ACL (access control list): a policy that is applied once per interface, per direction.
Policy: a container for ACEs (an ACE is one rule)
ACE 1
ACE 2
ACE 3
Deny any any → implicit rule → even if the list is empty it is still applied
→ the list works from top to bottom and stops at the first match
Interfaces have two directions: ingress and egress.

Standard Access List: applies rules using the source IP address only.
Apply the rules as close to the destination as possible → because the only thing you can match on is the source IP address; if the list were applied near the source and an IP address was denied on one interface, that traffic could still go out through any other interface.
If you want to allow a network and deny only one IP → deny the IP first, then allow the network (first match wins).
In networks always work with whitelists.

Extended Access List: Action (permit / deny) / Protocol (ip / tcp / udp / icmp etc.) / Source IP / Source Port / Destination IP / Destination Port / Keyword
Applied as close to the source as possible.
Any field not defined in a rule → any.
Keywords:
- log → outputs a log every time a match is found
- time → the rule applies for a specific time range only

Access Lists are stateless → if you only apply an access list to the outbound interface and wait for a reply, the reply won't come back because traffic is not allowed in; you have to apply an access list to the inbound interface as well.
Reflexive Access List → stateful → remembers when a connection goes out and allows the reply back into the network.
Reflect → applied at the end of a rule → creates a new rule on the inbound interface; it swaps source and destination when the traffic goes out so that the reply can get back in.

Firewalls were made as an access control device.
Security Zones:
By default anything in a higher security zone can talk to lower security zones, but not the opposite.
Zone levels are from 0 to 100:
- Inside → 100
- Outside → 0
- DMZ (demilitarized zone) → 50 → if an attacker gets into the DMZ it can be isolated and the damage will be low
Web server → DMZ
Database → Inside → so if an attacker gets the web server the
database will be safe and isolated.
Max number of zones: 99

ASA: Adaptive Security Appliance
A stateful firewall → remembers the sessions going in and out through the firewall.
Builds a state table → remembers the outgoing sessions and waits for the reply.
Sets a timeout for the request → if the time is exceeded the firewall will deny the session.
The issue: the timeout is only for session establishment (SYN/ACK) → no timeout is set for packets → can cause session hijacking.
If a connection is established → an idle timeout is set → if no packets are moving, the session is ended.
UDP is vulnerable to IP spoofing.
Atomic attack: using one packet; if an attacker sees that A sent a UDP packet to a bank, the attacker knows the firewall is open for that packet → the attacker hijacks the packet → from this attack the attacker can cause DoS, or act as the bank and steal user credentials.
R&D → Research and Development: a team at firewall vendors responsible for coding the firewall and responding to the latest incidents.
Bastion Host?
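Added example (not from the notes): a small first-match ACL evaluator showing the implicit "deny any any", the "deny the host first, then permit the network" ordering rule for standard lists, and an extended ACE with the log keyword. ACE, evaluate, standard_acl and the addresses are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # a field left undefined in an ACE means "any"

@dataclass
class ACE:
    """One rule of an extended ACL; fields left as ANY match everything."""
    action: str               # "permit" or "deny"
    proto: str = ANY          # ip / tcp / udp / icmp
    src: str = ANY            # CIDR or ANY
    sport: object = ANY
    dst: str = ANY
    dport: object = ANY
    log: bool = False         # the "log" keyword

    def matches(self, pkt):
        def in_net(net, addr):
            return net == ANY or ip_address(addr) in ip_network(net, strict=False)
        return (self.proto in (ANY, "ip", pkt["proto"])
                and in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.sport in (ANY, pkt.get("sport"))
                and self.dport in (ANY, pkt.get("dport")))

def evaluate(acl, pkt, logs=None):
    """Top to bottom, first match wins; falling off the end is the implicit deny."""
    for i, ace in enumerate(acl, 1):
        if ace.matches(pkt):
            if ace.log and logs is not None:
                logs.append(f"ACE {i} {ace.action} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
            return ace.action
    return "deny"   # implicit "deny any any", present even when the list is empty

def standard_acl(*rules):
    """Standard ACL: matches on source IP only. Takes (action, src_cidr) pairs."""
    return [ACE(action=a, src=s) for a, s in rules]

# Constructed packets: allow 10.0.0.0/24 but keep host 10.0.0.7 out.
host = {"proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.10", "sport": 40000, "dport": 443}
peer = {"proto": "tcp", "src": "10.0.0.8", "dst": "192.0.2.10", "sport": 40001, "dport": 443}
WRONG_ORDER = standard_acl(("permit", "10.0.0.0/24"), ("deny", "10.0.0.7/32"))
RIGHT_ORDER = standard_acl(("deny", "10.0.0.7/32"), ("permit", "10.0.0.0/24"))
# Extended ACE: only HTTPS from the LAN to the web server, logged on match.
WEB_ONLY = [ACE("permit", proto="tcp", src="10.0.0.0/24", dst="192.0.2.10", dport=443, log=True)]

if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, host))  # permit: the network rule shadows the host deny
    print(evaluate(RIGHT_ORDER, host))  # deny
```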
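Added example (not from the notes) covering both the reflexive ACL passage and the ASA state table above: outbound packets create state keyed on the 5-tuple, a reply is admitted only if it matches the reflected (source/destination swapped) tuple, and two timers apply, a handshake timeout while the reply is still awaited and an idle timeout once the session is established. StatefulFirewall, the timer values and the packets are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    key: tuple          # (proto, src, sport, dst, dport) of the outbound packet
    established: bool   # becomes True once the first reply is seen
    last_seen: float

class StatefulFirewall:
    """Remembers outbound-initiated sessions so their replies can come back in."""
    def __init__(self, handshake_timeout=30.0, idle_timeout=300.0):
        self.handshake_timeout = handshake_timeout  # session establishment (SYN/ACK) timer
        self.idle_timeout = idle_timeout            # applies after the session is established
        self.table = {}

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reflected(pkt):
        # the "reflect" rule: swap source and destination so the reply matches the entry
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _expire(self, now):
        for key, s in list(self.table.items()):
            limit = self.idle_timeout if s.established else self.handshake_timeout
            if now - s.last_seen > limit:
                del self.table[key]

    def outbound(self, pkt, now):
        """Inside → outside is permitted (higher security level talks to lower)."""
        self._expire(now)
        s = self.table.setdefault(self._key(pkt), Session(self._key(pkt), False, now))
        s.last_seen = now
        return "permit"

    def inbound(self, pkt, now):
        """Outside → inside is permitted only as the reply to a remembered session.
        Note: any packet carrying the reflected tuple matches, which is why the notes
        call UDP (no handshake) vulnerable to IP spoofing."""
        self._expire(now)
        s = self.table.get(self._reflected(pkt))
        if s is None:
            return "deny"      # no state: unsolicited, or the entry timed out
        s.established = True   # reply seen: handshake done, idle timer applies from here
        s.last_seen = now
        return "permit"

# Constructed packets: a LAN host talking HTTPS to an outside server, and the reply.
out_pkt = {"proto": "tcp", "src": "10.0.0.5", "sport": 50000, "dst": "198.51.100.9", "dport": 443}
reply = {"proto": "tcp", "src": "198.51.100.9", "sport": 443, "dst": "10.0.0.5", "dport": 50000}
```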
Micro segmentation → a network with VLANs, where each VLAN performs one task and has a firewall.
Used with data center firewalls.
Micro segmentation was the solution for the WannaCry ransomware → if each department was isolated and one department got the ransomware, it wouldn't reach the other departments.
Risk Assessment
Scalability → making your network expandable without affecting the network.
Fault Tolerance: how you will tolerate a fault in the network.
Jump server → a server used to authenticate first before accessing other switches on the network; you can add 2FA before accessing the jump server.
HSRP → Hot Standby Router Protocol
If gratuitous ARP is turned off and firewall A goes down, firewall B won't be able to send its MAC address to the devices; the downtime for Cisco devices to reset ARP → 3 days. Firewall B will only be able to give its MAC address if someone does a clear ARP on the switch → that forces all devices to request ARP again.
Identifying a person:
- Something you know → password
- Something you have → mobile; token; smart card
- Something you are → biometric → fingerprint; walking pattern; face; voice; iris; retina
Any 2 of those → 2FA; 3 → MFA
Traceroute: the tracing begins with TTL 1; when the packet reaches the next hop the TTL is decremented to 0 and that router replies → the router's IP is now known. The tracing continues with TTL 2; when it reaches the next hop the TTL reaches 0 and that router replies → repeat the same steps until it reaches the destination IP.
FTP:
- Passive: if the server is working in passive mode you will send and receive requests on port 21
- Active: if the server is working in active mode you will send requests to port 21 and the server replies from port 20 → causes a problem when getting the reply because 2 different ports are used
DPI: Deep Packet Inspection (READ MORE) → inspects the packet content and will open the port for the reply if the application uses 2 different ports, like FTP.
Lab: some applications allow only GET and no POST; change the type.
RFC → a standard for
protocols. For example, a developer programmed an application to use HELO and a server developer uses HELLO, so they won't be able to communicate with each other. The RFC standard is made so that all applications follow one standard for communication. When you buy a device it's better to make sure that it follows RFC standards → remember the scalability.

Proxy: a mediator between the user and the internet → Application Level Gateways → if you want to go to the internet → go to the proxy first → the proxy forwards the request.
- HTTP
- Email
Mail servers contain mailboxes. When sending a mail to someone on another server: DNS query → MX record for b.com → if you want to send email to b.com, send to 1.1.1.1. A opens port 25 to B → connection established → A sends the email to B → the email is stored in server B's mailbox.
SMTP Application Gateway: → with a proxy, instead of A sending the email to B → it sends the email to the proxy → if the email is phishing or spam it gets dropped → if not, the proxy sends it to B's mailbox.
Reverse Proxy:
HTTP: HTTP Gateway / HTTP Proxy
The proxy is divided into 2 parts, Server / Client: Client → [S/C] → Server
Content Filter: FILTERING REQUESTS
If a client sends a request → the proxy acts as a server → the proxy opens the packet and inspects its content → if the request is allowed the proxy acts as a client and forwards the request to the destination server → if the request is denied it gets dropped.
Why would the request get denied?
- Contains malicious content
- Website restrictions using categories:
  → no adult material
  → productivity → block facebook / youtube; limit allowed bandwidth (like max 100mb); allow and block certain users → for example allowing the marketing department to use facebook but not other users
  → bandwidth intensive → like watching HD movies / youtube
  → security related
  → normal business → like allowing search engines
As a security analyst you only care about → no adult material / security related.
Difference between proxy and firewall:
- Firewalls: filter headers
- Proxy: filters content
If a lot of websites are unrecognized and not categorized → it will lead to a lot of issues in the company.
Bypassing Content Filtering:
What if someone uses google to search for adult material and goes to images? Safe Search → will block adult material; filter using parameters.
Tinyurl → put a blocked website into a tinyurl → it passes the server side of the tinyurl; if it opens the blocked website directly it will get blocked by the client side of the proxy → if tinyurl works as a proxy it won't get blocked.
Tunneling the traffic: protocols used in tunneling: HTTP, DNS → solution: block SSH in the firewall.
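Added example (not from the notes): a category-based content filter in the style described above, with an all-users block list (adult, security), a per-department exception (marketing may use facebook), a policy choice for uncategorized sites, safe-search enforcement by rewriting the query parameter, and resolution of short links before classification so the final destination is what gets judged. The category table, the short-link table and the safe-search parameter name are constructed assumptions for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed category database and policy; a real proxy pulls these from a vendor feed.
CATEGORIES = {
    "adult.example": "adult",
    "facebook.com": "productivity",
    "youtube.com": "bandwidth",
    "malware.example": "security",
    "google.com": "search",
}
BLOCK_FOR_EVERYONE = {"adult", "security"}             # what the security analyst cares about
BLOCK_BY_DEPARTMENT = {"productivity": {"marketing"}}   # only these departments may use it
UNCATEGORIZED = "uncategorized"
# Constructed table standing in for a tinyurl-style redirector (short link -> destination).
SHORT_LINKS = {"tinyurl.example/abc": "https://adult.example/gallery"}

def resolve_short_link(url, hops=3):
    """Follow redirector links before classifying, so the final destination is judged."""
    for _ in range(hops):
        p = urlsplit(url)
        target = SHORT_LINKS.get(p.netloc + p.path)
        if target is None:
            return url
        url = target
    return url

def enforce_safe_search(url):
    """Rewrite search-engine requests to force the safe-search parameter (name assumed)."""
    p = urlsplit(url)
    if CATEGORIES.get(p.netloc) != "search":
        return url
    q = dict(parse_qsl(p.query))
    q["safe"] = "active"
    return urlunsplit(p._replace(query=urlencode(q)))

def filter_request(url, department, policy_for_uncategorized="allow"):
    """Return (decision, url_to_forward); decision is 'allow' or 'block'."""
    url = resolve_short_link(url)
    cat = CATEGORIES.get(urlsplit(url).netloc, UNCATEGORIZED)
    if cat in BLOCK_FOR_EVERYONE:
        return "block", url
    if cat in BLOCK_BY_DEPARTMENT and department not in BLOCK_BY_DEPARTMENT[cat]:
        return "block", url
    if cat == UNCATEGORIZED:
        return policy_for_uncategorized, url   # the "unrecognized websites" problem
    return "allow", enforce_safe_search(url)
```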