WEBVTT

00:00.000 --> 00:01.424
>> When we think
about firewalls,

00:01.424 --> 00:03.450
the first thing we should
think about is security.

00:03.450 --> 00:06.225
I think that's probably
true for most folks.

00:06.225 --> 00:07.920
What we want to think about

00:07.920 --> 00:09.960
firewalls is their
purpose is to isolate

00:09.960 --> 00:11.460
the network or to divide

00:11.460 --> 00:14.055
the network into
different security zones.

00:14.055 --> 00:16.095
We talk about security zones.

00:16.095 --> 00:18.180
The idea should be
based on trust.

00:18.180 --> 00:20.820
For instance, our
local area network,

00:20.820 --> 00:23.144
our internal network, our LAN,

00:23.144 --> 00:24.915
that's our most trusted network.

00:24.915 --> 00:27.735
I control the systems
that are in the LAN.

00:27.735 --> 00:29.639
I create the security policy,

00:29.639 --> 00:31.665
I provide the
authentication rules,

00:31.665 --> 00:32.870
that's my network,

00:32.870 --> 00:34.435
so I trust my network.

00:34.435 --> 00:37.600
Now, the ultimate untrusted
would be the Internet.

00:37.600 --> 00:40.025
Of course, in the middle,

00:40.025 --> 00:42.500
many organizations have
what's referred to as

00:42.500 --> 00:45.400
a DMZ, a demilitarized zone.

00:45.400 --> 00:47.630
That DMZ is usually
considered to be

00:47.630 --> 00:49.520
semi-trusted because even though

00:49.520 --> 00:51.440
it's under my ownership
and management,

00:51.440 --> 00:53.210
I'm going to allow
the general public

00:53.210 --> 00:54.800
to access the network.

00:54.800 --> 00:56.960
That's where my servers
that I want to be

00:56.960 --> 00:59.150
publicly available
are going to go.

00:59.150 --> 01:01.445
For instance, my webserver.

01:01.445 --> 01:02.810
I want the public to come to

01:02.810 --> 01:05.360
my webserver because
I want their money.

01:05.360 --> 01:07.910
Come visit my site,
come spend your money.

01:07.910 --> 01:09.410
When we talk about isolating

01:09.410 --> 01:10.715
these networks from each other,

01:10.715 --> 01:13.100
we're going to use
a firewall to do so.

01:13.100 --> 01:14.960
That firewall is going to filter

01:14.960 --> 01:16.965
traffic based on a ruleset.

01:16.965 --> 01:19.940
We talk about that as
rule-based access control

01:19.940 --> 01:21.470
to determine what traffic should

01:21.470 --> 01:23.825
be allowed between networks.

01:23.825 --> 01:26.210
This is just a
little illustration

01:26.210 --> 01:28.114
of a DMZ conceptually,

01:28.114 --> 01:30.680
we have the
untrusted Internet going

01:30.680 --> 01:33.230
through an external
firewall into the DMZ,

01:33.230 --> 01:35.180
then we go through
an internal firewall

01:35.180 --> 01:37.235
to access the trusted LAN.

01:37.235 --> 01:38.600
This is why it's sometimes

01:38.600 --> 01:40.460
referred to as a
screened subnet.

01:40.460 --> 01:42.290
It's often because the DMZ is

01:42.290 --> 01:44.375
between two screening devices.

01:44.375 --> 01:47.150
Even if you don't have
devices in the DMZ,

01:47.150 --> 01:49.130
sometimes it's still
set up to provide

01:49.130 --> 01:52.550
a buffer between the Internet
and the trusted LAN.

01:52.550 --> 01:55.955
The servers that you have
in your DMZ like I said,

01:55.955 --> 01:58.045
you're likely to have
the webserver there.

01:58.045 --> 02:00.320
Because your web
server is in the DMZ,

02:00.320 --> 02:03.290
you're going to have a web
application firewall there.

02:03.290 --> 02:05.450
You always put your firewalls
that are specific for

02:05.450 --> 02:08.435
applications beside the device
that they're protecting.

02:08.435 --> 02:11.705
Web application firewall
protects a web server.

02:11.705 --> 02:14.105
Those both would
go in your DMZ.

02:14.105 --> 02:15.980
You could also have a honeypot,

02:15.980 --> 02:18.845
which is a decoy to
distract attackers.

02:18.845 --> 02:21.590
You might have an
intrusion detection system

02:21.590 --> 02:24.620
in there to analyze
for malicious activities.

02:24.620 --> 02:26.540
You're going to have
several different

02:26.540 --> 02:28.045
devices in your DMZ.

02:28.045 --> 02:30.260
All these devices
should be hardened.

02:30.260 --> 02:32.060
When we talk about
those servers that are

02:32.060 --> 02:34.715
Internet-facing and the
fact that they're hardened,

02:34.715 --> 02:37.370
we refer to those
as bastion hosts.

02:37.370 --> 02:39.070
We want to make sure that
they're locked down.

02:39.070 --> 02:40.910
They don't have any
extra services or

02:40.910 --> 02:44.210
devices or any extra ports open.

02:44.210 --> 02:47.720
We want those to be hardened
as much as possible.

02:47.720 --> 02:50.660
Again, firewalls are designed to

02:50.660 --> 02:53.015
provide filtering
between zones of trust.

02:53.015 --> 02:55.910
Firewalls can either be
software or hardware-based.

02:55.910 --> 02:57.770
That's always a strange idea

02:57.770 --> 02:59.975
because software is no
good without hardware,

02:59.975 --> 03:01.160
and hardware is no good

03:01.160 --> 03:03.284
without software,
but the idea is,

03:03.284 --> 03:04.730
I can buy a software product

03:04.730 --> 03:06.620
like pfSense and the name of

03:06.620 --> 03:08.615
LAN and install it
on a Linux machine

03:08.615 --> 03:10.970
and turn that Linux
machine into a firewall.

03:10.970 --> 03:13.210
It makes it a firewall
as a software,

03:13.210 --> 03:14.930
or I can go out and I can buy

03:14.930 --> 03:17.074
an ASA firewall from Cisco.

03:17.074 --> 03:19.355
That box is nothing
but a firewall.

03:19.355 --> 03:21.500
Sometimes it's called
an appliance.

03:21.500 --> 03:23.540
It might be called a
black-box firewall,

03:23.540 --> 03:24.920
but the idea is that the device

03:24.920 --> 03:26.645
is nothing but a firewall.

03:26.645 --> 03:28.805
That'll be hardware-based.

03:28.805 --> 03:30.245
As a general rule,

03:30.245 --> 03:31.820
you're going to get
better protection,

03:31.820 --> 03:34.475
better performance from your
hardware-based solutions.

03:34.475 --> 03:35.780
As a general rule,

03:35.780 --> 03:38.600
your software-based solutions
will be much cheaper.

03:38.600 --> 03:39.620
Really, it depends on what

03:39.620 --> 03:42.900
your priorities are
in this instance.

03:43.460 --> 03:46.670
Different firewalls operate
at different layers

03:46.670 --> 03:47.990
of the OSI model.

03:47.990 --> 03:50.375
You really have three
layers of firewalls.

03:50.375 --> 03:52.025
You have a layer three firewall,

03:52.025 --> 03:53.450
a layer five firewall,

03:53.450 --> 03:54.850
and a layer seven.

03:54.850 --> 03:57.080
Down at layer three,
the network layer,

03:57.080 --> 03:59.210
if you think about what
happens down at layer three,

03:59.210 --> 04:01.150
you have IP addressing.

04:01.150 --> 04:02.430
One of the things that

04:02.430 --> 04:04.254
a layer three firewall
can inspect for,

04:04.254 --> 04:06.950
is source and
destination IP address.

04:06.950 --> 04:09.290
It can also peek just a
little bit into layer

04:09.290 --> 04:11.120
four headers and make decisions

04:11.120 --> 04:13.505
based on source and
destination port.

04:13.505 --> 04:15.994
That sounds like that's
pretty good inspection,

04:15.994 --> 04:18.275
but it's actually
very, very broad.

04:18.275 --> 04:20.875
It's almost too broad
to be really useful.

04:20.875 --> 04:22.325
Let's say, for instance,

04:22.325 --> 04:24.530
I'm concerned about SYN flood,

04:24.530 --> 04:27.440
which is an exploit
of the TCP protocol.

04:27.440 --> 04:31.010
A layer 3 firewall is really
just an all-or-nothing.

04:31.010 --> 04:33.605
I don't get to block
misbehaving TCP.

04:33.605 --> 04:36.725
I can block all the
TCP traffic or none.

04:36.725 --> 04:39.275
You can really see
that's really overkill.

04:39.275 --> 04:41.750
Especially because all
the network services

04:41.750 --> 04:44.150
and applications
need TCP to run.

04:44.150 --> 04:46.895
If you were to block
TCP at your firewall,

04:46.895 --> 04:49.580
you'd have almost no traffic
at all coming through.

04:49.580 --> 04:51.805
This doesn't get
really particular.

04:51.805 --> 04:54.530
I can't just block
floods or just block

04:54.530 --> 04:57.430
SYN packets that don't
have an ACK or a SYN-ACK.

04:57.430 --> 04:59.920
I can't get into details here.

04:59.920 --> 05:02.750
Often these layer three
firewalls are really just

05:02.750 --> 05:05.960
routers with access control
lists configured on them.

05:05.960 --> 05:08.810
I can create very basic
access control lists

05:08.810 --> 05:10.940
on my router or turn them

05:10.940 --> 05:12.350
into what we referred to as

05:12.350 --> 05:13.370
a packet filtering

05:13.370 --> 05:16.404
or a static packet
filtering firewall.

05:16.404 --> 05:18.920
This is usually your
screening router that

05:18.920 --> 05:21.725
is the first point of entry
into your network.

05:21.725 --> 05:24.275
These devices act
like a bouncer.

05:24.275 --> 05:25.550
Their job is to keep what's

05:25.550 --> 05:27.800
obviously riffraff
off your network.

05:27.800 --> 05:30.600
Traffic coming through port 161,

05:30.600 --> 05:33.785
nope, we're not allowing
SNMP traffic coming through.

05:33.785 --> 05:35.430
Traffic on port 53,

05:35.430 --> 05:37.290
nope, we don't have a DNS.

05:37.290 --> 05:39.675
Malformed packet,
get out of here.

05:39.675 --> 05:42.125
At layer three, what
you get is very basic,

05:42.125 --> 05:43.640
very much all or nothing packet

05:43.640 --> 05:46.005
filtering. It has its place.

05:46.005 --> 05:48.530
You don't want every single
type of traffic directed at

05:48.530 --> 05:51.475
your network to go through
deep packet inspection.

05:51.475 --> 05:53.990
What you get down at
layer three is you get

05:53.990 --> 05:57.270
fast but very broad
packet filtering.

05:57.730 --> 06:00.200
As we go up the OSI model,

06:00.200 --> 06:02.345
we get a little bit
more understanding.

06:02.345 --> 06:03.920
We get a little bit
more knowledgeable

06:03.920 --> 06:05.530
with the layer 5 firewall.

06:05.530 --> 06:08.450
These are sometimes referred
to as stateful filtering.

06:08.450 --> 06:10.115
With stateful filters,

06:10.115 --> 06:12.920
those firewalls understand
the state of the connection.

06:12.920 --> 06:15.850
By that, I mean things like
who initiated the session.

06:15.850 --> 06:17.720
For instance, maybe I don't

06:17.720 --> 06:19.910
want traffic coming in
that wasn't solicited.

06:19.910 --> 06:21.800
If I send out a DNS query,

06:21.800 --> 06:23.180
then I want the DNS to reply

06:23.180 --> 06:24.620
to come through the firewall.

06:24.620 --> 06:26.660
But if there was no DNS query,

06:26.660 --> 06:28.115
I don't want a response.

06:28.115 --> 06:30.155
I don't want a reply
coming through.

06:30.155 --> 06:31.490
You don't get that degree of

06:31.490 --> 06:33.230
intelligence down
at layer three,

06:33.230 --> 06:34.550
you're just looking
at source and

06:34.550 --> 06:36.365
destination, IP and port.

06:36.365 --> 06:37.850
But at layer five,

06:37.850 --> 06:39.200
you can get information on who

06:39.200 --> 06:40.940
initiated the session and allow

06:40.940 --> 06:42.890
traffic back based
on the criteria.

06:42.890 --> 06:44.659
That's very helpful.

06:44.659 --> 06:47.299
Also, you generally
get an understanding

06:47.299 --> 06:49.700
of the lower-layer
protocols at layer five.

06:49.700 --> 06:52.160
You can look a little
bit at syntax and for

06:52.160 --> 06:55.070
protocols that aren't behaving
according to their RFC.

06:55.070 --> 06:58.680
Sometimes you can get that
understanding at layer five.

06:58.880 --> 07:02.645
Where you really get the
smarts is up at layer seven.

07:02.645 --> 07:04.910
These are application firewalls.

07:04.910 --> 07:07.295
They're sometimes
called proxy servers.

07:07.295 --> 07:09.755
You can hear them called
application firewalls,

07:09.755 --> 07:13.370
application proxies, but
they are at layer seven.

07:13.370 --> 07:14.990
These are the devices that give

07:14.990 --> 07:16.730
us deep packet inspection.

07:16.730 --> 07:18.080
They have understanding of

07:18.080 --> 07:19.970
the actual content
of the packet.

07:19.970 --> 07:22.660
If I want to block traffic
that has violent content,

07:22.660 --> 07:24.035
since salespeople after 5:00

07:24.035 --> 07:26.240
PM or between 8:00 and 5:00,

07:26.240 --> 07:28.370
I have a degree of
understanding and

07:28.370 --> 07:30.715
complexity at the
application layer.

07:30.715 --> 07:32.630
I get a great deal of
control when I'm

07:32.630 --> 07:34.895
using application layer proxies.

07:34.895 --> 07:37.295
The thing about the
application proxy is

07:37.295 --> 07:40.760
each proxy is focused on
a particular application.

07:40.760 --> 07:42.680
You have web proxies which are

07:42.680 --> 07:45.355
very comparable to web
application firewalls.

07:45.355 --> 07:47.370
They do pretty much
the same thing.

07:47.370 --> 07:51.595
They focus on HTTP
and HTTPS traffic.

07:51.595 --> 07:55.640
Anytime I'm concerned about
malformed HTTP headers or

07:55.640 --> 07:58.445
code injection or cross-site
scripting attacks

07:58.445 --> 08:00.590
that specifically
exploit a web server,

08:00.590 --> 08:02.330
then a web application firewall

08:02.330 --> 08:04.355
is going to be helpful for me.

08:04.355 --> 08:06.740
Again, because they're
up at layer seven

08:06.740 --> 08:08.090
of the OSI model, I

08:08.090 --> 08:09.530
get a much greater
understanding of

08:09.530 --> 08:11.465
the data and all the headers,

08:11.465 --> 08:13.940
as well as integration
with Active Directory,

08:13.940 --> 08:15.800
time content, and
a deep knowledge

08:15.800 --> 08:18.560
of specific
application protocol.

08:18.560 --> 08:21.380
When we are talking
about proxies and we

08:21.380 --> 08:23.540
said they do this deep
packet inspection,

08:23.540 --> 08:25.400
I also want to mention
there are both

08:25.400 --> 08:27.440
forward and reverse proxies.

08:27.440 --> 08:29.465
When we think about
a forward proxy,

08:29.465 --> 08:31.220
its job is to
inspect traffic from

08:31.220 --> 08:33.800
your internal network going
out into the Internet.

08:33.800 --> 08:35.420
From the inside out, and

08:35.420 --> 08:36.860
that's going to make
it so that way you can

08:36.860 --> 08:38.360
track and control what users

08:38.360 --> 08:40.475
do and view out on the Internet.

08:40.475 --> 08:42.560
There's also the reverse proxy,

08:42.560 --> 08:44.540
which is going to
control what users

08:44.540 --> 08:46.955
from the Internet can
do in your environment.

08:46.955 --> 08:48.650
Again, you're going to have

08:48.650 --> 08:50.390
a DMZ where you have
your web server

08:50.390 --> 08:51.950
configured and the
whole purpose of

08:51.950 --> 08:55.280
that web server is going
to be to share information.

08:55.280 --> 08:57.140
You're going to make folks from

08:57.140 --> 08:58.790
the Internet first send
their requests through

08:58.790 --> 09:01.985
your web proxy or your
web application firewall.

09:01.985 --> 09:05.490
That's going to be referred
to as a reverse proxy.

