Cisco CCNA 200-301 – The Security Threat Landscape Part 3

5. Firewalls vs Packet Filters

You’ll learn how firewalls work and I’ll also compare them with packet filters. But your access control lists. So firewalls secure traffic passing through them by either permitting or denying it according to their rules stateful firewalls maintain a connection table which tracks the two way state of traffic passing through the firewall return traffic. Traffic is permitted by default. You’ll see what that means coming up in a second. So an example of some firewall rules in our example here, we’ve got a firewall, we’ve got our inside network with our hosts on the inside in the 1010 O 24 network, and we’ve got the outside connected to the Internet. And there’s an Internet web server there at 2030 one 1310.

The way we have set up our firewall rules is to deny all traffic from the outside to the inside for security. And we’re going to permit outbound web traffic from the ten 1010 O 24 network. So we set up those rules on the firewall. Then our host on the inside, ten 1010 sends out some web traffic to the external server at 2030 one 1310. Traffic is allowed because we have a rule to permit outbound web traffic from ten 1010 O 24. Then when that outbound traffic is sent out, it will be updated into the firewalls connection table. In the connection table. It will now say that a connection has been initiated from ten 1010.

And in our example, that host happens to be using the source port number 49160 and that’s going out to 2030 one 1310 on destination port eight for Http. Then the web server sends return traffic back to the host on the inside. The source and destination IP address and port numbers are going to be flipped around the other way.

Now, so that traffic is going to come from a source IP address of 2030, one 1310, and a source port number of 80. And it’s got a destination IP address of ten 1010 and a destination port number of 49160. So that matches the connection that’s in the connection table. The firewall sees that and it will permit that return traffic because it’s valid return traffic for an existing connection in the connection table that overrides the deny all traffic from outside to inside rule because it is legitimate return traffic. Now, in this next example, the host on the inside, ten 1010 has not initiated a connection out to the Internet server on the outside.

So in that case, the web server out on the Internet tries to send traffic into ten 1010. It does not match an existing connection. The traffic is going to be coming from a source of 203 011310 and port number eight and a destination IP address of ten 1010 and the destination port again for our example of 49160 that is now going to be dropped. According to the deny all traffic from outside to inside rule. And there is no existing connection in the connection table that would override that. Okay, so that’s how firewalls work and how the rules work. Next generation firewalls are available for next generation firewall that moves beyond port and protocol inspection at layers three and four, inspection and blocking to add application level inspection, intrusion prevention, and user based security. So deep packet inspection analyzes packets up to layer seven of the OSI stack, rather than it does with older traditional firewalls, where they would look at the traffic up to layer four.

Different permissions can also be applied to different users as well. Again, it goes beyond source and destination, IP addresses and port numbers. It can look up to layer seven in the packets. It can also recognize different users as well. And that way you can apply different rules to different users based on their job roles. And the Cisco ASA with Firepower is a next generation firewall. It does support the deep packet analysis, and it does also have IPS functionality. Okay, so that was firewalls. Next up, let’s move on to comparing them with packet filters and an access control list. Security policy is a packet filter. Packet filters, unlike stateful firewalls, do not maintain a connection table. So because of this, they affect traffic in one direction only.

They do not track the state of two way connections going through the router. If you have an access list applied on the way out, only the return traffic will be allowed because all traffic is allowed when an ACL is not applied. So if you just have an ACL applied in the outbound direction, you don’t have an ACL applied in the inbound direction as well, but all traffic will be allowed inbound because there’s not an ACL to control it. If you have ACLs applied in both directions, you will need explicit entries to allow both the outbound and the return traffic as well, because it does not keep track of the state, it’s not going to recognize the incoming traffic, the traffic coming back as valid return traffic. So we’ll do a similar example to what we had earlier with the firewall, but now we’re doing it for an access control list. So here we’ve got an inbound ACL on the outside interface.

So that’s going to apply traffic coming in from the outside and they’re the same as we did with the firewall. We’re going to deny all traffic. We also have an inbound ACL on the inside interface, so that’s going to affect traffic coming from the inside going to the outside. And there we’re going to permit web traffic from ten 1010 O 24, so the same as what we were doing with the firewall. Then a host on the inside, ten 1010 sends outgoing web traffic to the external server on the Internet at 2030 one 1310. We’ve got that inbound Htl on the inside interface, which permits web traffic from 1010 O 24. That does allow traffic to the web server. So the traffic will be allowed to pass through the router, the connection is not tracked in a connection table though, like it would be in a stateful firewall.

So then when the web server tries to send return traffic back in, that comes from 203 one 1310 port 80 going to ten 1010 port 49160 that is going to be dropped because of the inbound htl on the outside interface to deny all traffic. So you can see there the difference between a state full firewall and a packet filter. A state full firewall does track the state of connections and it allows valid return traffic. An ACL does not track the state of connections. So if you’ve got ACLs applied in both directions, you’re going to need to have explicit rules to allow traffic going out and coming in as well. So to allow the return traffic, in our example, you need to either remove the deny all traffic from outside to inside ACL on the outside interface, or add permit TCP any equals 810, ten 0255, range 491-526-5535. So with the first access control list entry there, what you’d be doing is just basically turning off security from the outside to the inside.

Obviously you don’t want to do that with the second example, you still have an ACL on the outside for traffic coming in, but what you’re doing is you’re saying if it’s coming from a web server, then allow it to go to the inside host on the entire range of possible port numbers. So it’s not tracking the state of connection and this view is opening up a security hole in your network. So those two options, neither of them is a secure option for a router connected to the internet. So because of that, we would always have a stateful firewall connected to the internet because we do want to have that higher level security and be able to track the state of the connections. Now, you might have heard of the established keyword before and you might think this is a solution to the problem.

So what we could do here is on our access list on the outside interface for traffic that is coming in, we could say address rule, access list 100, permit TCP ne equals 80. So we’re looking for any traffic that is coming inbound from a web server that is going to ten 1002, five five when we say if it was established. Now, intuitively, this looks like it’s making the access control list on the router act in a stateful manner, but it doesn’t actually do what you think it does. It doesn’t mean track the state of a connection. And if it was established from the inside going out, allow to turn traffic back in, doesn’t actually mean that the established keyword in an ACL only checks for the AK flag in return traffic. The router does not keep track of the state of the connections. So if you do this, it’s not turning your ACL into a stateful ACL and it’s actually easy for attackers to get around this just by setting the AK flag in their traffic. Again, it’s still not as secure as a stateful firewall. Now it is possible to enable the firewall feature set on router though if you do enable the iOS firewall feature set, that does turn it into a stateful firewall. With the iOS firewall feature set it uses different commands and you use in an ACL. Okay so now you’re maybe thinking, well why do we even have access control lists then? Wouldn’t we just use a firewall everywhere? Well actually you can use them to complement each other.

So your ACL packet filters on your routers can add to an overall defense in depth strategy. With your defense posture you don’t want to put all your eggs in one basket, you don’t want to just have a firewall and that’s your entire security defense. You want to have defense in depth. So you’ve got a firewall there. If an attacker manages to get through the firewall, you’ve got other defense mechanisms beyond that as well to make it more difficult for them. Also a firewall really guards against external threats. You need to guard against internal threats as well. So you don’t just have a firewall, you also have additional security mechanisms in place. Standard practice is to use firewalls on major security boundaries such as your internet edge and augment this with internal ACLs.

Purely external threats are primarily covered with strong firewall and IPS protection on the network perimeter. Sensitive hosts should also have firewall and IPS protection from internal hosts. So let’s have a look at an example. Network topology. Again, this is the exact same topology as we had in the last lecture. So we’ve got our internet edge here, we’ve got a firewall on the perimeter between our internal network and outside to the internet and we’ve got our servers in a DMZ. We have traffic going to our internal servers here both from our internal hosts and out from the internet as well. We’ve also got an IPS there to give it an additional level of security. Now the difference we’re going to do here is that on the inside we’ve got two different departments there.

We’ve got Department A and Department B. And for this example I’ll say that department A and department B host should never actually be communicating with each other. Well I can’t enforce that under firewall here because department A and department B are connected to a layer three switch on the inside. So traffic between the two departments would just go via the switch. It never touches the firewall. So in this situation, how can I secure traffic between the two different departments? Well I could put another firewall in, that would add to the expense and also to the complexity as well a much easier option.

And what I’m going to do is I’m going to configure an ACL on my layer three switch here to prevent traffic between those two internal departments. So both of departments can get out to the internet. They can also get to the internal servers, but they’re not allowed to communicate with each other. Okay, so that was how Stateful Firewalls work. Also a comparison with packet filters or ACLs and how you can use them in combination.

6. Cryptography

In this lecture, you’ll learn about cryptography, which is the process of transforming readable plain text messages into an unintelligible form and then the later reversal of that process. Cryptography can be used to send sensitive data securely over an untrusted network such as the Internet, and it uses authentication and encryption methods to do that. Cryptography provides these services to the data. First up, authenticity, which is proof of source. So proving that the data really did come from you think it came from, then confidentiality, which is privacy and secrecy. So you can send the data over an untrusted network, and even if somebody else is able to sniff that traffic, we’re not able to read it. And integrity, meaning it’s for sure it is not being changed in transit. And finally, non repudiation, which is quite similar to authenticity.

So authenticity proves that you are talking to who you think you’re talking to. Nonrepudiation means also that they cannot deny that it was them later. Okay? So with our cryptography, we’ve got both symmetric and asymmetric encryption. With symmetric encryption, the same shared key both encrypts and decrypts the data. And you can think of the key basically as being similar to a password. So with symmetric encryption, that shared key is known by both the sender and the receiver, and it must be kept secret. They’re the only two parties that know about it. Symmetric encryption is fast, so because of that, it’s used for large transmissions such as email, secure web traffic, Https, and also IPsec for VPN tunnels that we’ll be talking about later.

Algorithms that are used for symmetric encryption include Des, AES, and Seal. Des and triple Des are really older algorithms now. So version is insecure, not used so commonly now. More commonly used today would be AES. So let’s have a look at how symmetric encryption works and how it provides confidentiality. So here we’ve got the host on the left and it’s got some data. The data says hello, and we want to send that securely to the host on the right over the untrusted network. So the host on the left encrypts that data of hello with the shared key of one, two, three. And when it does that, it comes out with garbled encrypted data, as you can see down at the bottom here, it is then that encrypted data which is sent across the untrusted network. So if there’s anybody on that untrusted network that is able to sniff that data, they can sniff it, but it’s not a problem because they can’t read the actual data that we are sending.

They only see the encrypted garbled copy. It then comes out at the intended target, the host on the right still in the encrypted format. It then decrypts it with the same shared key of one, two, three in our example. And it then comes out in a readable format again of hello. So that’s how we were able to get that sensitive data of hello across from the left hand side over to the right hand side, over that untrusted network securely, okay? So that was symmetric encryption. There was also asymmetric encryption as well. And asymmetric encryption uses private and public key pairs. So with symmetric encryption, it’s the same shared key on both sides. With asymmetric encryption, it’s a private and public key pair. The way it works is data encrypted with the public key can only be decrypted with the private key and vice versa. So anything decrypted with the public key can only be decrypted with the private key. Anything encrypted with the private key can only be decrypted with the public key.

If something’s encrypted with the public key, it cannot be decrypted with the public key. And if something’s been encrypted with a private key, it cannot be decrypted with the private key. Sort of like a male female of each other. Only the private key must be kept secret. With our asymmetric encryption, the public key can be shared everywhere. You’ll see how this works as we go through this lecture and the next. So the public keys I just said can be available everywhere. It can be known in the public domain. With asymmetric encryption, it is slow as compared to symmetric encryption. So because of this, it’s used for smaller transmission, like exchanging our symmetric keys, and also digital signatures. I’ll explain how those work later on in this section.

Algorithms for asymmetric encryption include RSA and ECDSA. So let’s have a look at asymmetric encryption in action. So in the example here, the host on the left has got the public key, and the host on the right has got the matching private key. How we can use asymmetric encryption for confidentiality first. So here, the host on the left has the public key of the host on the right, and it wants to send the data of hello over there securely.

So it takes that data of hello and it encrypts it with the host on the right public key. So it does that, and then it then comes up with the Garble data. Now here, the host on the left does not know the private key of the host on the right. It only knows the public key. So it encrypts the data for the host on the right with its public key, the host on the right public key, and it then sends it over the network that comes into the host on the right. It comes in as the encrypted Garble data. It then decrypts it with its private key, and it comes out with the original data of hello.

Now, with this, it allows anybody to send data securely to the host with the private key because all hosts are allowed to have the public key. But the host on the right with the private key is the only one that has the private key. Nobody else has that. So it’s the only one that can read the message again, if something’s encrypted with the public key, it can only be decrypted with the private key, not with the public key. So the host on the right is the only one that can read any messages that have been encrypted with its public key. Other hosts with the public key cannot read that message. All right, so that’s how it works for confidentiality. We can also use asymmetric encryption for authentication and non repudiation. Here the traffic is going to be initiated from the right hand side. Now again, it’s the host on the right with the private key. The host on the left has got the matching public key. So the host on the right has got some data which says hello.

It encrypts it with its private key. It then sends that encrypted copy of the data over the untrusted network to the host on the left. The host on the left then decrypts it with the host on the right’s public key, and it comes out with the same original data of hello then. So here, the host on the left could have said to the host on the right, okay, if you are who I think you are, take this data of hello, encrypt it with your private key and send it back to me, the host and right then does that. It comes back to the host on the left, it decrypts it, and it does say hello, which is what it was expecting. So it now knows that it is talking to the host. It thinks it’s talking to over on the right, it’s authenticated it, and also the host on the right cannot deny that later, because it’s the only one that would have been capable of doing that, because it’s the only one with the private key.

So that provides authenticity of the host with the private key. All receivers need to know what is the genuine public key for this to work. Next thing is HMAC hash based message authentication codes. And HMAC codes provide data integrity, so it makes sure that it has not been altered in transit. The sender creates a hash value from the data to be sent using a symmetric key. The hash value is then appended to the data. The receiver hashes the data with the same shared key when it receives it. And if the hash values are the same, then that proves that the data has not been altered in transit. This is also used for large transmissions, for example email, secure web traffic and IPsec. And the algorithms include MD, Five and Shan. So, looking at how HMAC codes work here, the host on the left has got the data which says hello. It then hashes that with the shared key of one, two, three, and it comes out with a hash which is in a Garbled format, as you see here.

Then when it sends the data across the network, it’s got the original data which says hello and it’s got the hash value appended to that that comes into the host on the right, it sees the data and the hash. Then it hashes that data with the same shared key of one, two, three. And if the hash value matches on the right is what it was on the left, which was sent over, that means that the data has not been altered in transit. Now, with the example here, you can see that we sent the data in plain text there. So what the HMAC code does is it just checks. The data is not altered in transit. Now, normally the data will be encrypted as well. So normally here we would have the data encrypted with a symmetric key. We’re also taking a hash value as well. So by encrypting the data, that provides the confidentiality, having the HMAC code that provides the integrity.

So we use them both in combination with each other. Next thing is key distribution. So, cryptography can be used to send sensitive data securely over an untrusted network, as you’ve just seen. And symmetric key encryption is used for bulk data transmissions because asymmetric encryption is too slow for that, with our symmetric encryption, each side needs to know the shared key. And this can lead to a key distribution problems. Let me explain what the problem is. So for example, when you buy something online, you want your credit card details to be encrypted over the Internet. You don’t want anybody else seeing your credit card details. Now, the online store can’t send you the shared key over the same Internet channel. It’s not secure. So if you’re shopping online there and somebody’s sniffing your traffic, and the online store sends you the shared key over that Internet net connection, then anybody that’s sniffing it can see the shared key.

So they can read the data that comes later. They can still read your credit card details. So for that shared key to be shared with you, we need to have a secure out of band method of doing it, not sending it over the same Internet connection. And obviously, it’s not practical for the online store to phone up every single customer every time there is an online purchase. So we need some other way of getting a shared key over on both sides of the link. That’s our key distribution problem. And the solution for that is PKI public key infrastructure. PKI uses a trusted introducer, which is the certificate authority for the two parties who need the secure communication. Both parties need to trust the certificate authority and it acts as a go between, which allows them to share shared key securely. And I’ll show you how the process works invinex Glacier.

• Category: Uncategorized