Firewall Architectures
Firewalls provide a layer of protection by inspecting traffic entering and leaving a network
They sit at a trust boundary, typically between the router that faces the untrusted network and the hosts or servers it protects
Firewalls can control access to a single host (host-based firewall) or to an entire network (network firewall)
Network firewalls are placed at the network edge, usually between the edge router and the internal network, while host-based firewalls run on the machine whose traffic they filter
Firewalls work by:
- Intercepting traffic before it reaches its target
- Inspecting the source and destination addresses and ports, TCP flags, and other header fields of each packet
- Allowing packets that match a permitted (trusted) rule and denying those that do not
Firewalls are multifunctional network security appliances that operate at multiple layers of the OSI model
Four different types of Firewalls:
- MAC
- Packet filtering
- Circuit-level Gateways
- Application Gateways
MAC Layer Firewall
MAC layer firewalls operate on Layer 2 and filter based on source and destination MAC Addresses
The filtering device (a switch, wireless access point, or router) compares the MAC address of a device against an approved list
MAC filtering can keep out novice attackers, but it is easily bypassed by MAC spoofing, since the sender can set its MAC address to any value
Packet-Filtering Firewalls (Stateless)
Stateless packet-filtering firewalls operate at Layers 3 and 4
They evaluate each packet in isolation and do not keep track of the state of network connections (stateless)
Rules are matched against the fields of individual packets:
- Source and destination IP address
- Source and destination port
- IP protocol (TCP, UDP, ICMP)
- Ingress or egress interface
Stateless packet-filtering firewalls create checkpoints within a router and examine packets as they pass through an interface
They are not resource intensive and work well for small networks, but they are easier to subvert than stateful firewalls: because no connection state is kept, return traffic must be permitted with broad rules (for example, allowing any inbound packet from source port 443), and an attacker can craft packets that fit those rules
Packet-Filtering Firewalls (Stateful)
Stateful packet-filtering firewalls operate on Layer 3 and 4
They can determine if a packet is:
- Trying to establish a new connection (NEW)
- Part of an existing, tracked connection (ESTABLISHED)
- Neither new nor part of a tracked connection, such as a bare ACK with no prior handshake (INVALID in netfilter terms)
Stateful firewalls examine the connection as a whole, looking at streams of packets rather than single packets
They do not parse application protocols, so they cannot tell what the traffic inside a connection is doing
They can run in transparent mode, passing connections directly between clients and servers without proxying them, but tracking state for every connection is resource-intensive
Circuit-level Firewalls
Circuit-level firewalls operate at Layer 5
They work by verifying that the TCP three-way handshake completes before traffic is passed
They look only at packet headers; once the circuit is allowed to establish an end-to-end connection, all data is relayed between the parties without further inspection
The handshake checks can verify the following about a session:
- Unique session identifier
- State of the connection
- Sequencing information
They can approve and deny traffic quickly without consuming significant computing resources, but they never inspect the packet payload, which could carry malware
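The difference between the stateless and stateful filters described above, and the handshake check a circuit-level gateway performs, in a toy Python model written for these notes (it is not the code of any real firewall). The host address, policy and packets are constructed; the NEW/ESTABLISHED/INVALID names follow netfilter's vocabulary:

```python
# Toy stateless vs. stateful packet filter on constructed packets (added example).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the protected host, "out" = leaving it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S", "SA", "A"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction) and self.proto in ("any", p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))


class StatelessFilter:
    """Judges every packet on its own header fields; first matching rule wins."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rules plus a connection table: packets of a tracked connection are
    allowed without consulting the rules, out-of-state packets are dropped."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.table = {}  # flow key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED" | "UDP"

    @staticmethod
    def _key(p: Packet):
        a, b = (p.src, p.sport), (p.dst, p.dport)         # endpoint-order independent,
        return (p.proto,) + (a + b if a <= b else b + a)  # so replies hit the same entry

    def classify(self, p: Packet) -> str:
        if self._key(p) in self.table:
            return "ESTABLISHED"   # part of a connection we have already seen
        if p.proto == "udp" or (p.proto == "tcp" and p.flags == "S"):
            return "NEW"           # a legitimate way to open a connection
        return "INVALID"           # e.g. a bare ACK with no prior SYN

    def _advance(self, p: Packet) -> None:
        k = self._key(p)
        if self.table[k] == "SYN_SENT" and p.flags == "SA":
            self.table[k] = "SYN_RECV"
        elif self.table[k] == "SYN_RECV" and p.flags == "A":
            self.table[k] = "ESTABLISHED"   # three-way handshake completed

    def decide(self, p: Packet) -> str:
        state = self.classify(p)
        if state == "ESTABLISHED":
            self._advance(p)
            return "allow"
        if state == "INVALID":
            return "deny"
        verdict = super().decide(p)     # only NEW packets are judged by the rules
        if verdict == "allow":
            self.table[self._key(p)] = "SYN_SENT" if p.proto == "tcp" else "UDP"
        return verdict


HOST = "10.0.0.5"   # constructed: the protected host runs an SSH server and browses out
POLICY = [
    Rule("allow", direction="in", proto="tcp", dst=HOST, dport=22),  # inbound SSH
    Rule("allow", direction="out"),                                  # anything outbound
]


def run_scenarios() -> dict:
    """Replay constructed traffic through both filters; returns the verdicts."""
    peer, web, probe = "198.51.100.7", "203.0.113.9", "192.0.2.66"
    ssh_handshake = [Packet("in", "tcp", peer, 40000, HOST, 22, "S"),
                     Packet("out", "tcp", HOST, 22, peer, 40000, "SA"),
                     Packet("in", "tcp", peer, 40000, HOST, 22, "A")]
    outbound_web = [Packet("out", "tcp", HOST, 51000, web, 443, "S"),
                    Packet("in", "tcp", web, 443, HOST, 51000, "SA")]  # the reply
    ack_probe = Packet("in", "tcp", probe, 55555, HOST, 22, "A")      # nmap -sA style
    results = {}
    for name, fw in (("stateless", StatelessFilter(POLICY)), ("stateful", StatefulFilter(POLICY))):
        results[name] = {"ssh_handshake": [fw.decide(p) for p in ssh_handshake],
                         "outbound_web": [fw.decide(p) for p in outbound_web],
                         "ack_probe": fw.decide(ack_probe)}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

Running it shows the two practical consequences: the stateless filter drops the reply to the host's own outbound HTTPS connection unless a broad inbound rule is added for it, and it passes an unsolicited ACK to port 22 (so the host would answer with a RST) where the stateful filter drops it as INVALID. That asymmetry is what an nmap ACK scan measures.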
Application (Proxy) Firewalls
Application or proxy firewalls operate at Layers 3 through 7
They use deep packet inspection together with stateful inspection to decide whether traffic is safe or harmful
They intercept all traffic on its way to its destination and terminate the connection themselves, opening a separate connection to the destination; the source need not be aware of the proxy
They hide the destination from the source (and the source from the destination)
UFW
Uncomplicated Firewall (UFW): A front end to the Linux netfilter (iptables) framework that provides stateless and stateful packet filtering
It is the standard host firewall tool on Ubuntu and is available on most Linux distributions
UFW Features:
- Host-Based: Most commonly used on individual hosts
- Logging: Multiple log levels (low, medium, high, full) give insight into blocked and allowed traffic
- Remote Management: Can be administered over SSH (allow the SSH rule before enabling the firewall, or you lock yourself out)
- Rules for Allow / Deny: Examine source and destination IP addresses, port numbers, and protocols
- Rate-Limiting: A limit rule denies a source that has attempted 6 or more connections in the last 30 seconds, which protects against brute-force attacks
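How a limit rule of the kind UFW offers behaves over time, as a Python model written for these notes (it is not ufw's implementation, which relies on the iptables recent match; the bookkeeping here is simplified to "deny the sixth and later attempts within 30 seconds"). The event log and addresses are constructed:

```python
# Sliding-window connection rate limiter modelled on `ufw limit` (added example).
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Refuses a new connection attempt once a source has made `max_hits`
    attempts (this one included) within the last `window` seconds.
    Defaults mirror ufw's limit rule (6 attempts in 30 s)."""

    def __init__(self, max_hits=6, window=30.0):
        self.max_hits, self.window = max_hits, window
        self._hits = defaultdict(deque)   # source -> timestamps of recent attempts

    def attempt(self, src, now):
        q = self._hits[src]
        while q and now - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        q.append(now)
        return "allow" if len(q) < self.max_hits else "deny"


def replay(events, **kw):
    """events: (timestamp, source) pairs in time order. Returns (t, src, verdict) tuples."""
    rl = ConnectionRateLimiter(**kw)
    return [(t, src, rl.attempt(src, t)) for t, src in events]


ATTACKER, CLIENT = "198.51.100.7", "203.0.113.9"
# Constructed log: a brute-forcer retries SSH every 2 s and comes back after a
# pause; a normal client connects twice in the same period.
SAMPLE = sorted([(2.0 * i, ATTACKER) for i in range(10)]
                + [(5.0, CLIENT), (20.0, CLIENT), (65.0, ATTACKER)])


if __name__ == "__main__":
    for t, src, verdict in replay(SAMPLE):
        print(f"{t:6.1f}s {src:15} {verdict}")
```

The attacker's first five attempts go through, the sixth to tenth are refused, and the attempt after the pause is accepted again because the earlier hits have aged out; the client is never affected. That is the trade-off of a limit rule: it slows down guessing without cutting off legitimate users.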
UFW Setup
ufw reset
: Resets all UFW rules to factory defaults
ufw status
: Prints current UFW status
ufw enable
: Starts the firewall and enables it at boot
ufw reload
: Reloads the firewall
ufw default deny incoming
: Blocks all incoming connections
ufw default allow outgoing
: Allow all outgoing connections
ufw allow
: Open specific ports
ufw deny
: Close specific ports
ufw delete
: Delete rules
ufw disable
: To shut down the firewall
firewalld
firewalld
: Dynamically managed firewall that uses zones to group network interfaces by trust level
Zones: Groups of rules applied to the interfaces or sources assigned to them; each zone contains several rules
Through zones, firewalld can change rulesets dynamically without breaking existing sessions
Rules can be tested in the runtime configuration before being made permanent:
- Runtime Configuration: Valid until the next reload or reboot. Used to test new rules, which can then be saved to the permanent configuration
- Permanent Configuration: Loaded at each reboot and reload, becoming the runtime configuration until further runtime changes are made
firewalld Setup
To start firewalld (on systemd-based distributions use systemctl start firewalld instead):
sudo /etc/init.d/firewalld start
To view Zones:
firewall-cmd --list-all-zones
To bind a zone to a physical interface:
firewall-cmd --zone=work --change-interface=eth1
To verify a zone has successfully been bound:
firewall-cmd --zone=work --list-all
To list the predefined services firewalld knows about (use --list-services with a zone to see which are enabled in that zone):
firewall-cmd --get-services
To block all traffic from a specific IP Address:
firewall-cmd --zone=work --add-rich-rule='rule family="ipv4" source address="10.10.0.10" reject'
Runtime rules are lost when firewalld is reloaded or the system reboots. Append the --permanent option (and then run firewall-cmd --reload) to keep them
To block ICMP echo requests and replies in the zone, so the host neither answers nor receives pings:
firewall-cmd --zone=work --add-icmp-block=echo-reply --add-icmp-block=echo-request
Testing Rules with nmap
nmap
: The industry-standard network scanner
The following information can be acquired via network scans:
- Name and version of the operating system (OS fingerprinting)
- All open and closed ports
- All filtered ports (ports behind a firewall that drops the probes)
- Types of services running on specific ports
- Firewalking: Probing that determines which ports and Layer 4 protocols a specific firewall lets through
nmap Setup
To enumerate the OS name and version:
nmap -O -p 1-500 --osscan-guess 172.17.18.72
-O
: OS detection
-p 1-500
: Scans ports 1 through 500
--osscan-guess
: Reports the closest match when the OS fingerprint is not conclusive
To enumerate the specific services and daemons running on open ports:
nmap -sV 172.17.18.72
-sV
: Enables version detection; the reported service versions can be checked against the CVE database for known vulnerabilities
To run an aggressive scan that fingerprints the operating system from everything it can learn through open ports:
nmap -A -T4 172.17.18.72
-A
: Enables OS detection, version detection, script scanning, and traceroute
-T4
: Aggressive timing template, which speeds up the scan on a fast and reliable network
To scan the most common UDP ports (TCP scans reveal nothing about UDP services):
nmap -sU -F 172.17.18.72
-sU
: Performs a UDP scan
-F
: Fast mode, scanning the 100 most common ports instead of the default 1000
Use the -sA flag to send probes with only the ACK flag set. This maps firewall rules rather than open ports: a stateful firewall drops an ACK that belongs to no tracked connection and nmap reports the port as filtered, whereas a stateless filter that permits the port lets the ACK through, the host answers with a RST, and nmap reports the port as unfiltered
Introduction to Intrusion Detection and Snort
An IDS detects attacks and raises alerts about them
IDS are passive and do not respond to attacks; they only log and report what they observe
Two types of IDS:
- Signature-based IDS: Compares patterns of traffic to predefined signatures
- Good for identifying well-known attacks
- Can be updated as new attack signatures are released
- Anomaly-based IDS: Compares patterns of traffic against a well-known baseline
- Good for detecting suspicious traffic that deviates from well-known baselines
- Excellent at detecting when attackers probe and sweep a network
Network Intrusion Detection System (NIDS): Monitors the traffic of an entire subnet
Matches that traffic against a library of known attack signatures
Host-based Intrusion Detection System (HIDS): Runs locally on a single workstation or server
Acts as a second line of defense against malicious traffic that gets past the NIDS
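Signature matching is what a rule-based IDS does; an anomaly-based IDS needs a baseline first. The following Python example, written for these notes and not taken from any IDS product, learns the normal per-source fan-out from constructed flow records and then flags the probing and sweeping behaviour the list above says anomaly detection is good at (a host sweep and a port scan):

```python
# Baseline-driven probe/sweep detector over flow records (added example).
import statistics
from collections import defaultdict


def fanout(flows):
    """flows: (src, dst, dport) records for one time window.
    Returns {src: (distinct destination hosts, most ports touched on any one host)}."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    for src, dst, dport in flows:
        seen[src][dst].add(dport)
    return {src: (len(dsts), max(len(ports) for ports in dsts.values()))
            for src, dsts in seen.items()}


class FanoutBaseline:
    """Learns normal per-source fan-out from clean windows, then flags sources
    whose fan-out exceeds mean + k * standard deviation (deviation floored at 1)."""

    def __init__(self, k=3.0):
        self.k, self.limits = k, None

    def fit(self, windows):
        hosts, ports = [], []
        for flows in windows:
            for h, p in fanout(flows).values():
                hosts.append(h)
                ports.append(p)
        self.limits = {name: statistics.mean(xs) + self.k * max(statistics.pstdev(xs), 1.0)
                       for name, xs in (('hosts', hosts), ('ports', ports))}
        return self

    def detect(self, flows):
        """Returns (src, kind, observed, limit) for each source that deviates from baseline."""
        findings = []
        for src, (h, p) in fanout(flows).items():
            if h > self.limits['hosts']:
                findings.append((src, 'horizontal', h, self.limits['hosts']))   # sweep across hosts
            if p > self.limits['ports']:
                findings.append((src, 'vertical', p, self.limits['ports']))     # port scan of one host
        return findings


# Constructed traffic: four workstations talk to 1-3 internal servers on 443 plus DNS.
WORKSTATIONS = [f'10.0.1.{i}' for i in range(10, 14)]
SERVERS = ['10.0.0.10', '10.0.0.11', '10.0.0.12']


def normal_window(seed):
    flows = []
    for i, ws in enumerate(WORKSTATIONS):
        flows += [(ws, srv, 443) for srv in SERVERS[:1 + (i + seed) % 3]]
        flows.append((ws, '10.0.0.53', 53))
    return flows


def suspicious_window():
    sweep = [('10.0.1.99', f'10.0.0.{i}', 445) for i in range(1, 21)]     # 20 hosts, one port
    scan = [('10.0.1.77', '10.0.0.10', port) for port in range(1, 51)]    # one host, 50 ports
    return normal_window(7) + sweep + scan


def demo():
    """Fit on six clean windows, then inspect a window containing a sweep and a scan."""
    detector = FanoutBaseline().fit([normal_window(s) for s in range(6)])
    return detector.detect(suspicious_window())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The two metrics separate the two scan shapes: the sweeper touches many hosts on one port and trips only the host limit, the scanner touches one host on many ports and trips only the port limit, while the workstations stay below both. The floor of 1 on the standard deviation stops a baseline with no variance from flagging every single deviation.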
Intrusion Prevention System
Intrusion Prevention System (IPS): Has the same functionality as an IDS, but can also respond to attacks
IDS vs. IPS
Network Tap: Hardware device that copies the traffic on a link to a monitoring port
SPAN (Port Mirroring): Switch feature that sends a copy of all traffic on selected ports to another physical port
An IDS receives a copy of the traffic out of band, through a tap or SPAN port, so it can observe but not block; an IPS connects inline with the flow of data, typically between the firewall and the network switch, and can drop traffic
IDS Alerts
Alert: Message sent to an analyst's console as an indicator of attack (IOA) or of compromise (IOC)
An IDS generates an alert when a rule (for example, a Snort rule) matches traffic it considers malicious
Indicators can be either:
- Indicator of Attack (IOA): Evidence of an attack happening in real time
- Indicator of Compromise (IOC): Evidence of malicious activity that has already occurred
Snort
Snort is an open-source network IDS/IPS
Network Security Monitoring (NSM): The collection and analysis of network data to detect and respond to intrusions
Snort Configuration Modes:
- Sniffer Mode: Reads network packets and displays them on screen
- Packet Logger Mode: Performs packet captures by logging all traffic to disk
- Network IDS Mode: Monitors network traffic, analyzes it, and performs specific actions based on administratively defined rules
Snort Rules
Snort operates by:
- Reading a configuration file
- Loading the rules and plugins
- Capturing packets and monitoring traffic for patterns specified in rules
- When traffic matches a rule pattern, generating an alert and logging the matching packet
Rules can direct Snort to match on:
- Protocol (IP, TCP, UDP, ICMP)
- Source and destination addresses and ports
- Byte sequences (content) in the payload
Example:
alert ip any any -> any any (msg:"IP Packet Detected"; sid:1000001; rev:1;)
This rule raises an alert with the message IP Packet Detected for every IP packet Snort sees. Rule options go in parentheses, separated by semicolons; every rule needs a unique sid (values from 1000000 upwards are reserved for local rules) and a rev number
Network Security Monitoring and Security Onion
Network Security Monitoring
Network security monitoring uses a variety of data collection and analysis tools to detect and stop threats after the front-line defenses (firewalls, IPS) have been bypassed
NSM Strengths:
- Track adversaries through a network and determine intent
- Acquire intelligence and situational awareness
- Be proactive by identifying vulnerabilities
- Be reactive through incident response and network forensics
- Provide insights about advanced persistent threats
- Uncover and track malware
NSM Weaknesses:
- Cannot read encrypted traffic
- Powerful hardware and CPU requirements mean higher costs
- Cannot easily observe wireless (radio) transmissions
- Invasive process that monitors and records all network data, with privacy implications
- Sensor placement is limited in some parts of the network
NSM Stages and Process
Detection: An alert is generated
Collection: The event is observed and its data is stored (for example as a PCAP file), drawn from:
- Host Data
- Net Data
- Application Logs
- Data from third party
- Data from constituent
Analysis: The alert data is identified, validated, documented, and categorized according to its threat level
- IOC-centric analysis, or “matching”
- IOC-free analysis, or “hunting”
Response: A security team responds to the security incident
Escalation: All relevant parties are notified about the incident, which may produce:
- Constituent notification
- New IOC creation
- New collection requirement
- New analysis requirement
Resolution: The process of containment, remediation, and any additional necessary response
- Constituent response
- Additional response
- Collection improvement
- Analysis improvement
Security Onion
Security Onion: A network security monitoring platform that provides context, intelligence, and situational awareness of a network
Sguil: Analyst console that pulls alert data from Snort (and other sensors) so alerts can be analyzed in depth
Transcript: A rendered view of the TCP stream behind an alert, reassembled from the PCAP
NetworkMiner: Performs advanced network traffic analysis by extracting the artifacts (files, credentials, hosts) contained in PCAP files
Sguil Alert Panel
ST (Status): Colour-coded severity of real-time events
Alert ID: A sequential ID assigned by Sguil, made of the sensor ID and the event ID
Source IP: IP Address of the source identified by the alert
Event Message: The message generated by the Snort rule option
Sguil Snort Rule and Packet Data
Snort Rule: The rule in the Snort NIDS engine that fired when traffic matched it
Packet Data: The captured packet that triggered the alert, decoded for analysis
Alert: FTP File Extraction
Sensor: Device that detects the event
Drive-by attack: The user is infected simply by visiting a web page
To use NetworkMiner, right-click on the Alert ID and select NetworkMiner
The Files tab lists the files downloaded within the attack
To view the file, right-click on the file and select Open Folder
VirusTotal can be used to check whether a file is known to be malicious
Enterprise Security Management
Command and Control (C2) Beacon
C2 servers maintain a channel from an infected host, which periodically calls back to the server
These callbacks, also known as keep-alives, act as beacons that keep the back channel open so the attacker has access in and out of the network at all times
Snort rules can include a reference option (for example a URL) among the rule options, which helps network defenders research the TTPs of the attackers behind an alert
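One way defenders spot a beacon without a signature is the regularity of its callbacks. The following Python example is added for these notes (it is not from Security Onion or any of its tools): it groups a constructed connection log by source, destination and port and flags channels whose gaps between connections have a low coefficient of variation, which a keep-alive on a fixed timer produces and human browsing does not:

```python
# Beacon detection by callback-interval regularity (added example).
import statistics
from collections import defaultdict


def interval_stats(timestamps, min_events=8):
    """Return (events, mean_gap, cv) or None if there are too few events.
    cv = standard deviation / mean of the gaps; a timer-driven beacon has a low cv."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float('inf')
    return len(ts), mean, cv


def find_beacons(conn_log, max_cv=0.2, min_events=8):
    """conn_log: (timestamp, src, dst, dport) records.
    Returns {(src, dst, dport): (events, mean_gap, cv)} for channels that look like beacons."""
    by_channel = defaultdict(list)
    for t, src, dst, dport in conn_log:
        by_channel[(src, dst, dport)].append(t)
    found = {}
    for channel, ts in by_channel.items():
        stats = interval_stats(ts, min_events)
        if stats and stats[2] <= max_cv:
            found[channel] = stats
    return found


def sample_log():
    """Constructed connection log: one implant calling home every ~60 s with a
    little jitter, and one user browsing a site at irregular intervals."""
    jitter = [0, 2, -3, 4, -1, 3, -2, 1]
    beacon = [(60.0 * i + jitter[i % len(jitter)], '10.0.0.23', '203.0.113.50', 443)
              for i in range(20)]
    gaps = [3, 120, 7, 900, 15, 2, 300, 45, 8, 600, 30]
    t, browsing = 0.0, []
    for g in gaps:
        t += g
        browsing.append((t, '10.0.0.24', '198.51.100.80', 443))
    return beacon + browsing


if __name__ == "__main__":
    for channel, (events, mean_gap, cv) in find_beacons(sample_log()).items():
        print(f"{channel}: {events} connections, every {mean_gap:.1f}s, cv={cv:.3f}")
```

Real implants add deliberate jitter to defeat exactly this test, so the cv threshold is a tuning knob rather than a constant, and a channel that stays on the list for days is more telling than a single window; the example is the starting point, not the whole detection.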
Enterprise Security Monitoring
Enterprise Security Monitoring extends network monitoring with endpoint telemetry
OSSEC
Firewalls and NSMs cannot access encrypted traffic
Malware is commonly sent in an encrypted state to bypass IDS detection, but cannot activate in the encrypted state
ESM uses OSSEC, a host-based IDS, to provide visibility at the host level, where malware is decrypted and executes
Endpoint telemetry is host-based monitoring of system data
OSSEC agents are deployed to hosts to collect log data (syslog and application logs) and host events
Three other tools are used to store, search, and analyze the collected data:
- Elasticsearch: RESTful search and analytics engine that indexes the large volumes of events seen in network and host data
- Logstash: Data processing pipeline that ingests data from many sources at once, transforms it, and ships it to a destination such as Elasticsearch
- Kibana: Visualization interface for the data held in Elasticsearch
Flow of Data:
- An OSSEC agent on a host generates an alert
- The agent sends the alert data gathered from syslog to the OSSEC server
- The OSSEC server's syslog output is forwarded to Logstash for parsing
- Parsed log data is indexed into the Elasticsearch analytics engine
- Users interact with the data through Kibana
Squert
To change the date range, click the date range shown at the top of the page
To view alerts listed by frequency, select the Queue column
Select the red number to view the Snort Rule. Select it again to list the alerts
The Views tab displays traffic as it flows between a source and destination IP
Thicker bands indicate higher volumes of traffic
The Summary tab shows an overview of the alerts
Kibana
To search for an IP Address in Kibana from Sguil, right click the alert and select Kibana > SrcIP
To change the data range, select the time range at the top right of the window
The Magnifying Icon will add the item as a filter
+: Include only
-: Exclude
Threat Intelligence
Computer Incident Response Teams (CIRT) are responsible for producing threat intelligence cards, which document the TTPs (tactics, techniques, and procedures) attackers used to infiltrate a network
Threat intelligence cards are shared among the cyber defense community, allowing organizations to benefit from lessons learned by others
The triad of actors, capability, and intent informs decision making, enhanced network defense operations, and effective tactical assessments