Secure Digital Life #65
Recorded on May 22, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to firstname.lastname@example.org.
What is a firewall anyway?
So, firewalls are really just gatekeepers that we can put at the border of a network, but they come in a lot of different flavors.
Packet Filtering -- This is the simplest type of firewall: we write rules that can be pretty simple or pretty complex, and each packet is checked against them on its own. (L3 firewall, although matching on ports already peeks into the L4 header.)
Example of a firewall ACL, in Cisco extended access-list syntax: access-list 100 permit tcp any host 10.1.1.80 eq 80. This permits TCP from any source to host 10.1.1.80 on destination port 80; anything not explicitly permitted is dropped by the implicit deny at the end of the list.
So this type of rule relies on a few pieces of header information:
Protocols -- ICMP is the protocol behind ping and (on Windows) tracert; Unix traceroute sends UDP probes by default. TCP carries most common network daemons like httpd or sshd. UDP is the usual protocol for DNS and DHCP (DNS also uses TCP for large responses and zone transfers).
Ports -- Every daemon has a "designated" listening port, like httpd on port 80 or SSH on port 22, but those are conventions, not guarantees: a service can listen anywhere. We can write rules on ports, but may have to do some testing with Wireshark (or netstat/ss on the host) to see what is really going on.
IP -- The addresses can be "any", a single host, or a range/subnet, and all sorts of tricks can be done here. This is what lets us control source and destination.
So, on a packet-filtering (PF) firewall, we can control source and destination, protocol, and ports fairly easily, but each packet is judged on its own; the filter has no memory of what came before it.
Stateful firewalls are a second type of tool. These go beyond L3 and reach into the transport layer (L4): the firewall keeps a connection table, so each packet can be evaluated to determine whether it is part of a session it has already seen. When someone connects, the initial SYN is judged by the L3/L4 rules just as on a PF firewall; the firewall then records the session, automatically permits the reply traffic, and drops packets that belong to no known session, such as a stray ACK that never went through a handshake. Some implementations also track sequence numbers and windows, which makes it harder to inject into or hijack an existing session.
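To make the packet-filter and stateful sections concrete, here is an added example (not code from the show or from any firewall product) that parses the page's Cisco-style ACL line plus three constructed lines, evaluates packets statelessly with first-match and implicit deny, and then wraps the same rules in a small TCP connection table. The Packet and Rule classes, the ACL subset parsed, the test addresses, and the simplified flag-only session tracking (no sequence numbers, no timeouts) are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco-style extended ACL: the line from the page plus three constructed lines.
# Assumption: only the subset  <permit|deny> <proto> <src> <dst> [eq <port>]  is parsed,
# with each address written as "any", "host A.B.C.D" or "A.B.C.D/prefix".
ACL_TEXT = """
access-list 100 permit tcp any host 10.1.1.80 eq 80
access-list 100 permit tcp any host 10.1.1.80 eq 443
access-list 100 permit udp any host 10.1.1.53 eq 53
access-list 100 permit icmp any 10.1.1.0/24
"""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "F", "R"


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tokens):
    """Consume one address spec ("any", "host A.B.C.D" or CIDR) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(tok, strict=False)


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src = _net(rest)
        dst = _net(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def acl_decision(rules, pkt):
    """Stateless packet filter: first matching rule wins, no match means implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto != pkt.proto or src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        return r.action
    return "deny"


class StatefulFirewall:
    """The same ACL plus a TCP connection table. Simplified on purpose: it tracks
    flags only, with no sequence-number checks and no idle timeouts."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport) of flows opened by a permitted SYN

    def inspect(self, pkt):
        if pkt.proto != "tcp":
            return acl_decision(self.rules, pkt)  # no state kept for icmp/udp here
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            # Belongs to a tracked session, in either direction: permitted even
            # though no ACL line explicitly allows the reply direction.
            if "F" in pkt.flags or "R" in pkt.flags:
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "permit"
        if pkt.flags != "S":
            return "deny"  # stray ACK or SYN/ACK with no handshake behind it
        if acl_decision(self.rules, pkt) != "permit":
            return "deny"
        self.sessions.add(fwd)
        return "permit"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    fw = StatefulFirewall(rules)
    client_syn = Packet("tcp", "198.51.100.7", "10.1.1.80", 40000, 80, "S")
    server_reply = Packet("tcp", "10.1.1.80", "198.51.100.7", 80, 40000, "SA")
    print("stateless reply:", acl_decision(rules, server_reply))
    print("stateful SYN:", fw.inspect(client_syn), "reply:", fw.inspect(server_reply))
```

The instructive case is the server's SYN/ACK back to the client: the stateless filter denies it, because no line permits traffic from 10.1.1.80 port 80 outbound, while the stateful wrapper permits it because it remembers the client's SYN. An unsolicited ACK from a third host to port 80 is dropped by the stateful path even though a plain ACL line would have matched it.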
L7 Firewalls -- These are the biggies. These tools reassemble the packets into the application data and evaluate many things, including signature analysis, IDS/IPS, and other types of threat analysis. They can include all sorts of elaborate controls.
As you might guess, once you start unwrapping each piece of mail and examining it, it takes a lot more horsepower to keep up with the same traffic rate an L3 filter handles easily.
Analogy: take a cart full of snail mail. Each envelope is examined to see whether it has a valid address and a valid return address, is in the right packaging, and so on. That is the L3 firewall. If we also check that the envelope belongs to an ongoing correspondence, a reply to something we actually sent rather than an unsolicited letter, that is the L4 (stateful) firewall. Now open the envelope, read the letter, and determine whether it is appropriate, is actually from who it says it is from, etc., and that is the L7 firewall model.
Another type is called a WAF, a web application firewall. WAFs usually rely on signature analysis, a kind of IDS/IPS approach, to look for threats streaming in to web applications, and they often sit in front of the web site as a reverse proxy. A WAF is used only on HTTP and HTTPS traffic being handled by some sort of web app. These are used a lot for commercial inbound traffic; they were originally looking for XSS and SQL injection but can support massive signature databases. They are definitely L7 firewalls and are often dedicated appliances.
Another common use of a WAF is in the PCI DSS controls world. If you don't know, PCI DSS is the Payment Card Industry Data Security Standard, the standard that governs how merchants and processors handle cardholder data. PCI DSS (requirement 6.6 in version 3.2) calls for public-facing web applications to be protected either by regular application security reviews or by an automated solution that detects and prevents web-based attacks, and a WAF is the usual way to satisfy the second option. So businesses put a WAF in front of the web applications that talk to the card-processing back end.
WAF rule sets can also be tied to the OWASP (Open Web Application Security Project) lists of common vulnerabilities, such as the OWASP Top 10; the OWASP ModSecurity Core Rule Set (CRS) is a freely available signature set built around exactly those categories.
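As an added illustration of the signature approach described above (this is example code written for these notes, not a rule set from the show, from any WAF product, or from the OWASP CRS), the following inspects query and form parameters against a handful of constructed SQL injection and XSS patterns. The rule ids, the patterns, and the sample requests are all made up for the example. It also shows one classic evasion, double percent-encoding, which slips past a WAF that decodes only once, and one classic false positive, which is the price of keyword-style signatures.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed, illustrative signatures in the spirit of early WAF rules for SQL injection
# and XSS. Assumption: these are not rules from any product or from the OWASP CRS.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d*'?\s*=\s*'?\d*")),  # ' OR '1'='1
    ("sqli-union-select", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-comment", re.compile(r"(--|/\*)")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon[a-z]+\s*=")),
    ("xss-js-uri", re.compile(r"(?i)javascript\s*:")),
]


def normalize(value, rounds):
    """Percent-decode up to `rounds` more times so double-encoded payloads
    (%253C -> %3C -> <) are matched in decoded form. Stops early once decoding
    no longer changes the string."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, target, body="", extra_decode_rounds=3):
    """Return (decision, hits), where hits is a list of (parameter, rule id) matches.
    Only query-string and form-body parameters are examined, which is what a simple
    signature ruleset looks at. parse_qsl already percent-decodes once, so
    extra_decode_rounds=0 reproduces a naive WAF that decodes only once."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, raw in params:
        value = normalize(raw, extra_decode_rounds)
        for rule_id, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, rule_id))
    return ("block" if hits else "allow"), hits


if __name__ == "__main__":
    # Constructed requests: a clean search, a tautology login bypass, a double-encoded
    # script tag, and a form post carrying an event-handler payload.
    print(inspect_request("GET", "/search?q=firewall+basics"))
    print(inspect_request("GET", "/login?user=admin&pass=%27+OR+%271%27%3D%271"))
    encoded = "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
    print("naive:", inspect_request("GET", encoded, extra_decode_rounds=0))
    print("normalized:", inspect_request("GET", encoded))
    print(inspect_request("POST", "/comment",
                          body="user=bob&comment=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"))
```

Two things worth noticing when running it: the double-encoded request is allowed when decoding stops after one round and blocked once the value is normalized, which is why real WAFs spend so much effort on canonicalization; and a perfectly innocent value such as "one=two" trips the event-handler pattern, which is the kind of false positive that makes signature tuning a permanent job.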
Lastly, proxy servers (like DansGuardian). These are another type of "firewall" which can be used to examine traffic, but typically they are more specialized than a full WAF or L7 firewall. They usually look at the request headers that carry the destination (the URL and Host header) and filter traffic using a blacklist or whitelist approach. They may include signatures to identify sites, or they can be keyword based; DansGuardian, for example, can also scan the returned page content for banned phrases.
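The blacklist/whitelist approach above, as an added example that is not part of the show notes and is not DansGuardian's configuration format or code: a small URL filter with an allowlist, a domain denylist, and keyword rules on the path. The policy entries and sample URLs are constructed for the illustration. It handles two details that trip up naive filters: domain matching is done on a label boundary so "notcasino.example" is not caught by a rule for "casino.example", and for HTTPS the proxy only sees the CONNECT host, so path keywords cannot be applied unless TLS is intercepted.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration only; the format is not DansGuardian's.
DENY_DOMAINS = {"casino.example", "malware.example"}
ALLOW_DOMAINS = {"intranet.example"}
DENY_KEYWORDS = {"warez", "keygen"}


def host_matches(host, domains):
    """True if host equals an entry or is a subdomain of it. The match is on a
    label boundary, so 'notcasino.example' does not match 'casino.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def proxy_decision(url):
    """Allowlist first, then the domain denylist, then keywords in the path/query."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_matches(host, ALLOW_DOMAINS):
        return "allow"
    if host_matches(host, DENY_DOMAINS):
        return "deny"
    if parts.scheme == "https":
        # A forwarding proxy only sees the CONNECT host for HTTPS, not the path,
        # so keyword rules cannot apply here unless TLS is intercepted.
        return "allow"
    path_and_query = (parts.path + "?" + parts.query).lower()
    if any(k in path_and_query for k in DENY_KEYWORDS):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for u in ["http://www.casino.example/lobby", "http://notcasino.example/",
              "http://files.example/downloads/keygen.zip",
              "https://files.example/downloads/keygen.zip",
              "http://intranet.example/warez-policy"]:
        print(proxy_decision(u), u)
```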