How to Set Up and Properly Configure a Firewall


When learning how to set up and properly configure a firewall, the first step is knowing the difference between software and hardware firewalls, which are often implemented in combination.

Software vs Hardware Firewalls

Software Firewalls

  • Filters traffic based on content rules.
  • Installed on clients.
  • Inexpensive but vulnerable.
  • Knows more about what we do on our system, so its rules can be tailored more precisely.

Hardware Firewalls

  • Physical devices on the network.
  • Network traffic runs through them.
  • More robust.
    • May have service support.
    • Configurable.
  • More expensive.

Port Security

  • Security by modifying traffic/access/protocols based on ports.
  • Port security is focused mostly on TCP/IP ports rather than physical ports (can be modified by rules and ACLs).

Additional Firewall Features

  • The benefit of multifunction devices is that you can save money and reduce training time.  Works on small networks.
    • The downside is that all-in-one devices can’t do everything well.
    • Also, there is only one security device that needs to be compromised.
  • Can be built into routers/switches.
  • Act as VPN concentrator.
  • Content filters.
  • IPS/IDS.

Stateful Inspection vs Packet Filtering Firewalls

The next firewall concept that needs to be understood is the difference between stateful inspection and packet filtering firewalls.

Stateful Inspection Firewalls

Inspects traffic and allows traffic for sessions initiated from inside back into the network.

If rules are not configured properly, you are vulnerable:

  • If the target computer is browsing on an infected server, it may be sent an HTTP packet over port 80.  This is normal and expected if the firewall allows web browsing, and as a result the infected server sends an infected packet to the target.
  • The packet is not large enough to infect the computer, but it allows the target to create a session to the attacker over another port, say 4484, so a larger packet can be sent to the target.
  • The firewall sees that the target initiated the session and allows the traffic from the infected server in.

This can be mitigated by monitoring outbound traffic.  Don’t just allow all outbound traffic.

Packet Filtering Firewalls

Based on IP header information.  Doesn’t matter if we initiated the request.

Firewall Rules

Inbound vs Outbound Rules

Inbound: what gets allowed onto our private network from the public network.

Outbound: traffic to the public internet from our network.  Less restrictive than inbound rules.

  • Block/Allow Traffic
    • Based on Port/IP/Protocol
  • Implicit Deny:  At the end of the rule list.  If no rule allows the traffic, deny access.  The opposite is implicit allow.
  • Access control list
    • Permitted/Denied Traffic
    • Specify Based on IP/Port/MAC/Source/Destination
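
The stateful inspection scenario and the implicit deny rule described above, modelled as an added example (not code from the original post). The class, rule lists, source ports and addresses are constructed for illustration; the model tracks sessions by 5-tuple and applies first-match outbound rules.

```python
# Added illustration: stateful inspection with an ordered outbound rule list
# and implicit deny. All names and addresses are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "*" for any protocol
    dport: Optional[int]   # None matches any destination port

@dataclass
class StatefulFirewall:
    outbound_rules: list
    sessions: set = field(default_factory=set)   # state table of tracked sessions
    log: list = field(default_factory=list)      # denied egress attempts to review

    def outbound(self, src, sport, dst, dport, proto="tcp"):
        """First matching rule wins; no match falls through to implicit deny."""
        verdict = "deny"
        for r in self.outbound_rules:
            if r.proto in ("*", proto) and r.dport in (None, dport):
                verdict = r.action
                break
        if verdict == "allow":
            self.sessions.add((proto, src, sport, dst, dport))
        else:
            self.log.append(("egress-denied", src, dst, dport))
        return verdict

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        """Allow inbound only when it is the reply side of a tracked session."""
        return "allow" if (proto, dst, dport, src, sport) in self.sessions else "deny"

ALLOW_ALL_OUT = [Rule("allow", "*", None)]          # the weak configuration
RESTRICTED_OUT = [Rule("allow", "tcp", 80),         # web browsing
                  Rule("allow", "tcp", 443),
                  Rule("allow", "udp", 53)]         # anything else: implicit deny

CLIENT, SERVER = "10.0.0.25", "203.0.113.10"        # constructed sample addresses

def replay(rules):
    """Replay the sequence from the text against a fresh firewall."""
    fw = StatefulFirewall(list(rules))
    results = [fw.outbound(CLIENT, 50000, SERVER, 80),    # normal web request
               fw.inbound(SERVER, 80, CLIENT, 50000),     # reply to that request
               fw.outbound(CLIENT, 50001, SERVER, 4484),  # second session, port 4484
               fw.inbound(SERVER, 4484, CLIENT, 50001)]   # traffic back over it
    return results, fw.log
```

With `ALLOW_ALL_OUT` every step is allowed and nothing is logged; with `RESTRICTED_OUT` the session to port 4484 is never created, so the return traffic is dropped and the denied attempt is left in the log for monitoring.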

NAT & PAT

Network Address Translation / Port Address Translation

Secur previously covered network address translation in an earlier lecture.

  • One internal IP address (lots of these) <=> One external IP address.
    • PAT assigns a Public IP/Port to Private IP/Port
  • Traffic forwarding to private IP.
    • Can’t send two types of data over the same port
      • PAT sends traffic over a different port if the initial port was busy.
      • The response runs through PAT again, and translates the traffic to the proper port internally.
    • Remember that the network’s public IP address may serve many internal devices.
  • Webserver.

 

Demilitarized Zone (DMZ)

  • Located between public and private facing firewalls
  • Creates a semi protected area
  • Place public facing devices here.
  • We put the internal network on the other side of the private firewall.
  • This one has a stronger ruleset.
