InfoSec

Firewalls: Rules? A Guide with Examples

Rules are meant to be broken… as long as it’s not my rules

Signs representing a lot of rules

Introduction

Previously, we’ve talked about what firewalls are and what types of firewalls exist. This time, I want to dig into what kinds of rules these firewalls have that make them work as the last post in my Firewall miniseries.


Basic Firewall Rules and Configurations

For some of these rules examples, I’m going to include one way to declare each rule using iptables, which is available as a very simple host-based firewall on Linux system. (The Wikipedia summary is that iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules). I chose to use examples this way because it is indicative of the general thought process that is used to create these kinds of rules, even if the syntax can vary. This isn’t an iptables tutorial and a total and proper implementation for each example might contain other commands, as well.

Other examples are more complicated and aren’t really suited for iptables and I give some simplified examples for other products in the marketplace that meet the challenge.

IP Address-Based Rules

  • Example Rule: Deny all traffic from external IP 142.250.189.174 to any IP within the network.
  • Use Case: This rule is useful when you want to block specific external threats known by their IP addresses.
  • Simple Implementation: sudo iptables -A INPUT -s 142.250.189.174 -j DROP
  • Implementation Explanation: sudo executes the command as a super user (Administrative permissions). iptables is the Linux command utility program. -A INPUT explains that this is a rule for inbound packets. -s 142.250.189.174 means that this rule applies to packets coming from the source (the -s) of 142.250.189.174. -j DROP means that the result will jump (-j) to the DROP action, meaning the packet will not be passed along to the rest of the system.

Port-Based Rules

  • Example Rule: Allow TCP traffic only on port 443 (HTTPS).
  • Use Case: Ideal for web servers that should only communicate via web traffic ports.
  • Simple Implementation: sudo iptables -A INPUT -p tcp –dport 443 -j ACCEPT && sudo iptables -A OUTPUT -p tcp –dport 443 -j ACCEPT
  • Implementation Explanation: We covered sudo iptables -A INPUT and -j ACCEPT above. The -p tcp means that this rule applies to the protocol (-p) of TCP and destination port (–dport) of 443. && just allows us to put two Linux commands in one line. Then the only difference in the second command is that we’re making a rule to allow outbound traffic as well as inbound traffic (-A OUTPUT).

Protocol-Specific Rules

  • Example Rule: Allow ICMP (Internet Control Message Protocol) for internal network devices only.
  • Use Case: Useful for allowing internal network testing and diagnostics while blocking potential external pings or other ICMP-based attacks.
  • Simple Implementation: sudo iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT && iptables -A INPUT -p icmp -j DROP
  • Implementation Explanation: In this case, our source (-s) is given as a subnet. You’d put whatever subnet represents your internal network (this is a shorthand way to represent every possible IP address that can exist on a network). The protocol (-p) is icmp and we will jump (-j) to ACCEPT. Again, we && to put two commands together and then create another rule that drops all other ICMP packets. It is important that these rules are included in this order or else the broad DROP will execute first before the limited ACCEPT rule is considered.

Stateful Inspection Rules

  • Example Rule: Allow outgoing traffic on any port but restrict incoming traffic to responses to established connections only.
  • Use Case: This is common for businesses that want to ensure outbound traffic is unobstructed while maintaining tight control over incoming requests.
  • Simple Implementation: access-list YOUR_ACL_NAME extended permit tcp any any established
  • Implementation Explanation: This rule is using a Cisco ASA, which has stateful firewall capabilities. In this case, this rule assumes you already have an access list (here represented by YOUR_ACL_NAME) and you address the access-list named YOUR_ACL_NAME and extended (rather than standard) will filter traffic on multiple criteria. In this case, we are allowing (permit) tcp traffic from any address to any address as long as it was already established.

Time-Based Rules

  • Example Rule: Blocking all inbound traffic during non-business hours.
  • Use Case: For organizations that want to limit access during off-hours for security purposes.
  • Simple Implementation: It’s complicated 😉
  • Implementation Explanation: There are a few ways to do this. One way is to run cron jobs (scheduled jobs) on your Linux server that add and remove iptables rules at the appropriate times. Other firewalls, like pfSense Plus and OPNsense make it easy through an interface. Here are the steps to do this in OPNsense:
    1. Define a Schedule: First, go to “Firewall” then “Schedules” in OPNsense. Create a new schedule and define the time periods (8 am to 5 pm) and the days of the week (Monday to Friday).
    2. Create Firewall Rule: Next, create a firewall rule under “Firewall” > “Rules” and select the interface where the rule should apply. Configure the rule to match your desired traffic (e.g., set the action to “Pass” for allowing traffic).
    3. Apply the Schedule to the Rule: In the rule settings, you will find an option to apply the schedule. Select the schedule you created in the first step.
    4. Activate and Test the Rule: After saving the rule, it will become active according to the schedule. It’s important to test the rule to ensure it behaves as expected during the specified times.

Configuring Your Firewall

Applying rules in a firewall is often very easy. You can see that the commands aren’t very long and UIs can make even complex rules creatable in a minute. However, defining and configuring your firewall rules correctly is very complicated. It is important that the rules are applied in the right order (“deny all traffic” needs to be the last rule applied, after the few approvals that you add for traffic you want, for instance). It is also important that your rules fit your business and your needs. Certain companies might need to allow traffic over port 22 (ssh). Some of those companies might allow free connections to the port, while others might “IP Whitelist” and only allow certain locations to connect. Other companies might allow the default RDP port of 3389, while other companies that have no Windows Servers would never need that port opened. The team defining these setups must understand the entire organization’s needs in order to lock the network down correctly. It is a razor’s edge: too strict and the company could not function effectively, too permissive and the company could be vulnerable to intrusion by threat actors. But here are the 30,000ft view of the steps that the team would undertake to configure a firewall.

  1. Identifying Network Requirements: Understanding what services and traffic are necessary for your network.
  2. Defining Clear Security Policies: Knowing what your organization’s security policies are in terms of what should be allowed or blocked.
  3. Implementing and Testing Rules: Gradually implementing rules and testing them to ensure they don’t disrupt legitimate traffic.
  4. Regular Updates and Monitoring: Keeping the firewall rules updated according to the evolving network needs and security landscape.

Whew, that’s a lot. If you’re new to this entire idea and reading this from a beginner’s point of view, I hope that I didn’t make this super confusing. I am hoping that by seeing these scenarios and beginning to “think in firewall logic” that you’ll begin to understand more fully the roles that firewalls play and how someone would begin to think about setting them up. It definitely has more in common with “who can come into my clubhouse?” than stupid scenes in movies where say ridiculous statements like “our firewall is at 19%”.

InfoSec

Firewalls: How Many Kinds Can There Be?

A graphic representing different types of firewallsIn the realm of network security, firewalls play a crucial role in protecting our digital assets from various threats. Whether you’re a budding IT professional or just curious about how network security works, it’s essential to understand the different types of firewalls and how they function. This blog aims to demystify these critical security components without oversimplifying or using buzzwords.

What is a Firewall?

We covered this last time, but – as a refresher – at its core a firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Essentially, it acts as a barrier between your internal network and external sources, such as the internet, to block malicious traffic like viruses and hackers.

Types of Firewalls

1. Hardware Firewalls

Hardware firewalls are physical devices that sit between your network and the gateway to the outside world (typically your internet connection). They are especially useful in protecting entire networks. Think of them as a first line of defense; they filter traffic before it reaches individual computers on a network. Examples include broadband routers and enterprise-level devices that offer more robust features.

2. Software Firewalls

Software firewalls, on the other hand, are installed directly on individual computers or servers. They offer more granular control at the device level. This type of firewall is particularly useful for controlling the outgoing traffic, as it can restrict which applications on your computer can access the internet. However, they require more maintenance and are only as secure as the host device.

3. Next-Generation Firewalls (NGFW)

Next-Generation Firewalls are a step above traditional firewalls. They integrate additional features such as encrypted traffic inspection, intrusion prevention systems, and the ability to identify and block sophisticated attacks. NGFWs are more intelligent in their filtering and can make decisions based on applications, users, and content rather than just IP addresses.

4. Web Application Firewalls (WAF)

Web Application Firewalls are specifically designed to protect web applications by monitoring and filtering HTTP traffic between a web application and the Internet. They are particularly effective in preventing web-based attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning.

Choosing the Right Firewall

Selecting the right type of firewall depends on your specific needs:

  • For home networks or small businesses, a hardware firewall, often combined with a software firewall on individual devices, can offer sufficient protection.
  • Larger organizations with more complex needs might opt for NGFWs due to their advanced features and ability to handle larger volumes of traffic.
  • If you’re running a website or web application, a WAF is essential to protect against web-specific attacks.

Conclusion

In today’s landscape, understanding the various types of firewalls is fundamental for anyone interested in network security. From hardware firewalls that protect entire networks to NGFWs and WAFs that offer advanced features for complex and specific needs, the right firewall can act as a formidable barrier against cyber threats. Remember, the effectiveness of a firewall depends not only on its type but also on proper configuration and maintenance. Stay informed and stay secure.

InfoSec

Firewalls: Huh, What?

Image representing a firewall using a lock and circuits. In today’s world, security is more than just locking your doors; it’s about safeguarding your presence online. Firewalls serve as the first line of defense in network security, but what exactly are they, and why are they crucial for both servers and personal devices like laptops and desktops? Let’s delve into the world of firewalls and understand their role in protecting our privacy.

What Are Firewalls?

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. It’s like a bouncer for your network, meticulously checking the credentials of every packet of data that attempts to enter or leave.

Firewalls can be hardware-based, software-based, or a combination of both. Hardware firewalls are physical devices that act as a gate between your network and the outside world, while software firewalls are programs installed on individual devices that control traffic through port numbers and applications.

The Importance of Firewalls on Servers

Servers are the heavy lifters in the realm of computing. They manage, store, and send critical data, making them a prime target for cyber attacks. A firewall on a server acts as the first barrier against these threats. It filters out unauthorized access attempts and malicious traffic that could compromise the server’s integrity. For businesses, this means protecting not just their operational backbone but also their customer data from breaches.

Why Personal Devices Need Firewalls

While servers are like the bank vaults of data, personal devices are the wallets. They may not hold the same quantity of data, but the quality and sensitivity of the information can be just as significant. A firewall on your laptop or desktop is essential because:

  • It protects your device from unauthorized access.
  • It shields your personal information from malicious entities.
  • It helps prevent malware and viruses, which can spread to other devices on the same network.

In simple terms, having a firewall is a basic yet powerful way to ensure that your personal – often sensitive – information remains confidential and intact.

Do Mobile Phones Need Firewalls?

Mobile phones are a unique case. They are constantly connected to the internet and contain a wealth of personal information. Modern smartphones operate with a default set of security measures, including app-based permissions and in-built traffic management, which act like rudimentary firewalls.

However, the question of whether you need an additional firewall for your mobile device depends on your use case. For the average user, the in-built security measures, along with careful app management, should suffice. But for those using their phones as business tools or who store sensitive data, a dedicated mobile firewall app can add an extra layer of security.

To Firewall or Not to Firewall?

The answer is simple: Yes, firewall away. The internet is an open sea of information where data pirates abound. A firewall is your trusty vessel keeping you afloat and away from unwanted boarders. Whether it’s on a server maintaining critical data, a laptop storing your personal memories, or a mobile phone with access to your digital identity, the features of firewalls are an essential component of digital security.

Remember, in the vast digital landscape, a firewall is your best watchdog, standing guard between your secrets and privacy in the ever-evolving threats of the cyber world.

Stay safe, stay secure, and let firewalls be one of the first lines of defense in your digital security.

InfoSec

Information Security Threats: DOS and DDOS

A flood overwhelming a dam
As part of this series on information security, we’ve been talking about the types of threats. We covered types of malware, types of phishing, and today we’re going to cover the types of denial of service attacks.

In our modern world where everything is connected to the Internet, the threat of cyber attacks looms large. Among the most disruptive of these are Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Let’s delve into what these attacks are and how they work.

What is a DoS Attack?

A Denial of Service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DoS attacks achieve effectiveness by using a single internet-connected device, like one computer, to flood a target with requests until normal traffic is unable to be processed.

The Mechanics Behind a DoS Attack

  1. Exploiting Vulnerabilities: The attacker finds a vulnerability in a target system that can be exploited. This could be as simple as a web server that crashes under too many requests.
  2. Flood of Requests: Once the vulnerability is identified, the attacker sends a large number of requests to the server, more than it can handle. Think of a mailbox that is too stuffed with letters that no new ones can be delivered.
  3. Service Disruption: As a result, the server is unable to handle legitimate requests, leading to denial-of-service to regular users.

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack is a more complex, powerful version of the DoS attack. Here, the attack is launched from multiple compromised devices, often distributed globally. These networks of compromised devices are known as botnets.

Understanding DDoS Attacks

  1. Building a Botnet: Attackers infect multiple devices with malware, turning them into bots. These devices can range from computers to IoT devices. You might think that you’re safe because “who would want your information?”. The truth is that your computer, computing power, and bandwidth are still a pretty valuable commodity.
  2. Coordinated Attack: The attacker then uses this botnet to send a massive number of requests to the target simultaneously.
  3. Magnified Impact: The distributed nature of this attack makes it more difficult to stop since it comes from multiple sources and can generate more traffic than a single source. Stopping it isn’t as simple as blocking an IP Address or IP Range.

The Implications of DoS and DDoS Attacks

The impact of these attacks can be extensive. Businesses can experience service disruptions, financial losses, and damage to their reputation. In severe cases, critical online services like banking, healthcare, or government services can be affected.

Protecting Against DoS and DDoS Attacks

  • Robust Infrastructure: Organizations should invest in robust server infrastructure that can handle high traffic volumes.
  • Security Measures: Implement security measures like firewalls – including next-generation firewalls (NGFW) – and intrusion detection systems (IDS) to identify and mitigate attacks.
  • Monitor Traffic: Regular monitoring of network traffic can help in early detection of unusual patterns that signify an attack.
  • Response Plan: Have a clear response plan in place to quickly address and mitigate the impact of an attack.

Aside from Ransomware, DoS and DDoS attacks represent some of the most significant threats to network environments today. They are capable of bringing down websites and other services. Understanding these attacks is the first step in defending against them and it is crucial for individuals and organizations alike to be aware of these threats and to take proactive measures to protect their digital assets.

InfoSec

Information Security Threats: Phishing, Whaling, etc

Cartoon Representing PhishingPhishing has become a household term in recent years, and for good reason. There are news stories about it, mandatory corporate training to keep you from falling for it, and it still remains prevalent and a fruitful ways for the “bad guys” to succeed. So what is phishing? Phishing represents a range of techniques used by cybercriminals to deceive individuals into divulging sensitive information. Phishing now comes in many forms. And just like every political scandal gets -gate added as a suffix because of Watergate (Gamergate, Chinagate, Emailgate, Russiagate, etc), each of these forms of phishing gets the -ishing suffix. Clever, right?

Phishing: Your Inbox is the Battleground

The OG, Phishing is the most common form of cyber deceit. It involves sending mass emails that appear to come from reputable sources, such as banks or popular websites, with the goal of stealing sensitive data like login credentials or credit card numbers. These emails often create a sense of urgency, prompting you to act quickly with the hope that you won’t do your due diligence. Typically, the sender will appear to come from a safe domain, but will be just wrong. Some common examples are things like goolge.com instead of google.com or gimletrnedia.com instead of gimletmedia.com. Even if they don’t try to make the email sender look legit, the form you get sent you might be for a domain that is set up with those tactics. Another trick is to have a very long domain like secure.google.com.hacker.co/blah/blah/etc.php and people might only notice the “google.com” portion instead of noticing the actual domain is “hacker.co”. These people will make exact duplicates of a Google, Microsoft, Amazon, or bank login screen and then steal your credentials. Where possible, the smart ones will even pass those credentials on and get you logged into the site so you’re none the wiser.

Protection Tip: Always verify the sender’s email address and be wary of emails that demand immediate action. Legitimate organizations won’t ask for sensitive information via email.

Spear Phishing: Targeted Attacks

Spear phishing is a more targeted version of phishing, so named because the same tactics are used as phishing except that the target is very deliberate. This is the difference between dropping a fishing line in a water to catch “any fish that swims by” vs spear fishing and jabbing a spear into the water to catch “this exact fish”. With Spear Phishing, the attacker personalizes the email to fit the recipient – using your name, job title, or other personal information – making the fraudulent communication seem more credible. Often, these emails might even seem to come from a higher-up in the company and they need you to wire money to a vendor urgently, or review this document immediately (behind a phishing lure).

Protection Tip: Be cautious with the amount of personal information you share online. Regularly update your privacy settings on social media and professional platforms. Open Source Intelligence (OSINT) is the key way that attackers learn this information about you to make it seem like they know you or already are in your organization.

Whaling: Going After the Big Fish

We’re keeping the metaphor going here with Whaling. Traditionally, whaling is done with harpoons (and what are harpoons but basically large spears?!?). Whaling attacks are Spear Phishing attacks that specifically target high-profile individuals like CEOs or CFOs. The emails mimic critical business communications, often involving legal or financial matters, to trick the victim into transferring funds or revealing sensitive corporate information.

Protection Tip: High-ranking individuals should be extra vigilant. Double-check the source of unexpected requests and verify through direct, secure communication channels. If possible, have the IT department put extra protection around the email accounts of key figures. Many business email providers offer this protection (Microsoft Defender for Email offers Priority Account Protection, for instance).

Vishing: The Voice of Deception

Now we’ve stopped being clever and have ventured into the “Russiagate” level of naming and have lost the metaphor and instead heading for the land of portmanteaus. Vishing, or voice phishing, involves phone calls instead of emails. The caller impersonates a trusted authority to extract personal information or financial details. If users aren’t trained well or if your organization doesn’t have the right protocols around verifying a caller, this can be an easy way to get too much information. I’ve done this myself when one of my accounts with a retailer was used without authorization. I called up and couldn’t get an answer, but I was able to get a few things from the phone agent that they didn’t mind sharing. Then I called back and had my original information plus this other information and the person on the other end of the line assumed I was okay to know more about the transaction because I knew so much already, so I must be okay. Attackers especially skilled in building trust and using social manipulation can move mountains this way.

Protection Tip: Be skeptical of unsolicited phone calls. If in doubt, hang up and contact the organization directly using an official number.

Smishing: SMS-Based Scams

Another portmanteau, Smishing is like phishing but carried out through SMS text messages. These messages may contain malicious links or request personal information. You have probably received these recently. USPS wants to tell you you have a package that can’t be delivered. The IRS wants to talk to you about your huge overdue tax bill. Your bank wants to confirm your information. None of this is something that would happen or be communicated this way unexpectedly. Never respond to a text link, but instead go to the actual site and login. Any legitimate messages for you will be there when you arrive. If you’re still in doubt, call the company using a phone number from their verified web page or a trusted directory and confirm the message. Otherwise, you’re asking for trouble.

Protection Tip: Avoid clicking on links in text messages from unknown sources. Install a reputable security app on your phone to filter out potential scams.

In the current world of online threats, knowledge and familiarity is your best defense. By understanding these tactics and adopting cautious online behaviors, you can significantly reduce the risk of falling victim to these increasingly sophisticated scams. Remember, cybersecurity is a continuous process. Regularly updating your software, using strong, unique passwords, and being mindful of the information you share online are crucial steps in protecting yourself and your data.

Stay informed, stay skeptical, and stay safe.