WEBVTT

00:00.550 --> 00:05.410
When it comes to security a good network firewall isn't a good idea.

00:05.410 --> 00:06.820
It's a necessity.

00:06.820 --> 00:10.180
So in this episode what I want to do is cover network firewalls.

00:10.180 --> 00:17.740
Now keep in mind the Security+ exam is not going to ask you what steps do you go through to configure

00:17.740 --> 00:19.190
a Cisco firewall.

00:19.240 --> 00:24.960
But it is going to ask you conceptual questions on what are some of the big things we do with firewalls.

00:25.060 --> 00:32.020
So to do that I've actually got myself a Netgear cable modem firewall here. Now it's considered

00:32.020 --> 00:37.270
a SOHO, but it's actually a very high-end router with a built-in firewall.

00:37.400 --> 00:40.300
And I'm not even going to plug it into the Internet.

00:40.300 --> 00:42.890
We're just going to go ahead and set up the firewall on this.

00:43.030 --> 00:44.010
So it's graphical.

00:44.020 --> 00:46.650
But don't let the pretty graphics fool you.

00:46.660 --> 00:48.660
This is a powerful little system.

00:48.670 --> 00:54.160
So what I've got is I've got it plugged in and I've got a cable running into my desktop down here and

00:54.160 --> 00:57.700
here's my monitor keyboard and we're going to go ahead and configure this guy.

00:57.700 --> 01:03.400
So like most of these, they come by default with a fixed IP address, and in this particular case it's 192

01:03.510 --> 01:09.820
.168.0.1, which they're even nice enough to document on the bottom of this, with a built-in username and password

01:09.820 --> 01:14.360
that I've already gone ahead and changed. So to configure this particular guy,

01:14.500 --> 01:18.370
I'm just going to open up a web browser to 192.168.0.1.

01:18.430 --> 01:19.570
I've already logged in.

01:19.570 --> 01:21.050
So let's see what we need to do.

01:21.990 --> 01:29.070
Now if you take a look, it took me a while to find this, but the settings for most of the firewall are

01:29.070 --> 01:31.010
right here under security.

01:31.020 --> 01:36.090
We're also going to see that there's a few other settings in a little bit different place and we're

01:36.090 --> 01:37.930
going to talk about those in just a moment.

01:37.950 --> 01:43.740
The number one thing we need to talk about when we talk about firewalls are stateful versus stateless

01:43.740 --> 01:52.320
firewalls. A stateless firewall will go ahead and filter, it'll block stuff, no matter what the situation.

01:52.350 --> 01:57.590
If I set up a firewall to always block port 197, I don't know what that is,

01:57.750 --> 02:00.920
That is an example of a stateless firewall.

02:00.930 --> 02:06.510
So all of these rules that we set up: we can block based on IP address, we can block based on words that

02:06.510 --> 02:09.780
are coming in or out of a particular connection.

02:09.900 --> 02:17.640
We can block on time of day. So all of these types of blocks are going to be stateless firewall settings,

02:18.000 --> 02:24.500
and we store all of this information in a database, a file known as an access control list.

02:24.500 --> 02:30.330
Now access control lists appear all over the world of IT security, but they certainly show up in every

02:30.720 --> 02:32.460
firewall there is out there.

02:32.610 --> 02:38.550
Now also keep in mind as we go into this is that every one of these firewalls has a different screen.

02:38.700 --> 02:43.080
The information's always there but you're always having to poke around and figure out where the heck

02:43.080 --> 02:44.370
do I do one thing or another.

02:44.370 --> 02:49.310
So what we're going to do first of all we're going to set up some stateless settings in here.

02:49.380 --> 02:55.530
But then the other thing we're going to do is we're going to set up stateful settings. A stateful firewall

02:55.710 --> 03:02.310
doesn't really have an access control list per se. A stateful firewall looks at what's going on and then

03:02.310 --> 03:04.650
makes a decision on what it's going to do.

03:04.650 --> 03:11.100
For example, if we start getting a lot of pings coming into this system, it's going to go, hey, there is

03:11.160 --> 03:12.500
a lot of pings here.

03:12.540 --> 03:18.750
I'm going to start blocking pings. Or it will sit there and see that there's a bunch of command requests

03:18.750 --> 03:22.830
coming in for a particular web page and they're malformed.

03:22.830 --> 03:26.450
So he'll sit there and go, oh, are we getting too many packets now?

03:26.670 --> 03:29.460
And he'll go ahead and start blocking this stuff.

03:29.460 --> 03:34.930
So a stateful firewall is a much more complicated tool than a stateless firewall.

03:35.010 --> 03:42.270
In most of these little SOHO routers, they reduce it to little things like saying "disable port scanning"

03:42.270 --> 03:43.580
or something like that.

03:43.680 --> 03:48.750
And in that case what you're doing is actually turning on or off the stateful firewall. You know what?

03:48.750 --> 03:49.370
That's good.

03:49.380 --> 03:50.440
I've got the stateful stuff.

03:50.460 --> 03:51.510
Let's start with that.

03:53.750 --> 03:57.440
So if you take a look right here, and by golly, it was under WAN Setup.

03:57.440 --> 03:58.610
Who'd have thought.

03:58.610 --> 04:03.220
There's actually some settings on here for a stateful firewall.

04:03.230 --> 04:07.960
Number one, it says Disable IPv4 Firewall Protection.

04:08.120 --> 04:16.270
If I check this I'm in essence turning off the stateful firewall for that particular type of stuff.

04:16.300 --> 04:22.760
IPv4. You'll also notice that it has Disable Port Scan and Denial of Service Protection.

04:22.880 --> 04:27.530
If I check this I'm turning off that aspect of the stateful firewall.

04:27.650 --> 04:32.360
Now this one's actually kind of interesting because it actually has a very powerful stateful firewall

04:32.360 --> 04:32.790
built in.

04:32.810 --> 04:37.540
But it doesn't give you a lot of control because it pretty much turns it on and runs.

04:37.610 --> 04:42.620
But you'll see on a lot of firewalls it will say things like block ICMP.

04:42.620 --> 04:46.420
What they're doing there mainly is they don't want anybody to be able to ping you or things like that.

04:46.550 --> 04:53.900
So these are all good examples of stateful firewalls. So for the most part, on almost all firewalls, including

04:53.900 --> 04:57.170
some of the higher end ones you either just turn it on or turn it off.

04:58.300 --> 05:04.120
Now stateless is a different animal altogether. Stateless is going to be based on what your needs are

05:04.120 --> 05:05.500
for that particular network.

05:05.500 --> 05:08.140
So let's head over here and let's see what we can do.

05:09.730 --> 05:15.430
On this particular guy you'll see it says access control. So it wants the password again, no problem.

05:21.860 --> 05:24.130
So you'll see that right now it's turned off.

05:24.140 --> 05:31.070
I'm going to turn on access control and you'll see it says allow all new devices to connect or block

05:31.160 --> 05:33.320
all new devices from connecting.

05:33.320 --> 05:36.270
If I were to block all new devices from connecting.

05:36.320 --> 05:38.220
First of all nobody would get out.

05:38.600 --> 05:41.400
But what we're doing is what's known as an implicit deny.

05:41.410 --> 05:45.890
And we talk about implicit deny in other episodes, but it's a very different way in this particular case;

05:45.890 --> 05:47.450
we're talking about a firewall.

05:47.480 --> 05:54.270
In essence nobody can do anything unless I'm on this screen and saying oh OK I'll let them through.

05:54.500 --> 06:01.310
So in this particular case I'm going to just leave it as allow all new devices to connect and then that

06:01.310 --> 06:07.010
way I can go ahead and start selectively making blocks I can block an IP address I can block on mac

06:07.010 --> 06:12.050
address and I could just keep adding onto this in fact if you take a look on the screen you'll see it's

06:12.050 --> 06:13.440
already got.

06:13.490 --> 06:15.740
This is my machine right here that I'm working on.

06:15.740 --> 06:20.570
And he's already got it in there so if I wanted to I could go ahead and block myself which would make

06:20.570 --> 06:29.320
for a very uninteresting episode, or I could just leave it as it is and allow it access. Blocked sites.

06:29.400 --> 06:35.790
And in this particular case what it's talking about is I can type in anybody that I don't want you to

06:35.790 --> 06:37.050
be able to get to.

06:37.170 --> 06:41.610
I like everybody. How about YouTube?

06:41.680 --> 06:48.620
So if I want to, I can just type this in, and now no one is going to be able to get to YouTube.

06:48.620 --> 06:54.280
So that would be one example of the things I could block but it actually works pretty good.

06:54.350 --> 06:56.660
So let's make sure that's turned on there we go.

06:56.690 --> 07:04.550
So now that I've got it turned on, I could also type in any type of keyword, and as it sees information

07:04.550 --> 07:06.950
coming through it can actually block on that.

07:06.950 --> 07:13.310
Now keep in mind, in this particular situation, especially for web pages, if it's a secure web page he's

07:13.310 --> 07:18.350
not going to be able to see any of that information so it doesn't do a whole lot of good in terms of

07:18.350 --> 07:19.970
being able to handle that.

07:20.030 --> 07:23.370
Also we can come down here and allow trusted IP addresses.

07:23.390 --> 07:28.020
So for example there are certain machines that I'm using for maintenance and management of this guy.

07:28.190 --> 07:30.400
I could type in that IP address.

07:30.560 --> 07:37.010
And despite what the blocks are that one machine or multiple machines will always be able to get through.

07:37.250 --> 07:41.400
Next is block services. When we talk about the idea of access control lists,

07:41.420 --> 07:43.540
This is usually what people are talking about.

07:43.850 --> 07:51.110
So I'm going to turn on services blocking and let's block something. So it has user defined,

07:51.120 --> 07:56.680
But if there's a particular service that you want to stop you can find it in here.

07:56.690 --> 07:59.880
So let's say I don't want anybody using FTP.

08:00.290 --> 08:07.750
So you'll see that it pre-sets itself for blocking ports 20 and 21.

08:07.790 --> 08:12.770
And that's really all we're doing here. It's a convenient list to allow you to build an access control

08:12.770 --> 08:16.610
list without necessarily knowing exactly how that all works.

08:16.610 --> 08:24.560
But I like it, so we'll leave it as it is, and you'll see I can block anybody on my network, I can block

08:24.560 --> 08:27.630
a range or I can block one particular person.

08:27.660 --> 08:35.030
So let's go ahead and add FTP, and you'll see I've got that added. Now I can add lots more. In fact,

08:35.030 --> 08:37.770
access control lists often have lots and lots of these.

08:37.820 --> 08:41.930
So we're going to do user defined this time, a TCP protocol.

08:41.990 --> 08:49.440
I want to stop people from using their Steam servers. Not familiar with Steam?

08:49.450 --> 08:50.590
You don't play online games.

08:50.590 --> 08:51.090
I do.

08:53.380 --> 08:58.120
So what I'm doing is I'm blocking a range of port numbers, and I'm going to put Steam in here.

09:00.220 --> 09:02.410
And again I can set it for everybody.

09:05.120 --> 09:08.310
So you'll see what I'm doing is I'm building up an access control list.

09:08.330 --> 09:12.460
This is pretty and it works well. In a more enterprise-type firewall,

09:12.470 --> 09:14.930
access control lists can be very, very complicated.

09:14.930 --> 09:21.770
So let me show you a picture of an access control list for an enterprise-level Cisco router.

09:21.780 --> 09:27.340
Now this is my idea of a big hairy access control list.

09:27.480 --> 09:33.450
So while we may not be super familiar with what all this means you'll notice that it has port numbers

09:33.450 --> 09:34.300
in there.

09:34.440 --> 09:39.660
And you'll notice that IPs are in there so it's actually giving you the same information we're doing

09:39.660 --> 09:40.400
right here.

09:40.560 --> 09:45.930
But this is more of a robust set up and there's no pretty graphical front end for this guy.

09:46.050 --> 09:48.800
You're typing that stuff in manually.

09:48.930 --> 09:51.400
The last thing I want to show you on a firewall...

09:51.540 --> 09:53.630
The second to last thing is scheduling.

09:53.640 --> 10:00.060
So what I can do is I can set up different schedules to do different things. Like, if I want to, I can

10:00.060 --> 10:05.720
block anybody from playing any Steam games from 9 to 5. But I like playing Steam.

10:05.720 --> 10:11.040
So after work I want me and the folks to get together and let's play some Age of Empires or whatever

10:11.040 --> 10:11.750
it might be.

10:11.880 --> 10:18.360
So I can use scheduling tools that will allow me to tweak my Access Control list so that I can handle

10:18.420 --> 10:22.400
exactly when people are doing certain things or not doing certain things.

10:23.630 --> 10:30.370
And last, here we go, is email. One of the problems that you have with firewalls is that you're not aware

10:30.370 --> 10:32.620
of what a firewall is doing. Now,

10:32.890 --> 10:35.400
All firewalls are going to have some kind of log in here.

10:35.410 --> 10:36.990
Let's see if I can find it on here.

10:39.260 --> 10:44.330
So they all have some form of log that is going to be keeping track of and you can set up these logs

10:44.330 --> 10:49.130
to do whatever you want, and you'll see it's like login failures,

10:49.130 --> 10:51.730
people trying to get in, if it's passing out

10:51.730 --> 10:56.720
DHCP. If you look at the clicks at the bottom, you can actually set up what it's going to show or not show.

10:56.870 --> 11:02.750
And logs are great and they're important but the only way by default I can get to this log is by actually

11:02.750 --> 11:07.670
opening up this web page and going into the router itself.

11:07.670 --> 11:09.590
So usually what I'm going to prefer to do

11:15.580 --> 11:17.740
is I'm going to let the system email me.

11:18.120 --> 11:24.510
So I like to use these types of tools. On these home routers they're very, very popular, and you can set

11:24.510 --> 11:30.630
up pretty much any firewall system to do things like sending text messages, or, depending, you can set

11:30.660 --> 11:36.240
levels of importance and say, well, if it's a level 1 importance then go ahead and text me.

11:36.270 --> 11:39.830
Otherwise if it's two through five just send me an e-mail at the end of the day.

11:40.080 --> 11:44.010
And these types of tools become very very important.

11:44.010 --> 11:44.250
All right.

11:44.250 --> 11:48.690
So this is just one type of firewall that you have out there.

11:48.750 --> 11:52.770
Make sure that you're comfortable with the idea of a stateful versus a stateless.

11:52.770 --> 11:58.170
Also keep in mind that when we're talking about firewalls, there is another type of firewall that people

11:58.260 --> 12:01.820
often get confused with these types of network-based firewalls.

12:01.980 --> 12:08.860
And that is an application-based firewall. An application-based firewall is designed to protect an application.

12:09.030 --> 12:15.990
Probably one of the most famous types of applications that we firewall are web applications.

12:16.050 --> 12:23.100
And what I can do is set up a firewall in front of a web server that's actually protecting just the

12:23.100 --> 12:28.890
web server itself because there's so many unique attacks that they only go for that particular type

12:28.890 --> 12:29.710
of application.

12:29.700 --> 12:38.040
So a network firewall like this is designed to protect everybody in a network, whereas an application-

12:38.040 --> 12:42.990
based firewall is usually in front of a web server or something like that, and is designed to protect

12:43.050 --> 12:54.160
just that application.
