
Understanding Firewalls and Intrusion Prevention

Nov 13, 2024

Network-based Firewalls and Intrusion Prevention Systems

Overview of Network-based Firewalls

  • Definition: A network-based firewall is an appliance that sits in line in your network, making decisions about whether traffic should be allowed or disallowed.
  • Types of Analysis:
    • Traditional firewalls: Decisions based on port numbers.
    • Next Generation Firewalls (NGFW): Decisions based on the application itself.

Capabilities of Firewalls

  • Security Device: Allows or disallows traffic based on set rules.
  • Additional Services:
    • VPN Endpoints: Serve as VPN concentrators for point-to-point connections or remote access VPNs.
    • Routing: Can act as routers or Layer 3 devices, performing network address translation, dynamic routing, etc.

Next Generation Firewalls (NGFW)

  • Functionality:
    • Analyzes traffic to recognize applications in use.
    • Makes decisions about traffic based on application identification.
  • Types of Inspection:
    • Application Layer Gateway
    • Stateful Multilayer Inspection Device
    • Deep Packet Inspection Device
  • Comparison with Traditional Firewalls: NGFWs offer more flexibility by identifying applications rather than just port numbers.

Firewall Rule Configuration

  • Rule Base Evaluation: Rules are evaluated from top to bottom, with specific rules placed higher.
  • Implicit Deny: Any traffic not matching a rule is automatically denied.
  • Access Control Lists (ACLs): Define rules based on source/destination IP, port numbers, application names, etc.

Example Firewall Rules

  • SSH Traffic: Allowed from remote IPs to local port 22.
  • HTTP/HTTPS Traffic: Allowed to local ports 80 and 443.
  • Microsoft Remote Desktop Protocol: Allowed to local port 3389.
  • DNS and NTP Traffic: Allowed based on specific UDP port numbers.
  • ICMP Traffic: Denied.
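An added example, not from the original notes, that turns the rule base above into runnable top-to-bottom evaluation with implicit deny. The source range for SSH, the rule names and the test addresses are constructed assumptions; the page itself only names the ports and actions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    src: str                  # CIDR of permitted sources ("0.0.0.0/0" = anywhere)
    dst_port: Optional[int]   # None matches any port (or a protocol without ports)


# Constructed rule base mirroring the notes' example rules, listed top to bottom.
# The admin source range 203.0.113.0/24 is an assumption for the SSH rule.
RULE_BASE = [
    Rule("ssh-from-admin", "allow", "tcp", "203.0.113.0/24", 22),
    Rule("http", "allow", "tcp", "0.0.0.0/0", 80),
    Rule("https", "allow", "tcp", "0.0.0.0/0", 443),
    Rule("rdp", "allow", "tcp", "0.0.0.0/0", 3389),
    Rule("dns", "allow", "udp", "0.0.0.0/0", 53),
    Rule("ntp", "allow", "udp", "0.0.0.0/0", 123),
    Rule("icmp", "deny", "icmp", "0.0.0.0/0", None),
]

# Same rules with a broad "allow any TCP" placed on top: it shadows the
# specific SSH rule, which is why specific rules belong higher in the base.
BAD_ORDER = [Rule("allow-all-tcp", "allow", "tcp", "0.0.0.0/0", None)] + RULE_BASE


def matches(rule: Rule, protocol: str, src_ip: str, dst_port: Optional[int]) -> bool:
    if rule.protocol not in ("any", protocol):
        return False
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return True


def evaluate(rule_base: List[Rule], protocol: str, src_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins; traffic matching nothing hits the implicit deny."""
    for rule in rule_base:
        if matches(rule, protocol, src_ip, dst_port):
            return rule.action, rule.name
    return "deny", "implicit-deny"
```

Running `evaluate(RULE_BASE, "tcp", "198.51.100.9", 8080)` shows the implicit deny: no rule mentions port 8080, so the packet is dropped without any explicit deny rule.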

Network Architecture and Firewall Placement

  • Ingress-Egress Points: Firewalls are typically placed at the boundary between the internet and internal networks.
  • Screened Subnets: Used for services accessed from the internet, keeping those services separate from sensitive internal data.

Intrusion Prevention Systems (IPS)

  • Integration with NGFW: IPS often included as part of a next-gen firewall.
  • Functionality:
    • Monitors traffic in real time.
    • Uses signatures to detect and block malicious software.
    • Can detect anomalies without specific signatures.
  • Rule Base:
    • Similar to firewall rules, focused on vulnerabilities.
    • Customizable to balance security and reduce false positives.

Example IPS Rules

  • Malware Detection: Based on port numbers and malware names.
  • Anomaly Detection: Can identify generic intrusions, such as database injections, without a specific signature.
  • Group Rules: Allows broad disposition settings by grouping rules.