sbe webinar series - 2018 broadcast infrastructure ...webinar # 2 – “understanding the...
TRANSCRIPT
SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity - Part 2
Wayne M. Pecena, CPBE, CBNE Texas A&M University
Educational Broadcast Services – KAMU FM-TV
Broadcast Infrastructure Cybersecurity – Advertised Presentation Scope

Webinar Series Overview: As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, the security threats have grown as well, so that network security is an ongoing essential task for the broadcast engineer with IT responsibilities. This webinar series will provide an understanding of IP network security terminology, security plan principles, best practices, proactive implementation techniques, and active security verification. Practical implementation examples utilizing popular network infrastructure equipment will be provided, along with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principles, an understanding of how to develop a network security plan for your organization, and best practice implementation approaches. Network security is an ongoing IT process and should never be considered a one-time “set up and forget” process.

Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals, including OSI model structure, Ethernet switch operation, IP layer 3 system protocols, the TCP 3-way handshake, and the use of port numbers.
Broadcast Infrastructure Cybersecurity

Webinar # 2 – “Understanding The Firewall”
Major Topics:
• Webinar #1 Takeaway Point Review
• The Firewall
• The Access Control List (ACL)
• Firewall Implementation & Ruleset Configuration
• Takeaway Points & Reference Resources
• Questions & Discussion
Takeaway Points – Part 1
• Recognize & Accept The “Security Lifecycle”
• Have a Security Policy
• Utilize “Defense in Depth” Strategy
• Understand Security Threat Landscape
• Begin With Network Design – Segment Your Network
  – Security
  – Performance Enhancement
• Implement a Structured Plan
  – Begin with Physical Security
  – Implement Switch Port Security
  – Implement Packet Filtering
  – Implement Encrypted Access
  – Implement Trust (authentication)
• Implement Ethernet Port Security
• Disable Any “Unused” Ports
• Enable “Trunk/Tagged” Ports w/Caution
• Do Not Use VLAN 1
• Monitor Your Network – Know What is Normal!

Future Webinars Will Continue to Build This List
Ethernet Switch Functions
Basic Switch Functions:
• Learn MAC Addresses – Build “Table”
• Filter / Forward Ethernet Frames
• Flood Ethernet Frames
  – Broadcast Frame
  – MAC Not in CAM Table
Managed Switch Functions:
• Establish VLAN(s)
• Provide Loop Avoidance – Redundancy (STP)
• Provide Port Security Features
• Provide Multicast Support (IGMP Snooping)
Layer 2 – Switch Port Security
• Port Security Options:
  – Permit Specific MAC Address / Port
  – Limit # MAC Addresses / Port
  – “Sticky” MAC Learning Configuration
• Port Security Violations:
  – Discard Frame
  – Shutdown Port
  – Notification
Prevents CAM Table Overflow Attacks; Limits DoS & DDoS Attacks
Layer 2 – Data-Link Layer Access
• Implement Ethernet Switch Port Security
• Disable Unused Ports
• Config “Trunk / Tagged” Ports With Caution
Figure: a switch segmenting network traffic into VLAN 100, VLAN 200 and VLAN 300. Annotations: disable any unused “access” or “untagged” ports; configure “trunk” or “tagged” ports only when required; enable switch port security (specific MAC address, limit number of MAC addresses per port, specify “shutdown” violation response).
Layer 2 Hardening
• Disable Telnet – Use SSH
• Set SNMP Secrets
• Minimize Spanned VLAN(s)
• Set STP Root Designation
• Enable Spoofing Features
• Disable Unused Ports
• Do Not Use VLAN1
• Disable CDP (Cisco)
• Enable Port Security
• Use Authentication (802.1x)
Cybersecurity Attack Model
Figure: attack chain – Network Probing & Reconnaissance → Delivery & Attack → Installation & Exploitation → Compromise & Expansion. Reconnaissance uses passive & active approaches to find target(s) and harvest information.
Structured Implementation Plan
Layer 1 – Physical Access
Layer 2 – Ethernet Switch Security
Layer 3 – Packet Filtering
Layer 4 and above – Encryption & Authentication
L3 and Above Network Security Tools
• Firewall
  – Used to Create a “Trusted” Network Segment by Filtering Network Packets
    • Permit
    • Deny
  – Types of Firewalls:
    • Stateless Packet Filtering – Single Packet Inspection Based
    • Stateful Packet Filtering – Flow or Conversation Inspection Based
    • Proxy – Intermediary Host or Software Application
  – Access Control Mechanism
• Detection Tools
  – Intrusion Detection Systems (IDS)
    • Signature Based
    • Anomaly Based
    • False + / False –
  – Intrusion Prevention Systems (IPS)
    • Combine Firewall & IDS Functions
Figure: a proxy positioned between the internal network and the external network.
The Firewall
Broadcast Infrastructure Cybersecurity
What is a Firewall?
A Device (hardware or software) That Controls Which IP Packets Enter or Exit a Network (Permit or Deny)
Why Use?
● First level of defense
● Protection for hosts lacking security
● Protection for a group of hosts
Generations of Firewall Technology
• Generation 1: Packet Filtering (static inspection)
• Generation 2: Circuit Level Gateway (NAT)
• Generation 3: Packet Filtering (stateful inspection – dynamic)
• Generation 4: Application Level Gateway (Proxy)
• Generation 5 and beyond: Application Level – Kernel Proxy
Firewall Types
• Packet Filtering (stateless)
• Packet Filtering (stateful inspection)
• Application Gateway (proxy)
• Circuit Gateway (NAT) – Hides Internal Host IP Address
• Next-Gen Firewall – Traditional Stateless / Stateful Firewall + Application Deep Packet Inspection (DPI) + Intrusion Prevention System (IPS)
A “State”
• A dynamic rule created by the firewall based upon a host-to-host source/destination address-port combination
Figure: TCP 3-way handshake between Send Host and Receive Host –
  1. Send Host → Receive Host: “I want to connect. My sequence number is 100” (SEQ = 100, CONTROL = SYN)
  2. Receive Host → Send Host: “I received your sequence 100! My sequence number is 1 & ready for 101” (SEQ = 1, ACK = 100, CONTROL = SYN, ACK)
  3. Send Host → Receive Host: “I received your sequence 1 & ready for sequence 2” (SEQ = 101, ACK = 2, CONTROL = ACK)
Resulting state entry (both directions of the conversation):
  165.95.240.130:32985 ---> 74.125.21.147:443
  74.125.21.147:443 ---> 165.95.240.130:32985
Firewall Software & Appliances
• Software Based:
  – IP Tables (Linux)
  – pfSense
  – ZoneAlarm (Win)
• Appliance Based:
  – Cisco PIX
  – Cisco ASA
  – Check Point FireWall-1
  – Barracuda Firewall
The IPv4 Packet Header
• Protocol – Indicates upper layer protocol (TCP, UDP, ICMP as examples)
• Source Address – Address of “sending” Host
• Destination Address – Address of “receiving” Host

IPv4 header layout (each row is 4 bytes / 32 bits; the fixed header is 20 bytes; field widths in bits):
  Version (4) | Header Length (4) | Precedence / Type (8) | Length (16)
  Identification (16) | Flag (3) | Offset (13)
  Time to Live (8) | Protocol (8) | Header Checksum (16)
  Source IP Address (32)
  Destination IP Address (32)
  Options & Padding (0 or 32)
  Packet Payload (Transport Layer Data)
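As an added example (not part of the original SBE slides), the parser below pulls the fields a packet filter matches on out of the header layout just shown: protocol, source and destination address, and, for TCP/UDP, the Layer 4 ports an extended ACL needs. It also verifies the header checksum and rejects truncated or malformed headers. The sample packet, its TCP payload and the helper that builds it are constructed for the example.

```python
"""Parse the IPv4 header fields a packet filter evaluates (added example)."""
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the header taken 16 bits at a time."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the Layer 3/4 fields an ACL can filter on, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    # Re-summing the header with its checksum field included must yield zero.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    fields = {
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": None,
        "dport": None,
    }
    # Extended ACLs also match Layer 4 ports: the first 4 bytes of TCP/UDP, only
    # present in the first fragment.
    if proto in (6, 17) and fields["frag_offset"] == 0 and len(packet) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a packet with a correct checksum (sample input for the parser)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# Constructed sample: the HTTPS SYN from the "state" slide (port 32985 -> 443),
# carrying a minimal 20-byte TCP header.
SAMPLE_TCP = build_ipv4(
    "165.95.240.130", "74.125.21.147", 6,
    struct.pack("!HHIIBBHHH", 32985, 443, 100, 0, 5 << 4, 0x02, 65535, 0, 0))

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_TCP))
```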
The Access Control List (ACL)
Broadcast Infrastructure Cybersecurity
Packet Filtering Border Router
Figure: a Border Router w/Packet Filtering (ACL) placed between the External Network (Internet, un-trusted) and the Internal Network (private, trusted); the router is the security perimeter, the boundary creating the “trust” zone.
The Access Control List “ACL”
• Statements That Permit or Deny Layer 3 Network Traffic
• The “ACL” is a Predefined “Rule” Script
• Packet (layer 3 PDU) Filtering Accomplished:
  – By A Layer 3 Router
  – Inspect Incoming & Outgoing Packets Against Rule
  – Determine if Packet Is to Be Forwarded or Dropped
• The Layer 3 Router with ACLs Implemented – Becomes a Basic Firewall (Generation 1)
• Why Use an ACL?
  – Provide Security by Denying Specific Packets – Destination Host(s)
  – Provide Security by Denying Specific Packets – Source Host(s)
  – Provide Security by Denying Specific Packets – Protocol(s)
  – Minimize Specific Packets to Increase Performance
  – Classify Packets for Quality-of-Service (QoS) Applications
Access Control List “More Details”
• Provides “Basic” Network Access Security Buffer – Packet Filter Based
• Filter IP Network Packets:
  – Forwarded @ Egress Interface
  – Blocked @ Ingress Interface
• Standard Access List – Layer 3 Header Info
  – Can Only Permit or Deny The Source Host IP Address
  – Placed Closest to Destination Host
• Extended Access List – Layer 3 & 4 Header Info
  – Can Permit or Deny Based Upon:
    • Source IP Address
    • Destination IP Address
    • TCP Port #
    • UDP Port #
    • TCP/IP Protocol
  – Placed Closest to Source Network
• ACL Can Be Numbered or Named
  – Standard: 1 – 99 or 1300 – 1999
  – Extended: 100 – 199 or 2000 – 2699
ACL Guidelines
• One (1) ACL / Interface / Protocol / Direction
• The ACL is Processed Hierarchically (top down)
  – More specific statements first
  – Less specific statements follow
• The ACL is Created Globally – Applied to Specific Interface
• The ACL Filters:
  – Packets passing through router
  – Packets to the router
  – Packets from the router
• The ACL Has “Implicit Deny All” @ End – ACL must contain at least one “permit” statement
  #access-list 100 permit ip any any
Reference: www.routerfreak.com/understanding_access-control-lists-acl/
Implementing an Access Control List
Figure: two steps – (1) Create Access Control List, (2) Apply Access Control List. Each router interface (Interface 0/0, Interface 0/1) can carry an Ingress ACL (filters inbound packets) and an Egress ACL (filters outbound packets). One ACL per Interface / Direction / Protocol. Permit or Deny on: Source IP Address (standard), Source IP Address (extended), Destination IP Address, ICMP, TCP/UDP Source Port, TCP/UDP Destination Port.
Access Control List (ACL) Syntax
• Standard ACL:
  access-list access-list-number {permit|deny} match-parameter
  Match-parameters: any | host IP | network-IP wildcard
• Extended ACL:
  access-list access-list-number {permit|deny} protocol {source source-wildcard|host source|any} {destination destination-wildcard|host destination|any}
The Access Control List (ACL) “Examples”
Broadcast Infrastructure Cybersecurity
![Page 27: SBE Webinar Series - 2018 Broadcast Infrastructure ...Webinar # 2 – “Understanding The Firewall” Major Topics: Webinar #1 Takeaway Point Review The Firewall The Access Control](https://reader035.vdocuments.site/reader035/viewer/2022071211/6023d25b8d00352d4037a14d/html5/thumbnails/27.jpg)
“Wildcard” Mask
• Common Use: Routing Protocols & ACL
• Used to Specify a Range of IP Addresses
• IPv4 Wildcard Mask is 32 bits
• Equivalent to Inverted Subnet Mask: “255.255.128.0” Subnet Mask → “0.0.127.255” Inverted Mask
• Binary Operators:
  – “0” bit Indicates the Address Bit Must Match
  – “1” bit Indicates No Match Required (the address bit is ignored)
  11111111.11111111.10000000.00000000  Subnet Mask
  00000000.00000000.01111111.11111111  Wildcard Mask
Calculate the Wildcard Mask
• Subnet Mask = 255.255.128.0
• Wildcard Mask = 0.0.127.255
  IPv4 Address Space     255.255.255.255
  subtract Subnet Mask   255.255.128.0
  Yields Inverted Mask   000.000.127.255
ACL Example(s)
• Permit ALL IPv4 Addresses:
  – #access-list 1 permit 0.0.0.0 255.255.255.255
• Permit All 192.168.1.0 Hosts:
  – #access-list 1 permit 192.168.1.0 0.0.0.255
• Permit Only IP Address 192.168.1.100:
  – #access-list 1 permit 192.168.1.100
• Deny Only IP Address 192.168.1.100:
  – #access-list 1 deny 192.168.1.100
  – #access-list 1 permit any
  (a standard ACL matches only the source address, so a single “any” follows the deny)
Remember Implicit DENY
Remember to Apply ACL to Interface
“ping” – Packet Internet Groper
• Sending Host Sends ICMP “echo request”
• Destination Host Replies ICMP “echo reply”
• Round-Trip Times Returned
• Be Aware of Command Line Options
ICMP Messages:
• Network Layer Based – RFC 1256 – The “Tattle Tale” Protocol
• Platform Utilized by ping & traceroute
Access Control List (ACL) – Example: Block External Users From “Pinging” Inside Network Hosts
Figure: Router 1 with interfaces E0 and E1 between “The Internet” and the internal hosts 192.168.10.1 /24, 192.168.10.2 /24 and 192.168.10.6 /24.
Create Access List on Router 1:
  access-list 100 deny icmp any any
  access-list 100 permit ip any any
Apply Access List to Interface:
  interface ethernet1
  ip access-group 100 in
Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic “Cisco” commands utilized for illustration purposes.
Port Numbers – RFC 1700
• Applications Are Indexed by a “Port Number”
• Port Numbers Can Be Between 0 – 65,535
  – 0 – 1,023 Considered Reserved
  – 1,024 – 49,151 Can Be Registered
  – 49,152 – 65,535 Considered Dynamic or Private
• 65,535 TCP Ports
• 65,535 UDP Ports
Service Name and Transport Protocol Port Number Registry: http://www.iana.org/assignments/port-numbers
Examples: “Well Known – System Port Numbers”
• Port 20 / 21 – FTP “File Transfer Protocol”
• Port 23 – TELNET
• Port 53 – DNS “Domain Name Service”
• Port 80 – HTTP
• Port 110 – POP3 “Post Office Protocol”
• Port 123 – NTP “Network Time Protocol”
• Port 161 – SNMP “Simple Network Management Protocol” (UDP)
• Port 443 – HTTPS
A Firewall:
• Filter Packets:
  – Positive Filtering – Permit
  – Negative Filtering – Deny
• Filtering Based Upon (L3 header):
  – Source IP Address (range of addresses)
  – Destination IP Address (range of addresses)
  – Source IP Port
  – Destination IP Port
  – Protocol
• Can Do More:
  – Serve as Proxy Server
  – VPN Implementation (IPsec Encryption)
  – Network Address Translation (NAT)
  – Touch Point for Monitoring (logging)
• Firewall Form Factors:
  – Software Based
  – Layer 3 Router Based
  – Dedicated Appliance
Firewall Types
• Filters What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Stateless Packet Filtering – Single Packet Inspection
  – Access Control List “ACL” – Ingress or Egress Filtering
  – No knowledge of flow
  – Filters on IP Header info – Layer 3
• Stateful Packet Filtering – Conversation Inspection
  – Filters on IP Header info – Layers 3–4
  – Records conversations – then determines context:
    » New Connections
    » An Existing Conversation
    » Not involved in any conversation
Stateless vs Stateful
Figure: Packet Filtering – “Stateless”: the outbound HTTP Request to the Internet is forwarded, but the returning HTTP Reply is Blocked (X) because the filter has no knowledge of the flow. Packet Filtering – “Stateful”: the HTTP Reply is permitted as part of the recorded conversation, while an unsolicited inbound Telnet Session is Blocked (X).
Filtering Parameters: IP Source Address, IP Destination Address, Protocol (TCP Traffic, UDP Traffic), Port Number
“Stateless” Firewall
• In Addition to TCP/IP Header Checks, A Stateless Firewall Can Detect Packet Anomalies:
  – IP Packet Header Makeup
  – IP Addressing Non-Compliance
  – IP Fragmentation Errors
  – TCP Flow Sequencing
  – UDP Flow Sequencing
  – Anomalies Associated with Packet Flows:
    • SYN-ACK Sequence Not Compliant
    • ICMP Errors
Misconceptions With Firewalls
• Prevents ALL Cybersecurity Threats
• Blocks Undesirable Packets
• Permits Authorized Packets
• Should Be Component of Multi-Perimeter Approach (Defense-in-Depth)
• Requires Regular “Housekeeping”
• Install and Forget
Firewall Use Caution
• False Sense of Security
  – Don’t Bother Me – “I Have A Firewall” – I’m Secure!
• Minimize Protection Zone – Tendency is to Maximize Host(s) in Protection Zone
• Formal Policy Required
  – Create Policy First
  – Then Create Rule Syntax
• Performance Impact
  – Throughput (packets/sec) Impact
  – Latency Impact
• Don’t Overlook Egress – Be a Good Network Citizen
Firewall Implementation & Ruleset Configuration
Broadcast Infrastructure Cybersecurity
![Page 42: SBE Webinar Series - 2018 Broadcast Infrastructure ...Webinar # 2 – “Understanding The Firewall” Major Topics: Webinar #1 Takeaway Point Review The Firewall The Access Control](https://reader035.vdocuments.site/reader035/viewer/2022071211/6023d25b8d00352d4037a14d/html5/thumbnails/42.jpg)
Firewall Placement Network Architecture
Figure: three placements between the External Network (Internet) and the Internal Network (Private) – (1) a border router with ACL(s) implemented; (2) a firewall with a Web Server in a “DMZ”; (3) a “3-Legged” firewall with separate internal, DMZ (Web Server) and external interfaces.
The Bastion Host
• Host Device – Bare Essentials to Support Application
  – Minimized Op System
  – Minimum Services Enabled/Implemented
• Implemented with a Firewall – Only Application Protocol Permitted
Figure: Firewall between the External Network (Internet) and the Internal Network (Private), with the Bastion Host in the “DMZ” (Demilitarized Zone); only the firewall & bastion host are exposed.
Proxy Firewall
• Hides “Internal” Network Hosts
• External Hosts Only See the Proxy Address
• Limits Network Access to Application Protocols
• Client – Server Relationship
• Can Be Implemented Within Firewall
• Can Be Implemented Within Server
• Can Filter Content
Figure: Proxy Server behind the Firewall, between the External Network (Internet) and the Internal Network (Private).
Policy vs Rule
• Policy is Starting Point
• Create Rule Syntax to Implement Policy
Security Policy: Accept Incoming http Traffic From Public Internet to Webserver
Firewall Rule: permit tcp any host WEB-SERVER1 eq http
Security Policy: Allow RDP from Network Engineer workstation to Webserver
Firewall Rule: permit tcp host 128.194.247.54 host WEB-SERVER1 eq 3389
(In the extended-ACL syntax used on the slides the port operator follows the address it applies to; RDP’s port 3389 is the destination port on the web server, so it belongs after WEB-SERVER1, not after the workstation address.)
Basic Default Firewall Policies:
• Egress:
  – Source IP Address within Internal Network IP Address Space
  – Destination IP Address is NOT within Internal Network IP Address Space
• Ingress:
  – Source IP Address NOT within Internal Network IP Address Space
  – Destination IP Address is within Internal Network IP Address Space
IP Tables (Linux)
• Creates Host Firewall Rules
• Command Line Based or GUI Based
• Rules Created in a “Chain”:
  – INPUT
  – OUTPUT
  – FORWARD
• Command Line Syntax: iptables -A chain firewall-rule
Example – permits “SSH”, i.e. port 22, then drops everything else arriving on the INPUT chain:
  iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -j DROP
(-A appends the rule to the chain; -i = input interface, -p = protocol, --dport = destination port, -j = action; targets such as ACCEPT and DROP are case-sensitive. With only these two rules, replies to connections the host itself opens are also dropped on INPUT; a stateful rule placed first, iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT, is the usual companion.)
Firewall Ruleset
• Default Ruleset:
  – Discard
  – Forward
• Ruleset Parsed “Top-to-Bottom”
  – More Specific – Top of List
  – Implicit “DENY” – End of List
• Example:
Takeaway Points & Reference Resources
Broadcast Infrastructure Cybersecurity
![Page 50: SBE Webinar Series - 2018 Broadcast Infrastructure ...Webinar # 2 – “Understanding The Firewall” Major Topics: Webinar #1 Takeaway Point Review The Firewall The Access Control](https://reader035.vdocuments.site/reader035/viewer/2022071211/6023d25b8d00352d4037a14d/html5/thumbnails/50.jpg)
OSI Model & Security Protection Techniques
  7  Application   – Application Gateway
  6  Presentation  – Application Gateway
  5  Session       – Application Gateway
  4  Transport     – Circuit Gateway
  3  Network       – Packet Filtering
  2  Data Link     – MAC Based Security
  1  Physical      – Physical Device Security
Takeaway Points – Part 2
• The firewall is the 1st defense perimeter – but not the only protection
• A firewall is any software or device that filters packets to establish a trust perimeter
• A firewall is a necessary evil – Do NOT install & forget
• Firewall “housekeeping” is essential – Updates & Monitoring
• Do not solely depend upon a single border firewall: Harden host devices – disable any un-used services
• Develop mindset – deny everything – permit when necessary
• Block ICMP to prevent internal network host exploration
• NAT alone should not be considered an effective firewall
• Don’t over-look egress filtering: Exiting packets should be within your internal network IP range

Future Webinars Will Continue to Build This List
The Challenge: Security vs. Usability
SBE Webinar Series – 2018 – Broadcast Infrastructure Cybersecurity
Webinar # 3 – “Understanding Secured Remote Access” – Major Topics (March 27, 2018):
• Webinar #2 Takeaway Point Review
• Secured Remote Access
• Establishing Secured Remote Access
• VPN Implementation & Configuration
• Building the Secure Network
• Takeaway Points & Reference Resources
• Questions & Discussion
Webinar # 4 – “Security Verification Thru Penetration Testing” – Major Topics (April 24, 2018):
• Webinar #3 Takeaway Point Review
• Proactive Security Monitoring
• Network Penetration Testing Overview
• Network Penetration Testing Tools
• Network Penetration Tool Example(s)
• Takeaway Points, Reference Resources, & Webinar Series Wrap-Up
• Questions & Discussion
My Favorite Reference Texts:
Thank You for Attending!
Questions & Discussion
Wayne M. Pecena, Texas A&M University
[email protected] [email protected] 979.845.5662
Secretary, Board of Directors; Executive Committee Member; Chair, Education Committee