Firewall Architectures

Firewalls provide a layer of protection by analyzing data leaving and entering a network

They are placed between application servers and routers

Firewalls can be used to either control access to a single host (host-based firewall) or an entire network (network firewall)

Network firewalls are placed in front of a router, and host-based firewalls run on the machine whose traffic they filter

Firewalls work by:

  1. Intercepting traffic before it reaches its target
  2. Inspecting the source and destination addresses and ports, TCP flags, and other features of incoming packets
  3. Allowing packets that come from trusted sources and denying packets that don’t

Firewalls are multifunctional network security appliances that operate at multiple layers of the OSI model

Four different types of Firewalls:

MAC Layer Firewall

MAC layer firewalls operate on Layer 2 and filter based on source and destination MAC Addresses

Routers compare the MAC address of a device against an approved list

MAC firewalls can protect the network from novice attackers, but they can be easily bypassed by MAC spoofing

Packet-Filtering Firewalls (Stateless)

Stateless packet-filtering firewalls operate at Layers 3 and 4

They statically evaluate the contents of packets and do not keep track of the state of network connections (stateless)

They apply rules to each packet individually

Stateless packet-filtering firewalls create checkpoints within a router and examine packets as they pass through an interface

They are not resource intensive and work best with small networks; however, they are easy to subvert compared to more robust firewalls. They also do not support custom rule sets

Packet-Filtering Firewalls (Stateful)

Stateful packet-filtering firewalls operate at Layers 3 and 4

They can determine if a packet is:

Stateful firewalls examine the connection as a whole, looking at streams of packets

They cannot understand application protocols, and therefore can’t determine what the underlying traffic is doing

They offer transparent mode, which allows direct connections between clients and servers, but are resource-intensive

Circuit-level Firewalls

Circuit-level firewalls operate at Layer 5

They work by verifying the three-way TCP handshake

They only look at the header of the packet, and once the circuit is allowed to establish an end-to-end connection, all data is tunneled between parties

TCP handshake checks can verify the following about a source:

They can quickly and easily approve and deny traffic without consuming significant computing resources, but do not check the contents of the packet, which could contain malware

Application (Proxy) Firewalls

Application or proxy firewalls operate at Layer 3 through 7

They use deep packet inspection and stateful inspection to determine if incoming traffic is safe or harmful

They intercept all traffic on its way to its final destination, without the data source knowing

They obscure the destination from the source


Uncomplicated Firewall (UFW): Multifunctional firewall that provides stateless and stateful packet filtering

It is a standard Linux firewall

UFW Features:

UFW Setup

ufw reset: Resets all UFW rules to factory defaults

ufw status: Prints the current UFW status

ufw enable: Starts the firewall and updates rules

ufw reload: Reloads the firewall

ufw default deny incoming: Blocks all incoming connections

ufw default allow outgoing: Allows all outgoing connections

ufw allow: Opens specific ports

ufw deny: Closes specific ports

ufw delete: Deletes rules

ufw disable: Shuts down the firewall


firewalld: Dynamically managed firewall that uses zones to divide network interfaces into groups of shared trust level

Zones: Organizations of rules. Each zone contains several rules

Through zones, firewalld can manage rulesets dynamically, without breaking existing sessions

Rules and configurations can be tested in runtime environments:

firewalld Setup

To start firewalld:

sudo /etc/init.d/firewalld start

To view Zones:

firewall-cmd --list-all-zones

To bind a zone to a physical interface:

firewall-cmd --zone=work --change-interface=eth1

To verify a zone has successfully been bound:

firewall-cmd --zone=work --list-all

To list all currently running services inside firewalld:

firewall-cmd --get-services

To block all traffic from a specific IP Address:

firewall-cmd --zone=work --add-rich-rule='rule family="ipv4" source address="" reject'

Rules added this way are runtime-only and are lost when firewalld is restarted or reloaded. Append the --permanent option to avoid this

To block ICMP pings from entering the network:

firewall-cmd --zone=work --add-icmp-block=echo-reply --add-icmp-block=echo-request

Testing Rules with nmap

nmap: The industry-standard network scanner

The following information can be acquired via network scans:

nmap Setup

To enumerate OS names and versions:

nmap -O -p 1-500 --osscan-guess

To enumerate specific services and daemons that are running on open ports:

nmap -sV

To fingerprint the type of operating system running on a host by enumerating information gathered through open ports:

nmap -A -T4

To determine the true state of a port:

nmap -sU -F

Use the -sA flag to send probe packets that have only the ACK flag set. This is used to determine whether a firewall is stateful, meaning it accepts only packets that belong to previously established connections
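As an added example (not part of these notes), the following toy Python model contrasts the stateless and stateful packet filters described in the firewall sections above and shows why an ACK-only probe tells them apart: a stateless rule that admits "reply" traffic by its ACK flag passes the probe, while a connection table rejects it. The packets, the host address and the documentation-range addresses are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}

INSIDE = "10.0.0.5"  # constructed: the protected host behind the firewall
def stateless_filter(pkt):
    """Stateless rule set: admit new traffic to the web service on port 80 and
    any packet carrying ACK, a classic stateless stand-in for 'reply traffic'."""
    if pkt.dst == INSIDE and pkt.dport == 80:
        return "allow"
    if "ACK" in pkt.flags:
        return "allow"  # an unsolicited ACK probe passes: there is no state to check
    return "deny"

class StatefulFilter:
    """Keeps a connection table; only packets belonging to a tracked connection,
    or a SYN opening a new connection to port 80, are admitted."""
    def __init__(self):
        self.table = set()  # entries: (client, client_port, server, server_port)
    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src == INSIDE:  # outbound: remember the connection the host opened
            self.table.add(forward)
            return "allow"
        if reverse in self.table:  # inbound reply to a tracked connection
            return "allow"
        if pkt.dst == INSIDE and pkt.dport == 80 and pkt.flags == frozenset({"SYN"}):
            self.table.add(forward)  # new inbound connection to the allowed service
            return "allow"
        return "deny"  # an ACK with no matching connection is dropped here

def compare_filters():
    """Send an ACK-only probe and a genuine reply through both filters."""
    stateful = StatefulFilter()
    probe = Packet("203.0.113.9", 40000, INSIDE, 22, frozenset({"ACK"}))
    outbound = Packet(INSIDE, 51000, "198.51.100.7", 443, frozenset({"SYN"}))
    reply = Packet("198.51.100.7", 443, INSIDE, 51000, frozenset({"SYN", "ACK"}))
    stateful.filter(outbound)  # the inside host opens a connection first
    return {
        "ack_probe": (stateless_filter(probe), stateful.filter(probe)),
        "real_reply": (stateless_filter(reply), stateful.filter(reply)),
    }
```

The verdict pair for the probe ("allow" from the stateless filter, "deny" from the stateful one) is exactly the difference an ACK scan reveals, while the real reply passes both.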

Introduction to Intrusion Detection and Snort

An IDS detects and alerts of an attack

IDS are passive and do not respond to attacks. They only log and document information

Two types of IDS:

Network Intrusion Detection (NIDS): Filters an entire subnet on a network

Matches all traffic to a known library of attack signatures

Host-based Intrusion Detection (HIDS): Runs locally on a single host, such as a user’s workstation or a server

Acts as a second line of defense against malicious traffic that successfully gets past NIDS

Intrusion Prevention System

Intrusion Prevention System (IPS): Has the same functionality as an IDS, but can also respond to attacks


Network Tap: Hardware device that provides access to a network

SPAN (Port Mirroring): Sends a mirror image of all network data to another physical port

IPS Connects inline with the flow of data, typically between the firewall and network switch

IDS Alerts

Alert: Message that is sent to an analyst’s console as an indicator of attack (IOA)

An IDS generates alerts when a Snort rule detects malicious traffic:

Indicators can either be:


Snort is an open-source IDS solution

Network Security Monitoring (NSM): The process of identifying weaknesses in a network’s defense

Snort Configuration Modes:

Snort Rules

Operates by:

  1. Reading a configuration file
  2. Loading the rules and plugins
  3. Capturing packets and monitoring traffic for patterns specified in rules
  4. When traffic matches a rule pattern, generating an alert and logging the matching packet

Rules can direct Snort to monitor the following:


alert ip any any -> any any (msg:"IP Packet Detected"; sid:1000001; rev:1;)

This rule logs the message "IP Packet Detected" whenever it sees an IP packet. Snort rule options are enclosed in parentheses, each option ends with a semicolon, and every rule needs a unique sid (values of 1000000 and above are reserved for local rules)
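As an added example that is not part of these notes or of Snort itself, this small Python parser takes the rule above apart into its header fields (action, protocol, source, source port, direction, destination, destination port) and its options, and then runs two rules over constructed sample packets to show which alerts fire. The matcher is deliberately simplified (only "any" or exact values; no CIDR, variables, lists or negation) and the second rule and all packets are constructed.

```python
import re

RULE_RE = re.compile(  # header: action proto src sport direction dst dport, then (options)
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):  # simplified: no ';' inside option values
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def _field_matches(pattern, value):
    # simplified matcher: 'any' or an exact value (no CIDR, lists, variables or negation)
    return pattern == "any" or pattern == str(value)

def matches(rule, pkt):
    """True when the packet satisfies the rule header; 'ip' covers all IP traffic."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    fwd = all(_field_matches(rule[k], pkt[v]) for k, v in
              (("src", "src"), ("sport", "sport"), ("dst", "dst"), ("dport", "dport")))
    rev = rule["dir"] == "<>" and all(_field_matches(rule[k], pkt[v]) for k, v in
              (("src", "dst"), ("sport", "dport"), ("dst", "src"), ("dport", "sport")))
    return fwd or rev

def run_rules(rule_texts, packets):
    """Return (sid, msg, src) for every alert rule that fires on each packet."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(r["options"].get("sid"), r["options"]["msg"], p["src"])
            for p in packets for r in rules
            if r["action"] == "alert" and matches(r, p)]
RULES = [  # the notes' rule in valid syntax, plus a constructed port-specific rule
    'alert ip any any -> any any (msg:"IP Packet Detected"; sid:1000001; rev:1;)',
    'alert tcp any any -> 10.0.0.5 22 (msg:"SSH connection attempt"; sid:1000002; rev:1;)',
]
PACKETS = [  # constructed sample traffic
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.5", "dport": 22},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53000, "dst": "10.0.0.2", "dport": 53},
]
```

Running run_rules(RULES, PACKETS) yields three alerts: the ip rule fires on both packets, and the tcp rule fires only on the connection to port 22.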

Networking Security Monitoring and Security Onion

Network Security Monitoring

Network security monitoring uses a variety of data analysis tools to detect and stop threats after most front-end layers have been compromised

NSM Strengths:

NSM Weaknesses:

NSM Stages and Process


An alert is generated

Collection: The event is observed and the data is stored in the form of a PCAP file

Analysis: The alert data is identified, validated, documented, and categorized according to its threat level


A security team responds to a security incident

Escalation: All relevant parties are notified about the security incident

Resolution: The process of containment, remediation, and any additional necessary response

Security Onion

Security Onion: A network security monitoring platform that provides context, intelligence, and situational awareness of a network

Sguil: Pulls alert data from Snort, allowing us to more thoroughly analyze alerts

Transcript: Provides a view of PCAP transcripts that are rendered with TCP flow

NetworkMiner: Performs advanced network traffic analysis through extraction of artifacts contained in PCAP files

Sguil Alert Panel

ST or Status: Colors indicate severity levels of real-time events

Alert ID: A randomly generated numerical ID created by Sguil

Source IP: IP Address of the source identified by the alert

Event Message: The message generated by the Snort rule option

Sguil Snort Rule and Packet Data

Snort Rule: The rule in the Snort NIDS engine that generated the alert when traffic matched it

Packet Data: Network packet analysis

Alert: FTP File Extraction

Sensor: Device that detects the event

Drive-by Attack: The user gets infected simply by visiting a web page

To use NetworkMiner, right-click on the Alert ID and select NetworkMiner

The Files tab lists the files downloaded within the attack

To view the file, right-click on the file and select Open Folder

Virus Total can be used to check if a file is malicious

Enterprise Security Management

Command and Control (C2) Beacon

C2 servers are used to create a connection from an infected host that calls back to the server

Callbacks, referred to as keep-alives, serve as beacons that keep the back channel open to enable access in and out of the network at all times

Snort rules can include a reference URL in the Snort rule option, which can help network defenders establish TTPs regarding their attackers

Enterprise Security Monitoring

Enterprise Security Monitoring includes endpoint telemetry


Firewalls and NSMs cannot inspect the contents of encrypted traffic

Malware is commonly sent in an encrypted state to bypass IDS detection, but cannot activate in the encrypted state

ESMs use OSSEC to provide visibility at the host level, where malware infection takes place after the payload is decrypted

Endpoint Telemetry is host-based monitoring of system data

OSSEC agents are deployed to hosts to collect syslog data

Security admins use three other tools to fully analyze packet captures:

Flow of Data:

  1. OSSEC generates an alert
  2. OSSEC sends alert data gathered from syslog to the OSSEC server
  3. The OSSEC-generated syslog alert is written to Logstash for storage
  4. Log data is ingested into the Elasticsearch analytics engine
  5. Users interact with the data through Kibana


To change date range:

To view alerts listed by frequency, select the Queue column

Select the red number to view the Snort Rule. Select it again to list the alerts

The Views tab displays traffic as it flows between a source and destination IP

Thicker bands indicate higher volumes of traffic

The Summary tab shows an overview of the alerts


To search for an IP Address in Kibana from Sguil, right click the alert and select Kibana > SrcIP

To change the date range, select the time range at the top right of the window

The Magnifying Icon will add the item as a filter

+: Include only

-: Exclude

Threat Intelligence

Computer Incident Response Teams (CIRT) are responsible for establishing threat intelligence cards, which document the TTPs used by attackers to infiltrate a network

Threat intelligence cards are shared among the cyber defense community, allowing organizations to benefit from the lessons learned by others

The triad of actors, capability, and intent informs decision making, enhanced network defense operations, and effective tactical assessments:
