
Network Security: Firewall

PUBLISHED BY
Condition Zebra (M) Sdn. Bhd.
No part of the content of this training material may be reproduced or transmitted in any
form or by any means without the written permission of the publishers.

Disclaimer
All information contained in this book is furnished for educational purposes only.
Condition Zebra makes no representations or warranties of any kind, express or implied,
about the completeness, accuracy, reliability, suitability or availability with respect to the
book or the information, software, or related graphics contained on the book for any
purpose whatsoever, and will not be held liable for any direct, indirect, incidental or
consequential damages arising out of the use of the information held on this book.
Information provided is considered to be true and correct at the time of printing.


Table of Contents

Firewalls
  Packet-Filtering Firewalls
  Circuit-Level Firewalls
  Application-Level Firewalls
DeMilitarized Zone
Honey Pot
  Honey Pot Types
Best Practices for Firewall Deployments
Setting up pfSense to configure a router and firewall
  Configuring pfSense
  Checking connectivity from pfSense to public users
  Configuring private network
  Getting Internet in internal network
  Setting up Windows server
  Configuring pfSense to forward http traffic to internal network


Firewalls

A firewall can either be software-based or hardware-based and is used to help keep a
network secure. Its primary objective is to control the incoming and outgoing network
traffic by analyzing the data packets and determining whether each should be allowed through
or not, based on a predetermined rule set. A network's firewall builds a bridge between an
internal network that is assumed to be secure and trusted, and another network, usually an
external (inter)network such as the Internet, that is not assumed to be secure and trusted.

Packet-Filtering Firewalls

In its most basic form, a firewall does nothing but filter packets. This means that the firewall
accepts or rejects IP packets on the basis of predefined rules. With packet filtering, the
firewall carefully scrutinizes each packet's protocol and address information; content and
context data are not considered. The main advantages of packet-filtering firewalls are their
relative simplicity, low cost, and fast and easy deployment. Software-only
firewalls for home and small business are typically of this variety, including the firewall that
is built into more recent versions of Windows.


Circuit-Level Firewalls

This type of firewall doesn't simply accept or reject packets; it also decides whether a
connection is valid according to a set of configurable rules. If everything checks out, the
firewall opens a session and allows traffic to flow in only from the authenticated source. The
traffic may also be permitted to proceed for only a limited period of time. In addition, the
firewall may perform connection validation on the source IP address and/or port, the
destination IP address and/or port, the protocol used, user IDs, passwords, the time of day
or, most likely, several of these conditions. Packet-level filtering may also take place.

The big drawback to circuit-level firewalls is that they function at the transport layer and
therefore may necessitate a significant modification of the transport-function programming.
This can impact the performance or operation of a network. Also, circuit-level firewalls
require more expertise to install and maintain.
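To make the difference between the packet-filtering and circuit-level types concrete, here is an added example (not from this training material): a toy stateless packet filter next to a toy circuit-level filter that opens a session only for an allowed connection-opening packet and expires idle sessions. All addresses, ports and rules are constructed; the protected web server 10.0.0.6 is an assumed address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: the packet opens a new connection
    ts: float = 0.0     # arrival time in seconds (constructed)

@dataclass(frozen=True)
class Rule:
    """A None field matches anything; dst matches an exact address or a prefix."""
    action: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto) and
                (self.dst is None or p.dst.startswith(self.dst)) and
                (self.dport is None or p.dport == self.dport))

def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless filter: first matching rule wins, default deny. Only protocol
    and address information is examined; payload and context never are."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class CircuitFilter:
    """Circuit-level filter: rules are consulted only for the packet that opens
    a connection; if allowed, a session is recorded and later packets in either
    direction pass until the session has been idle for `timeout` seconds."""
    def __init__(self, rules: List[Rule], timeout: float = 30.0) -> None:
        self.rules, self.timeout = rules, timeout
        self.sessions: Dict[tuple, float] = {}   # 5-tuple -> last-seen time

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            last = self.sessions.get(key)
            if last is not None and p.ts - last <= self.timeout:
                self.sessions[key] = p.ts        # refresh the live session
                return "allow"
            self.sessions.pop(key, None)         # unknown or idle too long
        if p.proto == "tcp" and not p.syn:
            return "deny"                        # mid-stream packet, no session
        if packet_filter(self.rules, p) == "allow":
            self.sessions[fwd] = p.ts            # open a new session
            return "allow"
        return "deny"

def demo() -> Dict[str, str]:
    """Constructed traffic: public host 192.168.1.103 opens HTTP to server 10.0.0.6."""
    rules = [Rule("allow", proto="tcp", dst="10.0.0.6", dport=80)]
    request = Packet("tcp", "192.168.1.103", 5000, "10.0.0.6", 80, syn=True, ts=0.0)
    reply = Packet("tcp", "10.0.0.6", 80, "192.168.1.103", 5000, ts=1.0)
    stray = Packet("tcp", "192.168.1.103", 5001, "10.0.0.6", 80, ts=2.0)   # no SYN
    late_reply = Packet("tcp", "10.0.0.6", 80, "192.168.1.103", 5000, ts=100.0)
    cf = CircuitFilter(rules, timeout=30.0)
    return {
        "stateless_request": packet_filter(rules, request),  # allow
        "stateless_reply": packet_filter(rules, reply),      # deny: no rule covers it
        "stateful_request": cf.decide(request),              # allow: session opened
        "stateful_reply": cf.decide(reply),                  # allow: within the session
        "stateful_stray": cf.decide(stray),                  # deny: no SYN, no session
        "stateful_late_reply": cf.decide(late_reply),        # deny: session timed out
    }
```

The stateless filter has to be given a separate rule before it will pass the server's reply, whereas the circuit-level filter passes it only because a session was opened and is still alive.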

Application-Level Firewalls

With this approach, the firewall acts as an application proxy, handling all data exchanges
with the remote system on the server's behalf. The idea behind this concept is to make the
server behind the firewall invisible to the remote system.

An application-level firewall can accept or reject traffic based on a specific set of rules. The
firewall may, for example, allow some commands to proceed to a server while rejecting
others. The technology can also be used to restrict access to specified file types, as well as
to provide different access levels to authenticated and unauthenticated users.


Application-level firewalls tend to be preferred by users who require detailed traffic
monitoring and logging on the host, since the addition of these activities is relatively simple
and doesn't further impact performance. IT administrators can set an application-level
firewall to trigger alarms and notifications in the event that a predefined condition occurs.
Application gateways are typically deployed on a separate network-connected computer,
commonly called a proxy server.

Stateful Multilevel Firewalls

Typically offered by vendors as "best-of-breed" solutions, this approach aims to combine
the best attributes of multiple firewall types. Stateful multilevel firewalls are designed to
perform network-level packet filtering while recognizing and processing application-level
data. These firewalls often provide superior network protection but can be very expensive.

DeMilitarized Zone

DMZ stands for DeMilitarized Zone. A DMZ is your front line when protecting valuables from
direct exposure to an untrusted environment.

A DMZ is "a network added between a protected network and an external network in order to
provide an additional layer of security." A DMZ is sometimes called a "perimeter network"
or a "three-homed perimeter network."

A DMZ is a glowing example of the Defense-in-Depth principle. The Defense-in-Depth
principle states that no one thing, and no two things, will ever provide total security. It states
that the only way for a system to be reasonably secured is to consider every aspect of the
system's existence and secure them all. A DMZ is a step towards defense in depth because it
adds an extra layer of security beyond that of a single perimeter.


A DMZ prevents an external network from directly reaching an internal network. It does
this by isolating the machine that is being directly accessed from all other machines. Most of
the time the external network is the Internet and what is in the DMZ is the web server, but
this isn't the only possible configuration. A DMZ can also be used to isolate a particular machine
within a network from other machines. This might be done for a branch office that needs its
own Internet access but also needs access to the corporate network.

Bastion Host

A bastion host is a computer system designed and configured to protect network resources
from attack. Traffic entering or leaving the network passes through the firewall. It has two
interfaces: a public interface which is directly connected to the Internet, and a private interface
that is connected to the intranet.


Firewalking
Firewalking is a technique for testing the vulnerability of a firewall and mapping the routers of a
network that are behind a firewall. It is similar to traceroute and works by
sending TCP or UDP packets into the firewall that have a TTL set to one hop greater than the
targeted firewall.

If the packet makes it through the gateway, it is forwarded to the next hop, where the TTL
reaches zero and elicits a TTL "exceeded in transit" message, at which point the packet is
discarded.

By sending successive probe packets in this way, access-control information about the firewall
can be determined.

Honey Pot

Honey Pot systems are decoy servers or systems set up to gather information about an
attacker or intruder in your system. It is important to remember that Honey Pots do not
replace other traditional Internet security systems; they are an additional level or system.

Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of
these locations, although they are most often deployed inside a firewall for control purposes.
In a sense, they are variants of standard Intrusion Detection Systems (IDS) but with more of a
focus on information gathering and deception.

A Honey Pot system is set up to be easier prey for intruders than true production systems,
but with minor system modifications so that their activity can be logged or traced. The
general thought is that once an intruder breaks into a system, they will come back for
subsequent visits. During these subsequent visits, additional information can be gathered
and additional attempts at file, security and system access on the Honey Pot can be monitored
and saved.

Honey Pot Types

Low-Interaction Honey Pot

- They work by emulating services and programs that would be found on an individual's
  system.
- If the attacker does something that the emulation does not expect, the honeypot will
  simply generate an error.
- Captures limited amounts of information, mainly transactional data and some limited
  interaction.
- Examples: Specter, Honeyd, and KFSensor


High-Interaction Honey Pot

- An entire system or network of computers, providing a controlled area in which
  attackers can interact with real applications and programs.
- Relies on the border devices to control traffic so that attackers can get in, but
  outbound activity is tightly controlled.
- Captures far more information, including new tools, communications, or attacker
  keystrokes.
- Examples: Symantec Decoy Server and Honeynets
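As an added example (not from this training material, and not the code of any of the products named above), here is a minimal low-interaction honeypot that emulates an FTP login dialog: it records only transactional data, never grants access, and answers anything outside its script with an error, which is exactly the behaviour described for the low-interaction type. The banner, host name and the 203.0.113.7 peer address are constructed.

```python
import socketserver
from datetime import datetime, timezone
from typing import List, Tuple

BANNER = "220 ftp.example.test FTP server ready"   # constructed fake banner

class FtpEmulation:
    """Scripted dialog for one connection. Access is never granted; the
    honeypot only captures who connected, what they sent and what it replied."""

    def __init__(self, peer: str, log: List[dict]) -> None:
        self.peer, self.log, self.user = peer, log, None

    def handle(self, line: str) -> Tuple[str, bool]:
        """Return (reply, keep_connection_open) for one client line."""
        parts = line.strip().split(" ", 1)
        command = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if command == "USER":
            self.user = arg
            reply, keep = "331 Password required", True
        elif command == "PASS" and self.user is not None:
            reply, keep = "530 Login incorrect", True   # credential pair is now logged
        elif command == "QUIT":
            reply, keep = "221 Goodbye", False
        else:
            # Outside the script: a low-interaction honeypot simply returns an error
            reply, keep = "500 Unknown command", True
        self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                         "peer": self.peer, "command": command,
                         "arg": arg, "reply": reply.split(" ", 1)[0]})
        return reply, keep

def replay(peer: str, lines: List[str]) -> Tuple[List[str], List[dict]]:
    """Run a constructed client session through the emulation, offline."""
    log: List[dict] = []
    emu = FtpEmulation(peer, log)
    replies = [BANNER]
    for line in lines:
        reply, keep = emu.handle(line)
        replies.append(reply)
        if not keep:
            break
    return replies, log

class Handler(socketserver.StreamRequestHandler):
    """Network front end: one FtpEmulation per TCP connection."""

    def handle(self) -> None:
        emu = FtpEmulation(self.client_address[0], self.server.log)
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply, keep = emu.handle(raw.decode(errors="replace"))
            self.wfile.write((reply + "\r\n").encode())
            if not keep:
                break

if __name__ == "__main__":
    # A high port avoids needing root; behind the border firewall it would be
    # exposed on the real FTP port (21) so that it looks like a genuine service.
    server = socketserver.ThreadingTCPServer(("0.0.0.0", 2121), Handler)
    server.log = []            # shared transactional log for all connections
    server.serve_forever()
```

The captured log is the "transactional data" the text refers to: peer address, command, argument and reply code, and nothing about the intruder's later behaviour, since the emulation has no real file system or shell behind it.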

Best Practices for Firewall Deployments

1. There are different types of firewalls, and each has its place in the enterprise. Packet
filters are easier to deploy and less expensive, but application layer gateways provide
more robust protection for critical systems.
2. Firewalls cannot protect against application misconfiguration.
3. One firewall is rarely sufficient protection. Firewalls should be deployed to create
"zones" of authorized types of traffic, separating applications into groups of related
security requirements.
4. Firewalls may be useful for protecting internal systems, such as those in the data
center, from internal misuse, in addition to their traditional role of protecting public
servers from the dangers of being accessible from the Internet.
5. While deploying multiple firewalls generally increases security levels, firewalls should
not be over-deployed. As with other systems and devices, they have a point of
diminishing returns where over-zealous deployments eventually fail to provide any
return on investment.
6. Firewalls should be coupled with other technologies, such as intrusion detection
system (IDS) products.


7. Security is only as good as the latest security patch, so system maintenance should
be regular and timely.
8. Firewalls should be monitored on a regular basis, but should not be treated as an
IDS.
9. When examining logs, failures are as important as successful connections, and
outbound connections should be examined as well as inbound.
10. If alerts will be sent to administrators, they should be classified to control false
positives.
11. Firewalls are not install-and-forget devices. As application requirements change,
firewalls should be updated to match those changes.
12. As with other systems, unused services should be disabled.


Lab Exercise: Setting up pfSense to configure a router and firewall

In this section, we will discuss how to set up a software-based router/firewall called pfSense.
If your organization is running on a low budget, pfSense is a very good solution. It can act as
an edge router, and it can act as a firewall appliance if you wish to use it that way.
Topics to be covered:

- Installing pfSense
- Enabling various services
- Configuring the pfSense firewall
- Setting up a lab

The following figure shows the network we are going to set up in this section.

We will be using a Mac as the host machine (192.168.1.103), connected to a wireless router
(192.168.1.1).


Required Software:

- VirtualBox
- Kali Linux
- Windows Server 2003/2008/2012
- pfSense
- Windows 7

VirtualBox:
Install VirtualBox on your host machine. VirtualBox can be downloaded from the link below.
Download Link: https://www.virtualbox.org/wiki/Downloads

Kali Linux:
Install Kali Linux in VirtualBox. Kali Linux can be downloaded from the link below.
Download Link: https://www.kali.org/downloads/

Windows Server 2003/2008/2012:
As mentioned in the beginning of this section, we need to get a licensed version of Windows
Server from Microsoft.
Link: http://www.microsoft.com/en-us/download/details.aspx?id=41
The main focus of this lab is to show how we can set up the environment using pfSense, so
we won't be covering how to configure Windows Server.

pfSense:
The pfSense firewall can be downloaded from the link below.
Download Link: https://www.pfsense.org/download/

Introduction:
Note: If you want to set up a true DMZ environment in this lab, you need to set up back-to-back
firewalls. In this lab the web server is kept in the private network instead.


[Figure: lab network diagram. An external pentest host on the public side, the pfSense
firewall in between, and the web server in the private network behind it. Ports 80/443 are
opened through the firewall for obvious reasons; other ports are not shown. Firewalls cannot
be used to stop web attacks.]

Installing pfSense in VirtualBox:

Launch VirtualBox and click "New" to create a new virtual instance.

pfSense is based on BSD. So, when creating the new virtual machine, select type as "BSD"
and version as "FreeBSD (64 bit)". This is shown in the following figure.
Allocate 512 MB RAM for pfSense.


You can specify 6 GB hard disk space for pfSense. Then choose "Hard drive file type" as
"VDI". Check "Dynamically Allocated" for storage on the physical hard drive. All the above
mentioned settings are shown in the following screenshot.

Finally, click "Create".

Now, we should have a new virtual machine instance. Select the VM instance and click
"Start".


It will ask for the source image. Choose the live CD you downloaded in the beginning.
After choosing the live CD, click "Start" as shown in the figure below.


We should now see the following screen.

When the above screen pops up, hit enter.

It will automatically take you to the next screen as shown below.

Now, we are greeted with various options.


If you want to install pfSense rather than boot it as a live CD, simply type "I" and hit enter
before the timeout.
This will invoke the pfSense installer as shown below.


Choose “Accept these Settings” and hit enter.

Then choose “Quick/Easy Install” and hit enter.


After reading the above warning, if you are OK with the installation, choose "OK" and press
enter.

Installation takes some time, as shown in the figure above.


When you see the above screen, just choose “Standard kernel” and hit enter.

Once you are done with the installation, you should see the above screen. Choose “Reboot”
and hit enter.
Congratulations! You just completed pfSense installation.

Configuring pfSense

After completing the installation process, we can proceed with pfSense configuration.
The steps for configuring pfSense are shown in the next section. Before that, let us make
changes to the VirtualBox network settings for the pfSense instance.
By default, Adapter 1 is attached to NAT in VirtualBox. Change "Adapter 1" from "NAT" to
"Bridged Adapter". This is the public-facing interface for pfSense.
This should look as shown in the following figure.


Now, we need to set up another interface for pfSense. This is going to be the interface for
the private network protected by the firewall.
So choose "Adapter 2" and select "Internal Network". This should look as shown in the
figure below.


Now, we are done with the VirtualBox settings and we need to configure pfSense. So,
let us launch pfSense.


Leave it to autoboot and you should see the following screen in a moment.

When it prompts for VLAN setup, just type "n" and hit enter.

Then, we will be asked to enter interface names for both adapters we set up.
For the WAN interface, specify "le0" and for the LAN interface specify "le1" as shown in the
above figure.
We can clearly observe from the note in the above figure that the internal network will be
behind NAT.
After filling in the required details, hit enter.
We should see the following screen asking for user confirmation to proceed. Just type "Y"
and hit enter.

The above step automatically assigns an IP address to the WAN interface. This is shown in
the figure below.


As we can see in the above figure, pfSense has been assigned 192.168.1.106 on the interface
le0.
This interface is publicly accessible in our lab. So, we can access this IP address from any
computer connected to the same Wi-Fi network. You may look at the network diagram we
showed in the beginning to better understand this.

Now, we need to configure the other interface, which is private and not directly accessible
to public users.
To do this, we are going to set up an IP address for the interface le1.


In the above screen, just enter 2 in order to select "Assign Interfaces". Then, we should see
the available interfaces. Since we are going to configure the second interface, we will
choose "2" again. This should allow us to configure the private interface, which is le1 (LAN).
We will then be prompted for the LAN IP address.
In this case, we are giving it 10.0.0.1.
All the steps explained so far are shown in the above screenshot.
Now, let us hit enter. We will be prompted for the subnet mask bit count.
Enter 24 as shown below.

Hit enter 3 times to get to the screen for configuring the DHCP service for the private LAN.

As we can see in the above figure, we need to enable the DHCP server on the LAN interface by
typing "Y".
Then, we need to enter the range of IP addresses. Since we are going to set up a network
with only 3 systems connected to it, the range will be from 10.0.0.5 to 10.0.0.10.
Once done, hit enter and type "Y" again to enable the webConfigurator so that pfSense can be
configured from a GUI, then hit enter.


We should see the above screen with the URL where we can access the graphical user
interface for pfSense configuration.
Finally, hit enter to go back to the command line configuration interface, which appears
upon starting pfSense.

If we now look, we should see everything set for both interfaces.


Checking connectivity from pfSense to public users

Now, let us see if we are able to ping the host machine.

Select "Ping host" by typing 7 in the command line as shown below.

Then enter the IP address of the host machine. We should see responses coming back.

Configuring private network

Setting up Kali Linux:

So far, we have installed and configured pfSense. Now, we are going to set up the hosts in
the private network. The first host is Kali Linux. This is going to be the attacker's machine if
you want to have an internal pentesting environment.
Select Kali Linux in VirtualBox and open its network settings. "Adapter 1" is going to be
"Internal Network" as shown in the following screen.


Now, boot Kali Linux.

Once it is up and running, launch a terminal and type "ifconfig" to see the IP address.

As expected, we have got 10.0.0.5 as our IP address. The DHCP server on the LAN interface of
pfSense assigned it.
Now, we should be able to configure pfSense from this host using the URL http://10.0.0.1/


Let us open up a browser and type http://10.0.0.1/ in the URL bar. We should see pfSense's
login screen as shown below.

The default username is "admin" and the password is "pfsense". Consider changing your
password after logging in for the first time.


We should see the dashboard as shown in the above figure. We can play around with
various settings available in pfSense. We will see some of them in the next section.

Getting Internet in internal network

By default, we won't get the Internet in our private network. Just to test, we can try pinging
google.com as shown in the figure below.

As expected, it says "unknown host".

Now, log in to the pfSense web interface and navigate to Services -> DHCP Server.
Find the "DNS Servers" section and enter the following address as shown in the figure
below.
8.8.8.8


Make sure that you save the changes in the configuration.

Now, type "dhclient" in the terminal and try pinging google.com as shown in the figure
below.

As we can see, we are getting responses from google.com.

Let us also check the address of the default gateway for this host by typing the command
"netstat -nr" as shown below.

As we expected, this is 10.0.0.1, which is the IP address we assigned to the le1 interface on
pfSense.


Setting up Windows server

Finally, install Windows Server 2003. The main focus of this lab is to show how we can set up
the environment using pfSense, therefore we won't be covering how to configure Windows
Server and domains here.
Again, the network settings will remain the same for this host.

Start this virtual machine instance and check the IP address as shown below.


We are running the IIS web server on this machine. Unfortunately, we can't access this
server from outside this network.
This is where we can use port forwarding to allow users to access this web server through the
firewall.

Configuring pfSense to forward http traffic to internal network

Log in to the pfSense web interface using the browser. Navigate to
Port Forwarding -> NAT rule and make sure that you have the same settings as I have here
in the following screenshot.


The next step is to unblock connections to the private network from public users. To do this,
navigate to the following path.
Interfaces -> WAN -> Block private networks.
Make sure that it is unchecked as shown below. This is needed only because the WAN side of
our lab is itself the private 192.168.1.0/24 network; on a WAN interface that really faces the
Internet, this option should stay enabled.

Save the changes.

Now, we should be able to access the internal web server just by typing the public interface
IP address of pfSense as shown below.
