One of the most common network security devices out there is a firewall. Now, we've talked about firewalls briefly up to this point, but in this video, we're really going to dive deeper into firewalls to really understand the types of firewalls that are out there and how they operate. Now, when we look at firewalls, they use a set of rules to define the types of traffic that are going to be permitted or denied through that device. They basically act as a barrier to our networks. These can be either software-based or hardware-based, and they can be virtual or physical devices. They can also be on the host or on the network, depending on whether they're a host-based firewall or a network-based firewall. It really depends on your implementation, but they're all going to work in pretty much the same way. The other thing that a firewall can do for you, especially a physical one that's sitting at the edge of your network, is to perform your network address translation, or NAT, or if you're using port address translation, PAT, it can do that for you, too. That way you can use one public IP and many private IPs.
The first type of firewall we're going to talk about is called a packet-filtering firewall. These packet-filtering firewalls are going to permit or deny traffic based on a packet's header, so they have to access that packet and look at the header for the source or destination IP and the source or destination port. It's then going to look at each of those packets individually and make a decision whether to permit or deny each one based on the access control list inside the firewall. So here on the screen, I have an access control list, and this access control list has "100 deny ip any". Now, what does that mean? It means that any IP traffic is going to be denied if it meets this rule. 100 is the line number, deny is the action, IP is the protocol, and any is the address the rule is applied against. So in this case, we have an interface, Fa 1/0, with "IP group 100 in", and what that's saying is we're going to apply this to any incoming traffic.
Now, in the case of this one, if we have traffic coming in from the internet, like an HTTP reply, then it's going to get blocked, because nothing is allowed in, because we have a deny any statement here. Even though the request was able to go out, because that's outbound, anything coming back in is going to be blocked, because we have an inbound deny rule. That's the bad thing about packet-filtering firewalls. They work just based on the rulesets, and so if I have an allow any going out but a deny any coming in, nothing's really going to work for us. Now, this is because they're all based off the ACL, and they're only based on the port or IP addresses. In this case, we've blocked any port on any IP that's trying to make its way into our networks. That wouldn't make for a very effective firewall if we wanted to be able to enable any kind of two-way communications. Now, the second type of firewall we have is what's called a stateful firewall, and they're going to inspect your traffic as part of a session. So let's take the example here on the screen.
I'm sitting at PC one, and I make an SSH connection out to the server on the internet. That is session one. Now, the server can then reply to me with that SSH traffic, and the firewall's going to let it in. Why? Because I opened the firewall by making the request. I put the request out, it now expects a reply to come back, and it's going to forward that to me. But if a second SSH server tried to come back and create its own session, the firewall is going to deny it. That's because this firewall can keep track of the fact that I made the initial request, and I'm only going to get an answer to my request. Anything else is going to be blocked. Now, you can see how this is a lot more beneficial than a packet-filtering firewall, because it's not just going to let anything in or out; it's going to keep track of what's been requested and only let those things in. With a packet-filtering firewall, I would've had to let everything in for SSH or everything out. It's either all or nothing.
But in this case, we can keep track of these sessions and get much more specific granularity over what's going on and what's going to be allowed and denied. This is what people are taking advantage of when they're doing a phishing attack to exploit your networks, because they know that most people are using session-based firewalls, and so if I can send you an email and you click that link, what you just did was request a session, and that firewall is going to open up the port, letting that request out and the reply back into your network, and that's why they're trying to do that. That is the bad thing about a stateful firewall. If you have users who are doing the wrong things, the firewall is going to let them through because they're making those requests, and since they requested it, it's going to let the bad stuff come back in.
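The two behaviours described above (the "deny any inbound" packet filter that blocks every reply, and the stateful firewall that admits only replies to sessions an inside host opened, including the reply to a clicked link) can be shown side by side in a small simulation. This is an added example, not code from the video or from any firewall product; the hosts, ports and packets are constructed, and the session table is keyed on the simplest possible four-tuple as an assumption, not on how any real firewall stores state.

```python
# Added example: a stateless "deny ip any" inbound filter versus a stateful
# firewall that remembers outbound sessions. All addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving our network, "in" = arriving from the internet


def packet_filter(pkt: Packet) -> bool:
    """Stateless filter from the transcript: permit anything outbound,
    'deny ip any' inbound. Each packet is judged on its own header only."""
    return pkt.direction == "out"


class StatefulFirewall:
    """Permits outbound requests, records them as sessions, and admits an
    inbound packet only when it is the reply leg of a recorded session."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port), an assumed key shape
        self.sessions: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self.sessions


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {packet name: (packet-filter verdict, stateful verdict)}."""
    pc1 = "10.0.0.10"                       # constructed inside host (PC one)
    server1, server2 = "203.0.113.5", "203.0.113.9"   # constructed SSH servers
    phish_site = "198.51.100.7"             # constructed site behind a phishing link
    packets = [
        ("ssh request", Packet(pc1, 50000, server1, 22, "out")),   # session one
        ("ssh reply", Packet(server1, 22, pc1, 50000, "in")),      # answer to session one
        ("second server", Packet(server2, 22, pc1, 50001, "in")),  # no session, unsolicited
        ("link click", Packet(pc1, 50002, phish_site, 443, "out")),
        ("click reply", Packet(phish_site, 443, pc1, 50002, "in")),
    ]
    fw = StatefulFirewall()
    return {name: (packet_filter(p), fw.check(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} packet filter={stateless!s:5s} stateful={stateful}")
```

The "click reply" row is the point the transcript makes about phishing: from the session table's point of view the reply to a clicked link is indistinguishable from the SSH reply the user wanted, so the stateful firewall admits both. That is why the decision about what users are allowed to request has to be made by another control (rules on the outbound side, or the content inspection discussed later), not by state tracking alone.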
Now, we can combine the ACLs and the permit and deny statements of packet-filtering firewalls with a stateful firewall's capabilities, and this can give us a really good security device; most modern firewalls will support both of those things, and that's how they're going to work. The next type of firewall we have is known as a next-generation or next-gen firewall. These are also abbreviated as NGFW. Unlike stateful and stateless packet-filtering firewalls that operate at layer four and below, these third-generation firewalls can conduct what's known as deep packet inspection, or DPI. This allows them to do full-on packet filtering. They're going to operate in layers five, six, and seven of the OSI model, where they can get really in-depth information and understand what those packets contain and whether it's bad for our networks or not. Now, these can also be referred to as a web application firewall if they're specific to a web server, or more generally, they're just called next-gen firewalls.
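To make the layer-four versus layer-seven distinction concrete, here is an added example (not from the video, and not how any particular NGFW implements DPI) that decides the same packet twice: once on the destination port alone, the way a packet filter or stateful firewall would, and once by reading the payload to check that traffic on the web port is actually an HTTP request. The payloads are constructed, and the request-line check is a deliberately minimal stand-in for real protocol decoding.

```python
# Added example: port-only decision versus a payload check, to show what
# "operating at layers five to seven" adds. Sample payloads are constructed.
import re

# A valid HTTP/1.x request starts with "<METHOD> <target> HTTP/1.x\r\n".
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def layer4_decision(dst_port: int) -> bool:
    """Layer-4 view: port 80 is 'web', so permit it; nothing else is looked at."""
    return dst_port == 80


def layer7_decision(dst_port: int, payload: bytes) -> bool:
    """DPI view: the port must be permitted AND the payload must really be HTTP.
    A non-HTTP protocol sent to port 80 is refused even though the port matches."""
    if not layer4_decision(dst_port):
        return False
    return HTTP_REQUEST_LINE.match(payload) is not None


# Constructed samples: a genuine web request, a non-HTTP protocol banner sent
# to the web port, and a telnet negotiation on its own port.
SAMPLES = {
    "web": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "non_http_on_80": (80, b"SSH-2.0-ExampleBanner\r\n"),
    "telnet": (23, b"\xff\xfb\x01"),
}


def compare(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Return {sample name: (layer-4 verdict, layer-7 verdict)}."""
    return {name: (layer4_decision(port), layer7_decision(port, data))
            for name, (port, data) in samples.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare().items():
        print(f"{name:15s} layer4={l4!s:5s} layer7={l7}")
```

The "non_http_on_80" row is the case the transcript is getting at: the header says port 80, so a layer-four device permits it, while a device that understands what the packet contains can see that it is not web traffic and deny it.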
If they're for your entire network, they're going to be of great use to you, because they're going to inspect all of the web traffic coming in and out and really understand what is going in and out of your network. Then, they can dig in and choose whether to allow it or deny it based on specific rulesets that you give it. When we talk about ACLs, or access control lists, what exactly are they? Well, an ACL is simply a set of rules that are typically assigned to a router interface or a firewall, and it's going to permit or deny certain traffic based on its IP address, its MAC address, or its port, depending on what device you're dealing with. If you're dealing with a switch, it's going to be based off your MAC address. If you're dealing with a router, it's usually based off your IP address. If you're dealing with a firewall, it's going to be based off your IP address or your port. Now, the ACLs are going to do this based on your source IP, your destination IP, your source port, your destination port, your source MAC, or your destination MAC.
Now, you can choose any or all of these to be the criteria you want based on your ruleset. So here's an example on the screen. I have three different access control list entries. The first column is going to be permit or deny. Now, the protocol you're using, whether it's TCP or UDP, is our second column, and the next column we have is our source IP, and this can signify any, a specific IP that we want, or a range of IPs. Then we have a destination IP, and again, this can be any IP, a specific client, or an entire range, depending on what you want. Then we have our destination port, and here we have things like WWW for port 80, SSH for port 22, and telnet for port 23. You're getting the idea here, right? We're going to be able to decide what we're going to allow and what we're going to deny. So in our case, we have this group on serial interface 1/0 that's going to be applied in the inbound direction. We're going to apply these rules, which are going to permit port 80 web traffic to come in.
It's also going to permit SSH, or port 22, to come in as well, but it's going to deny port 23, or telnet traffic, from coming in. Now, this is the way you can deal with ACLs. For your Network+ exam, you should be able to read an ACL just like I did here on the screen, but you don't need to come up with it by yourself for the exam and be able to create your own ACLs. Now, the last type of device I want to mention here is called a UTM, or a unified threat management system. Now, these have been gaining a lot of popularity in recent years, and this is a device that's going to combine your firewall, your router, intrusion detection and intrusion prevention systems, any anti-malware solutions you have, and other security devices all into a single device that's placed on your network. This is generally considered a border device, and it really is the next generation of next-generation firewall. Now, there's an agent that's running on your internal clients, and they can be queried by the UTM before allowing any connection to the network.
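Reading an ACL the way the transcript does (action, protocol, source, destination, destination port, entries checked in order, first match wins) is easy to mechanise, and doing so makes the implicit deny at the end visible. The following is an added example, not from the video and not a vendor's ACL syntax: it parses entries written in a simplified "permit|deny proto src dst [eq port]" form, where src and dst are "any", a host address or a CIDR range (CIDR is assumed here in place of wildcard masks), and evaluates packets against the three inbound entries from the screen. The sample addresses are constructed.

```python
# Added example: a small evaluator for ACL entries of the form
#   permit|deny tcp|udp <src> <dst> [eq <port>]
# Entries are checked top-down; the first match decides; nothing matching
# falls through to an implicit deny. Addresses and packets are constructed.
import ipaddress

# Named ports the transcript mentions.
PORT_NAMES = {"www": 80, "http": 80, "ssh": 22, "telnet": 23}


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _net(token: str):
    """'any' matches everything; otherwise a host or CIDR range (assumed syntax)."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_entry(text: str) -> dict:
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACL entry: {text!r}")
    entry = {
        "action": tokens[0],
        "proto": tokens[1].lower(),
        "src": _net(tokens[2]),
        "dst": _net(tokens[3]),
        "dport": None,
    }
    if len(tokens) >= 6 and tokens[4] == "eq":
        entry["dport"] = _port(tokens[5])
    return entry


def evaluate(acl: list, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if the packet is permitted, False if denied (explicitly or implicitly)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry["proto"] != proto:
            continue
        if entry["src"] is not None and src not in entry["src"]:
            continue
        if entry["dst"] is not None and dst not in entry["dst"]:
            continue
        if entry["dport"] is not None and entry["dport"] != dst_port:
            continue
        return entry["action"] == "permit"   # first match wins
    return False                             # implicit deny at the end of every ACL


# The three entries shown on screen, applied inbound.
ACL_IN = [parse_entry(line) for line in (
    "permit tcp any any eq www",
    "permit tcp any any eq ssh",
    "deny tcp any any eq telnet",
)]

# The same list with a more specific entry placed first, to show why ordering
# and the source-range column matter: one outside range loses SSH, the rest keep it.
ACL_IN_RANGED = [parse_entry("deny tcp 198.51.100.0/24 any eq ssh")] + ACL_IN


def verdicts(acl: list, packets: list) -> list:
    """Evaluate a list of (proto, src_ip, dst_ip, dst_port) tuples."""
    return [evaluate(acl, *p) for p in packets]


if __name__ == "__main__":
    inside = "10.0.0.5"   # constructed inside host
    for proto, port in (("tcp", 80), ("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 80)):
        print(proto, port, "permit" if evaluate(ACL_IN, proto, "198.51.100.20", inside, port) else "deny")
```

Note that the explicit "deny ... eq telnet" entry changes nothing about the outcome, since port 23 would fall through to the implicit deny anyway; it is there to make the intent readable, which is exactly the skill the transcript says the exam tests. The 443 and UDP cases show the implicit deny doing its work on traffic the three visible entries never mention.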
They can also serve a NAC, or network authentication and network authorization, function prior to allowing any new devices onto your network as well. Now, these unified threat managers can be purchased as a physical device to be installed in your networks, or they could be a virtualized device, and there are even cloud solutions out there with UTMs, too. If you're using a cloud solution, you'll just route all your traffic to this cloud service provider, they'll do all the security for you, and then they'll route your traffic out to the internet. Because of this, UTMs are really expanding in popularity, and you're going to see them more and more in networks because they have these always-on, always-updated signatures with the latest threat information and the latest threat intelligence that provides you additional security for your networks, more so than a firewall alone could do for you.