTPS (443). e. Under Extra Options, change the Description filed to HTTPS to DMZ from WAN. f. Select Save. g. Select Apply Changes. 4. Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network. a. Select Add (either one). b. Make sure Action is set to Pass. c. For Protocol, use the drop-down to select Any. d. Under Source, use the drop-down to select LAN net. e. Under Destination, use the drop-down to select DMZ net. f. Under Extra Options, change the Description filed to LAN to DMZ Any. g. Select Save. h. Select Apply Changes.