Networking for Caribbean Development, BELIZE, NOV 2 - NOV 6, 2015, www.caribnog.org
Security Lab Firewalls
What is a Firewall
A firewall commonly describes systems or devices placed between a trusted and an untrusted network. Network firewall solutions offer user and application policy enforcement that protects against different types of security threats. These solutions often provide logging capabilities that enable security administrators to identify, investigate, validate, and mitigate such threats.
Network Firewalls
Network-based firewalls provide key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network, based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.
Typical Firewall Functions
Simple packet-filtering techniques
Application proxies
Network Address Translation (NAT)
Stateful inspection firewalls
Virtual Private Networks (VPN)
Next-generation context-aware firewalls
NGFWs go beyond the standard functions. The goal of next-generation firewalls is to include more layers of the OSI model to improve the filtering of network traffic based on packet contents. They are expected to go deeper, inspecting the payload of packets and matching signatures for harmful activity such as known vulnerabilities, exploit attacks, viruses and malware.
NGFW features
Signature-based IPS engine
Application awareness, full-stack visibility and granular control
Capability to incorporate information from outside the firewall, e.g., authentication-based policy, blacklists, whitelists, etc.
Upgrade path to include future information feeds and security threats
SSL decryption to enable identifying undesirable encrypted applications
Types of Firewall
Software-based: pfSense, Netfilter/iptables, Vyatta, Untangle Gateway and Microsoft Forefront Threat Management Gateway
Hardware/appliances: Check Point VPN-1, WatchGuard, FortiGate, Palo Alto Networks, Cisco ASA, Juniper SSG
Network Threats
Unauthorized network traffic and access control
Denial of service attacks
Virus and malware outbreaks
Botnets and distributed denial of service
Malware in encrypted network traffic
Phishing sites and attacks
Spam and infected email
Data protection
Packet Filters and Proxy & ALG
Two types of policies:
Packet Filter: Examines the IP header of each packet, and operates at the network and transport protocol packet layers.
Proxy & ALG (Application Layer Gateway):
Proxy: Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
ALG: Completes the same functions as a proxy, but also provides transparent connection management. Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.
Packet Filtering Policies or Rules
Packet filter policy templates are included for many specific types of traffic that use various ports and protocols. Select a policy template to see details about the port and protocol it applies to. You can also create custom policy templates. To create a packet filter policy, select the template and click Add. In the policy, specify the source, destination, and any other policy properties.
Disabling the Outgoing policy
The Outgoing policy allows outgoing TCP and UDP connections on all ports. If you want to allow users on your trusted and optional networks to browse the web, but do not want to allow other TCP/UDP traffic, you can:
Add policies for:
HTTP on TCP port 80
HTTPS on TCP port 443
DNS on TCP port 53 and UDP port 53
Disable the Outgoing policy
If you disable the Outgoing policy, the firewall denies outbound TCP and UDP traffic on all ports unless you add another policy to allow it.
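The effect of disabling the Outgoing policy, as an added example that is not code from the deck or from WatchGuard: a simplified first-match packet filter with an implicit deny, where the Outgoing policy is just one more entry in the list and "disabling" it means leaving it out. Interface names (Trusted, Optional, External), the sample connections and the implicit-deny label are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A packet-filter policy; the first policy that matches decides the action."""
    name: str
    protos: Tuple[str, ...]                        # protocols the policy covers
    port: Optional[int]                            # destination port, None = any port
    from_ifaces: Tuple[str, ...] = ("Trusted", "Optional")
    action: str = "allow"

    def matches(self, src_iface: str, proto: str, dport: int) -> bool:
        return (src_iface in self.from_ifaces
                and proto in self.protos
                and self.port in (None, dport))


# The built-in Outgoing policy: any TCP/UDP port from the trusted and optional networks.
OUTGOING = Policy("Outgoing", ("tcp", "udp"), None)

# The replacement policies from the slide: web browsing plus the DNS it needs.
WEB_ONLY: List[Policy] = [
    Policy("HTTP", ("tcp",), 80),
    Policy("HTTPS", ("tcp",), 443),
    Policy("DNS", ("tcp", "udp"), 53),
]


def evaluate(policies: List[Policy], src_iface: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, policy_name) for an outbound connection attempt.
    With no matching policy the firewall's implicit deny applies."""
    for policy in policies:
        if policy.matches(src_iface, proto, dport):
            return policy.action, policy.name
    return "deny", "implicit-deny"


def compare(src_iface: str, proto: str, dport: int):
    """Same connection with the Outgoing policy enabled and then disabled."""
    enabled = evaluate(WEB_ONLY + [OUTGOING], src_iface, proto, dport)
    disabled = evaluate(WEB_ONLY, src_iface, proto, dport)
    return enabled, disabled


if __name__ == "__main__":
    # Constructed sample connections: (source interface, protocol, destination port).
    for conn in [("Trusted", "tcp", 443), ("Trusted", "udp", 53),
                 ("Optional", "tcp", 25), ("Trusted", "udp", 6881)]:
        print(conn, "enabled:", compare(*conn)[0], "disabled:", compare(*conn)[1])
```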
Intrusion Detection and Prevention
Traditional patch timeline:
Vulnerability found and exposed
Hacker builds attack that uses the vulnerability
Attack launched
Vendor builds patch
Vendor distributes patch
IT admin queues patch update based on severity
IT admin installs patch
Firewall-based IPS:
Proactively blocks many threats
Firewall-based IPS supplies zero-day protection
Attack signature developed and distributed
Ongoing protection at higher performance
Default Packet Handling
Spoofing attacks
Port and address space probes
Flood attacks
Denial of service
Options for logging and automatic blocking
Control Incoming Connections
Use the DNS-Incoming action as a template
You own the server
You decide who gets to connect to the server
(Diagram: DNS Proxy placed between the DNS server and your network)
Use DNS-Outgoing
Use the DNS-Outgoing proxy action to block DNS requests for services, such as queries for:
POP3 servers
Advertising networks
IM applications
P2P applications
Signature-Based Services
Gateway AntiVirus, APT Blocker, Data Loss Prevention, Intrusion Prevention, Application Control
Set Up Gateway AntiVirus
1. Firebox downloads the initial signature file
2. Firebox gets new signatures and updates at a regular interval
3. Gateway AV strips viruses and allows valid email or web pages to load
(Diagram: Gateway AntiVirus database updates flow from WatchGuard to your network)
APT Blocker
What is an APT (Advanced Persistent Threat)? APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network. They are designed to gain access to networks and confidential data over extended periods of time. APTs are highly sophisticated and often target specific high-profile institutions such as government or financial-sector companies. APT use has now expanded to target smaller networks and lower-profile organizations. Traditional signature-based scan techniques do not provide adequate protection against APTs.
What is Data Loss Prevention
Data Loss Prevention (DLP) is a signature-based security service that can help you control the loss of confidential data from your network. DLP uses content control rules to identify sensitive data, such as:
Bank routing numbers
Credit card numbers
Confidential document markers
National identity numbers
Driver's license numbers
Medical records
Postal addresses and telephone numbers
Email addresses
DLP scans outbound traffic over proxied SMTP, FTP, HTTP, and HTTPS connections.
Know your network and users
2015-11-03 13:46:23 Deny 197.237.140.161 190.213.227.137 14836/udp 27332 14836 0-External Firebox Denied 131 111 (Unhandled External Packet-00)
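Reading traffic-log lines like the one above is the "know your network" step in practice. The following is an added example, not code from the deck or from WatchGuard: it parses entries in the layout shown (timestamp, disposition, source, destination, port/protocol, ports, source and destination interface, message, two trailing numbers, policy) and counts denied packets per source. The names for the two trailing numbers (packet length, TTL) are my assumption; the first sample line is the entry from the slide, the other two are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Field layout follows the traffic-log entry on the slide; "length" and "ttl" for
# the two trailing numbers are an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<disposition>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)/(?P<proto>\w+) "
    r"(?P<sport>\d+) \d+ (?P<src_if>\S+) (?P<dst_if>\S+) (?P<msg>\S+) "
    r"(?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]+)\)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one traffic-log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("dport", "sport", "length", "ttl"):
        rec[key] = int(rec[key])
    return rec


def deny_counts(lines: Iterable[str]) -> Counter:
    """Count denied packets per source address, e.g. to spot probes from outside."""
    counts: Counter = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["disposition"] == "Deny":
            counts[rec["src"]] += 1
    return counts


def unhandled_from_external(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Denied packets that arrived on the external interface aimed at the firewall itself."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["disposition"] == "Deny"
            and rec["src_if"] == "0-External" and rec["dst_if"] == "Firebox"]


# First line is the entry from the slide; the other two are constructed for illustration.
SAMPLE_LINES = [
    "2015-11-03 13:46:23 Deny 197.237.140.161 190.213.227.137 14836/udp 27332 14836 "
    "0-External Firebox Denied 131 111 (Unhandled External Packet-00)",
    "2015-11-03 13:46:31 Deny 197.237.140.161 190.213.227.137 22/tcp 27333 22 "
    "0-External Firebox Denied 60 111 (Unhandled External Packet-00)",
    "2015-11-03 13:47:02 Allow 10.0.1.25 198.51.100.7 443/tcp 51822 443 "
    "1-Trusted 0-External Allowed 60 63 (HTTPS-00)",
]

if __name__ == "__main__":
    for src, n in deny_counts(SAMPLE_LINES).most_common():
        print(f"{src}: {n} denied packets")
```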