
TDC 311 - Firewalls

Laura McFall
DePaul University
School of Computing and Digital Media
What is a Firewall?
 A network security device that grants or rejects
network access to traffic flows between an untrusted
zone (e.g., the Internet) and a trusted zone (e.g., a
private or corporate network)
 Acts as the demarcation point or “traffic cop” in the
network; all communication should flow through it
and it is where traffic is granted or rejected access
 Firewalls enforce access controls through a positive
control model, which states that only traffic defined
in the firewall policy is allowed onto the network
 All other traffic is denied (known as “default deny”)
Access Control Lists
 Early on, the firewall function was performed by Access
Control Lists (ACLs), often on routers
 ACLs are essentially rules written out that determine
whether network access should be granted or rejected to
specific IP addresses
 So, an ACL can have a line that states all traffic from IP
172.168.2.2 must be rejected, or to allow all traffic on port
80 from 172.168.2.2 to a web server at 10.10.10.201
 ACLs are advantageous due to scalability and high
performance, but can’t read beyond packet headers, which
provide only rudimentary information about the traffic
 Thus, ACL packet filtering alone does not have the capacity
to keep threats out of the network
What is a Firewall?
 A firewall can be many things:
 A router that runs traffic filtering rules or a modified
version of the routing software
 A server with 2+ NICs running traffic filtering software, an
application proxy, or other specialized software. Often
Unix/Linux servers
 A firewall appliance - specialized hardware device
running a specialized software
 A host-based firewall or personal/desktop firewall.
A software application used to protect a single Internet-connected
computer from intruders. Especially useful for users with
"always-on" connections. This is the last firewall piece
in a defense-in-depth strategy: load firewall software
on all hosts
What is a Firewall?
 A firewall is a device that makes the decision on
what to do with a packet of information sent across
the Internet. The actions a firewall can take:
 Forward/accept the packet
 Drop the packet silently
 Drop the packet and send ICMP back to source to
notify why it was dropped. (Is this wise?)
 How is it performed?
 Packets are evaluated against a list of “rules” and
conditions
 When the packet matches a rule, the action is triggered
(reject or allow). The rest of the rules are not
evaluated
What are proxy firewalls?
 Proxy firewalls are the most secure types of firewalls, but
this comes at the expense of speed and functionality, as
they can limit which applications your network can support
 The enhanced security of a proxy firewall is because,
unlike with other types of firewall, information packets
don’t pass through a proxy. Instead the proxy acts as an
intermediary - computers make a connection to the proxy
which then initiates a new network connection based on
the request; effectively a mirror of the information transfer
 This prevents direct connections and packet transfer
between either side of the firewall, which makes it harder
for intruders to discover the location of the network from
packet information
What are proxy firewalls?
 So firewall proxies provide Internet access to computers on
a network but are mostly deployed to provide safety or
security by controlling the information going in and out of
the network. Firewall proxy servers filter, cache, log, and
control requests coming from a client to keep the network
secure and free of intruders and viruses
 In essence, proxies are gateway applications used to route
Internet and web access from within a firewall
 Proxy servers work by opening a socket on the server and
allowing the connection to pass through. There is often
only one computer in a proxy firewall network with a direct
Internet connection – other computers have access to the
Internet using that computer as gateway
What are proxy firewalls?
 A proxy gateway receives a request from a client inside the
firewall, and then sends this request to the remote server
outside of the firewall
 The response from the server is then read and sent back
to the client
 Usually, the same proxy is used by all client computers
within a network – this enables the proxy to efficiently
cache documents that are requested by multiple clients
What are proxy firewalls?
 Proxy firewalls act as middlemen, accepting all traffic
requests coming into the network by impersonating the
true recipient of the traffic within the network
 After an inspection, if it decides to grant access, the proxy
firewall sends the information to the destination computer
 The destination computer’s reply is sent to the proxy,
which repackages the information with the source address
of the proxy server
 Through this process, the proxy firewall breaks
(terminates) the connection between two computers so
that it is the only machine on the network that talks to the
outside world
What are proxy firewalls?
 Proxy firewalls can inspect content fully and make access
decisions based on more specific levels of information
 Access control this nuanced is attractive to network
administrators; however, each application needs its own
proxy at the application level
 Proxy-firewalled networks also suffer degraded traffic
performance and many limitations in application support
and general functionality
 This ultimately leads to scalability issues that make a
successful implementation tricky to pull off
 For this reason, proxy firewalls have not been widely
adopted. In fact, even at the peak of the proxy firewall's
popularity, performance and scalability issues limited
adoption to select verticals in niche deployments
What are proxy firewalls?
 Considered to be the most secure type of firewall because
they prevent direct network contact with other systems.
(Because a proxy firewall has its own IP address, an outside
network connection will never receive packets from the
sending network directly)
 Having the ability to examine the entire network packet,
rather than just the network address and port number, also
means that a proxy firewall will have extensive logging
capabilities, a valuable resource for security administrators
who are dealing with security incidents
 Per Marcus Ranum (credited with conceiving the proxy
firewall), the goal is to create a single point that allows a
security-conscious programmer to assess threat levels
represented by application protocols and put error detection,
attack detection and validity checking in place
What are proxy firewalls?
 The added security offered by a proxy firewall has its
drawbacks, however
 Because a proxy firewall establishes an additional connection
for each outgoing and incoming packet, the firewall can
become a bottleneck, causing a degradation of performance
or becoming a single point of failure
 Additionally, proxy firewalls may only support certain popular
network protocols, thereby limiting which applications the
network can support
Stateful Inspection Firewalls
 Stateful inspection, or stateful filtering, is regarded
as the third generation of firewalls
 Stateful filtering does two things: first, it classifies
traffic by looking at the destination port (e.g.,
tcp/80 = HTTP)
 Second, it tracks the state of the traffic by
monitoring every interaction of each particular
connection until that connection is closed
Stateful Inspection Firewalls
 These properties add more functionality to access
control: stateful inspection firewalls have the ability to
grant or reject access based not only on port and
protocol, but also the packet’s history in the state table
 When stateful firewalls receive a packet, they check the
state table to find if a connection has already been
established or if a request for the incoming packet has
been made by an internal host
 If neither is found, the packet’s access becomes subject
to the ruling of the firewall security policy
Stateful Inspection Firewalls
 Though stateful filtering is scalable and transparent to
users, the extra layer of protection adds complexity to
network security infrastructure, and stateful firewalls face
difficulty in handling dynamic applications such as SIP or
H.323
 SIP - Session Initiation Protocol; a communications
protocol for signaling and controlling multimedia
communication sessions. Most common applications
of SIP are in Internet telephony for voice and video calls,
as well as instant messaging, over Internet Protocol (IP)
networks
 H.323: standard approved by the ITU - International
Telecommunication Union to promote compatibility in
videoconference transmissions over IP networks
SIP
 SIP was designed to setup a "session" between two points
and to be a modular, flexible component of the Internet
architecture
 It has a loose concept of a call (that being a "session"
with media streams), has no support for multimedia
conferencing, and the integration of sometimes disparate
standards is largely left up to each vendor
 As a result, SIP is a protocol with a vast number of
interoperability problems
 While SIP has been successfully deployed in some
environments, those are generally "closed" environments
where the means of interoperability has been PSTN
(Public Switched Telephone Network) gateways
H.323
 Designed with a good understanding of the
requirements for multimedia communication over IP
networks, including audio, video, and data
conferencing. Defines an entire, unified system for
performing these functions, leveraging the strengths of
the IETF and ITU-T protocols
 H.323 was designed to scale and to accommodate new
functionality. The most widely deployed use of H.323 is "Voice
over IP" followed by "Videoconferencing", both of which are
described in the H.323 specifications
Unified Threat Management (UTM) solutions
 Initially defined as the consolidation of stateful inspection
firewalls, antivirus, and IPS into a single appliance; over
time, UTM definition has expanded to include many other
network security functions
 The success of a UTM relies on the effectiveness of the stateful
inspection-based firewall decision that precedes all of its
component functions, because UTM components, while in a
single device, are effectively downstream security services
 Thus, the workload of all security components behind the
firewall (inside the network) is determined by the
strength of its access control
 Though UTMs provide a number of security functions in one
product, the fundamental access control technology of the
firewall remains unchanged
Next-generation Firewalls
 NGFWs were created in response to the evolving sophistication
of applications and malware. Application and malware
developers have largely outwitted the long-standing port-based
classification of traffic by building port evasion
techniques into their programs
 Malware piggybacks on these applications to enter networks,
and malware has become increasingly networked (instances
connected to each other across the computers they individually infected)
 NGFWs act as a platform for network security policy
enforcement and network traffic inspection
Next-generation Firewalls
 Per technology research firm Gartner Inc., NGFWs are defined by the
following attributes:
 Standard capabilities of the first-generation firewall: This includes
packet filtering, stateful protocol inspection, network-address translation
(NAT), VPN connectivity, etc. (Note: A virtual private network (VPN)
extends a private network across a public network (Internet). It enables
users to send and receive data across shared or public networks as if
their computing devices were directly connected to the private network,
thus benefiting from the functionality, security and management policies
of the private network)
 Truly integrated intrusion prevention: Includes support for both
vulnerability-facing and threat-facing signatures, and suggesting rules (or
taking action) based on IPS activity. The sum of these two functions
collaborating via the NGFW is greater than the individual parts
 Full stack visibility and application identification: ability to enforce
policy at the application layer independently from port and protocol
Next-generation Firewalls
 Extra firewall intelligence: Ability to take information
from external sources and make improved decisions.
Examples include creating blacklists or whitelists and being
able to map traffic to users and groups using Active Directory
 Adaptability to the modern threat landscape: Support
upgrade paths for integration of new information feeds and
new techniques to address future threats
 In-line support with minimum performance degradation or
disruption to network operations
So you know…
 Blacklist: basic access control mechanism that allows through
all elements (email addresses, users, passwords, URLs, IP
addresses, domain names, file hashes, etc.), except those
explicitly mentioned. Items on the list are denied access
 Opposite is a whitelist, which means only items on the list are
let through whatever gate is being used. A graylist contains
items that are temporarily blocked (or temporarily allowed)
until an additional step is performed
 Blacklists can be applied at various points in a security
architecture, such as a host network, a web proxy, DNS
servers, an Email server, a computing firewall, directory servers
or application authentication gateways
So you know…
 The type of element blocked is influenced by the access control
location
 DNS servers may be well-suited to block domain names, for
example, but not URLs. A firewall is well-suited for blocking IP
addresses, but less so for blocking malicious files or passwords
 Example uses include a company that might prevent a list of
software from running on its network, a school that might
prevent a list of web sites from being accessed on its
computers, or a business that wants to ensure their computer
users are not choosing easily-guessed, poor passwords
What’s ICMP?
 Internet Control Message Protocol – a Transport Layer
control protocol
 ICMP messages are sent in several situations: for
example, when a datagram cannot reach its destination,
when the gateway does not have the buffering capacity
to forward a datagram, and when the gateway can
direct the host to send traffic on a shorter route
 Not designed to be absolutely reliable; purpose is to
provide feedback about problems in the communication
environment, not to make IP reliable
 There are still no guarantees that a datagram will be
delivered or a control message will be returned
What’s ICMP?
 Some datagrams may still be undelivered without any
report of their loss, so the higher level protocols that use
IP must implement their own reliability procedures if
reliable communication is required
 ICMP messages typically report errors in the processing
of datagrams. To avoid the infinite regress of messages
about messages etc., no ICMP messages are sent about
ICMP messages themselves
 IP implementations are required to support this protocol
 ICMP is considered an integral part of IP, although it is
architecturally layered upon IP
 ICMP provides error reporting, flow control and first-hop
gateway redirection
Other Firewall Services
 Firewalls may also perform other services:
 NAT / PAT (Network/Port Address Translation)
 Caching (see next slide)
 Web access control/site filtering
 VPN services (VPN tunnel termination)
 What’s a VPN tunnel?
 The set of information that allows two entities (networks,
PCs, routers, firewalls, gateways) to "trust each other" and
communicate securely as they pass information over the
Internet
Other Firewall Services - Caching
 Caching refers to the strategy of keeping a copy of a
page or image you have already seen
 Web browsers typically cache files that they display for
you, and simply ask the server if the page has actually
changed rather than always downloading the entire
thing
 This speeds up your next visit to the page
 Since caching everything forever would take up too
much space, web browsers typically delete the least
recently used file in the cache when a certain total cache
size is reached
Other Firewall Services - Caching
 Caching also occurs in other places. You may be using a
proxy server, in which case the proxy server is probably
caching pages on behalf of you and other users to save
trips to the real Internet
 Users typically become aware of caching when things
don't work as expected. For instance, you might make a
change to your own web page, open up your web page in
your web browser, and not see the change until you click
the "reload" button, telling your browser to discard the
cached copy of that page
Other Firewall Services - Caching
 Some things (credit card transactions) should not be cached
 Fortunately, the HTTP protocol that web browsers and
servers use to communicate includes ways for the web server
to specify how long a page may be safely cached, if at all
 Sometimes browsers don’t perfectly obey such directives. The
problem is made worse by the tendency of websites built in
PHP, ASP or other dynamic web programming languages to
tell the web browser not to cache anything. This problem is
not inherent to those languages, but it is a common result of
poorly-thought-out site design
 Caching can potentially be a privacy issue for those who
share their computers; cached copies of pages on your hard
drive can reveal information about your browsing habits
Firewall Setup
 Philosophy for Firewall setup - either:
 Block all that is not explicitly authorized
 Authorize all that is not specifically blocked
 Note: These can be used together on same
firewall. Example: For a firewall between an
organization and the Internet you may:
 Block all inbound traffic except specifically
authorized application traffic for publicly
accessible services
 Allow all outbound traffic except traffic that is
specifically blocked based on known
virus/worm/DOS patterns or other corporate
security policies
Some Types of Firewalls
 Packet Filter
 Stateful packet filter
 Circuit Proxy
 Application Proxy
Packet Filtering Firewalls
 Control the forwarding or dropping of the
data based on the IP header information
 Each packet is analyzed independently of all
other packets – no track of the connection or
session state is kept
Packet Filtering Firewalls
 The information and fields that may be taken
into consideration are:
 IP destination address
 IP source address
 Protocol type/number (e.g., TCP, UDP, ICMP, etc.)
 Source protocol port number (e.g., TCP/80, UDP/53, etc.)
 Destination protocol port number (e.g., TCP/80,
UDP/53, etc.)
 Flags (SYN, ACK, FIN, etc.)
Packet Filtering Pros/Cons
 Advantages
 High performance
 Application independent
 Filters out many threats (SMURF, IP source
route, some spoofing)
 Can be implemented at “no cost” on existing
routers using Access Control Lists (ACL) –
Note: You need to be careful here: this can
very negatively impact routing performance
on certain routers. This is especially true for
core routers (Usually NEVER enable ACLs on
core routers)
Packet Filtering Pros/Cons
 Disadvantages
 Only uses TCP/UDP/IP Header information
 How do you handle incoming or return traffic
that uses a random/high port to communicate?
 Can dramatically lower performance of certain
routers if implemented on them
Stateful Packet Filtering
 Stateful inspection, aka dynamic packet filtering, is a
firewall technology that monitors the state of active
connections and uses this information to determine
which network packets to allow through the firewall
 Stateful inspection has largely replaced an older
technology, static packet filtering, where only the
headers of packets are checked, which means that
an attacker can sometimes get information through
the firewall simply by indicating "reply" in the header
 Stateful inspection analyzes packets down to the
application layer
Stateful Packet Filtering
 By recording session information such as IP
addresses and port numbers, a dynamic packet filter
can implement a much tighter security posture than a
static packet filter can
 Stateful inspection monitors communications packets
over a period of time and examines both incoming
and outgoing packets
 Outgoing packets that request specific types of
incoming packets are tracked and only the incoming
packets that constitute a proper response are
allowed through the firewall
Stateful Packet Filtering
 In a firewall that uses stateful inspection, the
network administrator can set the parameters to
meet specific needs
 In a typical network, ports are closed unless an
incoming packet requests connection to a specific
port and then only that port is opened
 This practice prevents port scanning, a well-known
hacking technique
Port Scan Attacks
 Port scan attacks are one of the most popular
reconnaissance techniques hackers use to discover
services they can break into
 All machines connected to a network run many services
that use TCP or UDP ports and there are more than 6000
defined ports available
 Normally a port scan does not cause direct damage by
itself
 Potentially, a port scan helps the attacker find which
ports are available for launching various attacks
Port Scan Attacks
 Essentially, a port scan consists of sending a message to
each port, one at a time
 The kind of response received indicates whether the port is
used and can therefore be probed further for weakness
 Port scanning usually happens for TCP ports, which are
connection-oriented and therefore give good feedback to the
attacker
 The main port scan attacks are listed as follows:
 Stealth scan
 SOCKS port probe
 Bounce scans
 UDP scanning
Port Scan Attacks
 Stealth scan: a kind of scan designed to go undetected by
auditing tools. Scanning very slowly becomes a stealth technique.
Other techniques such as FIN scanning and SYN scanning can be
used as well
 SOCKS port probe: SOCKS is a system that allows multiple
machines to share a common Internet connection. The reason
that attackers scan for this is because a large percentage of users
misconfigure SOCKS so that it permits arbitrary sources and
destinations. It may allow an attacker access to other Internet
machines through your system to hide his/her true location.
Port Scan Attacks
 Bounce scans: Attackers scour the Internet looking for
systems they can bounce their attacks through
 FTP bounce scanning takes advantage of a vulnerability of
the FTP protocol itself. Other applications such as email
servers, HTTP proxies, Finger, etc. all have vulnerabilities that
attackers can use for bounce scans
 UDP scanning: Scan UDP ports to find the open ports.
This is not often used by attackers since it is easily
blocked
Port Scanning Tools
 Freeware for port scanning is available for anyone to
use
 Three common tools: SAINT, Nmap, and Nessus
 Nmap is clearly and primarily a port scanner and it is
a utility for port scanning large networks, although it
works fine for single hosts
 Port scanning tools can be used legitimately by
admins and users to learn their network's vulnerabilities
Port Scan Attack Mitigation
 Port scan attacks can be effectively reduced (if not
completely resolved) by deploying firewalls at critical
locations of a network to filter unwanted traffic and
traffic from iffy sources
 Many port scan detecting tools and products are
available on the market
 For Linux systems, the open source program Port
Scan Attack Detector (PSAD) is available for free
Stateful Packet Filtering
 Performs all the functions of a regular packet filtering
firewall but also keeps track of the state of the connection
and past packets in the communication
 The firewall will attempt to track all the information in
each communication session at all protocol layers
Examples:
 At layer 4 – If it sees a TCP packet from B to A that has a SYN-
ACK flag, it will verify that it has seen a corresponding SYN packet
from A to B before
 At Layer 7 – For SMTP, if it sees a “MAIL FROM” message from A
to B, then it will verify that there has been a proper TCP
connection established before and that a “HELO” command was
sent and a “2xx” response received from B to A
 In other words, the stateful packet filter will keep track of
all conversations and ensure that all packets transiting
comply with proper protocol rules and operation
Stateful Packet Filtering
 Advantages
 Scalable and transparent
 High performance
 Can handle “pesky” applications that jump
ports in the process – Example: FTP in
passive mode – H.323 – These are very
hard to manage by regular packet filtering
Stateful Packet Filtering
 Disadvantages
 Requires more firewall CPU time for
analysis
 Weak for “stateless” protocols
 Harder to handle UDP return traffic
 May not look at certain application layer
data as a true proxy would
Application and Circuit Proxy
 A proxy firewall acts as an intermediate
communication point between 2 parties:
 Each party “thinks” they are directly
communicating to the other
 Actually each communicates to the Proxy Firewall
 A – Proxy – B: A communicates to the proxy, the
proxy then “acts” as A when communicating to B
and vice-versa
 Proxy firewalls act either at layer 3-4 (circuit
proxy) or layer 7 (application proxy). Most
often they act at layer 7
Application and Circuit Proxy
 Advantages
 Better security as it fully examines all data in the
packet up to layer 7
 Can perform other functions such as Email virus
scanning
 Disadvantages
 Lower performance
 Limited to protocols that are supported by firewall
 Poor scalability under heavy traffic
 May break custom applications
 May not support standard applications on non-
standard ports
Other Services Sometimes Performed by Firewalls
 Network Address Translation
 Intrusion Detection/Prevention
 Denial-of-Service (DOS) Inspection
 Authentication
 Virtual Private Network Termination
 Traffic Logging
 URL and/or Content Filtering
 Virus Scanning
Firewall Limitations
 Firewalls have limitations. It is VERY important to
understand them:
 They do not protect against viruses, worms, or trojans (except
in Application-level firewalls and new IDS/firewall hybrids)
 Can’t protect traffic that is not sent through them:
 Dial-up attacks; modems
 Social engineering
 Rerouting due to incompatibility with legacy system
 Back doors
 Can’t protect from bad code in authorized traffic
 Cannot protect from some types of packet spoofing
 Malicious insiders
 Connections that circumvent it
 Completely new threats
 Administrator that does not correctly set it up
Firewall Limitations
 Firewalls are a good first step in protecting your organization
from hackers. But they do have their limitations. The top 10
firewall limitations include:
 Viruses – not all firewalls offer full protection against computer
viruses because there are so many ways to encode files and
transfer them over the Internet
 Attacks – Firewalls can’t protect against attacks that don’t go
through the firewall. For example, your firewall may restrict
access from the Internet, but may not protect your equipment
from dial-in access to your computer systems
 Architecture – Consistent overall organization security
architecture: Firewalls reflect the overall level of security in the
network. An architecture that depends upon one method of
security or one security mechanism has a single point of failure.
A failure in its entirety, or through a software application bug,
may open the company to intruders
Firewall Limitations
 Configuration – A firewall can’t tell you if it’s been
incorrectly configured. Trained professionals have the
talent and experience to properly configure firewalls
 Monitoring – Some firewalls can notify you if a perceived
threat occurs. However, they can’t notify you if somebody
has hacked into your network. Many organizations find
they need additional hardware, software, and network
monitoring tools
 Encryption – While firewalls and Virtual Private Networks
(VPNs) are helpful, they don’t encrypt confidential
documents and e-mail messages sent within your
organization or to outside business contacts. Formalized
procedures and tools are needed to provide protection for
your confidential documents and electronic
communications
Firewall Limitations
 Management – Firewalls stop incoming threats but
organizations still require a formalized management,
destruction, and archival procedure for their electronic
documents. Electronic messages taken out of context can
put an organization in financial or other jeopardy
 Masquerading – Firewalls can’t stop a hacker from
masquerading as an employee. Hackers have a number of
ways to acquire user ids and related passwords
 Policies – Firewalls are not a replacement for a strong
Security Policy and Procedures Manual. An organization’s
security structure is only as strong as its weakest link.
Security professionals have the experience needed to help
protect your reputation
Firewall Rules Template
 Typical Fields in Firewall Rules are:
 Rule #
 Protocol (IP, UDP, TCP, GRE, or protocol number)
 A/R (Accept/Reject)
 Source IP (Start)
 Source IP End or Source Wildcard
 Src Port (or protocol number)
 Destination IP (start)
 Destination IP (End) or Wildcard
 Dest Port
 Flag
 Comments
 The rule must then be applied to a firewall interface and
to an interface traffic direction, either inbound or
outbound
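An added example (not from the slides or any vendor) that evaluates packets against rules laid out with the fields above, using the first-match, default-deny semantics described earlier in the deck, with one inbound and one outbound rule set following the two setup philosophies (block all but authorized public services inbound; allow all but specifically blocked traffic outbound). The rule contents and most addresses are constructed; 172.168.2.2 and 10.10.10.201 are the addresses used in the ACL slide.

```python
"""First-match rule evaluation using the slide's rule-template fields.

Added example, not from the slides or any vendor: rule contents and most
addresses are constructed (172.168.2.2 and 10.10.10.201 come from the ACL
slide). Rules are checked in number order, the first match decides, and an
unmatched packet is rejected (default deny).
"""
import ipaddress
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str     # "TCP", "UDP", "ICMP", or "IP" for any protocol
    action: str       # "A" accept, "R" reject
    src_start: str    # first source address, or "*"
    src_end: str      # last source address (same as start for one host)
    src_port: str     # port number or "*"
    dst_start: str
    dst_end: str
    dst_port: str
    flag: str         # TCP flag such as "SYN", or "*" for any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    flag: str = ""


def _in_range(addr, start, end):
    if start == ANY:
        return True
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)


def _port_ok(port, spec):
    return spec == ANY or int(spec) == port


def matches(rule, pkt):
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.flag != ANY and rule.flag != pkt.flag:
        return False
    return (_in_range(pkt.src, rule.src_start, rule.src_end)
            and _in_range(pkt.dst, rule.dst_start, rule.dst_end)
            and _port_ok(pkt.src_port, rule.src_port)
            and _port_ok(pkt.dst_port, rule.dst_port))


def evaluate(rules, pkt):
    """Return (accepted, rule_number); rule_number is None on default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action == "A", rule.number   # first match wins; stop here
    return False, None


# Rule set applied INBOUND on the Internet-facing interface: block everything
# except the public web server. Rule 10 must precede rule 20, otherwise the
# web rule would accept the known-bad host first.
#        num   proto  A/R  src start      src end        sport  dst start       dst end         dport flag
INBOUND = [
    Rule(10, "TCP", "R", "172.168.2.2", "172.168.2.2", ANY, ANY, ANY, ANY, ANY,
         "reject all traffic from this host"),
    Rule(20, "TCP", "A", ANY, ANY, ANY, "10.10.10.201", "10.10.10.201", "80", ANY,
         "public web server"),
]

# Rule set applied OUTBOUND: allow everything except specifically blocked
# traffic (a hypothetical policy against direct outbound SMTP).
OUTBOUND = [
    Rule(10, "TCP", "R", ANY, ANY, ANY, ANY, ANY, "25", ANY, "no direct outbound SMTP"),
    Rule(100, "IP", "A", ANY, ANY, ANY, ANY, ANY, ANY, ANY, "allow everything else"),
]


if __name__ == "__main__":
    # Constructed packets; 203.0.113.x and 198.51.100.x are documentation ranges.
    for rules, pkt in [
        (INBOUND, Packet("TCP", "172.168.2.2", 40000, "10.10.10.201", 80, "SYN")),
        (INBOUND, Packet("TCP", "203.0.113.5", 40000, "10.10.10.201", 80, "SYN")),
        (INBOUND, Packet("TCP", "203.0.113.5", 40000, "10.10.10.201", 22, "SYN")),
        (OUTBOUND, Packet("TCP", "172.18.9.10", 44321, "198.51.100.7", 25)),
    ]:
        print(pkt, evaluate(rules, pkt))
```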
Understanding Firewall Rules
 You create firewall rules to allow a computer to
send traffic to, or receive traffic from, programs,
system services, computers, or users
 Firewall rules can be created to take one of three
actions for all connections that match the rule's
criteria:
 Allow the connection
 Allow a connection only if it is secured through the
use of Internet Protocol security (IPsec)
 Block the connection
Understanding Firewall Rules
 Rules can be created for either inbound traffic or
outbound traffic
 The rule can be configured to specify the computers or
users, program, service, or port and protocol
 You can specify which type of network adapter the rule
will be applied to: local area network (LAN), wireless,
remote access, such as a virtual private network (VPN)
connection, or all types
 You can also configure the rule to be applied when any
profile is being used or only when a specified profile is
being used
 As your IT environment changes, you might have to
change, create, disable, or delete rules
Firewall Rule Priority
 Because you can make firewall rules that have apparent
conflicts, it’s important to understand the order in which
the rules are processed
 First - Authenticated bypass: These are rules in
which the Override block rules option is selected
 These rules allow matching network traffic that would
otherwise be blocked
 The network traffic must be authenticated by using a
separate connection security rule
 You can use these rules to permit access to the computer
to authorized network administrators and authorized
network troubleshooting devices
Firewall Rule Priority
 Second - Block connection: These rules block
all matching inbound network traffic
 Third - Allow connection: These rules allow
matching inbound network traffic
 Because the default behavior is to block
unsolicited inbound network traffic, you must
create an allow rule to support any network
program or service that must be able to accept
inbound connections
Firewall Rule Priority
 Default profile behavior: The default behavior
is to block unsolicited inbound network traffic,
but to allow all outbound network traffic
 You can change the default behavior on the
Domain Profile, Private Profile, and Public
Profile tabs of the Windows Firewall with the
Advanced Security Properties dialog box
Understanding Firewall Rules
 As soon as a network packet matches a rule, that
rule is applied, and processing stops
 For example, an arriving network packet is first
compared to the authenticated bypass rules
 If it matches one, that rule is applied and
processing stops
 The packet is not compared to the block, allow,
or default profile rules
 If the packet does not match an authenticated
bypass rule, then it is compared to the block
rules. If it matches one, the packet is blocked,
and processing stops, and so on
Understanding Firewall Rules
 Inbound rules explicitly allow, or explicitly block,
inbound network traffic that matches criteria in the rule
 For example, you can configure a rule to explicitly allow
traffic secured by IPsec for Remote Desktop through the
firewall, but block the same traffic if it is not secured by
IPsec
 When Windows (for example) is first installed, all
unsolicited inbound traffic is blocked
 To allow a certain type of unsolicited inbound traffic, you
must create an inbound rule that describes that traffic
 For example, if you want to run a Web server, then you
must create a rule that allows unsolicited inbound
network traffic on TCP port 80
 You can also configure the default action that Windows
Firewall with Advanced Security takes, whether
connections are allowed or blocked, when no inbound
rule applies
Understanding Firewall Rules
 Outbound rules explicitly allow, or explicitly block,
outbound network traffic originating from the computer
that matches criteria in the rule
 For example, you can configure a rule to explicitly block
outbound traffic to a computer (by IP address) through
the firewall, but allow the same traffic for other
computers
 Because outbound traffic is allowed by default, you
typically use outbound rules to block network traffic that
you do not want
 You can also configure the default action that Windows
Firewall with Advanced Security takes, whether outbound
connections are allowed or blocked, when no outbound
rule applies
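The processing order from the last few slides (authenticated bypass, then block, then allow, then the profile default) is easiest to see by running it. The following is an added example, not code from the slides and not Microsoft's implementation: a small Python simulator in which the Packet and Rule layouts, the rule names and the addresses are constructed for illustration, and IPsec authentication by a connection security rule is modelled as a flag on the packet.

```python
"""Added example: simulator of the Windows Firewall with Advanced Security
rule-processing order (authenticated bypass -> block -> allow -> profile
default). Packet/Rule layouts, names and addresses are constructed; they
are not the Windows API."""
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_PROFILES = frozenset({"domain", "private", "public"})


@dataclass(frozen=True)
class Packet:
    direction: str                     # "in" (unsolicited inbound) or "out"
    proto: str                         # "tcp" or "udp"
    port: int                          # local port inbound, remote port outbound
    remote_ip: str
    profile: str                       # network profile currently in use
    ipsec_authenticated: bool = False  # stands in for a separate connection security rule


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                        # "allow" or "block"
    proto: Optional[str] = None        # None = any
    port: Optional[int] = None
    remote_ip: Optional[str] = None
    profiles: frozenset = ALL_PROFILES
    override_block: bool = False       # "Override block rules" = authenticated bypass

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and p.profile in self.profiles
                and (self.proto is None or self.proto == p.proto)
                and (self.port is None or self.port == p.port)
                and (self.remote_ip is None or self.remote_ip == p.remote_ip))


# Default profile behaviour: block unsolicited inbound, allow all outbound.
DEFAULTS = {
    "in": {prof: "block" for prof in ALL_PROFILES},
    "out": {prof: "allow" for prof in ALL_PROFILES},
}


def evaluate(rules, p: Packet, defaults=DEFAULTS) -> Tuple[str, str]:
    """Return (decision, reason). The first match in the earliest stage
    wins and processing stops; later stages are never consulted."""
    # Stage 1: authenticated bypass, only for traffic that was authenticated
    for r in rules:
        if r.override_block and p.ipsec_authenticated and r.matches(p):
            return "allow", r.name
    # Stage 2: block rules
    for r in rules:
        if r.action == "block" and r.matches(p):
            return "block", r.name
    # Stage 3: ordinary allow rules
    for r in rules:
        if r.action == "allow" and not r.override_block and r.matches(p):
            return "allow", r.name
    # Stage 4: no rule applied, so the profile's default action decides
    return defaults[p.direction][p.profile], "default"


# Constructed rule set mirroring the slide's examples (RDP over IPsec, web server,
# outbound block of one address).
RULES = [
    Rule("RDP over IPsec (authenticated bypass)", "in", "allow", "tcp", 3389,
         override_block=True),
    Rule("Block unsecured RDP", "in", "block", "tcp", 3389),
    Rule("Web server", "in", "allow", "tcp", 80),
    Rule("Block outbound to 203.0.113.9", "out", "block", remote_ip="203.0.113.9"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("in", "tcp", 80, "198.51.100.7", "public"),
        Packet("in", "tcp", 3389, "198.51.100.7", "domain", ipsec_authenticated=True),
        Packet("in", "tcp", 3389, "198.51.100.7", "domain"),
        Packet("in", "tcp", 22, "198.51.100.7", "public"),
        Packet("out", "tcp", 443, "203.0.113.9", "private"),
        Packet("out", "tcp", 443, "198.51.100.7", "private"),
    ]:
        print(pkt.direction, pkt.proto, pkt.port, pkt.remote_ip, "->", evaluate(RULES, pkt))
```

Note that the "Block unsecured RDP" rule also matches the IPsec-authenticated packet; it never gets a chance to block it because the authenticated bypass stage is consulted first and processing stops there. Remove the authentication flag and the same packet is stopped by the block rule before the allow stage is reached.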
DMZ
 Main firewall (#2) is Tri-homed – connects three
subnets
 Screening router (60.47.1.1)
 Internal network (172.18.9.x) connects to hosts and
router
 DMZ
 Where the public web server and other public servers reside
 Main firewall ensures that all incoming connections to public
servers go only to the DMZ,
 and no incoming connection goes directly to the internal
network hosts
 Connections between DMZ and internal computers are strictly
limited
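The three policy statements on this slide can be written down as a zone-based rule table and checked against sample connections. This is an added example, not from the slides: the internal zone follows the slide's 172.18.9.x addressing and the screening router 60.47.1.1 lands on the external side, while the DMZ subnet 10.0.0.0/24, the port numbers and the single permitted DMZ-to-internal flow (a database port) are assumptions made for the illustration.

```python
"""Added example: zone policy for the tri-homed firewall on the DMZ slide.
Internal zone from the slide (172.18.9.x); DMZ subnet, ports and the one
permitted DMZ->internal flow are assumptions of this example."""
import ipaddress

ZONES = {
    "internal": ipaddress.ip_network("172.18.9.0/24"),
    "dmz": ipaddress.ip_network("10.0.0.0/24"),          # assumed DMZ subnet
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface (zone) it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"                                     # Internet side, via the screening router


# Policy for NEW connections: (src zone, dst zone, dst port or None = any, allowed).
# Evaluated top to bottom, first match wins, anything unmatched is denied.
POLICY = [
    ("external", "dmz", 80, True),          # public web server
    ("external", "dmz", 443, True),
    ("external", "dmz", 25, True),          # public mail relay (assumed)
    ("external", "internal", None, False),  # never directly to internal hosts
    ("internal", "dmz", None, True),        # staff may use DMZ services
    ("internal", "external", None, True),   # staff may reach the Internet
    ("dmz", "internal", 3306, True),        # web server -> internal DB only (assumed)
    ("dmz", "internal", None, False),       # nothing else from the DMZ inward
    ("dmz", "external", None, False),       # DMZ hosts do not originate Internet connections
]


def decide(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Return True if a new connection src -> dst:port may cross the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True                         # same subnet: the firewall never sees it
    for rule_src, rule_dst, port, allowed in POLICY:
        if rule_src == src_zone and rule_dst == dst_zone and (port is None or port == dst_port):
            return allowed
    return False                            # default deny


if __name__ == "__main__":
    for src, dst, port in [("198.51.100.20", "10.0.0.5", 80), ("198.51.100.20", "172.18.9.15", 80),
                           ("10.0.0.5", "172.18.9.50", 3306), ("10.0.0.5", "172.18.9.50", 445)]:
        print(f"{src} -> {dst}:{port}: {'allow' if decide(src, dst, port) else 'deny'}")
```

The last two rules are the "strictly limited" part: because the web server in the DMZ is the host most exposed to the Internet, a compromise of it gains only the one database port inward and nothing outward, which keeps the positive control model intact even after the public server is lost.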
IDS Outline
 Prelude to a hack
 Intrusion Detection System
Prelude to a Hack: Footprinting
 The fine art of systematically gathering
target information that will allow an
attacker to create a complete profile of
an organization’s security posture
Footprinting Steps
Step 1: Determine scope of activities
Step 2: Network enumeration
Step 3: DNS interrogation
Step 4: Network reconnaissance
Prelude to a Hack: Scanning
 The use of a variety of tools and
techniques to determine what systems
are active and reachable from the
Internet
 Scanning
 Ping Sweeps
 Host Scans
 Port Scans
 OS Detection
Ping Sweeps
 ICMP Sweep Tools
 Fping, Pinger, Ping Sweep, WS_Ping, NetScan Tools,
icmpenum
 TCP Sweep Tools
 Nmap, hping
 Remember, Ping is a program that sends a series of
packets over a network or the Internet to a specific
computer in order to generate a response from that
computer. The other computer responds with an
acknowledgment that it received the packets. Ping
was created to verify whether a specific computer
on a network or the Internet exists and is connected
Ping Sweeps
 Ping Sweep enables you to scan a range of IP addresses
to identify which IP addresses are in use and which ones
are currently free
 You can easily adjust the delay between pings, as well
as the TTL (Time to Live).
 Ping Sweep can also look up the DNS name for each IP
address using your configured DNS and WINS servers
 Additionally, Ping Sweep performs a fast ICMP sweep of
your IP address range and presents the results in an
easy-to-use worksheet
Port Scans
 Identify the TCP/UDP services running
 Identify the type of OS
 Identify the specific application or version of a
particular service
Port Scan Types
 TCP connect scan
 TCP SYN scan
 TCP FIN scan
 TCP Null scan
 TCP Xmas Tree scan
 TCP ACK scan
 TCP Window scan
 TCP RPC scan
 UDP scan
NMAP Port Scanning and OS Fingerprinting
[Figure: Nmap output screenshots showing discovered open ports and OS fingerprinting]
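Seen from the defender's side, the ping sweeps and port scans on the preceding slides leave a characteristic footprint in flow records: one source touching many hosts with ICMP, or one source touching many ports on one host, often with the unusual TCP flag combinations the scan-type list names. The following is an added example, not from the slides and not from any of the tools listed: a Python detector over constructed flow records (the addresses, thresholds and flag encoding are this example's own assumptions).

```python
"""Added example: flag ping sweeps, port scans and null/FIN/Xmas probes
in flow records. Records, thresholds and the flag letters (S,A,F,R,P,U)
are constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (src, dst, proto, dst_port, tcp_flags); port/flags are None for ICMP
Flow = Tuple[str, str, str, Optional[int], Optional[str]]


def build_sample_flows() -> List[Flow]:
    """Constructed sample: an ICMP sweeper, a TCP port scanner and a normal client."""
    flows: List[Flow] = []
    for host in range(1, 21):                                  # sweeper pings 20 hosts
        flows.append(("203.0.113.5", f"172.18.9.{host}", "icmp", None, None))
    for port in range(20, 45):                                 # scanner probes 25 ports on one host
        flows.append(("203.0.113.7", "172.18.9.10", "tcp", port, "S"))
    flows += [
        ("203.0.113.7", "172.18.9.10", "tcp", 80, ""),         # Null probe: no flags set
        ("203.0.113.7", "172.18.9.10", "tcp", 80, "FPU"),      # Xmas Tree probe
        ("198.51.100.9", "172.18.9.10", "tcp", 80, "S"),       # ordinary web client
        ("198.51.100.9", "172.18.9.10", "tcp", 443, "S"),
    ]
    return flows


def classify_tcp_flags(flags: str) -> str:
    """Name the scan type implied by a TCP flag set (see the Port Scan Types slide)."""
    f = set(flags)
    if not f:
        return "null"
    if f == {"F", "P", "U"}:
        return "xmas"
    if f == {"F"}:
        return "fin"
    if f == {"A"}:
        return "ack"
    if f == {"S"}:
        return "syn"
    return "other"


def detect_ping_sweeps(flows: List[Flow], min_hosts: int = 10) -> Dict[str, int]:
    """Sources that sent ICMP to at least min_hosts distinct destinations."""
    targets = defaultdict(set)
    for src, dst, proto, _, _ in flows:
        if proto == "icmp":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


def detect_port_scans(flows: List[Flow], min_ports: int = 10) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs where src probed at least min_ports distinct TCP/UDP ports."""
    ports = defaultdict(set)
    for src, dst, proto, port, _ in flows:
        if proto in ("tcp", "udp") and port is not None:
            ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def stealth_probes(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """TCP packets whose flag set matches a Null, FIN or Xmas Tree scan; a normal
    connection never starts with these combinations, so each one is worth an alert."""
    return [(src, dst, port, classify_tcp_flags(fl))
            for src, dst, proto, port, fl in flows
            if proto == "tcp" and classify_tcp_flags(fl) in ("null", "xmas", "fin")]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("ping sweeps:", detect_ping_sweeps(sample))
    print("port scans:", detect_port_scans(sample))
    print("stealth probes:", stealth_probes(sample))
```

Thresholds are the tuning knob: a monitoring host legitimately pings every machine it watches, so in practice sweep detection is keyed on source, time window and distinct-target count together rather than on a bare count as here.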
Prelude to a Hack: Enumeration
 A process of extracting valid account or
exported resource names from systems using
active connections and directed queries
 OS specific techniques
 Types of information enumerated
 Network resources and shares
 Users and groups
 Applications and banners
Defense:
Intrusion Detection System
[Figure: An attacker on the Internet sends a suspicious packet (1) toward the corporate network; the suspicious packet is passed (2) to a hardened server; the IDS logs the suspicious packet (3) to a log file and raises an alarm (4) to the network administrator]
What is an IDS?
 Device/software that monitors traffic
and/or host activity looking for the
following:
 Malicious traffic
 Unusual traffic
 Activity on host systems that is outside of
known patterns
 Then logs and reports activity in form
of alarms
Evolution of the IDS
 Computers can generate lots of log/audit data
 System admins began to write tools to
automate the process of logging/analysis
 These tools evolved and were modified to
focus on security-related issues in the late
1980s
Evolution of the IDS
 Network Security Monitor was developed at
UC Davis
 This was an early IDS-like tool that analyzed
actual traffic rather than log entries
 Essentially a packet sniffer feeding data into an
analysis engine
Types of IDS
 Host-based
 Network-based
 Signature-based
 Anomaly-based
Host-based IDS
 Characteristics
 Runs on a single host
 Can analyze network packets, integrity of files, etc.
 Advantages
 Easy to deploy and manage
 Not resource intensive
 Disadvantages
 Not scalable
 Low security – host may be compromised
 Deployment
 Single mission-critical machine
 Desktop machine
Network-based IDS
 Characteristics
 Network monitor – passively captures traffic and inspects it
 Can also function in a client-server model
 Advantages
 Once positioned properly, can test effectiveness of
router/firewall
 Can monitor multiple machines
 Disadvantages
 Resource intensive – storage, processing power, etc.
 Single point of failure
 Deployment
 Data center
 Inside/outside protected network
Signature-based IDS
 Characteristics
 Uses known pattern matching to signify an attack
 Can identify intrusions from packet header/data
 May use Boolean operators in rules: (“this str” AND “that num”)
 Advantages
 Widely available; fast; easy to implement and update
 Disadvantages
 Simple – cannot detect an attack without a fixed signature
 Needs updating very often – for each new attack and its variants
 Deployment
 Can be host-based or network-based
 Nearly everywhere
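The "Boolean operators in rules" point and the "fixed signature" limitation both show up once rules are written as combinable conditions on header fields and payload strings. The following is an added example, not from the slides and not Snort or any other real IDS: a toy signature engine in Python whose signatures, SIDs and sample packets are constructed for the illustration.

```python
"""Added example: toy signature-based IDS. Rules combine a header field
("that num") and payload strings ("this str") with AND / OR / NOT.
Signatures, SIDs and packets are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


Cond = Callable[[Packet], bool]


# Primitive conditions
def content(needle: bytes) -> Cond:          # fixed byte pattern in the payload
    return lambda p: needle in p.payload


def dport(n: int) -> Cond:                   # header field: destination port
    return lambda p: p.dst_port == n


# Boolean operators over conditions
def all_of(*conds: Cond) -> Cond:
    return lambda p: all(c(p) for c in conds)


def any_of(*conds: Cond) -> Cond:
    return lambda p: any(c(p) for c in conds)


def not_(cond: Cond) -> Cond:
    return lambda p: not cond(p)


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    match: Cond


SIGNATURES = [
    Signature(1000001, "WEB directory traversal attempt",
              all_of(dport(80), content(b"../../"))),
    Signature(1000002, "FTP anonymous login",
              all_of(dport(21), any_of(content(b"USER anonymous"), content(b"USER ftp")))),
    Signature(1000003, "HTTP request without Host header",
              all_of(dport(80), content(b"GET "), not_(content(b"Host:")))),
]


def inspect(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[int, str, str]]:
    """Return one alert (sid, msg, src) for every packet/signature match."""
    return [(s.sid, s.msg, p.src) for p in packets for s in signatures if s.match(p)]


# Constructed sample traffic: two hits, one clean request, and one variant that
# the fixed signature does not cover (the slide's "cannot detect without a fixed
# signature" disadvantage).
SAMPLE = [
    Packet("203.0.113.8", "10.0.0.5", 80, b"GET /../../secret HTTP/1.1\r\nHost: www\r\n"),
    Packet("203.0.113.8", "10.0.0.5", 21, b"USER ftp\r\n"),
    Packet("198.51.100.9", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    Packet("203.0.113.8", "10.0.0.5", 80, b"GET /..\\..\\secret HTTP/1.1\r\nHost: www\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

The fourth packet carries the same idea as the first spelled differently, and produces no alert: the engine has only the byte strings it was given, which is exactly why signature sets need updating for every variant.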
Anomaly-based IDS
 Characteristics
 Uses statistical variance or an AI engine to evaluate traffic against normal
usage behaviors
 Does not use signatures, must be “trained”
 Advantages
 Can detect attempts to exploit new and undiscovered
vulnerabilities
 Can recognize unusual traffic based on payload, src addr, time,
etc.
 Disadvantages
 Slower and more resource intensive
 Much more complicated, difficult to configure
 Higher percentage of false alarms
 Deployment
 Currently fewer deployments – considered immature
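The "statistical variance" approach on this slide, in runnable form: a detector is trained on traffic assumed to be normal, then scores each new observation by how many standard deviations it sits from the learned mean. This is an added example, not from the slides; the per-host features, the training data and the three test observations are constructed for the illustration, and the k = 3 threshold is an assumption.

```python
"""Added example: anomaly-based detector using a per-feature z-score
against a trained baseline. Features, training data, observations and
the threshold k are constructed for this example."""
import statistics
from typing import Dict, List, Tuple


class AnomalyDetector:
    """No signatures: must be trained on normal traffic before scoring."""

    def __init__(self, k: float = 3.0):
        self.k = k                                           # z-score alarm threshold
        self.baseline: Dict[str, Tuple[float, float]] = {}   # feature -> (mean, stdev)

    def train(self, observations: List[Dict[str, float]]) -> None:
        columns: Dict[str, List[float]] = {}
        for obs in observations:
            for name, value in obs.items():
                columns.setdefault(name, []).append(value)
        for name, values in columns.items():
            sd = statistics.pstdev(values)
            # A constant feature has sd == 0; a tiny floor makes any change count.
            self.baseline[name] = (statistics.mean(values), sd if sd > 0 else 1e-9)

    def score(self, obs: Dict[str, float]) -> Dict[str, float]:
        """Absolute z-score of each feature against the learned baseline."""
        scores = {}
        for name, value in obs.items():
            mean, sd = self.baseline[name]
            scores[name] = abs(value - mean) / sd
        return scores

    def anomalous_features(self, obs: Dict[str, float]) -> List[str]:
        """Features that deviate by more than k standard deviations."""
        return [name for name, z in self.score(obs).items() if z > self.k]


# Constructed hourly observations for one workstation during a "normal" period:
# connections per hour and distinct destination ports per hour.
TRAINING = [
    {"conns": 42, "distinct_ports": 4}, {"conns": 45, "distinct_ports": 5},
    {"conns": 40, "distinct_ports": 4}, {"conns": 47, "distinct_ports": 6},
    {"conns": 44, "distinct_ports": 5}, {"conns": 41, "distinct_ports": 4},
    {"conns": 46, "distinct_ports": 5}, {"conns": 43, "distinct_ports": 5},
    {"conns": 45, "distinct_ports": 4}, {"conns": 42, "distinct_ports": 6},
]


def build_detector(k: float = 3.0) -> AnomalyDetector:
    det = AnomalyDetector(k)
    det.train(TRAINING)
    return det


NORMAL_HOUR = {"conns": 44, "distinct_ports": 5}
NOVEL_BEHAVIOUR = {"conns": 45, "distinct_ports": 60}   # never-before-seen pattern, no signature exists
BACKUP_WINDOW = {"conns": 120, "distinct_ports": 5}     # legitimate spike: a false alarm

if __name__ == "__main__":
    det = build_detector()
    for label, obs in [("normal", NORMAL_HOUR), ("novel", NOVEL_BEHAVIOUR), ("backup", BACKUP_WINDOW)]:
        print(label, det.score(obs), "->", det.anomalous_features(obs) or "ok")
```

The three observations map onto the slide's advantages and disadvantages: the novel behaviour is flagged without any signature for it, while the nightly backup is flagged just as loudly, which is the "higher percentage of false alarms" and the reason such detectors need careful training data and tuning before they are trusted.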
Deploying IDS
Step 1: Identify what needs IDS protection
Step 2: Determine type(s) needed
Step 3: Harden host system
Step 4: Keep updated (e.g. anti-virus update)
Step 5: Deploy IDS
Step 6: Configuration and management