The layers of defense; Firewalls top to bottom
Saar here, resident engineer at Myriad Supply. Today I’ll be discussing firewalls.
You’ve heard the term, maybe even purchased a few. But how does it all work?
A server listens on PORTS. If data arrives on a PORT (port 25, for example), the server hands it to the application that is listening on that port.
EMAIL:
Here’s an example:
GOOGLE mail has servers. They are waiting for email messages to arrive. The way a message from Saar-MX arrives is that Saar-MX opens a connection to the GMAIL mail servers.
If you have Windows XP you can do this from home too. If you have Windows 7, you have to install telnet first. So basically, this opens a connection to smtp.gmail.com {the name of the server} on a port. Gmail will answer.
220 basically means “I am ready, just give me the message.”
Now Saar-MX will introduce himself and hand over the message.
In this case I am typing this manually so you can see it, but an email server will do this on the fly for every message. So as you can see, a server listens on a PORT {Layer 4} and sends the data to the relevant software.
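Here is that exchange done in code, as an added example (it is not the post’s transcript and not Google’s server): a tiny SMTP-style responder on a loopback port stands in for the Gmail side, and the client does by hand what you would type into telnet. The hostnames mail.example.test and saar-mx.example.test are constructed.

```python
import socket
import threading

# Added example, not the post's own transcript: a tiny SMTP-style responder stands in for
# the "Gmail" side. It listens on a port, greets with 220 ("I am ready"), and answers the
# commands the sending server (Saar-MX in the post) sends. Hostnames are constructed.
def _serve_one_client(listener):
    conn, _ = listener.accept()
    listener.close()
    with conn:
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        while True:
            line = rfile.readline()
            if not line:
                break
            cmd = line.strip().upper()
            if cmd.startswith(b"HELO") or cmd.startswith(b"EHLO"):
                conn.sendall(b"250 mail.example.test Hello\r\n")
            elif cmd.startswith(b"MAIL FROM:"):
                conn.sendall(b"250 2.1.0 Sender OK\r\n")
            elif cmd.startswith(b"RCPT TO:"):
                conn.sendall(b"250 2.1.5 Recipient OK\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"500 Command not recognized\r\n")

def start_server():
    """Bind the responder to an ephemeral loopback port and return that port number."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one_client, args=(listener,), daemon=True).start()
    return port

def smtp_exchange(host, port, commands):
    """Do what `telnet host port` does by hand: read the banner, send each command,
    and record the 3-digit reply code for each. Returns [(sent, code), ...]."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")
        banner = rfile.readline().decode().rstrip("\r\n")
        transcript.append((None, banner[:3]))       # the 220 greeting
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            reply = rfile.readline().decode().rstrip("\r\n")
            transcript.append((cmd, reply[:3]))
    return transcript

def run_demo():
    """Start the listener and talk to it the way a sending mail server would."""
    port = start_server()
    return smtp_exchange("127.0.0.1", port, [
        "HELO saar-mx.example.test",
        "MAIL FROM:<saar@example.test>",
        "RCPT TO:<someone@example.test>",
        "QUIT",
    ])

if __name__ == "__main__":
    for sent, code in run_demo():
        print(f"{'<banner>' if sent is None else sent:35} -> {code}")
```

Run it and you get the 220 banner first, then 250 for each command and 221 for QUIT. A real mail server adds the DATA step that carries the message body; the point here is only that whatever arrives on the port goes to the one application listening there.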
This is what the network looked like when the Internet started:
You would put a server on the internet. The server would be wide open. ANYONE could connect to the port. If your email server was not working, we would type telnet client.client.com 25 to test port 25. If it answered, then we knew the internet was fine and their server was having the problems.
Anyway, this is all a rich target for hackers.
telnet Server port 1000. Now he can connect to your client database and steal your clients.
This is why Firewalls came along, so you can control WHICH ports get to be exposed to the internet.
See, with the Firewall I just blocked port 1000 from the internet.
Now Hackers can’t steal my database of clients.
This is a LAYER 4 stateless firewall.
It blocks PORTS
Okay, now: stateless vs. stateful.
Almost all network devices can run a stateless firewall. This is called an ACL (access list). Even a switch can run this.
access-list 101 permit tcp host saar.pc.word.com host juniper.com eq vpn
The above is a dumb access list: basically, allow host saar’s PC to access the juniper.com VPN.
So back in 2000, every IT department had a stateless firewall, and when you wanted to access another company’s servers, for example to connect to the Juniper database or similar, you would have to call up the IT guy, he would call up the SECURITY manager (who wasn’t always pleasant), and that guy would add another rule saying you are allowed to do this and that. Basically he would remove a brick from the wall.
Eventually management tired of that guy and came up with the stateful firewall.
What is stateful?
Stateful means you are in a Disco (yes, I am from the 80’s), a CLUB for you guys, and you work in the CLUB.
Your firewall is your bouncer (the nice chap with the mustache down the elevator). Anyway, you leave the building {Club} and tell the bouncer to watch out for when you come back {this is stateful}. Now you go home, change and bring your friends. The bouncer lets you straight in, because he remembered. With a stateless firewall the bouncer instead says, “Sorry, no friends, only you can go in. Those are the rules.” So basically, if you got the idea: every time you send something out, the bouncer/Firewall creates a TOKEN or a reservation waiting for your return traffic. This allowed most IT departments to outsource the IT Security guy, as he was barely needed now.
To summarize the above:
Layer 3 firewall – this allows IP addresses in
access-list 101 permit IP 168.36.36.1 to IP 225.68.9.1
Layer 4 firewall – this blocks based on ports.
access-list 101 permit tcp host saar.pc.word.com host juniper.com eq vpn
Layer 4 STATE-FULL firewall
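To make the difference concrete, here is an added toy packet filter (my example, not Cisco or Juniper configuration) that applies the post’s one access-list line both statelessly and statefully. Hostnames stand in for addresses as in the post, “eq vpn” is assumed to mean TCP port 443, and the attacker.example name is constructed.

```python
from collections import namedtuple

# Added example, not the post's own configuration. A packet as a layer 3/4 filter sees it;
# hostnames stand in for IP addresses here, as in the post's access-list line.
Packet = namedtuple("Packet", "proto src dst sport dport")

# One ACL entry in the spirit of
#   access-list 101 permit tcp host saar.pc.word.com host juniper.com eq vpn
# 'any' matches everything; dport None means any destination port.
Rule = namedtuple("Rule", "action proto src dst dport")

def _match(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))

class StatelessFilter:
    """Every packet is checked against the ACL on its own, top to bottom, implicit deny
    at the end. Reply traffic needs its own rule: the call-the-security-guy problem."""
    def __init__(self, rules):
        self.rules = list(rules)

    def check(self, pkt):
        for rule in self.rules:
            if _match(rule, pkt):
                return rule.action
        return "deny"

class StatefulFilter(StatelessFilter):
    """Same ACL for new connections, but a permitted outbound packet leaves a
    reservation (the bouncer's memory), so the matching reply is let back in."""
    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()   # 5-tuples of flows we have already let out

    def check(self, pkt):
        # A reply has source and destination (address and port) swapped.
        reply_of = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reply_of in self.sessions:
            return "permit"
        action = super().check(pkt)
        if action == "permit":
            self.sessions.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return action

# Assumption: the post's 'eq vpn' is treated as TCP port 443 (SSL VPN) for this example.
ACL = [Rule("permit", "tcp", "saar.pc.word.com", "juniper.com", 443)]

def demo():
    """Run the same three packets through both filters and return their verdicts."""
    outbound = Packet("tcp", "saar.pc.word.com", "juniper.com", 51515, 443)
    reply    = Packet("tcp", "juniper.com", "saar.pc.word.com", 443, 51515)
    stranger = Packet("tcp", "attacker.example", "saar.pc.word.com", 443, 51515)  # constructed
    results = {}
    for name, flt in (("stateless", StatelessFilter(ACL)), ("stateful", StatefulFilter(ACL))):
        results[name] = tuple(flt.check(p) for p in (outbound, reply, stranger))
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, "outbound/reply/stranger ->", verdicts)
```

The stateless filter permits the outbound packet and then denies juniper.com’s reply, because nothing in the ACL says juniper.com may talk to saar’s PC; that missing line is the brick the security manager had to pull. The stateful filter remembers the outbound flow and lets the reply through, while a stranger who merely copies the port numbers still has no session and is denied.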
OK, so you went home and brought some friends back to the Myriad Supply Club party. Now what happens if some guy on the street attaches himself to your party, and it turns out he is from a competitor club but did not tell you? Now he will tag along and enter your Club, then steal the information!!! (Very bad)
To avoid that we have LAYER 7 Firewalls, or Application Layer firewalls.
The way this works is they look not only at the port (80 {web}) but they look DEEPER. For example, if you are surfing to Gmail they will recognize it as Gmail.
This is simple enough: you simply tell the firewall to look for the word Gmail.
Pick any webpage and then go to View Source.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Gmail</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="application-name" content="Gmail">
<meta name="description" content="Google's approach to email">
<meta name="application-url" content="https://mail.google.com/mail/u/0">
<meta name="google" content="notranslate">
<link rel="canonical" href="https://mail.google.com/mail/" />
<link rel="shortcut icon" href="/mail/u/0/images/favicon2.ico" type="image/x-icon">
<link rel="alternate" type="application/atom+xml" title="Gmail Atom Feed" href="feed/atom">
<script>
This is the beginning of what the GOOGLE servers send to your PC. As you can see, it is very easy to program the firewall to recognize Google:
If link rel="canonical" href="https://mail.google.com/mail/" then Permit
Or, if I want to block users checking their personal Gmail:
If link rel="canonical" href="https://mail.google.com/mail/" then deny
Some can be harder; the vendors basically have a team of people looking at the source code of websites and applications. Then they create something called a Signature.
If the Source contains:
<meta name="viewport" content="width=device-width, initial-scale=1">
And
<title>Netflix</title>
And
<div class="nav-wrap">
Then classify it as Netflix. Now as an IT manager you can say block Netflix at work.
Then the IT security person will type:
IF traffic coming in is NETFLIX then block it.
Now the bouncer sits at the front and even if you surf somewhere and come back with Mr. Netflix he will block him.
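An added example of how such signatures can be evaluated (my code, not a vendor’s application-identification engine): each application gets a list of markers, the label is assigned only when all of them appear in the page source, and a policy table turns the label into permit or deny. The markers are the ones quoted above; the page fragments are constructed, not real responses.

```python
import re

# Added example, not a vendor's application-identification engine.
# Each application has a list of markers; the label applies only when ALL of them are
# present in the page source (the "And ... And ..." in the post). Markers come from the
# fragments quoted above; the pages below are constructed, not real responses.
SIGNATURES = {
    "gmail": [
        r'<title>Gmail</title>',
        r'<link rel="canonical" href="https://mail\.google\.com/mail/"',
    ],
    "netflix": [
        r'<meta name="viewport" content="width=device-width, initial-scale=1"',
        r'<title>Netflix</title>',
        r'<div class="nav-wrap">',
    ],
}

# What the IT manager asked for: block personal Gmail and Netflix, let everything else through.
POLICY = {"gmail": "deny", "netflix": "deny"}
DEFAULT_ACTION = "permit"

def classify(source: str) -> str:
    """Return the first application whose markers all match, otherwise 'unknown'."""
    for app, patterns in SIGNATURES.items():
        if all(re.search(pattern, source) for pattern in patterns):
            return app
    return "unknown"

def decide(source: str):
    """Classify the page and look up the action; returns (label, action)."""
    app = classify(source)
    return app, POLICY.get(app, DEFAULT_ACTION)

GMAIL_PAGE = """<!DOCTYPE html><html><head>
<title>Gmail</title>
<link rel="canonical" href="https://mail.google.com/mail/" />
</head><body></body></html>"""

NETFLIX_PAGE = """<!DOCTYPE html><html><head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Netflix</title>
</head><body><div class="nav-wrap"></div></body></html>"""

# Same title and viewport tag but no nav-wrap: two markers out of three must not classify.
LOOKALIKE_PAGE = """<!DOCTYPE html><html><head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Netflix</title>
</head><body><div class="content"></div></body></html>"""

if __name__ == "__main__":
    for name, page in (("gmail", GMAIL_PAGE), ("netflix", NETFLIX_PAGE), ("lookalike", LOOKALIKE_PAGE)):
        print(name, "->", decide(page))
```

One caveat a practitioner should keep in mind: the canonical link above is an https URL, and on a TLS-encrypted connection the firewall only sees this markup if it decrypts the session. Otherwise it has to fall back on what is visible in the clear, such as the server name in the TLS handshake, which is why application firewalls usually ship with SSL inspection as well.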
So back to the bouncer….
As you know, getting good staff is hard.
Layer 3 Firewall is a dumb bouncer; he just uses IPs.
Layer 4 Firewall is smarter and uses the ports.
Layer 4 stateful is a lot smarter and requires dedicated hardware, like the Cisco ASA, Juniper, Sonicwall and similar.
Layer 7 or application firewall requires a very smart individual firewall.
The current leader in application firewalling is PALO ALTO, which is why people are buying it left and right. The reason for that is most companies allow their users to go out and surf to many sites. This level of firewall allows them to control what the users come back with.
So for example.
You can surf to Facebook
Which is great,
But then you might have a slow day and want to play some Farmville
Now most people would probably be mature enough not to abuse it. But for big companies with challenged employees this might be an issue.
Layer 7 firewalls can recognize the Change of traffic from Facebook to Farmville and block the Farmville part.
The same with video. Each video takes a lot of bandwidth. A phone conversation, for example, takes 1 Mbps, and your work surfing takes 1 Mbps for email and web.
A video, by comparison, takes 5 Mbps. So as you can see, if everyone at the company was playing some MTV on the PC to pass the time, we would have to start investing in upgrading our bandwidth.
So again this can be controlled. Even videos within an application like facebook can be blocked.
So if you want to try Palo Alto:
The difference is like not simply sticking a security guard and saying he now has security…
So:
Layer 3
Layer 4
Layer 4 stateful
Layer 7 granular.
So far so good. These days most IT departments will have very few ports exposed to the internet. Same as a castle will have only a few gates.
For example:
Port 80 is open if they have an internal website at the company.
Port 25 is open if they have an internet Email server
Now they MUST be left open to all internet traffic, because if port 80 is not open, then people can’t access the e-commerce site {lose business},
and if port 25 is not open, then email servers won’t be able to email you {lose business}.
You can check any site you can think of.
https://www.cia.gov/index.html
Non-authoritative answer:
www.cia.gov canonical name = www.cia.gov.edgekey.net.
www.cia.gov.edgekey.net canonical name = e6221.dscna.akamaiedge.net.
Name: e6221.dscna.akamaiedge.net
Address: 23.13.163.36
Now if I go
telnet 23.13.163.36 80 {80 is for port 80 which is the web}
it will answer.
OK, so everybody has OPEN ports if they have any assets like servers, email servers, etc.
This leaves them open to attack by the bad guys. One such attack is a DDoS – distributed Denial of Service attack.
Let’s have a look at the impregnable castle. Looks impressive, protected by the Knights Templar and the Jedi. A DDoS attack on this castle will look like this:
You line up 200,000 people. Each one walks up to the gate and says let me in, or in our case basically connects to port 80 and says, send me the pages on your website.
This can cause a memory buffer over-run = when the guards at the entry can’t process all the people, they simply give up and say “Everyone can come in, no need to show us IDs.”
This can cause blocking = real people trying to get in will have to wait in line. After an hour they will quit and give up, then go back to their lords and say they couldn’t make it.
This can cause the ISP to kick you out = ISPs don’t like clients who get attacked, as it wastes their resources, and they usually tell them to go to another colo or ISP.
Anyway, if you keep the attack long enough, no one will be able to get into the castle and if they leave they won’t be able to come back in.
This will cause the castle to starve and all the knights will be useless against this.
The same with Firewalls……..
So to protect against this you have something called DDoS protection.
This is done either on the firewall itself (Juniper Screens), or you buy a dedicated appliance like Arbor or Juniper.
So if you want to use an analogy use a castle.
The Arbor is the outside security guard. He gets rid of people that look like time wasters or DDoS attackers. The second line of defense is the Firewall. The firewall will allow only certain ports. For example it will ask “What is thy business, pilgrim?” and if you say “I’m here for the market” then you get in: port 80. If you answer “I am here to go to church”, it kicks you out, since there is no church (port 9090).
Now you have a firewall, or a guard at the gate. What happens if the guard is not well and dies? Well, if you had Dynamic support, Sonicwall would send you another guard.
What happens if he can’t get new ideas in his thick skull?
If you had the above support, you could download updates. Then it would be harder to outsmart him.
Well let’s say people keep bringing knives and then stabbing each other in the market over one affront or the next one.
If you get the Content Filtering service, then the guard can go through their belongings and confiscate any knives or swords. No more dueling over the hand of so-and-so maiden or drunk fights over which NBA team is better.
Well, the black plague is upon us. You don’t want the town to get infected now do you??
If you buy the license for the guard, he will be able to stop all people and tell them: Open wide, Ahhhhhhhhh, stick your tongue out.
Show me your armpits. For example, people who had the plague had tumors there, so a diligent guard could save your city from the ravages of the Middle Ages…….
So buy ANTI-VIRUS
Ever see those time wasters, snake oil and potion sellers?
Yes rub this mud on your hand and your skin will be glowing…….
Drink this snake oil after you work out and you will look like Dwayne Johnson in 5 weeks…..
No sense in having the whole city flooded with them.
buy the ANTI-SPAM license
SRX650-S2-AS-5 Five year subscription for Juniper-Sophos Anti-Spam updates on SRX 650 SRX650
And the guard will scan those people with a few intelligent questions and drop them to the moat.
There is always more you can buy.
A VPN – Virtual Private Network.
Let’s say I live in my cabin in the woods.
Well I ran out of money for snake oil, so I send my servant to the town with the code word LET ME IN I AM THE KINGS SON.
and voila the servant is in. The guard basically recognized the code and let him in.
IPS, intrusion prevention, and IDS, intrusion detection:
Let’s look at the castle.
Now an IDS/IDP/IPS appliance will usually go behind the firewall or can be a license in the firewall. It will then be another CPU in the firewall.
SRX650-IDP-5 5 year license for IDP updates for SRX 650 SRX650
The IDS basically opens up the internet packets as they arrive and looks inside them.
Now the IDP/IPS will have a list of no-no’s, or signatures. So for example:
Let’s say you dress up as a monk. You pass the DDoS guards, you pass the firewall guy. No virus when you coughed.
So all is well. The guy says, where are you going? You say, oh well, to the Catholic church.
Now the IDS/IDP/IPS stops you and says, Hello Brother, can I search you. Then he opens your stuff and sees a Koran.
Well, since he has his signatures he knows that Monk Traffic to the Catholic church + Koran = trouble, something weird.
So an IDS, intrusion detection system, will send an alert to the IT manager and then let the guy through {not very useful}, but at least as an IT manager you know what is going on.
An IPS, intrusion prevention system, will send an alarm and proceed to whip out his sword and stab the monk.
An IDP is Intrusion Detection AND Prevention.
Anyway, today most people mix them up and IDS is not really used,
as there is no sense in getting an alert, “your house is on fire”, and arriving to a burned down house.
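Here is the difference between the two modes as an added example, not Juniper’s IDP code: one signature engine, where the only thing that changes between IDS and IPS is whether a matching packet is forwarded or dropped. Like the monk + Koran rule, each signature is a conjunction that fires only when all its parts are seen together on that port. The signatures, addresses and packets are constructed; a “../../” path marker in a web request stands in for the Koran.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not a vendor's IDS/IPS. Packets and signatures are constructed.
@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes

@dataclass
class Signature:
    name: str
    dport: Optional[int]        # None means any port
    must_contain: List[bytes]   # every item has to appear in the payload

# Each signature is a conjunction (port AND all byte strings), like "monk + Koran".
SIGNATURES = [
    Signature("http-path-traversal", 80, [b"GET /", b"../../"]),
    Signature("http-shell-string", 80, [b"GET /", b"/bin/sh"]),
]

class InspectionEngine:
    """mode='ids': alert and forward. mode='ips': alert and drop (the post's IDP)."""
    def __init__(self, mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []   # (signature name, source address) for the IT manager

    @staticmethod
    def _matches(sig: Signature, pkt: Packet) -> bool:
        return (sig.dport in (None, pkt.dport)
                and all(part in pkt.payload for part in sig.must_contain))

    def inspect(self, pkt: Packet) -> str:
        for sig in SIGNATURES:
            if self._matches(sig, pkt):
                self.alerts.append((sig.name, pkt.src))
                return "drop" if self.mode == "ips" else "forward"
        return "forward"

# Constructed sample traffic: an ordinary request, one carrying the traversal marker,
# and the same bytes on a port the signature does not cover.
NORMAL = Packet("198.51.100.20", 80,
                b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SUSPECT = Packet("203.0.113.9", 80,
                 b"GET /cgi-bin/../../secret HTTP/1.1\r\nHost: shop.example\r\n\r\n")
OFF_PORT = Packet("203.0.113.9", 8443, SUSPECT.payload)

def demo():
    """Run the three packets through an IDS and an IPS; return verdicts and alert counts."""
    out = {}
    for mode in ("ids", "ips"):
        engine = InspectionEngine(mode)
        verdicts = [engine.inspect(p) for p in (NORMAL, SUSPECT, OFF_PORT)]
        out[mode] = (verdicts, len(engine.alerts))
    return out

if __name__ == "__main__":
    for mode, (verdicts, alerts) in demo().items():
        print(mode, verdicts, "alerts:", alerts)
```

Both engines raise exactly one alert for the suspect request; the IDS still forwards it (the house-on-fire alert) while the IPS drops it. The same payload on port 8443 passes both, which is the usual reason signatures are tied to a port: it keeps false alarms down, at the cost of missing the same thing on an unexpected port.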
So as you can see there is a system here.
Layers of defense.
1. DDoS protection – gets rid of all the DDoS people, for example if 10,000 people came from one city in 5 minutes. Then it must be an attack.
2. Firewall protection – Basically the big wall with only one or two openings.
3. Content Filtering – no weapons allowed in town
4. Anti-Virus protection – please cough and show me your skin
5. Anti-Spam protection – is that snake oil and communist pamphlets you have there ??
6. Application Protection – did you bring that young man with you, you know your dad doesn’t approve of you dating. Send him back to the farm and get in.
7. IPS – So wait, you speak Chinese only but you claim you are Japanese albino ???? too fishy, let me alert my managers……
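A minimal version of rule 1 as an added example (my code, not Arbor’s or Juniper’s logic): a sliding-window count of new connections per source group, flagged when the count inside five minutes reaches a threshold. The log lines are constructed from documentation address ranges, a /24 prefix stands in for “one city”, and the threshold is scaled down from the post’s 10,000 to 5 so the sample trips it.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection log for this example: "<ISO timestamp> <source IP> <dst port>".
# Addresses are from the documentation ranges; the burst from 203.0.113.0/24 is the "one city".
LOG = """\
2024-05-01T10:00:00 198.51.100.7 80
2024-05-01T10:00:30 203.0.113.10 80
2024-05-01T10:00:45 203.0.113.11 80
2024-05-01T10:01:00 192.0.2.44 25
2024-05-01T10:01:10 203.0.113.12 80
2024-05-01T10:01:20 203.0.113.13 80
2024-05-01T10:01:30 203.0.113.14 80
2024-05-01T10:01:40 203.0.113.15 80
2024-05-01T10:09:00 198.51.100.7 80
2024-05-01T10:09:30 198.51.100.8 80
"""

# The post's rule is "10,000 from one city in 5 minutes"; the threshold is scaled down so
# the constructed log can trip it, and a /24 prefix stands in for "one city" (assumption).
THRESHOLD = 5
WINDOW = timedelta(minutes=5)

def source_group(ip: str) -> str:
    """Group sources by /24 prefix (stand-in for geolocation)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window counter per source group.
    Returns {group: ISO timestamp at which it was first flagged}."""
    recent = defaultdict(deque)   # group -> timestamps still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts_text, ip, _port = line.split()
        ts = datetime.fromisoformat(ts_text)
        group = source_group(ip)
        window_q = recent[group]
        window_q.append(ts)
        while ts - window_q[0] > window:     # drop entries older than the window
            window_q.popleft()
        if len(window_q) >= threshold and group not in flagged:
            flagged[group] = ts.isoformat()
    return flagged

if __name__ == "__main__":
    for group, when in detect_floods(LOG.splitlines()).items():
        print(f"flood from {group} first seen at {when}")
```

The 203.0.113.0/24 group is flagged at its fifth connection; 198.51.100.0/24 never is, because its connections are spread over more than the window. A real scrubbing appliance adds much more (baselines per destination, packet-rate and protocol checks), but the shape is the same: count, window, threshold, act.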
As you can see these are a lot of layers, and we can provide each layer with an appliance.
Arbor for DDoS.
Cisco for Firewall
Anti-Virus appliance
Anti-Spam appliance
IPS appliance.
Or you can get devices that do all in one or as the marketing people call them NEXT GEN firewalls short for Next Generation firewalls.
Let’s see how it works for you people.
Let’s say you want a Juniper SRX 650. You want to protect your 500 users who work in the New York office. You have a website where your clients log in to check their portfolio and give buy orders.
On the other hand, if you can articulate the value of the defenses, you add DDoS protection to keep your website from collapsing under attacks by extortion crews out of Eastern Europe. That one is a little harder to sell, as most people pay off the extortion crew and never bother reporting it, since you can’t apply US law in Russia or abroad {as evident from that snitch/whistleblower hanging out in Russia making fun of the US}.
Anti-Virus for 5 years
SRX650-K-AV-5-R Five year renewal subscription for Juniper-Kaspersky AV updates on SRX 650 SRX650
Anti-Spam
SRX650-S2-AS-5-R Five year renewal subscription for Juniper-Sophos Anti-Spam updates on SRX 650 SRX650
IPS
SRX650-IDP-5-R 5 year renewal subscription for IDP Signature service for SRX 650 SRX650
Application security
SRX650-APPSEC-A-5 5 year Subscription for Application Security and IPS updates for SRX650 SRX650
VPN clients for home users.
SRX-RAC-100-LTU Dynamic VPN Service: 100 simultaneous users SRX650, SRX220, SRX240, SRX550
Support
SV3-ND-SRX650 Juniper Care 3YR Prepaid NextDay Support for SRX650 SRX650
___________________________________________________________________________________________________________________________________________________________________
Saar Harel is a resident Engineer at Myriad Supply, and has been in the Networking Field for over 20 years. You can check out his Google+ and ask him questions!