
ACL

ACL (access control list): a policy that is applied once per interface per direction
Policy: a container for ACEs (access control entries; each ACE is one rule)
ACE 1
ACE 2
ACE 3
Deny any any → implicit rule at the end of every list → even if the list is empty it's still applied
→ the list is evaluated from top to bottom and stops at the first match
Interfaces have two directions: ingress (inbound) and egress (outbound)
Standard Access List: applies rules using the source IP address only
apply the rules as close to the destination as possible → because the only thing it can filter on
is the source IP address
if it were applied near the source: an IP address denied on one interface could still go out
through any other interface
If you want to allow a network and deny only one IP → deny the IP first, then allow the network
(order matters because the first match wins)
In networks always work with whitelists
Extended Access List: Action (permit / deny) / Protocol (ip / tcp / udp / icmp etc.) / Source IP /
Source Port / Destination IP / Destination Port / Keyword
applied as close to the source as possible
any field not specified in a rule → matches any
Keyword: log → outputs a log entry every time the rule matches
time → the rule is applied only during a specific time range
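An added example (not from these notes) that models the first-match evaluation and the implicit deny described above in Python; the ACE fields, the addresses and the two rule lists are constructed for illustration, and the "wrong order" list shows why the single deny has to come before the network permit:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    """One access control entry. A standard ACL uses only src; an extended ACL
    also matches protocol, destination and port. 'any' matches everything."""
    action: str                  # "permit" or "deny"
    src: str = "any"             # source network in CIDR form, or "any"
    dst: str = "any"             # destination network in CIDR form, or "any"
    proto: str = "ip"            # "ip" matches every protocol (tcp, udp, icmp, ...)
    dport: Optional[int] = None  # None: any destination port (a field not specified = any)

    def matches(self, pkt: dict) -> bool:
        def in_net(cidr: str, addr: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.proto in ("ip", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(acl: list, pkt: dict) -> str:
    """Top to bottom, first match wins. If nothing matches (including an
    empty list) the implicit 'deny any any' at the end applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed standard ACL: allow 10.0.0.0/24 except the single host 10.0.0.5.
CORRECT_ORDER = [ACE("deny", "10.0.0.5/32"), ACE("permit", "10.0.0.0/24")]
WRONG_ORDER = [ACE("permit", "10.0.0.0/24"), ACE("deny", "10.0.0.5/32")]  # deny is shadowed

def host_decision(acl: list, src: str) -> str:
    return evaluate(acl, {"src": src, "dst": "192.0.2.10", "proto": "tcp", "dport": 80})

# Constructed extended ACL for a DMZ web server: only HTTP/HTTPS, the rest hits the implicit deny.
DMZ_WEB = [ACE("permit", "any", "192.0.2.10/32", "tcp", 80),
           ACE("permit", "any", "192.0.2.10/32", "tcp", 443)]

def dmz_decision(proto: str, dport: Optional[int] = None) -> str:
    pkt = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": proto}
    if dport is not None:
        pkt["dport"] = dport
    return evaluate(DMZ_WEB, pkt)

if __name__ == "__main__":
    print(host_decision(CORRECT_ORDER, "10.0.0.5"))  # deny
    print(host_decision(WRONG_ORDER, "10.0.0.5"))    # permit: the deny is never reached
```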
Access Lists are stateless → if you only apply an access list to the outbound interface and wait for a
reply, it won't come back, because the return traffic is not allowed in
you have to apply an access list to the inbound interface as well
Reflexive Access List → stateful → remembers when a connection goes out and allows the reply
back into the network
Reflect → a keyword applied at the end of a rule → when traffic goes out it creates a new rule on the
inbound interface with the source and destination swapped, so that the reply can get back
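An added example (not from these notes) of the reflexive / stateful behaviour described above in Python: a permitted outbound flow installs a reflected inbound entry (source and destination swapped), unsolicited inbound traffic is denied, and the entry ages out after an idle timeout. The flow tuples, the outbound policy and the timeout value are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reflected(self) -> "Flow":
        # The 'reflect' keyword builds the return rule by swapping source and destination.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveFirewall:
    """Outbound traffic permitted by the outbound ACL installs a temporary inbound entry for
    its reply; inbound traffic is accepted only if such an entry exists and is not idle."""
    def __init__(self, outbound_permit, idle_timeout: float = 300):
        self.outbound_permit = outbound_permit  # callable(Flow) -> bool: the outbound ACL
        self.idle_timeout = idle_timeout
        self.state = {}                          # reflected Flow -> time of last packet

    def outbound(self, flow: Flow, now: float) -> bool:
        if not self.outbound_permit(flow):
            return False
        self.state[flow.reflected()] = now       # remember the session so the reply can return
        return True

    def inbound(self, flow: Flow, now: float) -> bool:
        last = self.state.get(flow)
        if last is None:
            return False                         # no matching session: implicit deny inbound
        if now - last > self.idle_timeout:
            del self.state[flow]                 # idle timeout exceeded: the session has ended
            return False
        self.state[flow] = now                   # refresh the idle timer
        return True

def scenario() -> dict:
    # Constructed outbound ACL: only TCP to port 443 may leave the network; 60 s idle timeout.
    fw = ReflexiveFirewall(lambda f: f.proto == "tcp" and f.dport == 443, idle_timeout=60)
    client = Flow("tcp", "10.0.0.7", 51000, "198.51.100.1", 443)
    return {
        "request_out": fw.outbound(client, now=0),                  # True: installs reflected entry
        "reply_in": fw.inbound(client.reflected(), now=5),          # True: matches the entry
        "unsolicited_in": fw.inbound(Flow("tcp", "198.51.100.1", 443, "10.0.0.7", 52000), now=5),
        "reply_after_idle": fw.inbound(client.reflected(), now=66), # False: 61 s idle > 60
    }
```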
Firewalls were made as an access control device
Security Zones: by default
anything in a higher security zone can talk to lower security zones, but not the opposite
Zone levels go from 0 to 100
Inside → 100
Outside → 0
DMZ (demilitarized zone) → 50
if an attacker gets into the DMZ → it can be isolated and the damage will be low
Web server → DMZ
Database → Inside → so if an attacker compromises the web server the database stays safe and isolated
Max number of zones: 99
ASA: Adaptive Security Appliance
a stateful firewall → remembers the sessions going in and out through the firewall
builds a state table → which records the outgoing sessions and waits for the reply
sets a timeout for the request → if the time is exceeded the firewall will deny the session
the issue: the timeout is only for session establishment (SYN/ACK) → no timeout is set per packet
→ can allow session hijacking
once a connection is established → an idle timeout applies → if no packets are moving → the
session ends
UDP is vulnerable to IP spoofing
Atomic attack: uses one packet; if an attacker sees that A sent a UDP packet to a bank, the
attacker knows that the firewall is open for that packet → the attacker hijacks the packet
→ from this the attacker can cause DoS, or act as the bank and steal user credentials
R&D → Research and Development
a team at firewall vendors; this team is responsible for coding the firewall and responding to the
latest incidents
Bastion Host?
Micro-segmentation → a network with VLANs where each VLAN performs one task and has its own firewall
Used with data center firewalls
Micro-segmentation was the solution for the WannaCry ransomware → if each department was
isolated and one department got ransomware, it wouldn't reach the other departments
Risk Assessment
Scalability → making your network expandable without affecting the network
Fault Tolerance: how you will tolerate a fault in the network
Jump server → a server used to authenticate first before accessing other switches on the
network
you can add 2FA before accessing the jump server
HSRP → Hot Standby Router Protocol
if gratuitous ARP is turned off and firewall A goes down, firewall B won't be able to announce its MAC
address to the devices
the time for Cisco devices to age out their ARP entries → 3 days
Firewall B will only be able to give its MAC address if someone does a clear ARP on the switch → it
will force all devices to request ARP again
Identifying a person
- Something you know → password
- Something you have → mobile; token; smart card
- Something you are → biometric → fingerprint; walking pattern; face; voice; iris; retina
Any 2 of those → 2FA
3 → MFA
Traceroute:
the tracing begins with TTL 1; at the next hop the router decrements the TTL to 0 and replies
the router that replies on TTL 0 → that router's IP is now known
the tracing continues with TTL 2; the second hop decrements the TTL to 0 and replies →
repeat the same steps until the destination IP is reached
FTP:
- Passive: if the server is working in passive mode you will send and receive requests on port 21
- Active: if the server is working in active mode you will send requests to port 21 and the server
replies from port 20 → causes a problem when getting the reply because 2 different ports are used
DPI: Deep Packet Inspection READ MORE
→ inspects the packet content and will open the port for the reply if the application uses 2
different ports, like FTP
Lab: Some applications allow only GET and no POST; change the type
RFC → a standard for protocols
for example, if a developer programs an application to use HELO and a server developer uses
HELLO, they won't be able to communicate with each other
the RFC standard exists so that all applications follow one standard for communication
when you buy a device it's better to make sure that it follows the RFC standards
→ Remember the scalability
Proxy: an intermediary between the user and the internet
→ Application Level Gateways → if you want to go to the internet → go to the proxy first → the
proxy forwards the request
- HTTP
- Email
Mail servers contain mailboxes
when sending mail to someone on another server:
DNS query → MX record for b.com → if you want to send email to b.com, send it to 1.1.1.1
A opens port 25 to B → connection established → A sends the email to B → the email is stored
in the mailbox on server B
SMTP Application Gateway:
→ with a proxy, instead of A sending the email to B → it sends the email to the proxy → if
the email is phishing or spam it gets dropped → if not, the proxy sends it to B's mailbox
Reverse Proxy:
HTTP:
HTTP Gateway / HTTP Proxy
the proxy is divided into 2 parts
Server / Client:
Client → [S/C] → Server
Content Filter: FILTERING REQUESTS
if a client sends a request → the proxy acts as the server → the proxy opens the
packet and inspects its content
→ if the request is allowed the proxy acts as a client and forwards the request to
the destination server
→ if the request is denied it gets dropped
Why would the request get denied?
- Contains malicious content
- Website restrictions using categories
→ no adult material
→ productivity → block Facebook / YouTube; limit the allowed bandwidth (like max 100mb); allow
and block certain users → for example allowing the marketing department to use Facebook but not
other users
→ bandwidth intensive → like watching HD movies / YouTube
→ security related
→ normal business → like allowing search engines
As a security analyst you only care about → no adult material / security related
Difference between proxy and firewall
Firewalls: filters headers
Proxy: filters content
If a lot of websites are unrecognized and uncategorized → it will lead to a lot of issues in the
company
Bypassing Content Filtering:
What if someone uses Google to search for adult material and goes to images?
Safe Search
→ will block adult material
Filter using parameters
TinyURL → put a blocked website into a TinyURL → it will pass the server side of the TinyURL
→ if it opens the blocked website directly it will get blocked by the client side of the proxy
→ if TinyURL works as a proxy it won't get blocked
Tunneling the traffic
Protocols used in tunneling: HTTP, DNS
→ Solution: block SSH in the firewall