WEBVTT

00:04.039 --> 00:06.510
>> In wrapping up
with firewalls,

00:06.510 --> 00:07.780
there are some best practices

00:07.780 --> 00:09.310
that we want to take to heart.

00:09.310 --> 00:10.900
One of the first things is to

00:10.900 --> 00:13.700
block unnecessary ICMP traffic.

00:13.700 --> 00:16.540
ICMP is a very exploited protocol.

00:16.540 --> 00:19.150
It's the protocol behind
ping entries for you,

00:19.150 --> 00:20.740
and really that has no business

00:20.740 --> 00:23.080
coming from outside
your network to inside.

00:23.080 --> 00:25.045
It just is too vulnerable,

00:25.045 --> 00:26.980
so we block ICMP.

00:26.980 --> 00:31.240
Also, we keep our access
control lists (ACLs) simple.

00:31.240 --> 00:32.530
When you're creating
rules that

00:32.530 --> 00:33.775
say block this traffic,

00:33.775 --> 00:34.930
allow this traffic,

00:34.930 --> 00:36.730
you can get very confused
the more that you

00:36.730 --> 00:39.385
have, with the way these
can be prioritized.

00:39.385 --> 00:42.400
You may wind up allowing
access that you didn't intend,

00:42.400 --> 00:44.080
or blocking access
that you didn't

00:44.080 --> 00:46.610
intend. Keep the list simple.

00:46.610 --> 00:49.565
Firewalls should have an
implicit deny, meaning

00:49.565 --> 00:51.530
unless I explicitly grant

00:51.530 --> 00:54.185
access, then that access
should be denied.

00:54.185 --> 00:56.695
Block directed IP broadcasts.

00:56.695 --> 00:58.220
Don't allow someone outside your

00:58.220 --> 00:59.749
network to broadcast in.

00:59.749 --> 01:01.610
That's a directed broadcast.

01:01.610 --> 01:05.165
Next suggestion, perform
ingress and egress filtering.

01:05.165 --> 01:07.040
I don't just care
what's coming in.

01:07.040 --> 01:08.375
I care what's going out.

01:08.375 --> 01:10.220
If I'm seeing certain
types of traffic

01:10.220 --> 01:11.885
going out, like for instance,

01:11.885 --> 01:13.580
a public IP address coming from

01:13.580 --> 01:16.750
my internal network that tells
me something's going on.

01:16.750 --> 01:18.680
That may be an
indication that one of

01:18.680 --> 01:20.855
my internal clients
has malware and is

01:20.855 --> 01:22.580
perhaps being used
as a zombie to

01:22.580 --> 01:25.900
launch a downstream
denial of service attack.

01:25.900 --> 01:28.140
We watch traffic
coming in and out.

01:28.140 --> 01:30.565
We enable logging
on our firewalls.

01:30.565 --> 01:32.690
We also make sure that
fragmented packets

01:32.690 --> 01:33.800
don't come through.

01:33.800 --> 01:35.270
Those could cause damage,

01:35.270 --> 01:37.535
or, if it's possible
to reassemble them,

01:37.535 --> 01:39.220
that's a possible option.

01:39.220 --> 01:40.880
Ultimately, just keeping a

01:40.880 --> 01:42.500
secure-by-default
environment with

01:42.500 --> 01:43.850
our firewalls will go

01:43.850 --> 01:47.370
a long way towards
protecting our organization.

01:48.340 --> 01:50.900
Just a little review
here with our

01:50.900 --> 01:52.374
access control lists.

01:52.374 --> 01:54.200
We've already talked
about the significance

01:54.200 --> 01:55.895
of our access control lists.

01:55.895 --> 01:58.505
You can have these on
routers and on firewalls,

01:58.505 --> 02:00.650
but this is how we
create the rule set.

02:00.650 --> 02:02.510
Here we have an illustration.

02:02.510 --> 02:04.190
You've got various servers.

02:04.190 --> 02:06.500
You see their IP
addresses underneath.

02:06.500 --> 02:08.555
We've talked about
access control lists,

02:08.555 --> 02:10.550
and this is how you
build the rules to block

02:10.550 --> 02:12.950
or allow traffic coming through.

02:12.950 --> 02:15.530
But let's take a look at how
you would configure them.

02:15.530 --> 02:18.290
We have a series of tasks here.

02:18.290 --> 02:21.485
First, we want to allow
the accounting computers

02:21.485 --> 02:24.780
to have HTTP access only to
administrative Server 1.

02:24.780 --> 02:27.005
When we're creating
our firewall rules,

02:27.005 --> 02:28.655
we want to look at
source computer,

02:28.655 --> 02:30.185
the destination computer,

02:30.185 --> 02:32.470
and then we have to think
about the port number.

02:32.470 --> 02:35.085
Remember, we have
an implicit deny.

02:35.085 --> 02:37.395
All traffic is
denied by default.

02:37.395 --> 02:40.190
We have to create lists for
what we're going to allow.

02:40.190 --> 02:42.365
What we're going to see
is the source address

02:42.365 --> 02:47.735
10.18.255.10 with
the mask of 24 bits.

02:47.735 --> 02:49.805
This is the accounting computer,

02:49.805 --> 02:52.190
going towards the
destination computer,

02:52.190 --> 02:54.350
which should be the
administrative Server 1.

02:54.350 --> 02:56.285
It is port 443,

02:56.285 --> 02:58.880
because all we're allowing
is secure web traffic,

02:58.880 --> 03:01.990
and that's a TCP port and
we'll have to allow it.

03:01.990 --> 03:03.565
Essentially, what happens,

03:03.565 --> 03:05.480
is for each one of
these tasks we'll

03:05.480 --> 03:07.670
have to configure a
portion of the firewall.

03:07.670 --> 03:09.500
A lot of times this shows up on

03:09.500 --> 03:12.325
the exam as a setup
drop-down errors.

03:12.325 --> 03:14.330
Our next task is to allow

03:14.330 --> 03:18.110
the HR computer to communicate
with Server 2 over SCP,

03:18.110 --> 03:21.065
and SCP uses the port number 22.

03:21.065 --> 03:24.310
You can see the second
rule provides that access.

03:24.310 --> 03:26.960
The third is to allow
the IT computer to have

03:26.960 --> 03:29.765
access to the administrator
Server 1 and 2.

03:29.765 --> 03:32.015
That's accomplished by
creating two rules.

03:32.015 --> 03:33.560
We allow it to Server 1,

03:33.560 --> 03:35.180
we allow it to Server 2, and

03:35.180 --> 03:37.535
we've completed
our list of tasks.

03:37.535 --> 03:39.200
This may be comparable to

03:39.200 --> 03:41.135
something that you
would see on the exam.

03:41.135 --> 03:42.560
Just getting that flow for

03:42.560 --> 03:44.890
how firewalls work
will be helpful.

03:44.890 --> 03:47.975
You'll see lots of these
on the Security+ exam.

03:47.975 --> 03:49.610
Once again, make sure you know

03:49.610 --> 03:51.455
your ports because
without knowing them,

03:51.455 --> 03:52.640
you're not going to be able to

03:52.640 --> 03:55.050
complete these activities.

