# Implement Firewalls and Proxy Servers
## Packet Filtering Firewalls
- Look at the source and destination IP addresses and ports
- Action per rule: deny (block or drop), log, or accept
- Check only the packet headers
  - Source and destination IP allowed?
  - Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)
  - Direction: inbound, outbound, or both
- Stateless operation: each packet is judged on its own, with no memory of earlier packets
- DOES NOT LOOK AT PACKET CONTENTS
- Works at Layer 3 and Layer 4
## Stateful Inspection Firewall
- Tracks connections in a state table: traffic that starts inside the network is let out and its return traffic is let back in
- A connection initiated from outside has no state entry, so it is blocked
## iptables
Linux uses iptables as a firewall
## Firewall Implementation
- Application-based firewall (host-based)
  - Can look at everything in a packet
  - Protects the end system from anyone else on the network
- Firewall appliances
  - Routed (L3)
  - Bridged/transparent (L2)
  - Router/firewall (protects the network from the internet)
## Proxies and Gateways
- **Forward proxy server**
  - Proxy opens connections with external servers on behalf of internal clients
  - Application-specific filters
  - Non-transparent and transparent proxies
  - User authentication
- **Reverse proxy**
  - Proxy opens connections with internal servers on behalf of external clients
  - Outside clients have no direct connection to internal resources: another level of separation for security
- The proxy owner can inspect all traffic, block certain sites, and even run a firewall on the proxy to protect the network and its users
## Access Control Lists (ACL)
- Least access: allow only what is needed
- Top-to-bottom processing order; the first matching rule applies
- **Implicit deny**: anything not matched by a rule is dropped
- Explicit deny-all rule at the end of the list
- Criteria for rules (tuples such as source/destination address, protocol, and port)
- Document and test the configuration
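The iptables and ACL notes above in one working ruleset: processed top to bottom, stateful return traffic accepted first, and an explicit deny-all at the end. This is an added example, not course or vendor code; it assumes eth0 faces the internet and eth1 faces a LAN of 10.0.0.0/24.

```shell
#!/bin/sh
# Stateful iptables ruleset processed top to bottom, ending in an explicit deny-all
# (the same model as an ACL with implicit deny). Added example, not vendor or course
# code. Assumed values: eth0 faces the internet, eth1 faces the LAN 10.0.0.0/24.

firewall_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Stateful inspection: reply traffic for connections already in the state table
#    is accepted here, so every later rule only ever sees NEW connection attempts.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Loopback, and SSH management from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 3. Packet-filter tuples: interface, protocol, destination port (no payload is read).
-A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# 4. LAN hosts may start connections outbound; the internet may not start any inbound.
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# 5. Explicit deny-all, logged (rate limited) so blocked traffic is visible in syslog.
#    The chain policy DROP above is the implicit deny that would catch it anyway.
-A INPUT -m limit --limit 1/min -j LOG --log-prefix "FW-DROP-IN: "
-A INPUT -j DROP
-A FORWARD -m limit --limit 1/min -j LOG --log-prefix "FW-DROP-FWD: "
-A FORWARD -j DROP
COMMIT
EOF
}

# "apply" loads the ruleset atomically (needs root); any other invocation just prints it.
if [ "${1:-}" = apply ]; then
    firewall_rules | iptables-restore
else
    firewall_rules
fi
```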
## Network Address Translation
- Allows multiple private IP addresses on one network to go out through ONE public IP
- Uses ports to make sure return data reaches the right host
- Source NAT
  - Static and dynamic NAT
  - Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)
- Destination NAT/port forwarding
  - Advertise a resource on a global IP address but forward it to a local IP address
  - Usually forward specific ports only
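The source NAT and destination NAT forms above as iptables nat-table rules, with the filter rules the forwarded port still has to pass. Added example, not course or vendor code; eth0 with 203.0.113.10 (a documentation address), eth1 with the LAN 10.0.0.0/24, and the internal web server 10.0.0.20 are assumed values.

```shell
#!/bin/sh
# iptables nat-table rules for source NAT (static address, NAPT port tracking) and
# destination NAT (port forwarding), plus the filter rules the forwarded traffic still
# has to pass. Added example, not vendor or course code. Assumed values: eth0 is the
# public side with 203.0.113.10 (documentation range), eth1 is the LAN 10.0.0.0/24,
# and 10.0.0.20 is the internal web server. Forwarding needs net.ipv4.ip_forward=1.

nat_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Destination NAT / port forwarding: TCP 443 is advertised on the global address but
# rewritten to the local server before routing. Only this one port is forwarded.
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.20:443
# Source NAT: every LAN host leaves with the single public address. The kernel keeps
# a per-connection entry (including a possibly rewritten source port, i.e. NAPT/PAT)
# so replies are translated back to the right private host. Use -j MASQUERADE
# instead of SNAT when the public address is assigned dynamically.
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forwarded packets still pass the filter table after DNAT; match on the DNAT
# conntrack state so only traffic translated by the rule above reaches the server.
-A FORWARD -i eth0 -o eth1 -d 10.0.0.20 -p tcp --dport 443 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

nat_rules   # print the ruleset; pipe it into iptables-restore as root to load it
```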
## Virtual Firewalls
- Hypervisor-based
  - Filtering built into the hypervisor or cloud service
- Virtual appliance
  - Deployed as a virtual machine in the cloud
- Multiple context
  - One firewall appliance running multiple instances
- East-west security design and microsegmentation
## Open-source vs Proprietary Firewalls
- Source code inspection and supply chain issues
- Wholly proprietary appliance OS
- UNIX or Linux kernel with proprietary features
- Wholly open-source
- Support arrangements and subscription features
# Implement Network Security Monitoring
## Network-Based Intrusion Detection Systems
- **Intrusion Detection System (IDS)**
  - Network sensor captures traffic (NIDS) -> sees only what crosses the wire, a limited view of each packet
  - Host-based (HIDS) -> typically able to see the entire OSI stack on that host
  - Detection engine performs real-time analysis of indicators
  - Passive: logging/alerting only, it does not block
## TAPs and Port Mirrors
- Sensor placement
  - Inside the firewall
  - In front of application servers
  - Managing the volume of traffic/alerts
- Switched port analyzer (SPAN)/mirror port
- Passive test access point (TAP)
- Active TAP
- Aggregation TAP
## Network-Based Intrusion Prevention Systems
- **DETECTS AND PREVENTS AN ATTACK**
- IPS
  - Active response to threats
    - Reset the session
    - Apply firewall filters on the fly to shun traffic
    - Bandwidth throttling
    - Packet modification
    - Run a script or other process
  - NEEDS TO BE IN LINE on the network
    - Between the firewall and all other resources, for example
  - Can include antivirus scanning/content filtering
- Downsides:
  - May slow things down and bottleneck the network, since all traffic has to flow through it and it has to decide what to do with each packet
  - Single point of failure
## Signature Based Detection
- Analysis engine
- Signature-based detection
  - Pattern matching against a database of known attack signatures
  - Must be updated with the latest definitions/plugins/feeds
  - Many attack tools no longer conform to fixed signatures
## Behavior and Anomaly-Based Detection
- Behavioral-based detection
  - Establish a baseline of normal traffic
  - Put the system in learning mode
  - Network behavior and anomaly detection (NBAD)
  - Heuristics (learning from experience)
  - Statistical model of behavior
  - Machine learning-assisted analysis
  - User and entity behavior analytics (UEBA)
  - Network traffic analysis (NTA)
- Anomaly-based detection: irregularity in packet construction (protocol violations)
## Next-generation Firewalls and Content Filters
![[Pasted image 20230703095804.png]]
## Host-Based Intrusion Detection Systems (HIDS)
- Protects end systems
- File integrity monitoring (FIM)
  - A cryptographic hash or file signature verifies the integrity of files
  - Compare hashes manually or verify the signature with the publisher's public key
  - Windows File Protection/`sfc` (System File Checker)
  - Tripwire and OSSEC
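The hash-comparison side of FIM in shell: take a baseline of a directory tree with sha256sum, then detect modified, added and missing files. This is an added example, not Tripwire or OSSEC code; the tiny fake system it builds in a temp directory is constructed.

```shell
#!/bin/sh
# Minimal file integrity monitoring with sha256sum: hash a directory tree into a
# baseline, re-hash it later and report modified, added and missing files. Added
# example, not Tripwire or OSSEC code; the demo tree and its contents are constructed.

# Print "sha256  ./path" for every regular file under $1, sorted by path.
fim_hash_tree() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done )
}

# Record the trusted baseline ($2) for directory $1. Keep it where the monitored
# host cannot rewrite it (read-only media, a remote collector, or a signed copy).
fim_baseline() { fim_hash_tree "$1" > "$2"; }

# Compare the live tree under $1 with baseline $2; print one line per discrepancy.
fim_check() {
    fim_hash_tree "$1" | awk '
        NR == FNR { base[$2] = $1; next }            # first input: baseline hashes
        { seen[$2] = 1
          if (!($2 in base))       print "ADDED " $2
          else if (base[$2] != $1) print "MODIFIED " $2 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" - | LC_ALL=C sort
}

# Constructed scenario: baseline a tiny fake system, tamper with it, run the check.
fim_demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf '#!/bin/sh\nexec /usr/bin/ls "$@"\n' > "$root/bin/ls"
    fim_baseline "$root" "$base"
    printf 'extra:x:0:0::/:/bin/sh\n' >> "$root/etc/passwd"   # modified: second UID 0
    rm "$root/bin/ls"                                          # missing: binary removed
    printf 'echo hello\n' > "$root/bin/unknown"                # added: unexpected file
    fim_check "$root" "$base"
    rm -rf "$root" "$base"
}
```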
## Web Application Firewalls (WAF)
- Inspects code carried in HTTP packets
- Specific to web servers
- Matches suspicious code against a vulnerability database
- Can be implemented as software on the host or as an appliance
# Summarize the Use of SIEM
## Monitoring Services
- Packet capture
  - Sniffers and flow analysis
  - Traffic and protocol statistics
  - Packet analysis
- Network monitors
  - Appliance state data
  - Heartbeat availability monitoring
- Logs
  - System logs to diagnose availability issues
  - Security logs to audit access
## Security Information & Event Management (SIEM)
- Kind of like the mothership for the security data in an environment
- Log collection
  - Agent-based
    - Local agent to forward logs
  - Listener/collector
    - Protocol-based remote log forwarding (syslog)
  - Sensor
    - Packet capture and traffic flow data
- Log aggregation
  - Consolidation of multiple log formats to facilitate search/query and correlation
  - Normalization of fields
  - Time synchronization
## Analysis and Report Review
- Correlation
  - Relating security data and threat intelligence
  - Alerting on indicators of compromise (IOC)
  - Basic rules versus machine learning
- User and entity behavior analytics (UEBA)
- Sentiment analysis
  - Machine interpretation of natural language
  - Emotion AI
- Security orchestration, automation, and response (SOAR)
## File Manipulation
- `logger`
  - Writes its input to the system log
## Regex and grep
- Regex syntax
  - Search operators, quantifiers, logic statements, and anchors/boundaries
- `grep`
  - Searches file contents
  - Simple string matching or regex syntax
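The regex operators listed above applied with `grep -E` to an auth log, ranking sources of failed SSH logins and handing suspects to `logger` for the syslog collector. Added example, not course material; the log lines are constructed to resemble OpenSSH syslog output and the file name is whatever the caller passes in.

```shell
#!/bin/sh
# grep with extended regular expressions over an auth log: pull out failed SSH logins,
# rank the source addresses, and hand suspects to logger for the syslog collector.
# Added example, not course material; the log lines are constructed to look like
# OpenSSH syslog output and the file name is whatever the caller passes in.

write_sample_log() {   # constructed sample data, written to the file named in $1
cat > "$1" <<'EOF'
Jul  3 09:58:01 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jul  3 09:58:03 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jul  3 09:58:10 bastion sshd[4131]: Accepted publickey for alice from 10.0.0.15 port 40110 ssh2
Jul  3 09:58:12 bastion sshd[4140]: Failed password for root from 203.0.113.44 port 39994 ssh2
Jul  3 09:58:15 bastion sshd[4140]: Failed password for root from 203.0.113.44 port 39995 ssh2
Jul  3 09:58:16 bastion sshd[4140]: Failed password for root from 203.0.113.44 port 39996 ssh2
Jul  3 09:58:20 bastion cron[4150]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Failed password attempts per source IP, most frequent first ("count ip" per line).
#   ^            anchor: the timestamp must start the line
#   {2} {8} +    quantifiers: exact lengths for month and clock, one or more spaces
#   (...)?       grouping + optional: "invalid user " is only present for unknown accounts
#   -o           print only the matched text, so the IP can be cut out of it
failed_logins_by_ip() {
    grep -E '^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: Failed password for (invalid user )?[^ ]+ from ' "$1" \
      | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3} port' \
      | cut -d' ' -f2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources with at least $2 failures in log $1, one "ip (n failures)" line each.
brute_force_suspects() {
    failed_logins_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 " (" $1 " failures)" }'
}

# Write each suspect to the system log with a tag, facility and severity so the
# SIEM collector receives it over syslog (needs a running syslog daemon).
alert_via_logger() {
    brute_force_suspects "$1" "$2" \
      | while read -r line; do logger -t sshd-watch -p auth.warning "repeated failures: $line"; done
}
```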