
Firewalls & Intrusion Detection
This is a guide on firewalls and intrusion detection.
Firewall Types
It's imperative that as a cybersecurity analyst, you understand the various types of firewalls that are available and which firewall best serves a given scenario.
So, the first thing we’ll do is mention that firewalls, of course, in a general sense, control traffic into, through and out of networks and hosts.
A firewall can be a hardware appliance that's designed to do nothing but examine and control network traffic.
Next-generation firewalls are enhanced firewall appliances beyond a standard traditional layer 4 packet filtering firewall.
But firewalls can also be software, such as a host-based firewall running within an operating system, whether it's a Linux-based machine (mobile, desktop, laptop or server), a Windows device or an Apple device.
Where possible, you need to ensure that there is a software firewall in place on everything.
So, network perimeter firewalls are great hardware appliances that do that. That's great. Every device needs a firewall because it’s another layer of security.
In the enterprise, we need a centralized way to deploy those firewall settings and to receive alerts that we might have configured, if there are firewall anomalies such as incremental port scans on different port numbers, which could be the reconnaissance phase that an attacker is executing.
So, the actual functionality of the firewall itself will determine which OSI model level it maps to. We'll talk about that.
Firewalls can either be stateful or stateless.
Let's start with stateless because it's simpler. A stateless firewall looks at each and every network packet transmission as an individual independent entity. There is no concept of a collection of packets forming a session, as would be the case with TCP (Transmission Control Protocol).
As a result, a stateless firewall is considered less sophisticated and will not catch as many potential network intrusions as a stateful firewall would.
Imagine also that we have an internal host reaching out through a NAT firewall to get out to the Internet. Stateful behaviour applies here too, in the sense that the NAT firewall keeps a memory of a request from an internal client going out, so that the response should be allowed to come back in. So, that's another variation of how stateful works at the network traffic level.
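To make the stateless versus stateful distinction concrete, here is an added example (not from the original lesson) that runs a constructed three-packet trace through both kinds of filter. The internal address prefix, the addresses and the ports are all constructed values; the stateless filter has to carry a standing "allow inbound to high ports" rule so that replies can reach internal clients, while the stateful filter remembers outbound connections the way the NAT firewall described above does and admits only their replies.

```python
"""Stateless vs. stateful filtering over a constructed packet trace (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: set on the first packet of a new connection
    ack: bool = False   # TCP ACK flag


INTERNAL_PREFIX = "10.0.0."   # constructed: addresses with this prefix are "inside"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """Judge each packet on its own. Because there is no memory of what went out, the
    only way to let replies reach internal clients is a standing rule that admits
    inbound traffic to the whole ephemeral port range."""
    if is_internal(pkt.src_ip):
        return "ALLOW"                      # anything leaving the network is fine
    if pkt.dst_port >= 1024:
        return "ALLOW"                      # "return traffic" rule: any high port
    return "DROP"


class StatefulFilter:
    """Remembers connections initiated from inside (the same memory a NAT firewall keeps)
    and admits an inbound packet only when it belongs to one of those flows."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def decision(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip):
            if pkt.syn and not pkt.ack:     # new outbound connection: remember it
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: reverse the 4-tuple and look for the flow that solicited it.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "ALLOW"
        return "DROP"


def run_trace() -> List[Tuple[str, str]]:
    """Return (stateless, stateful) verdicts for each packet of a constructed trace."""
    trace = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # client opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server's reply
        Packet("198.51.100.7", 40000, "10.0.0.5", 51001),                    # unsolicited inbound
    ]
    stateful = StatefulFilter()
    return [(stateless_decision(p), stateful.decision(p)) for p in trace]


if __name__ == "__main__":
    for stateless, stateful in run_trace():
        print(f"stateless={stateless:5}  stateful={stateful}")
```

The third packet is the point of the exercise: it arrives at a high port on an internal host without any internal host having asked for it. The stateless filter cannot tell it apart from a legitimate reply and passes it; the stateful filter finds no matching flow and drops it.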
Common firewall types: first, the packet filtering firewall, sometimes called a layer 4 firewall; this is why it's important to understand the OSI model. Layer 4 is the transport layer, which, at least with TCP/IP, focuses on TCP and UDP, which translates to port numbers.
So, a layer 4 packet filtering firewall can make decisions based on port numbers and everything below that, like IP addresses, MAC addresses, that type of thing.
Content filtering firewalls are sometimes called deep inspection or layer 7 firewalls. They can do everything a packet filtering firewall can do, but they're not limited to just looking at the packet headers. They can look at the payload, the data in the packet and look at the nature of an HTTP request, and so on.
A specialized version of a content filtering firewall would be a web application firewall, which is always checking for common web application attacks.
Proxy servers sit between users and the Internet. So, a forward proxy, for example, will accept client requests internally to reach out to the Internet and get content. The proxy server fetches that content, not the internal device directly.
Network address translation, or NAT, is sometimes called port address translation, or PAT, which is probably the more correct term; but what we're interested in here is what these solutions do. You have probably experienced network address translation even on a personal home or small office network: you have a routing device with a single connection to the Internet, such as a home wireless router, and it allows all internal clients out to the Internet through that appliance's one Internet connection.
Of course, at the enterprise level, we can also configure this in more detail. In essence, that is NAT.
Packet filtering firewalls have only the limited ability to look at packet headers. Here we have a diagram of a standard network-transmitted packet. Let's say it's an HTTP packet, and what we've done is break it down by header.
So, at the top we’ve got the Ethernet header, assuming it’s an Ethernet network. Now, that applies to layer 2 because the Ethernet header will have source and destination MAC addresses.
The next header, assuming it’s a web server, HTTP type of transmission, would be an IP header, which applies to layer 3 of the OSI model; the network layer, because it deals with IP addresses and potentially routing.
The next header, in this case for HTTP, is going to be a TCP header, layer 4, which includes port numbers like 80 for HTTP or 443 for HTTPS.
Then comes the application protocol header, such as for HTTP. Whether or not it's HTTPS, that is, whether network encryption is in use, determines which layers between 5 and 7 apply; but certainly the packet payload is not scannable by a packet filtering firewall.
That's where content filtering firewalls, web application firewalls, next-generation firewalls, layer 7 firewalls, those types of things would apply. So, we’re really talking about packet filtering firewalls, layer 4 firewalls, looking at the headers only. [Video description begins] The instructor highlights the four headers. [Video description ends]
So, a packet filtering firewall is not a good solution if you're trying to address the problem of email phishing scam campaigns or if you're trying to block viruses or malware. This is not going to do it. So, it doesn’t check the packet payload data.
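The four-header diagram above can be walked through in code. The following is an added example, not material from the lesson: it assembles a constructed Ethernet/IPv4/TCP frame carrying an HTTP request (MAC addresses, IP addresses, ports and the request text are all made up, and checksums are left at zero because the frame is only parsed, never sent), splits it into the layer 2, 3 and 4 headers plus payload, and then applies two decisions to it. The layer 4 decision sees only headers; the layer 7 decision additionally reads the HTTP request line, which is where a content filtering firewall or WAF can notice a directory traversal pattern that a packet filter is blind to.

```python
"""Constructed Ethernet/IPv4/TCP/HTTP frame, parsed header by header (added example)."""
import struct
from typing import Any, Dict


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_http_frame(src_ip: str, dst_ip: str, sport: int, dport: int, request: bytes) -> bytes:
    """Assemble a sample frame. Checksums stay zero: this is a constructed packet for
    parsing, not one to be put on a wire."""
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + request
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto 6 (TCP).
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    # Ethernet header: constructed destination and source MACs, EtherType 0x0800 (IPv4).
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), 0x0800)
    return eth + ip_hdr + tcp


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Split the frame into the four parts of the diagram: Ethernet, IP, TCP, payload."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return {
        "layer2": {"dst_mac": mac_str(eth_dst), "src_mac": mac_str(eth_src), "ethertype": eth_type},
        "layer3": {"src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "protocol": ip[9]},
        "layer4": {"src_port": sport, "dst_port": dport},
        "payload": tcp[data_offset:],
    }


def layer4_decision(pkt: Dict[str, Any]) -> str:
    """A packet filtering firewall: headers only, the payload is never consulted."""
    if pkt["layer3"]["protocol"] == 6 and pkt["layer4"]["dst_port"] in (80, 443):
        return "ALLOW"
    return "DROP"


def layer7_decision(pkt: Dict[str, Any]) -> str:
    """A content filtering firewall: the same header check, then the HTTP request line."""
    if layer4_decision(pkt) != "ALLOW":
        return "DROP"
    try:
        request_line = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii")
        _method, path, _version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "DROP"                     # not well-formed HTTP on an HTTP port
    if "../" in path:
        return "DROP"                     # directory traversal pattern in the URL
    return "ALLOW"


if __name__ == "__main__":
    frame = build_http_frame("10.0.0.5", "203.0.113.10", 51000, 80,
                             b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    parsed = parse_frame(frame)
    for layer in ("layer2", "layer3", "layer4"):
        print(layer, parsed[layer])
    print("L4:", layer4_decision(parsed), " L7:", layer7_decision(parsed))
```

Feed the same parser a request whose path contains "../" and the layer 4 decision is unchanged, because to a packet filter the two frames are identical from the Ethernet header down to the TCP ports; only the layer 7 decision differs.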
Now, when it comes to placement of a packet filtering firewall, we have to think about the network layout, which means we need network diagrams.
Pictured on our diagram in the bottom left, we have an internal network which is connected to one firewall, which is then connected to another network where we have a demilitarized zone or DMZ, otherwise called screened subnet, which is in turn connected to a second level firewall which connects to the Internet. If you want to host public services, you would place those on the DMZ or the screened subnet, like public facing web servers or email servers.
So, the firewall connected to the Internet would have different rules to allow traffic from the Internet directed to those specific servers in the screened subnet, but not anywhere else. But the internal second firewall would allow internal traffic out to the Internet and back in. So, placement is important and obviously the detailed configuration of each firewall ruleset is important.
We've briefly mentioned that a web application firewall or a WAF, depending on what it's looking for, is generally considered to be an OSI layer 7 firewall because it can look at headers as well as details about HTTP types of requests. So, it protects apps from common attacks.
What types of attacks does a web application firewall protect against? Many, like denial-of-service and distributed denial-of-service attacks; sensitive data leakage; malicious bots that are mimicking humans and trying to make a connection to an app; specially crafted or malicious URLs and HTTP requests sent to the app; various types of injections like SQL injection attacks; directory traversal attacks, which is an attempt to try to get into the underlying operating system file system for the web server; buffer overflows.
So, this gives us an idea of some common types of firewalls and the specialized situations where they would best serve.
Managing Windows Defender Firewall
We've discussed the importance of having multiple layers of security, otherwise called defense-in-depth, where each individual layer might not completely prevent or minimize some kind of a security incident but together those layers can help.
And one of those layers is ensuring that every device, where possible, has a software firewall configured appropriately. This is in addition, of course, to having network perimeter firewalls, as we have discussed. So, let’s take a look at how to work with the built-in Windows Defender Firewall.
First thing I'll do here from my start menu in Windows is, I will search for the word threat. And I will then click on Virus & threat protection.
Now, this is Windows Server 2022. Depending on the specific version of the Windows OS that you're using, you might see something a little bit different in terms of the graphical user interface.
So, here we have, of course, malware scanning, a list of any current threats, [Video description begins] The Virus & threat protection page is displayed which has options such as Current threats, Virus & threat protection settings, Virus & threat protection updates, and many more. [Video description ends] update options for it. But this is only of course on the malware side of things, including ransomware protection.
So, I’m going to go to my start menu and this time, I’m going to type in the word defender and then I'll click on Windows Defender Firewall.
So, this is truly where we can specify what traffic should be allowed into or out of this specific individual host. Now, be aware that if you’re working in a public cloud environment, [Video description begins] The Windows Defender Firewall page is displayed with the title Help protect your PC with Windows Defender Firewall under which two options: Private networks and Guest or public networks are found. On the left hand side you have the Control Panel Home with several options underneath. [Video description ends] there might be solutions in that cloud provider environment to set up individual host firewalls.
An example would be a network security group in the Microsoft Azure cloud, which can be associated with a subnet or individual virtual machines by their network interface, in which case, you might not want to manage the individual firewall within the host OS, instead, do it externally at the cloud level.
But here, we’ll do it within the host OS. So, we can configure firewall rules for the type of network that the device is connected to, like a private network versus a more open guest or public network. [Video description begins] The Turn Windows Defender Firewall on or off option found on the left hand side is clicked. [Video description ends]
We can turn Windows Defender Firewall on or off for those types of networks, [Video description begins] The page with the title Customize settings for each type of network is displayed with two main options: Private network settings and Public network settings with each having several options under them. [Video description ends] or we can elect to block everything, including even what we've configured to be allowed. This would be a master switch, so to speak, to just not allow anything in. And of course, you can be notified if Defender blocks something from trying to come in. However, I don’t want to turn Windows Defender off, it’s already on. I do want to click advanced settings because when I do that I get a different interface. And I’ll just maximize it. [Video description begins] The Windows Defender Firewall with Advanced Security page is displayed having the main title as Windows Defender Firewall with Advanced Security on Local Computer under which there are several options. On the left hand side few options such as Inbound Rules, Outbound Rules, Connection Security Rules, and Monitoring are found. [Video description ends]
So, here on the left, I’ve got my Inbound Rules. These are like layer 4 firewall types of rules where we can specify port [Video description begins] Several Inbound Rules are listed categorized under the titles: Name, Group, Profile, Enabled, Action, Override, Program, and Local Address. [Video description ends] numbers, protocols; you can specify specific programs on the computer, for example, that should be able to send outbound traffic.
Let's say, for example, we are going to have a web server running on this host. It doesn’t matter if it’s the Microsoft IIS web server or some third-party type of web server. But I want to make a rule that allows inbound traffic for HTTPS.
So, for Inbound Rules, I would right click, choose New Rule. [Video description begins] The New Inbound Rule Wizard page is displayed with the title, Rule Type, having the options: Program, Port, Predefined, and Custom. [Video description ends] The rule can be based on a specific program, a port number, predefined, or custom. If I choose predefined, notice from the list, I’ve got common everyday type of network communication things specific to a Windows network, of course, but I’m going to go ahead and select port in this case, and I’ll choose next. [Video description begins] Two options are displayed. The first option is Does this rule apply to TCP or UDP? and the second option is Does this rule apply to all local ports or specific local ports? [Video description ends]
Now, does the rule apply to TCP or UDP? Well, for HTTPS traffic it's going to be TCP, and we can specify a port number. The default HTTPS port number for secured connections is 443. That's what we want to allow to this host. Remember, this is an inbound rule that we are in the midst of creating; next, we want to allow [Video description begins] Three options: Allow the connection, Allow the connection if it is secure, and Block the connection are displayed under the question: What action should be taken when a connection matches the specified conditions? [Video description ends] the connection, we don't want to block it.
If you allow the connection if it is secure, that’s when you start getting into making sure you have IPsec encrypted network communications. That doesn’t apply here. So, I’ll just leave it on the default to allow the connection. Next, [Video description begins] Three options: Domain, Private, and Public are displayed under the question, When does this rule apply? [Video description ends] These are the different network profiles we can have this rule applied to. I’m going to turn that off for the public. Now, you won’t be taking Windows servers into a public environment, but imagine that this is a client Windows OS on a laptop that the user might travel with for work and connect to public Wi-Fi hotspots.
Now, of course, that scenario would more likely involve a software developer with a web server stack on the laptop, because why would a regular user have a web server running? That would be odd. So, at any rate, I'm just going to go ahead and click next. The name: Allow Incoming HTTPS. [Video description begins] Two options: Name and Description which is optional are displayed. [Video description ends]
We can put in a more detailed description, but that's optional. I'll forgo that and I will click finish. [Video description begins] Again the page containing the list of Inbound Rules is displayed. [Video description ends] And so, we now have, at the top of the list because it starts with the letter A, Allow Incoming HTTPS.
But when you go back and modify that firewall rule, you have other options that weren't presented during the wizard, [Video description begins] A popup window titled, Allow Incoming HTTPS Properties is displayed with options: Protocols and Ports, Scope, Advanced, Local Principals, and Remote Users. [Video description ends] such as, determining that only connections from certain specific computers are allowed to connect to this host for HTTPS. Same goes with users.
You can specify specific users that must be signed in with their accounts. This really works well in an Active Directory domain, where the computers are joined to the domain and the account list, of course, is central. So, you can also specify that. Under the Scope tab, you can specify IP addresses or ranges from which connections should be allowed. And yes, it's easy to spoof IPs. It's just another layer of security and defense-in-depth.
Now, we can do precisely the same thing with Outbound Rules as well, if we want to limit what traffic is allowed leaving this system. [Video description begins] A list of Outbound Rules are displayed categorized under: Name, Group, Profile, Enabled, Action, Override, Program, and Local Address. [Video description ends]
Now, we’re doing this on a single Windows host. In a larger environment where you might have an Active Directory Domain and computers are joined to that domain, you could do the exact same type of configuration, but not in this interface; instead, through group policy and that group policy setting for inbound and outbound firewall rules could apply to some or all computers in the domain through a single configuration.
Managing a Linux Firewall
So, the first thing I'll do here is type sudo ufw status; ufw is the uncomplicated firewall. Do we have it installed? Is it up and running? What is its state? Notice currently it says it's inactive.
Okay, so, before we turn it on, let's make sure that we will have the appropriate allowances to allow traffic in.
For example, if you are SSHed into a Linux host to get to this command prompt in the first place and you cut yourself off, then that could be a problem. Getting back to it would be blocked potentially by the uncomplicated firewall.
So, I’m going to run sudo ufw allow 22 that will allow traffic to TCP port 22 from anywhere. In the same way, we could also do sudo ufw allow 443 if we were hosting a web server.
If you want to be specific, you could also issue a command such as sudo ufw allow 514/udp. Let's say we want to allow Linux log forwarding on port 514, but for UDP, so we append /udp; you can specify the transport protocol if you really want to.
We can also block traffic from specific IPs or even entire subnets.
We'll do a subnet here: sudo ufw deny from 203.0.114.0/24, where I specify the subnet address using CIDR notation; the /24 indicates that there are 24 bits in the subnet mask. [Video description begins] The subnet address with the CIDR notation is 203.0.114.0/24 [Video description ends]
It returns Rules updated. So, let's go ahead now and run sudo ufw enable. [Video description begins] The command clear is given. [Video description ends] It says this might disrupt existing ssh connections. Well, we know we have an allowance for SSH that is configured correctly. Proceed with the operation (y|n)? I'll type in the letter y for yes and I'll press enter. Okay.
Firewall is active and enabled on system startup. So, that means then if we were to go to sudo ufw status last time it returned [Video description begins] The command clear is given. [Video description ends] just a status of inactive, but now it returns a status of active and our rules are shown. Notice for example, our port 22 rule to ALLOW from Anywhere.
Also, notice our DENY rule from our CIDR notation subnet going to Anywhere we’re [Video description begins] The CIDR notation subnet address 203.0.114.0/24 is highlighted. [Video description ends] blocking it. Notice our remote syslog 514 over udp allowance and of course 443 for HTTPS. Now, what’s interesting about this too, let’s just clear the screen.
Let's use the up arrow key, bring that command up again. But I’m going to add to the end of it numbered [Video description begins] The command sudo ufw status is brought back adding the command numbered. [Video description ends] As you might guess, that puts a number for each rule which can facilitate management such as the removal or deletion of rules from the ruleset.
Let’s say, we will not be hosting a web server on this host and therefore we want to remove the rule for 443. So, we can do that sudo ufw delete and then we can simply put in the number. In this case, number 2 is the rule for HTTPS.
It asks us to Proceed with the operation. I’ll type in the letter y for yes. Okay. Rule deleted it says. Let’s clear the screen sudo ufw status notice the absence of our port 443 rule. We still have the one for IPv6 but the first rule was for IPv4 and it has successfully been removed.
Let's do another example. Let's run sudo apt install apache2 to install the Apache web server. So, it says apache2 is already installed and it’s the newest version. [Video description begins] The command clear is given. [Video description ends] When you install some packages, in this case the apache2 web server, it also allows you to work with rules based on the app type.
Here's what I mean by that. If I were to run sudo ufw app list, notice it says Available applications: we've got OpenSSH, and we've also got Apache, Apache Full and Apache Secure, the last of which allows only very limited access.
Now, the Apache items are there only because the Apache web server is installed, just like the OpenSSH app firewall option is shown in this list because OpenSSH is installed.
So, we could run, for example, sudo ufw allow 'Apache', with the profile name in single quotes. Okay. It looks like the rule has been added, so we should be able to do sudo ufw status [Video description begins] The command clear is given. [Video description ends] and let's add numbered so we get the numbers to the left.
Notice that Apache has been added here for IPv4 even though it doesn’t say v4, but it’s implied. And Apache is also added here for IPv6 which is shown in parentheses with (v6) so, we could run sudo ufw delete we could use the numbers because we talked about how to do that, but we can also use the name in this case and I'll put in allow and ‘Apache’ in quotes. Okay. Rule deleted for IPv4 and IPv6, of course. [Video description begins] The command clear is given. [Video description ends]
Let's check our work with the up arrow key. We’ll go back up to our ufw status numbered command. And of course, Apache is now gone.
So there are a couple of ways then that you can refer to allowances or denials for the uncomplicated firewall. Of course, using the names will depend on the packages that are installed.
Finally, if we don't want the uncomplicated firewall running, we could run sudo ufw disable. Now, this is never recommended unless you have another firewall solution that you will be using. And you might be doing that at the cloud level, as we've discussed in the past; you might have in the Microsoft Azure cloud, let's say, a network security group, which is a list of firewall allowances and denials that apply to one or more hosts, in which case maybe you don't need to go to this granular level to configure a firewall. But either way, having host firewalls applied is absolutely crucial in securing a network.
Managing Cloud Firewalls
There are plenty of different options for firewalling in various cloud environments. For example, in the Microsoft Azure cloud, we've got solutions like the Azure Firewall, which can even be a centralized solution that gets deployed across multiple resources. But we can get a bit more granular also and work with network security groups. Here in the Azure portal, [Video description begins] The Microsoft Azure portal is opened with the title: Azure services. There are several options under this title including, Create a resource, Resource groups, All resources, etc. [Video description ends] I’m going to go into the All resources view, where currently Type equals all. [Video description begins] The instructor points to the Type equals all options. [Video description ends]
So, in other words, we're looking at all deployed resources in the Azure cloud. I only want to see network security groups right now. So, therefore, I can click right on Type equals all and filter. [Video description begins] A popup window titled Type is opened. It has two options: Operator and Value. And there are several options under the option Value. [Video description ends] If I scroll down to the end, there's a network security group type, of which we have 9. It shows 9 in parentheses. I'll turn on the checkmark just for that and click apply.
So, all we’re looking at now are network security groups, often just referred to or abbreviated as NSGs. [Video description begins] The option under the Name category in the All resources page called Ubuntu1-nsg is clicked. [Video description ends]
If I were to click on a particular network security group, notably, [Video description begins] The network security group: Ubuntu1-nsg page is displayed. [Video description ends] it has inbound rules that are either set to allow certain types of traffic or deny it. And the same goes for outbound; so, traffic leaving a virtual machine not just coming into it.
But what's interesting about network security groups is they can be associated with specific network interfaces, which really translates to being associated with specific virtual machines. [Video description begins] The Network interfaces option is clicked under the network security group: Ubuntu1-nsg page. The main section of this page displays options: Name, Public IP address, Private IP address, and Virtual machine. [Video description ends]
So then, it becomes a cloud-based layer 4 firewall, external to the host operating system; that's really what it is. And that's why we say you might not need to configure the host-based firewall within the guest operating system if you have this kind of an environment, although you certainly can, and you can even do both, which can get confusing though, in my experience.
Now, other than the network interface, we can also link a network security group to an entire subnet which contains many virtual machines that have the same inbound and outbound firewall rule needs. [Video description begins] The Subnets option is clicked in the Ubuntu1-nsg page and the subnets page is displayed where on the main section the categories: Name, Address range and Virtual network are found. [Video description ends] That's very interesting as well.
So, let’s go ahead and create one from scratch and apply it. So, back at the portal home page, I’m going to click Create a resource. I will search for a network security group. I’ll choose it. And then, I’ll select the Network security group from Microsoft and then create. It will be created within a subscription. [Video description begins] The Microsoft Azure Create network security group page is displayed where in the Basics option you have two main fields: Project details and Instance details. The Project details field lists: Subscription and Resource group. And the Instance details field lists: Name and Region. [Video description ends] Well, you need a subscription in Microsoft Azure to deploy anything. I’ll deploy it into a resource group called East. And I’m going to call this LinuxNSG, Linux Network Security Group. I could then add tags or metadata values, but I won't do that. So, on the review and create page, I’ll just click Create.
But we've only created the network security group. We have to then think about the rules within it; the inbound rules and the outbound rules and the association to network interfaces or subnets. The deployment is complete, so I can go into the properties of our new network security group, right from here, by clicking the go to resource button. In it, let’s go into inbound security rules.
Now, this is a Linux network security group. We've got some default rules here: one to allow VNet, or virtual network, inbound traffic from other virtual networks, so the source is virtual network, destination is virtual network, any protocol, any port; the same for load balancers. But then after that, we deny all inbound traffic that doesn't meet those. So, for example, traffic initiated from the Internet would be denied access into either a virtual machine or a subnet protected by this network security group. But we haven't set the association yet. [Video description begins] The Add button on the LinuxNSG Inbound security rules page is clicked. [Video description ends]
I'm going to click Add because I want to add a rule here for SSH. [Video description begins] A popup window titled Add inbound security rule is displayed. It has 10 options: Source, Source port ranges, Destination, Service, Destination port ranges, Protocol, Action, Priority, Name, and Description. [Video description ends] So, I'm going to specify an IP address. But notice, I could use my current IP address, from which I am managing this; I could use a Service Tag, which specifies a type of configuration, like whether it's a LoadBalancer or whether it's ServiceBus used by software developers. But in this case, I can also use an Application security group, which is a way to essentially link different components that, working together, comprise a single application.
I’m going to choose IP Addresses where I can specify a range. So, I’m going to use CIDR notation to specify a range from which I want to allow SSH traffic; any source port; the destination I could specify with IP Addresses, Service Tags, Application security group. But I’m going to leave it on Any because I’m going to let that be handled by the association to either virtual machine network interfaces or subnets.
The service, well, I can simply choose SSH here, which really means TCP port 22. The action will be to Allow. I don’t want to deny it. The priority here is important because these rules in the background have priorities and the rules are evaluated in the priority order, which means that rule 100 gets checked before rule 65000. So, if there’s a match with rule 100, in other words, if it’s a SSH traffic coming in, this rule would apply and no further rule processing takes place.
So, it’s already generated a name here AllowCidrBlockSSHInbound. That's great. No problem. I like it. I’ll click Add and we’ve now got our new allow rule for SSH. [Video description begins] Again the LinuxNSG Inbound security rules page is displayed. [Video description ends]
But we have to remember what that applies to. If we go to network interfaces over here on the left, we can click the Associate button at the top in the middle, [Video description begins] A popup window titled Associate network interface is displayed with the option Network interface associations. [Video description ends] and from here we can select network interfaces that aren't already associated with the network security group. In other words, specific virtual machines are really what that is.
But we could also go to subnets and in the same way, click the Associate button at the top to associate this with a specific subnet. [Video description begins] A popup window titled Associate subnet is displayed with the options: Virtual network and Subnet. [Video description ends] When we do this, it means that all virtual machines in the subnet will be affected by the rules within this network security group. In other words, SSH would be allowed in this particular case.
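The priority-ordered, first-match evaluation described for the LinuxNSG rules can be reproduced in a few lines. The following is an added example and not Azure code or anything from the lesson: it encodes the three inbound rules Azure places in every new NSG under the names and priorities Microsoft documents for them (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500), adds the AllowCidrBlockSSHInbound rule created above at priority 100, and evaluates constructed flows against them. The virtual network address space 10.1.0.0/16 and the administrative source block 198.51.100.0/24 are constructed values, and the classify() function is a stand-in for the service-tag resolution Azure performs itself.

```python
"""Priority-ordered evaluation of NSG inbound rules over constructed flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR prefix, a service tag ("VirtualNetwork", "AzureLoadBalancer") or "*"
    dest_port: str     # a single port as a string, or "*"
    protocol: str      # "Tcp", "Udp" or "*"
    access: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_tag: str       # service tag the source belongs to; "Internet" if none
    dest_port: int
    protocol: str


# The three inbound rules Azure places in every new NSG (names and priorities as documented).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

VNET_SPACE = ipaddress.ip_network("10.1.0.0/16")   # constructed virtual network address space


def classify(src_ip: str, dest_port: int, protocol: str) -> Flow:
    """Constructed stand-in for Azure's own tag resolution: a source inside the VNet
    address space carries the VirtualNetwork tag, anything else is treated as Internet."""
    tag = "VirtualNetwork" if ipaddress.ip_address(src_ip) in VNET_SPACE else "Internet"
    return Flow(src_ip, tag, dest_port, protocol)


def source_matches(rule: Rule, flow: Flow) -> bool:
    if rule.source == "*":
        return True
    if rule.source in ("VirtualNetwork", "AzureLoadBalancer", "Internet"):
        return flow.src_tag == rule.source
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source, strict=False)


def evaluate(rules: List[Rule], flow: Flow) -> Rule:
    """The first match in ascending priority order decides; nothing after it is consulted."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (source_matches(rule, flow)
                and rule.dest_port in ("*", str(flow.dest_port))
                and rule.protocol in ("*", flow.protocol)):
            return rule
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# The rule created in the walkthrough, with a constructed administrative CIDR block as source.
LINUX_NSG_INBOUND = DEFAULT_INBOUND + [
    Rule("AllowCidrBlockSSHInbound", 100, "198.51.100.0/24", "22", "Tcp", "Allow"),
]


def verdict(src_ip: str, dest_port: int, protocol: str = "Tcp") -> str:
    rule = evaluate(LINUX_NSG_INBOUND, classify(src_ip, dest_port, protocol))
    return f"{rule.access} ({rule.name})"


if __name__ == "__main__":
    print(verdict("198.51.100.20", 22))   # management host inside the allowed block
    print(verdict("203.0.113.9", 22))     # SSH from elsewhere on the Internet
    print(verdict("10.1.4.7", 5432))      # another VM in the same virtual network
```

Because the SSH rule sits at priority 100, it is consulted before DenyAllInBound at 65500, so SSH from the allowed block is admitted and processing stops there; SSH from any other Internet source falls through to the deny rule. Note that the UDP variant of port 22 also falls through, since the rule is protocol-specific, and that a VNet source is admitted on any port by AllowVnetInBound before the deny rule is reached.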
Proxy Servers
A proxy server can either be a specialized hardware appliance that is designed for network security and would include proxy options or it could be a software type of firewall solution where you might install proxy server software on a host that has two or more network cards installed in it; whether it's a physical server or a virtual server, it doesn't make a difference.
But there are forward proxies and there are reverse proxies. So, we need to define exactly how those work, to know when to use which of the two.
Proxy servers are known as OSI layer 7 firewall devices; the application layer of the OSI model. This is because not only can a proxy server examine packet headers, but the proxy server can also examine the packet payload, the data, which is what pushes it up to layer 7.
So a proxy server, as we've mentioned, is configured with two or more network interfaces. The reason for this is that one network interface would normally connect to an internal network, whereas the second network interface connects to an external network, such as a public-facing or Internet-connected network.
Technicians need to disable IP routing on the proxy device. We don’t want routing to occur at the IP level between network interfaces because at the IP level layer 3, there is no authentication.
The whole point of a proxy server is we want to at least have the option of forcing people to authenticate before the proxy server will go out and get content on their behalf. Now, I’m really talking about a forward proxy, but that’s the most common form.
So, a proxy server can fetch content for users and it can cache that fetched content to speed up subsequent requests for that same content. Have you ever been to a public Wi-Fi hotspot, such as at a coffee shop in a public space of some kind, where you can connect to the Wi-Fi network? But until you either sign in or accept the terms of use, you cannot get to the Internet. So, you’ve got an IP level connection, but you can't get through the proxy server. And that's because IP routing should be disabled on the proxy and it requires you to either agree to terms of use or sign in.
So, forward or transparent proxies: now, those are not the same thing necessarily. A forward proxy as per our diagram means that we have internal clients that request Internet content from the proxy server. Now, of course, to the end user, they don't know that. All they know is they’re trying to get to something on the Internet. But in the background, that request is being sent to the proxy server, which goes out and fetches it from Internet content servers. As we know, the proxy might be configured to cache that content.
Now, transparent proxy: a transparent proxy means that there is no special proxy software or configuration done in any way on the client. Well then, how does it know who the proxy server is? It's the default gateway of that client. Normally the default gateway in your TCP/IP settings points to your router, your way out. Well, that's also true with the transparent forward proxy.
However, as I’ve mentioned, a forward and transparent proxy, those are not synonyms, because you could be using a forward proxy server, but if it's not configured on the client as a transparent proxy through the default gateway, it means you install some kind of proxy client software or use the built in OS configuration settings to point to the proxy in those settings. So, there are a couple of variations on that.
Now, what’s the benefit of doing this? Sounds like a lot of work. You're protecting the true identity of internal clients, for starters. Secondly, the proxy server can regulate who gets out to the Internet; who does not. It can even enforce user sign in, time of day allowances for certain content. It might use whitelists for traffic or sites that are allowed to be visited versus blacklists for known malicious DNS domains or sites. So, there’s a lot you can do in a proxy, way beyond what you could through a simple router or a NAT forwarder.
So, as we know, a proxy server can be configured to require user login, unlike a standard router which has no concept of that because it only runs at layer 3 of the OSI model; proxy is applied at layer 7.
We said it can enforce date and time restrictions on certain types of content, for example, allowing users to access social media only during lunch break.
And we know, it can use, allow or deny URL lists.
But a reverse proxy is also an important type of configuration. As it implies, it’s the opposite of what we talked about with the forward. But that’s not enough. We have to go through some details. In this example in our diagram, notice on the far right, what we have is a back-end HTTP server. Let’s say that that’s a public website hosted on that back-end server. Now, the reason we’re calling it a back-end server is because it’s on the same network as the private network interface for the proxy server. It is not connected directly to the Internet or anything like that.
But the proxy server would have a second network interface, that’s the left part of our diagram where external clients such as on the Internet could make connection requests to the HTTP website. So, the external clients think the web server is the proxy server as far as they know it is. But in reality, when that connection request gets to the proxy, the proxy in turn hands it off to an internal back-end HTTP server.
All of the features we’ve talked about like, requiring user login at the proxy level; date and time restrictions; and so on, apply to reverse proxies, as they do to forward. But there's no concept with a reverse proxy of a transparent proxy or configuring proxy client software as there would be with forward proxies.
The placement of the proxy server, of course, is always going to be relevant as it would be with any type of firewall solution. And a proxy server is a form or a type of firewall.
In our diagram, in the bottom left, we’ve got the internal network; we have the Internet on the far right. Now the idea is, our firewall appliance could also be configured as a reverse proxy, or the reverse proxy could be a separate host. Either configuration would be valid. But what we could do is have requests for our screened subnet services. So, a WWW or a web server, an SMTP mail server, a DNS query server. Those would be on the screened subnet because we want them publicly reachable.
But we could add a reverse proxy to add another layer of security, so the clients would be connecting to the reverse proxy; they would know that, which in turn would make the back-end connection to those servers.
Deploying the Squid Proxy Server
So, we’re going to be configuring this as a forward proxy, which means that internal clients on a protected network can request Internet content that will be fetched by the intermediary forward proxy server. That means that either the proxy server has the same IP as the default gateway (a transparent proxy), or we configure the identity of the proxy on client devices, such as the IP address or the DNS name and the proxy listening port number.
The benefit here is we are hiding the true internal identity of clients, and so clients are never really going out and touching anything on the Internet, the proxy server is. [Video description begins] A page with the main command: cblackwell@Ubuntu2:~$ is displayed. [Video description ends]
The first thing I'll do here is run sudo apt update to make sure my package repository listings are up-to-date; I want to make sure I’m installing the latest version of the Squid proxy server here on Ubuntu Linux. [Video description begins] The clear command is given. [Video description ends]
So, then I can run sudo apt install squid. It asks, Do you want to continue? It's going to need a little bit of disk space. Of course, we want to do this so I’ll type in the letter y and I’ll press enter. It’s pretty small, so you won’t be waiting very long for squid to get installed. [Video description begins] The clear command is given. [Video description ends]
The next thing we’ll do is take a peek at the configuration file. So, sudo nano, we will use the nano text editor, /etc/squid/squid.conf. Now, this is a pretty big configuration file. There’s a lot of stuff in here. So, there’s a little mention here of the documentation and that’s always important unless you work with Squid all the time and you've committed most of the settings to memory.
Either way, as I keep going down through here, notice that we've got a lot of things that are commented out. They might be shown here because they are a default setting.
But we can press Control W to search for something specific, if we have a sense of what we want to look for. I’m going to look for http_access as I know this is a setting that is important here. So, I’ll come across this statement for http_access allow localhost, which means that from the proxy server itself it will be able to make connections out to the Internet.
We can also allow our local network http_access allow localnet which is commented out. I can remove the hashtag or the pound symbol to turn that on, to allow browsing through the proxy server from anywhere on the local network that the Squid proxy is on. We'll take a look at that in a minute.
If I do a search for http_port, we’d come across the default listening port number for the Squid proxy, 3128. We need to know this so that if we are configuring clients to go through the proxy server, we know the port number. We would also need to know the IP address of course, or the DNS name.
Further down, I will come across entries starting with acl localnet Here we can define our specific local network range that we are using, the default private reserved IP addressing such as the 10s, the 172s, the 192s are here, as well as some standard local network addresses in terms of prefixes for IPv6. So remember, we are allowing browsing through the forward proxy from localnet. Well, here are the various definitions of what that is.
All right, I’ll press Control X, save modified buffer y for yes and we'll save that file. [Video description begins] The clear command is given. [Video description ends]
Let’s now run sudo ufw app list Because we’ve installed the Squid proxy server, it will show up here as a configurable item by name for the firewall, [Video description begins] The name Squid is highlighted. [Video description ends] the uncomplicated firewall.
So, if I’m not using any other firewall solutions for this host, I could use the uncomplicated firewall where I could run things like sudo ufw allow and in single quotes ‘Squid’. So, in other words, we want to allow traffic to port 3128.
We could also then run sudo service squid status. Is the squid server up and running or is it not? If it is running, it will show as active (running) and it will be listening on port 3128. I’ll press Q to get out of there, so we know squid is up and running. Now, here at the Squid server, [Video description begins] The clear command is given. [Video description ends] I can run ip a to get its IP address, in this case 10.0.0.10. Remember, this is going to be important from a client configuration standpoint along with port 3128. [Video description begins] The command clear is given. [Video description ends]
Now, let’s go and test this out. I’m doing it from the same server, from the Squid proxy itself. But I could also do it from another host, on one of the listed allowed networks.
The way I’m going to test this is by using the curl command to reach out and try to access a URL, but I’m going to use --proxy as a parameter and for the value of that parameter, I will put localhost because I am at the server, then :3127. We know this is incorrect. The true port is 3128. What I would like us to see is both what happens when we try to go through a nonexistent proxy and then see that it works correctly when we have the right address.
And then, we’ll just try to open up, let’s say, www.google.com. So, go through the proxy, open up the Google web page, enter. Of course, it’s going to say Failed to connect. There is nothing listening on localhost port 3127, so Connection refused. Perfect. That's great. Let's bring that same command back up with the up arrow key in our command history.
But let's change 3127 to the correct port. Let’s put in 3128 because we know that’s what Squid is listening on by default. [Video description begins] The command curl --proxy localhost:3128 www.google.com is newly brought in. [Video description ends] Now, let’s try to get to Google by going through the proxy. Oh yeah, this looks great already. If we kind of scroll back up to the returned HTTP output; so, this is all HTML, notice that we have indeed successfully connected to the Google homepage through the forward proxy server, in this case, through Squid.
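To see why uncommenting http_access allow localnet matters, here is an added example (not Squid's code) that parses the subset of squid.conf touched above and replays Squid's first-match http_access evaluation for a client address; the config excerpt and client addresses are constructed.

```python
"""Simulate Squid's http_access decision for a client address.

Added example, not part of Squid: handles only 'acl NAME src ...',
'http_access allow|deny ACL...' (all listed ACLs must match, '!' negates)
and 'http_port'. Like Squid, the first matching http_access line decides.
"""
import ipaddress

# Constructed excerpt modelled on the Ubuntu default squid.conf, with the
# 'http_access allow localnet' line still commented out.
SQUID_CONF_DEFAULT = """
acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
acl localnet src 172.16.0.0/12  # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localhost src 127.0.0.1/32 ::1
#http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
"""


def parse_squid_conf(text):
    """Return (acls, http_access rules in order, listening port)."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules, port = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and commented-out lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
        elif parts[0] == "http_port" and len(parts) >= 2:
            port = int(parts[1])
    return acls, rules, port


def acl_matches(acls, name, client_ip):
    """True if client_ip falls in one of the ACL's networks ('!' inverts)."""
    negate = name.startswith("!")
    nets = acls.get(name.lstrip("!"), [])
    hit = any(n.version == client_ip.version and client_ip in n for n in nets)
    return hit != negate


def http_access_decision(conf_text, client):
    """Return 'allow' or 'deny' for a client, following Squid's ordering rules."""
    acls, rules, _ = parse_squid_conf(conf_text)
    client_ip = ipaddress.ip_address(client)
    if not rules:
        return "deny"  # Squid denies everything when no http_access lines exist
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip) for n in names):
            return action  # first matching line wins
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def enable_localnet(conf_text):
    """Apply the one edit from the walkthrough: uncomment the localnet line."""
    return conf_text.replace("#http_access allow localnet", "http_access allow localnet")


if __name__ == "__main__":
    for label, conf in (("default", SQUID_CONF_DEFAULT), ("localnet enabled", enable_localnet(SQUID_CONF_DEFAULT))):
        for client in ("127.0.0.1", "10.0.0.5", "192.168.1.20", "203.0.113.9"):
            print(f"{label:17} {client:13} -> {http_access_decision(conf, client)}")
```

With the default file only 127.0.0.1 (the curl test run on the proxy itself) gets through; a LAN client at 10.0.0.5 is denied until the localnet line is uncommented, while an Internet address is denied either way.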
Intrusion Detection and Prevention
One important aspect of security is detection. This is such a big deal, and it leads us into incident response.
So, detecting intrusions; in order for this to happen in a timely fashion, in other words, we need to be able to detect things ideally before they become network breaches or sensitive data breaches of some kind on a host. So, we need a way to centrally ingest and analyze data.
Now, that data would be network traffic from various network segments, and log events from host operating systems and the apps running on those hosts. But we need to filter out the noise. You can't just have everything sent to technicians and expect them to manually go through it. It's not realistic on a larger scale.
So, we need to configure our ingestion and analysis tools to reduce false positives. Now, the tools we’re talking about are Security Information and Event Management (SIEM) tools; centralized threat hunting types of tools. And you can configure these types of tools such that you determine what constitutes an alarm worthy of notifying technicians or invoking an automated incident response, maybe through a playbook.
So, these tools will seek out indicators of compromise before they become big problems. But often that will require a level of configuration by technicians initially to determine what is a normal baseline of network performance, host performance, whatever the case is, in the given environment; that’s going to be unique.
Now, intrusion detection can happen at the host level with host-based intrusion detection; it’s specific normally to activity on a host, whether it’s mail messaging, whether it’s app usage. So, phishing campaigns can be detected potentially, malware can be detected even from the insertion of removable media, or that might even be completely prohibited.
Even physical access to a device in some cases can be detected if things are tampered with, such as storage appliances.
Software vulnerabilities can be discovered at the host level through periodic vulnerability scans.
At the network level, intrusion detection might take a peek at unauthorized network access. Well, to know what's unauthorized, we first have to define what is authorized. You can't define abnormal until you know what normal is.
So, it comes back to the baseline again. Intrusion detection can most certainly and easily detect that port scans are occurring over the network, especially if they’re incremental port scans going through common port numbers; whether that comes from the outside or stems from internally, it might not be normal on a given network.
Intrusion detection could even involve the detection of devices that weren't on the network previously, like rogue wireless access points or APs; whether that’s been put in place by a malicious user, or an employee simply decided they were going to plug-in an extra Wi-Fi router they have for their office area. Either way, it's a security problem.
So, therefore, an intrusion detection system, an IDS can be host-based, where it’s called an HIDS, which might include features such as file integrity monitoring, to detect tampering; app and user behavior analytics to determine what's abnormal or suspicious.
Network-based intrusion detection systems are called NIDS, which will include different sensors, which can be software agents running on different hosts throughout the network, or they can be dedicated physical devices that plug into the network; analyzing network traffic, looking for suspicious activity; even using a wireless intrusion detection system, or a WIDS looking for suspicious activity when connecting to a wireless network. So, that’s intrusion detection.
Intrusion prevention systems or IPSes have the same capabilities as intrusion detection systems in their host and network forms, but they can also additionally take steps to block attacks such as, blocking specific DNS names or blocking IP addresses to prevent connections from certain hosts or locations; also supporting things like blackhole routing.
So, if it appears that there’s some kind of a distributed denial-of-service attack, routing that traffic such that it gets discarded almost immediately, such as incrementing the time-to-live, the TTL field in the IP header to its max value.
Pictured on the screen, we have a screenshot of a sample Snort IDS rule configuration. [Video description begins] A screenshot is displayed. At the top far left is GNU nano 5.3, and in the center the file name /etc/snort/rules/local.rules* is indicated. [Video description ends] We’ll be looking at Snort in a demo later. But Snort is a free open-source intrusion detection tool that runs on multiple platforms. Here, it’s running on Linux and we’re looking at a Snort rule file where we will get an alert if there is ICMP traffic from any location going to our home network; we're going to generate a message that says testing ICMP.
Now this, of course, might be something that gets forwarded to a central logging or threat hunting tool. It would just be yet another data source to feed into those types of systems.
Finally, we have a diagram for intrusion detection and prevention so that we can think about placement. In the bottom left, we’ve got an internal potential target machine on an internal network. Now, technicians on that internal network might configure a switch port that they are plugged into, to copy all switch port traffic, so they could run network analysis tools and see all traffic on the switch, not just their own, which is the default behavior.
Now, an attacker out on the Internet, to the far upper right of our diagram, might be able to infiltrate through the exterior firewall to the screened subnet and beyond that, even to the interior firewall. This is where we might have a network-based intrusion detection system or a NIDS with alert notifications configured, so that, if we have traffic that appears to have initiated from the Internet and by correlating various logged events, over a short period of time, we might determine that indeed it is a connection that started from the outside, then we might be able to notify technicians or if it's an intrusion prevention system, take steps to block it from further infiltration.
Configuring the Snort IDS
So, an intrusion detection system of course, is designed to be listening to whatever it's configured to listen to, such as a particular network segment, looking for suspicious activity.
Snort has thousands upon thousands of types of suspicious activity it can detect on the network through its rule files. There are community files that you can download with all of these updated suspicious things to look for on the network that might indicate a distributed denial-of-service attack or anything else.
The first thing I'll do here [Video description begins] A page with the main command cblackwell@Ubuntu2:~$ is displayed. [Video description ends] on Ubuntu Linux is to make sure with sudo apt update that my package repository lists are updated. You always want to do that before you install something. [Video description begins] The clear command is given. [Video description ends]
And then, I’m going to run sudo apt install snort. I know that the package is called Snort. It’s asking me Do you want to continue? Of course, we do. So, I’ll type in the letter y for yes and we’ll get Snort installed here. [Video description begins] A page titled Configuring snort is displayed. [Video description ends]
Here, there’s a message about which network interfaces we can use for Snort; even having a network interface that doesn’t have IP configured but is configured in promiscuous mode, which means, it’s listening to everything on the network.
Now, in a switched network environment, you want to make sure that the network switch port that the Snort host is connected to is configured with port mirroring, meaning all traffic on all other switch ports is being copied to this one, so Snort can see it all; or in the cloud, make sure you place this correctly, so it sees all network traffic, perhaps as being part of the route out to the Internet.
I’ll just tab down to okay and press enter. It asks the Interface(s) on which Snort should listen on: It detected eth0. So, that’s fine.
So, after specifying the eth0 interface, Snort is now configured. Here, in my web browser, I’ve navigated to snort.org [Video description begins] The snort.org page is displayed with several navigation buttons on the top that includes Documents, Downloads, Products, Community, and more. On the left hand side of the page three options are found: Get Started, Download Rules, Documents. [Video description ends] where one of the important options here is the ability to download rule files. [Video description begins] The Download Rules option is clicked which brings to the page titled Rules. On the top of this page these options are found: Community, Registered, Subscription. Under the Community field these options are listed: Snort v3.0, Documentation, and more. [Video description ends]
So, the Snort v3.0 community rules file; we can download this, extract it, and then put the files in the correct place. [Video description begins] The URL snort3-community-rules.tar.gz is highlighted. [Video description ends] By the way, what is that correct place? Let's go take a look.
I’m going to type change directory, cd /etc/snort/rules. And I’ll clear the screen and type ls.
Notice we have a number of community rules here, checking for things like bots that would be infected computers that are talking to a command and control server, denial-of-service, exploits, weird ftp activity, checking for any access to pornography on a network, checking for indicators of viruses on the network, or web attacks.
This is absolute gold. Just for fun, let’s take a look at the community-bot.rules file. Let’s open that up in nano: sudo nano community-bot.rules.
If we look through one of those alert rules, it's looking for content in a transmission that would include things like bot.execute or bot.nick and so on. I'll press Ctrl X to get out of there.
Let’s take a look at another one. Maybe not community-bot; how about virus.rules? In the detail, it’s looking for suspicious file names as content that are being sent. And if we go back and look at the beginning of the rule, this is traffic destined for an external network on port number 25, which is SMTP. So, you can customize these rules and download community rules; there are some installed by default, but it's an important notion to be aware of when it comes to working with Snort. Control X to get out of there.
I’m now going to run sudo nano /etc/snort/rules/local.rules, the file where I can configure my own rules. Here, I’ve added a line that says alert icmp, so we’re looking at the Internet Control Message Protocol. This is going to be traffic from anywhere, from any port, destined for the value of our home net on any port number; we define the home net variable in the global Snort configuration file. And basically, if it's ICMP traffic, we’re just going to report a test message that says Testing ICMP. So, I’ll press Control X to get out of there and I’ll save it. [Video description begins] The command clear is given. [Video description ends]
The next thing I can do is test my rule configuration with sudo snort -T for test and -c where I’m going to tell it my main config file is /etc/snort/snort.conf. That's where you would define variables such as home net and their values.
I'll press enter. Okay. Snort successfully validated our configuration. Excellent. So, now we can run it for real. We would do that by running [Video description begins] The command clear is given. [Video description ends] sudo snort -A console, so alert output goes to the console, that’s the local screen here on my Linux host; -i for interface, let’s say that will be eth0; -c for config, of course, the config file /etc/snort/snort.conf; enter.
Okay, it’s running. So, as we get traffic related to what any of those rule files identifies as being suspicious, it will be shown here and of course ultimately logged.
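To show how the local.rules ICMP line and a virus.rules-style SMTP rule are actually applied to traffic, here is an added example (not Snort's code) implementing the small subset of the Snort rule language used above; the $HOME_NET value, the second rule, its sid values and the packet samples are constructed.

```python
"""Minimal Snort-style rule matcher (added example, not part of Snort).

Supports the rule header (action, protocol, source/destination with 'any',
$HOME_NET, $EXTERNAL_NET or a CIDR, ports, '->' or '<>') and the msg,
content and nocase options. Snort's real engine does far more.
"""
import ipaddress
import re

# Would come from snort.conf; constructed value for this example.
HOME_NET = [ipaddress.ip_network("10.0.0.0/24")]

# First rule mirrors the local.rules test line from the walkthrough; the
# second is modelled on virus.rules entries (file name as content, to SMTP).
RULES = r'''
alert icmp any any -> $HOME_NET any (msg:"Testing ICMP"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Suspicious attachment name"; content:"invoice.exe"; nocase; sid:1000002; rev:1;)
'''

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rules(text):
    """Parse rule lines into dicts; options become a key -> value map."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        options = {}
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')  # nocase -> ""
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dir": direction, "dst": dst, "dport": dport, "opts": options})
    return rules


def addr_matches(spec, ip):
    """Resolve 'any', $HOME_NET, $EXTERNAL_NET (= not HOME_NET) or a CIDR."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    in_home = any(ip in n for n in HOME_NET)
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = in_home
    elif spec == "$EXTERNAL_NET":
        hit = not in_home
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule, pkt):
    """pkt: proto, src, dst, sport/dport (None for ICMP), payload bytes."""
    if rule["proto"] != pkt["proto"]:
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])

    def one_way(a, ap, b, bp):
        return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))

    hit = one_way(src, pkt["sport"], dst, pkt["dport"])
    if rule["dir"] == "<>" and not hit:  # bidirectional rules match either way
        hit = one_way(dst, pkt["dport"], src, pkt["sport"])
    content = rule["opts"].get("content")
    if hit and content is not None:
        hay, needle = pkt["payload"], content.encode()
        if "nocase" in rule["opts"]:
            hay, needle = hay.lower(), needle.lower()
        hit = needle in hay
    return hit


def alerts_for(packets, rule_text=RULES):
    """Per packet, the msg of each rule that fires (what -A console would print)."""
    rules = parse_rules(rule_text)
    return [[r["opts"]["msg"] for r in rules if rule_matches(r, p)] for p in packets]


# Constructed traffic samples (RFC 5737 documentation addresses for the outside).
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "203.0.113.9", "dst": "10.0.0.10", "sport": None, "dport": None, "payload": b""},
    {"proto": "icmp", "src": "10.0.0.10", "dst": "203.0.113.9", "sport": None, "dport": None, "payload": b""},
    {"proto": "tcp", "src": "10.0.0.25", "dst": "198.51.100.7", "sport": 50312, "dport": 25,
     "payload": b'Content-Disposition: attachment; filename="INVOICE.EXE"'},
    {"proto": "tcp", "src": "10.0.0.25", "dst": "198.51.100.7", "sport": 50313, "dport": 443, "payload": b"invoice.exe"},
]

if __name__ == "__main__":
    for pkt, msgs in zip(SAMPLE_PACKETS, alerts_for(SAMPLE_PACKETS)):
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], msgs or "(no alert)")
```

Only the inbound ping to the home network and the outbound SMTP message carrying the suspicious file name fire; the reply ping leaving the home network and the same file name on port 443 do not, which is exactly the direction and port logic the rule headers encode.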
The power with intrusion detection configurations like this also comes from, having all of this logged information sent to a central logging host, to a SIEM system which is designed for further analysis and perhaps even automated incident response.