Lab-05-Manual

Lecture 5: Windows Firewall
CyberPatriot Lab Manual
Table of Contents
Introduction to Firewalls
Why Firewalls?
Location of Firewalls
Using a Demilitarized Zone (DMZ)
Types of Firewalls
Packet Filtering [2]
Stateful Inspection Filtering Example [4]
Application & Proxy
Unified Threat Management (UTM) and Next-generation Firewalls (NGFWs)
Network Location Awareness
Public Network
Private Network
Domain Network
Turning Windows Firewall On and Off:
Allowing Programs:
Introduction to Windows Firewall with Advanced Security:
Configuring the Action Center
Using Windows Defender
Configuring Windows Defender
References
Introduction to Firewalls
Firewalls can be implemented in hardware, software or both. For example, ASIC¹ chips found in TCP/IP
routers and layer 3 switches implement hardware firewalls. Hardware firewalls are typically high in cost,
difficult to configure and tricky to upgrade. While lower-cost hardware firewalls can be found in home
routers, software firewalls remain cheaper and more robust to operate.
¹ An Application Specific Integrated Circuit (ASIC) is a very fast integrated circuit customized for a specific use
rather than general-purpose circuitry like a microprocessor. ASIC sizes can range from thousands to millions of logic gates.
In ASIC-based firewalls the ASIC takes care of real-time packet filtering while the CPU takes care of various
configuration, data collection and user interface tasks. [6]
Firewalls protect a network by identifying and removing unwanted network traffic that passes through it.
Firewalls are bidirectional in that they can prevent unwanted traffic from either entering or leaving the
network. These are called inbound and outbound rules respectively.
Further, some firewalls support connection-specific rules. These rules are applied to specific types of
connections. This allows you to enable specific TCP² or UDP³ ports. Windows offers this functionality
through Windows Firewall with Advanced Security (WFAS). [1]
Why Firewalls?
When most people think of hackers, they think of someone sitting at a computer attempting to steal
information from a computer system. However, this represents a very small portion of the total network
attacks. [2] In fact, the majority of network attacks are the result of automated software called worms
and viruses. They are opportunistic in nature (preferring systems that lack security or have easily
exploitable vulnerabilities) and find targets at random. If a worm or virus does not find a security
vulnerability on a system, it will instead look for other systems to attack and spread to. In this case you
would become one of the “bad guys.” A firewall is a tool that can be used to reduce the chances of
infection and hinder the ability of a virus or worm to spread.
Location of Firewalls
In a typical corporate network architecture, firewalls are located at the border, perimeter and internal
networks.
1. The perimeter firewall sits between the internet and the DMZ of a corporate network. It
provides the initial layer of protection. These firewalls are typically high performance and
provide basic packet filtering.
2. The internal firewall provides protection between the internet-facing services of a corporate
network, such as email and web servers, and the internal network. This firewall provides deep
filtering of packets, prevents information from leaking and can provide proxy services.
Typical Properties of Internal Firewalls
1. Management and control of network traffic using stateful packet inspection. This firewall
recognizes connections between clients and servers.
2. Provision of additional services such as caching, single sign-on, authenticated and encrypted
communications (IPSec) and NAT. An example is the Microsoft Internet Security and
Acceleration (ISA) server.
² TCP or Transmission Control Protocol [5] is a core protocol of IP which provides reliable, in-order and
error-checked delivery of a data stream. TCP exists in the Transport (5th) Layer of the OSI model.
³ UDP or User Datagram Protocol is a core protocol of IP which provides simple port-specific communication. UDP
provides no guarantee on the in-order delivery of packets. UDP does support trivial checksums. UDP, like TCP,
exists in the Transport (5th) Layer of the OSI model.
3. The host, local or personal firewall provides an added layer of filtering at the PC level and is
managed by an administrator or user. Because the other firewalls cannot provide protection for
traffic generated inside a trusted network, these firewalls prevent unauthorized access and
offer deep integration with host OS services and applications.
Using a Demilitarized Zone (DMZ)
Figure 1 - Example of a Network Architecture with a DMZ
Many organizations use their Internet connection to expose services to the public internet. In the DMZ
the network may be under your control, but that network is outside your heaviest security. HTTP, DNS,
FTP, SMTP and POP servers are all examples of network devices found in this area. This network should
be like an island and not a stepping stone. [3] It should not be connected in any way to the organization's
internal network and should not give information that could help hackers compromise other parts of the
network. In some cases the DMZ will contain a honeypot server. This is used by security analysts to
watch and learn from attackers. Honeypots can provide invaluable information to strengthen the
organization's internal network against future attack.
The standard way of creating a DMZ is to place servers that provide services between two firewalls.
However, one firewall can also create this effect given the ability to do deep inspection. The firewall
should also be stateful. The reason for this is that connections originating from a server in the DMZ to
the internal network should be forbidden, while connections originating from the internal network are allowed.
For example, an email server should not have any reason to initiate communication with a server or
computer in the private network. But an employee’s PC in the internal network would be able to check
email.
Types of Firewalls
Packet Filtering [2]
Figure 2 - Example of an IP Packet. Packet filtering looks at the IP Header and TCP/UDP Header
Packet-filtering (or network layer) firewalls validate packets based on protocol, source and destination
address and port, time range, type of service (ToS) and other parameters found in the IP header. These
firewalls are configured using Access Control Lists (ACLs) saved on the router or switch. ACLs are
validated in the order they are defined. A rule will make a decision to either drop or accept a packet.
Typically a firewall will drop a packet when no rule matches. This is known as whitelisting; the opposite,
where the packet is accepted if and only if no rule matches, is called blacklisting.
The primary advantage of packet-filtering firewalls is their ubiquity across network devices. The software
can be implemented in relatively cheap hardware. Everything from the smallest home routers to enterprise
appliances has this functionality built in. These firewalls typically come in stateless or stateful modes of
operation. Stateless⁴ mode requires less memory and has faster but simpler filtering capabilities. In stateful
mode the firewall maintains active sessions and uses this information to speed up packet processing.
Stateful firewalls can make complex decisions based on any stage of the connection.
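The ordered, first-match ACL with a default drop, and the stateful DMZ behaviour described earlier (internal hosts may open connections to DMZ servers, DMZ servers may not open connections inward), can be modelled directly. The following PowerShell is an added example, not part of the original manual; the zone names, addresses, ports and rule names are constructed for illustration.

```powershell
# Added example: ordered ACL with a default drop, in front of a session table.
# Zones, addresses, ports and rule names are constructed for illustration.

# Rules are checked top to bottom; the first match decides (Port 0 = any port).
$Acl = @(
    @{ Name = 'internal-to-pop3'; From = 'internal'; To = 'dmz';      Proto = 'tcp'; Port = 110; Action = 'accept' },
    @{ Name = 'internet-to-web';  From = 'internet'; To = 'dmz';      Proto = 'tcp'; Port = 80;  Action = 'accept' },
    @{ Name = 'dmz-to-internal';  From = 'dmz';      To = 'internal'; Proto = 'any'; Port = 0;   Action = 'drop'   }
)

function Get-FlowKey {
    param($Proto, $SrcIp, $SrcPort, $DstIp, $DstPort)
    '{0}|{1}:{2}>{3}:{4}' -f $Proto, $SrcIp, $SrcPort, $DstIp, $DstPort
}

function Test-Packet {
    param([hashtable]$Packet, [object[]]$Rules, [hashtable]$Sessions)

    $forward = Get-FlowKey $Packet.Proto $Packet.SrcIp $Packet.SrcPort $Packet.DstIp $Packet.DstPort
    $reverse = Get-FlowKey $Packet.Proto $Packet.DstIp $Packet.DstPort $Packet.SrcIp $Packet.SrcPort

    # Stateful shortcut: traffic in either direction of a session that was
    # already accepted is allowed without consulting the ACL again.
    if ($Sessions.ContainsKey($forward) -or $Sessions.ContainsKey($reverse)) {
        return 'accept (established session)'
    }

    foreach ($rule in $Rules) {
        $zoneOk  = ($rule.From -eq $Packet.SrcZone) -and ($rule.To -eq $Packet.DstZone)
        $protoOk = ($rule.Proto -eq 'any') -or ($rule.Proto -eq $Packet.Proto)
        $portOk  = ($rule.Port -eq 0) -or ($rule.Port -eq $Packet.DstPort)
        if ($zoneOk -and $protoOk -and $portOk) {
            # Remember accepted flows so that replies can be matched later.
            if ($rule.Action -eq 'accept') { $Sessions[$forward] = $rule.Name }
            return "$($rule.Action) (rule $($rule.Name))"
        }
    }
    # Whitelisting: a packet that matches no rule is dropped.
    return 'drop (no rule matched)'
}

# Constructed traffic: a PC checks mail, the server replies, the mail server
# tries to open its own connection inward, and an internet host probes a PC.
$Packets = @(
    @{ Note = 'PC -> mail server (new)';   SrcZone = 'internal'; SrcIp = '10.0.0.15';     SrcPort = 50000
       DstZone = 'dmz';      DstIp = '198.51.100.10'; DstPort = 110;   Proto = 'tcp' },
    @{ Note = 'mail server -> PC (reply)'; SrcZone = 'dmz';      SrcIp = '198.51.100.10'; SrcPort = 110
       DstZone = 'internal'; DstIp = '10.0.0.15';     DstPort = 50000; Proto = 'tcp' },
    @{ Note = 'mail server -> PC (new)';   SrcZone = 'dmz';      SrcIp = '198.51.100.10'; SrcPort = 40000
       DstZone = 'internal'; DstIp = '10.0.0.20';     DstPort = 445;   Proto = 'tcp' },
    @{ Note = 'internet -> PC (new)';      SrcZone = 'internet'; SrcIp = '203.0.113.7';   SrcPort = 51000
       DstZone = 'internal'; DstIp = '10.0.0.15';     DstPort = 3389;  Proto = 'tcp' }
)

$Sessions = @{}
foreach ($p in $Packets) {
    # The stateless verdict uses a fresh, empty session table for every packet.
    $stateless = Test-Packet -Packet $p -Rules $Acl -Sessions @{}
    $stateful  = Test-Packet -Packet $p -Rules $Acl -Sessions $Sessions
    '{0,-27} stateful: {1,-31} stateless: {2}' -f $p.Note, $stateful, $stateless
}
```

The reply from the mail server is the interesting row: the stateful evaluation accepts it as part of the session the PC opened, while the stateless evaluation falls through to the dmz-to-internal drop rule.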
Stateful Inspection Filtering Example [4]
Consider the example of stateful inspection filtering through an ISA server below. An internet client
connects to the ISA server, which it believes is the web server. However, as we will see, this is not the case.
⁴ Stateless packet filtering firewalls are especially useful for network protocols that have no concept of a session. A
combination of both stateless and stateful firewalls at different levels of the network architecture increases
throughput and resilience to attack.
Figure 3 - Here we see the communication between a client and server.
1. The Internet client initiates an HTTP request to the Web server.
2. The ISA server receives the request and modifies the source to itself and sets the destination to
the real IP address of the internal web server. The source port number is changed to allow the
ISA server to track this conversation.
3. The ISA server can now track, filter, and inspect the conversation based on an ACL.
The disadvantage of packet filtering lies in the use of ACLs. ACLs are static, and packet filtering has no
visibility into the data portion of the IP packet. Further, if communication is done through AH or ESP with
IPSec⁵, the packet cannot be filtered correctly as the true header of the packet has been encrypted.
While this type of firewall works in the lower levels of the TCP/IP stack, it is not well suited
for application-level filtering. Thus the need for application layer firewalls.
Application & Proxy
Application layer firewalls work at a higher level of the TCP/IP stack. Such firewalls are typically found on
the host machine. They are suited for the filtering of application-specific traffic, such as that of a web browser.
They are capable of intercepting all traffic between the application and the rest of the network stack.
Because application layer firewalls sit after any encryption mechanisms, these firewalls can perform
deep inspection of a packet, but at the cost of performance. These firewalls work on a per-process basis,
usually have a GUI prompt to define rules and are used in conjunction with a packet filter.
⁵ The IPSec Authentication Header (AH) provides integrity authentication services. It can be used to verify
messages and does not encrypt the header or datagram part of the packet. The IPSec ESP Header provides both
integrity checking and encryption of the header and datagram part of the packet. While ESP can be configured to
only do integrity checking, there is no way for a firewall to know if an ESP packet is in integrity-only mode. Thus it
cannot inspect ESP packets because the data it reads may be garbled by encryption. [7]
A proxy is also a type of application firewall. Proxies act on behalf of the client. Typically they are used to
inspect and prevent malicious web traffic. The proxy establishes a session with the outside network, then
establishes a session with the PC inside the network. This is unique in that the proxy firewall can
establish a secure connection with the outside server, decrypt and inspect packets, then encrypt again
(or pass unencrypted) to the PC inside the network.
A reverse proxy functions the same as a firewall, but it is used to protect servers, not clients. An
example of this is a load balancing device in a network. A reverse proxy handles connection establishment
and sessions on behalf of a server for multiple clients. This can go as far as to mitigate against DDoS and
prevent malicious clients from communicating with important servers. A common technique used in
reverse proxies is blacklisting, whereby malicious IPs are added to a list and instantly blocked.
Proxies can make tampering with an internal system from an external network more difficult. Further, a
misuse of an internal system would not necessarily create a security breach. The most useful case of a
proxy is Network Address Translation (NAT) functionality. This translates private address ranges to
public address ranges. Further, it allows networks to obscure the number of attached devices within
that network.
Unified Threat Management (UTM) and Next-generation Firewalls (NGFWs)
These are enterprise appliances that combine stateful packet inspection, antivirus and an intrusion
prevention system (IPS) all in one. Due to the increasing capability and presence of malware the next
generation of firewalls are designed to use machine learning to classify and identify potentially malicious
traffic. As they inspect network communications they become smarter at identifying and eliminating bad
traffic going as far as to learn from attackers by the use of honeypots.
Network Location Awareness
Windows 7 supports network location awareness, which enables network-interacting programs to
change their behavior based on how the computer is connected to the network. In the case of Windows
Firewall with Advanced Security, you can create rules that apply only when the profile associated with a
specific network location type is active on your computer.
Public Network
By default, the public network location type is assigned to any new networks when they are first
connected. A public network is considered to be shared with the world, with no protection between the
local computer and any other computer. Therefore, the firewall rules associated with the public profile
are the most restrictive.
Private Network
The private network location type can be manually selected by a local administrator for a connection to
a network that is not directly accessible by the public. This connection can be to a home or office
network that is isolated from publicly accessible networks by using a firewall device or a device that
performs network address translation (NAT). Wireless networks assigned the private network location
type should be protected by using an encryption protocol such as Wi-Fi Protected Access (WPA) or
WPAv2. A network is never automatically assigned the private network location type; it must be
assigned by the administrator. Windows remembers the network, and the next time that you connect to
it, Windows automatically assigns the network the private network location type again. Because of the
higher level of protection and isolation from the Internet, private profile firewall rules typically allow
more network activity than the public profile rule set.
Domain Network
Figure 4 - Here we see a Windows 7 machine connected to a corporate domain.
The domain network location type is detected when the local computer is a member of an Active
Directory domain, and the local computer can authenticate to a domain controller for that domain
through one of its network connections. An administrator cannot manually assign this network location
type. Because of the higher level of security and isolation from the Internet, domain profile firewall rules
typically permit more network activity than either the private or public profile rule sets. On a computer
that is running Windows 7, if a domain controller is detected on any network adapter, then the Domain
network location type is assigned to that network adapter.
Turning Windows Firewall On and Off:
To turn Windows Firewall on or off, simply open the Windows Firewall control panel and click Turn Windows firewall on
or off. The Change notification settings link brings up the same screen as shown below:
Not only can you turn the firewall on and off for each network location, you can also block all programs, and set
notification when a program is blocked. One of the few reasons you would ever want to turn this off is if you had
another firewall program that you want to use instead.
Allowing Programs:
Traditionally with firewalls, you can open or close a protocol port so that you can allow or block communication
through the firewall. With Windows Firewall included in Windows 7, you specify which programs or features you want
to communicate through the firewall. The most common options are available by clicking the Allow a program or
feature through Windows Firewall option on the left pane of the Windows Firewall control panel. Only users that are
members of the local Administrators group, or who have been delegated the appropriate privileges are able to modify
Windows Firewall settings. If you need to open a port instead of specifying a program, you have to use the Windows
Firewall with Advanced Security which is discussed later in this tutorial.
If a program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the
Add A Program dialog box. If the program that you want to create a rule for is not listed, click Browse to add it. Click the
Network Location Types button to specify the network profiles in which the rule should be active.
If a program is blocked, the first time you try to run it you are notified by the firewall, allowing you to configure an
exception that allows traffic from this program in the future. If an exception is not configured at this time, you will need
to use the steps above to allow traffic through.
Introduction to Windows Firewall with Advanced Security:
Windows Firewall with Advanced Security is designed for advanced users and IT professionals, and offers more
powerful configuration options than the standard Windows Firewall. You can now configure Inbound and Outbound
Rules, Block or Allow incoming or outgoing connections based off Protocols and Ports and/or Programs and Services,
and configure IPSec. The Inbound and Outbound Rules can be enforced on predefined profiles, Public, Private, Domain
or all Profiles. WFAS becomes handy in instances where you need to enable a rule that allows traffic for a specific
service while connected to one network profile, but not on another. For example, you can allow FTP traffic for the
Domain (Work) Profile but not for the Public Profile. This would mean that computers at your work place can connect
to your computer hosting an FTP service, whereas such traffic is blocked when you’re connected to another network.
The default Inbound rule setting is to block all connections that do not have rules (exceptions) that allow the
connection unless the incoming request is a response from the client. The default Outbound rule is to allow all
outbound connections unless you have explicitly blocked an outbound connection.
To access the Windows Firewall with Advanced Security snap-in, open the Network and Sharing Center and click on
Advanced Settings in the left pane. Or, you can type Windows Firewall with Advanced Security into the Search
Programs And Files box in the Start menu. You must be a member of the administrators group.
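The per-profile on/off state and the default inbound action described above can be checked from the command line by parsing the output of netsh advfirewall show allprofiles. The following PowerShell is an added example, not part of the original manual; the sample output is constructed, and the parser assumes the English-language field labels that netsh prints.

```powershell
# Added example: flag firewall profiles that are off or that do not block
# inbound connections by default. The sample text is constructed; it mimics
# the layout of "netsh advfirewall show allprofiles" on an English system.
$SampleOutput = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
'@

function Get-FirewallProfileFinding {
    param([string[]]$Lines)

    $current = $null      # profile section currently being read
    $state   = @{}        # profile name -> ON / OFF
    $policy  = @{}        # profile name -> inbound,outbound default policy

    foreach ($line in $Lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $Matches[1]
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^State\s+(\S+)')           { $state[$current]  = $Matches[1] }
        if ($line -match '^Firewall Policy\s+(\S+)') { $policy[$current] = $Matches[1] }
    }

    foreach ($name in 'Domain', 'Private', 'Public') {
        $issues = @()
        # A missing value is treated as a finding, not as a pass.
        if ($state[$name] -ne 'ON') {
            $issues += 'firewall is not ON'
        }
        if ($policy[$name] -notmatch '^BlockInbound') {
            $issues += 'default inbound action is not Block'
        }
        New-Object PSObject -Property @{
            Profile = $name
            State   = $state[$name]
            Policy  = $policy[$name]
            Finding = $(if ($issues.Count) { $issues -join '; ' } else { 'OK' })
        } | Select-Object Profile, State, Policy, Finding
    }
}

# Offline run against the constructed sample:
Get-FirewallProfileFinding -Lines ($SampleOutput -split '\r?\n') | Format-Table -AutoSize

# Live run on the local machine:
# Get-FirewallProfileFinding -Lines (netsh advfirewall show allprofiles) | Format-Table -AutoSize
```

Against the sample, the Domain profile reports OK, the Private profile is flagged for its inbound default, and the Public profile is flagged for being off.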
Creating Rules:
To create an inbound or outbound rule, follow these steps:
First click on Inbound Rules or Outbound Rules in the left pane depending on which type of rule you are trying to create.
In this case, we selected Inbound Rules.
Click on the Action menu and select New Rule.
This brings up the New Inbound Rules Wizard. In this window you can define a rule based on a program, a port, a
predefined service or feature, or multiple parameters (custom rule). The program and predefined rules are the same as
those found in the standard Windows Firewall. The custom rule allows you to configure a rule based on more than one
option, for example, a rule that involves a specific program and ports.
What happens from here depends on the type of rule you are going to create and we suggest that you familiarize
yourself with all of them. In this case, we are going to create a custom rule.
Here you can apply the rule to all programs, a specific program that you browse to, or a service. We're going to apply ours to a
specific program by clicking Browse and selecting a program.
Here we can apply the rule to specific protocols and ports. We selected a TCP port.
Next we define the scope of the rule. We have the option to configure local and remote addresses. The local IP address
is used by the local computer to determine if the rule applies. The rule only applies to network traffic that goes through
a network adapter that is configured to use one of the specified addresses. Specify the remote IP addresses to which
the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.
Next, we can allow the connection, allow the connection if it is secure, or block the connection.
Now we choose which network locations the rule will apply to.
In the final step, we enter a name and description for the rule and click Finish.
The above instructions demonstrate only one of the possible types of rules you can create, and the dialogue boxes will
vary depending on the type of rule and selections you make.
In addition to inbound and outbound rules, you can also configure Connection Security Rules. For more information
about this, read Understanding Connection Security Rules.
Import and Export:
WFAS allows you to import and export the current firewall configuration for the purpose of easy configuration on
stand-alone computers. To roll out the firewall configuration on a company network, it is better to use group policy.
The import and export feature also essentially enables you to make a backup copy of your configuration before you
make changes to it. Exported policy files are binary with a .wfw extension.
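The custom-rule wizard steps under Creating Rules and the backup advice under Import and Export can be combined on the command line with netsh advfirewall. The following PowerShell is an added example, not part of the original manual; the rule name, program path, port, remote subnet, profile selection and backup location are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Every value below is an assumption made for this example.
$RuleName   = 'Lab05-Allow-ExampleApp-TCP8080'
$Program    = 'C:\LabApps\exampleapp.exe'
$LocalPort  = 8080
$RemoteIp   = '192.168.10.0/24'
$Profiles   = 'domain,private'
$BackupFile = Join-Path $env:TEMP ('wfas-before-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))

function Invoke-Netsh {
    # Runs netsh with the given arguments and stops on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    return $output
}

# 1. Export the current policy first (binary .wfw file) so there is a known-good copy.
Invoke-Netsh @('advfirewall', 'export', $BackupFile) | Out-Null
"Backup of the current policy written to $BackupFile"

# 2. netsh will happily add a second rule with the same name, so check first.
& netsh.exe advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "A rule named $RuleName already exists; remove or rename it before adding another."
}

try {
    # 3. One argument per wizard page of the custom inbound rule.
    Invoke-Netsh @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$RuleName",           # Name page
        'description=Lab 5 example: inbound TCP 8080 for one program from the lab subnet',
        'dir=in',                   # Inbound Rules node
        "program=$Program",         # Program page
        'protocol=TCP',             # Protocol and Ports page
        "localport=$LocalPort",
        "remoteip=$RemoteIp",       # Scope page
        'action=allow',             # Action page
        "profile=$Profiles",        # Profile page (network location types)
        'enable=yes'
    ) | Out-Null

    # 4. Read the rule back and confirm it is what was intended.
    Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', "name=$RuleName", 'verbose')
}
catch {
    # 5. If the rule could not be added or read back, restore the exported policy.
    Write-Warning "Rule creation failed ($_); restoring the exported policy."
    Invoke-Netsh @('advfirewall', 'import', $BackupFile) | Out-Null
    throw
}
```

Importing a .wfw file replaces the whole local policy with the exported one, so the restore step also discards any other change made since the export.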
Configuring the Action Center
These days, having a firewall just isn’t enough. Spyware and viruses are becoming more widespread,
more sophisticated, and more dangerous. Users can unintentionally pick up spyware and viruses by
visiting websites, or by installing an application in which spyware and viruses are bundled.
Even worse, malicious software cannot typically be uninstalled. Thus, antispyware and virus
protection applications are also required to ensure that your computer remains protected. Let’s
take a look at some of the ways you can protect your Windows 7 computers using the Action Center.
Using Windows Defender
Windows 7 comes with an antispyware application called Windows Defender. Windows Defender
offers real-time protection from spyware and other unwanted software. You can also configure
Windows Defender to scan for spyware on a regular basis.
Like antivirus programs, Windows Defender relies on definitions, which are used to determine
whether a file contains spyware. Out-of-date definitions can cause Windows Defender to fail to
detect some spyware. Windows Update is used to regularly update the definitions used by Windows
Defender so that the latest spyware can be detected. You can also configure Windows Defender to
manually check for updates using Windows Update.
To access Windows Defender, as shown in Figure 9.20, click Start > Control Panel > Large Icons View,
Action Center, Windows Defender. Status appears at the bottom of the screen, which includes time
of the last scan, the scan schedule, the real-time protection status, and the definition version.
Let’s look at how we can scan the system for spyware using Windows Defender.
Performing a Manual Scan
You can configure Windows Defender to perform a manual scan of your computer at any time. You can
perform the following three types of scans:
• Quick Scan checks only where spyware is most likely to be found.
• Full Scan checks all memory, running processes, and folders.
• Custom Scan checks only the drives and folders that you select.
By default, Windows Defender performs a Quick Scan daily at 2 a.m. You can change this setting by using
the Tools menu option, as shown below.
Programs are classified into four spyware alert levels, as shown above:
• Severe
• High
• Medium
• Low
Depending on the alert level, you can choose to have Windows Defender ignore, quarantine, remove,
or always allow software.
Spyware alert levels
In the next section, you will learn how to configure the many options of Windows Defender.
Configuring Windows Defender
Use the Tools and Settings menu to configure Windows Defender. As shown in Figure 9.23, you can
access the following items through this menu:
• Options
• Microsoft SpyNet
• Quarantined Items
• Allowed Items
• Windows Defender Website
• Microsoft Malware Protection Center
Let’s look at each one of these Windows Defender options in greater detail.
Options - Click Options on the Tools and Settings menu to enable you to configure the default
behavior of Windows Defender. You can configure the following options:
Automatic Scanning - You can configure Windows Defender to scan automatically, how often
automatic scans should occur, the time that scans will occur, and the type of scan to perform.
You can also configure whether definitions should be updated before scanning, and whether the default
actions should be taken on any spyware that is found.
Default Actions - You can configure the actions Windows Defender should take on High, Medium, and Low Alert
items. You can set each level so that Windows Defender can take the default action for that level, always
remove the item, or always ignore the item.
Real-Time Protection - You can configure whether real-time protection is enabled, which security agents you
want to run, how you should be notified about threats, and whether a Windows Defender icon is displayed in
the notification area.
Excluded Files And Folders - You can set up files and folders that are to be excluded during a scan.
Excluded File Types - You can specify certain file types that will be excluded from a scan, as shown in Figure
9.24. For example, you can exclude all .doc files if needed.
Advanced - These options let you configure whether:
• Archived files and folders are scanned.
• Email is scanned.
• Removable drives are scanned.
• Heuristics are used to detect unanalyzed software.
• A restore point is created before removing spyware.
You can also specify file locations that are exempt from scanning.
Windows Defender Tools and Settings menu
Administrator - These options let you configure whether Windows Defender is enabled, and whether you
display items from all users on this computer.
Excluded File Types
The next option that we look at from the Windows Defender Tools menu is Microsoft SpyNet.
Microsoft SpyNet
Microsoft SpyNet is an online community that can help you know how others respond to software that has not
yet been classified by Microsoft. Participation in SpyNet is voluntary, as shown in Figure 9.25, and subscription
to SpyNet is free. If you choose to volunteer, your choices will be added to the community so that others can
learn from your experiences.
To join the SpyNet community, click Microsoft SpyNet on the Tools menu, and then choose either a basic or
advanced membership. The level of membership will specify how much information is sent to Microsoft when
potentially unwanted software is found on your computer.
By default, I Do Not Want To join Microsoft SpyNet At This Time is selected, but you can choose to participate
in SpyNet by selecting the appropriate radio button. If you choose not to participate, no information is sent to
Microsoft, and Windows Defender does not alert you regarding unanalyzed software.
Quarantined Items
Software that has been quarantined by Windows Defender is placed in Quarantined Items. Quarantined
software will remain here until you remove it. If you find that a legitimate application is accidentally removed
by Windows Defender, you can restore the application from Quarantined Items.
Microsoft SpyNet participation options
Allowed Items
Software that has been marked as allowed is added to the Allowed Items list. Only trusted software should
be added to this list. Windows Defender will not alert you regarding any software found on the Allowed Items
list. If you find that a potentially dangerous application has been added to the Allowed Items list, you can
remove it from the list so that Windows Defender can detect it.
Windows Defender Website
Clicking Windows Defender Website opens Internet Explorer and takes you to the Windows Defender website.
Here you can find information on Windows Defender, spyware, and security.
Microsoft Malware Protection Center
Clicking Microsoft Malware Protection Center opens Internet Explorer and takes you to the Malware
Protection Center website. Here, you can find information on antimalware research and responses.
History Menu Option
There is also a History menu option next to the tools option. You can use the History menu option to see what
actions have been taken by Windows Defender. Information is included about each application, the alert level,
the action taken, the date, and the status. Information is retained until you click the Clear History button.
References
[1] Microsoft Corporation, "Configuring Firewall Rules for Specific Connections," 28 March 2005.
[Online]. Available: https://technet.microsoft.com/en-us/library/cc787015%28v=ws.10%29.aspx.
[2] R. Blair and A. Durai, "Types of Firewalls," Network World, 21 May 2009. [Online]. Available:
http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html.
[Accessed 10 October 2015].
[3] Firewalls CX, "Firewall DMZ Zone," 5 April 2012. [Online]. Available:
http://www.firewall.cx/networking-topics/firewalls/210-firewall-dmz-zone.html. [Accessed 12
October 2015].
[4] T. Northrup, "Network Security: Firewalls," Microsoft TechNet, 10 October 2015. [Online]. Available:
https://technet.microsoft.com/en-us/library/cc700820.aspx#XSLTsection125121120120. [Accessed
11 October 2015].
[5] V. Cerf, Y. Dalal and C. Sunshine, "Specification of the Internet Transmission Control Program,"
Network Working Group, vol. 1, no. 1, p. 70, 1974.
[6] o2 Micro, Inc., "Firewall For The Next Generation," SifoWorks, Santa Clara, 2015.
[7] The TCP/IP Guide, "IPSec Encapsulating Security Payload (ESP)," The TCP/IP Guide, 20 September
2005. [Online]. Available:
http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP.htm. [Accessed 10
October 2015].