WEBVTT

0:00:02.260000 --> 0:00:07.800000
Hello and welcome to this video titled Personal Firewalls and HIPS.

0:00:07.800000 --> 0:00:10.800000
Now we're not talking about the anatomical hips here, we're talking about

0:00:10.800000 --> 0:00:14.660000
something else. So in this video, I'm going to talk about the difference

0:00:14.660000 --> 0:00:18.480000
between network firewalls and personal firewalls and what are the objectives

0:00:18.480000 --> 0:00:20.460000
of personal firewalls.

0:00:20.460000 --> 0:00:21.340000
How would you use one?

0:00:21.340000 --> 0:00:23.120000
Why would you use one?

0:00:23.120000 --> 0:00:28.660000
How do they protect you and some particular use cases of personal firewalls?

0:00:28.660000 --> 0:00:31.520000
Well, it's a simple way to use one of the HIPS, which stands for Host Intrusion

0:00:31.520000 --> 0:00:36.620000
Protection Services or Solution or Software, depending on what acronym

0:00:36.620000 --> 0:00:40.680000
you're looking at, and some common HIPS rule sets.

0:00:40.680000 --> 0:00:46.840000
Alright, so let's start by defining what is a personal firewall.

0:00:46.840000 --> 0:00:51.860000
So there's a difference between network firewalls and personal firewalls.

0:00:51.860000 --> 0:00:55.720000
So a network firewall is typically implemented as a hardware appliance.

0:00:55.720000 --> 0:00:57.140000
What does that mean?

0:00:57.140000 --> 0:00:58.800000
That just means it's a hardware box.

0:00:58.800000 --> 0:01:03.920000
You can lift it up, you can plug an AC adapter into it, rack mount it into

0:01:03.920000 --> 0:01:07.140000
a rack. That's what we mean by a hardware appliance.

0:01:07.140000 --> 0:01:10.540000
And when we typically say a hardware appliance, we mean a physical box

0:01:10.540000 --> 0:01:15.480000
that was custom made to do a very specific task.
0:01:15.480000 --> 0:01:21.300000
Okay, so network firewalls are typically placed at network security boundaries,

0:01:21.300000 --> 0:01:25.120000
like at the outer edge of your network just before your network connects

0:01:25.120000 --> 0:01:29.660000
to your ISP, connects to your Internet service provider, or maybe in between

0:01:29.660000 --> 0:01:35.120000
two security boundaries like the corporate network and where it's connecting

0:01:35.120000 --> 0:01:40.260000
to an acquisitions network or a partnering network, something like that.

0:01:40.260000 --> 0:01:44.780000
So a network firewall is designed to protect traffic to and from entire

0:01:44.780000 --> 0:01:47.400000
networks or subnets.

0:01:47.400000 --> 0:01:48.720000
That's what it's really looking at.

0:01:48.720000 --> 0:01:53.500000
Now hopefully with your network firewall and other security mechanisms

0:01:53.500000 --> 0:01:58.220000
you have in place like a web security appliance or an email security appliance,

0:01:58.220000 --> 0:02:03.380000
hopefully no bad things will actually make it to the endpoint, to your

0:02:03.380000 --> 0:02:05.880000
laptop or your PC or your server.

0:02:05.880000 --> 0:02:09.340000
But sometimes they do, and that would be a good use case where you might

0:02:09.340000 --> 0:02:10.920000
want to have a personal firewall.

0:02:10.920000 --> 0:02:16.480000
So a personal firewall is actually software on your laptop or PC that

0:02:16.480000 --> 0:02:18.740000
serves as like a firewall.

0:02:18.740000 --> 0:02:23.700000
So this often comes integrated into the operating system itself.

0:02:23.700000 --> 0:02:28.180000
Now you can certainly download other personal firewalls, either free versions

0:02:28.180000 --> 0:02:32.580000
or paid versions, but most operating systems like certainly Windows, Microsoft

0:02:32.580000 --> 0:02:37.960000
Windows has a personal firewall built into the Windows operating system.
0:02:37.960000 --> 0:02:43.340000
Now if you have pervasive and consistent use of a personal firewall across

0:02:43.340000 --> 0:02:48.380000
all of your hosts, this can constitute what's called a distributed firewall.

0:02:48.380000 --> 0:02:52.280000
So if every single host in my organization is running a personal firewall

0:02:52.280000 --> 0:02:56.740000
and they're all using the exact same rule sets and policies, and certainly

0:02:56.740000 --> 0:03:01.280000
if they're monitored and maintained by some central administrative system,

0:03:01.280000 --> 0:03:04.660000
we could call that a distributed firewall.

0:03:04.660000 --> 0:03:08.640000
And personal firewalls are good solutions for hosts that are mobile, and

0:03:08.640000 --> 0:03:11.440000
we'll talk a little bit about that here in just a second.

0:03:11.440000 --> 0:03:14.260000
So what are the main objectives of a personal firewall?

0:03:14.260000 --> 0:03:15.400000
Why would you use one?

0:03:15.400000 --> 0:03:20.080000
Well, number one, to block unauthorized access to your computer and to

0:03:20.080000 --> 0:03:25.700000
permit authorized data and communications to and from your computer.

0:03:25.700000 --> 0:03:29.220000
You know, if we think about how a regular firewall works, now you might

0:03:29.220000 --> 0:03:32.800000
not have any experience with an actual network firewall or physical appliance,

0:03:32.800000 --> 0:03:35.020000
but at a real high level.

0:03:35.020000 --> 0:03:40.300000
So what they do is the first step in configuring a network firewall is

0:03:40.300000 --> 0:03:44.480000
it's got multiple physical interfaces that are cabled, and some of those

0:03:44.480000 --> 0:03:48.980000
physical interfaces would lead to your inside network, your trusted network.

0:03:48.980000 --> 0:03:53.320000
Other interfaces would lead to other domains that are not quite as trusted.

0:03:53.320000 --> 0:03:55.760000
A lot of times we call those outside networks.
0:03:55.760000 --> 0:03:59.080000
And at a real high level, a lot of times the way firewalls are designed

0:03:59.080000 --> 0:04:03.440000
is that if traffic is coming in an interface that is considered a trusted

0:04:03.440000 --> 0:04:09.180000
or an inside interface, that traffic is allowed to go outside and then

0:04:09.180000 --> 0:04:11.660000
the reply traffic is allowed back.

0:04:11.660000 --> 0:04:16.000000
So the general idea is that, okay, if something is initiated on the inside,

0:04:16.000000 --> 0:04:18.780000
it can go out and then the reply can come back.

0:04:18.780000 --> 0:04:23.880000
But if something is initiated on the outside on the untrusted interface,

0:04:23.880000 --> 0:04:25.100000
that is not allowed.

0:04:25.100000 --> 0:04:28.780000
We are not allowing traffic to be initiated from the outside coming in.

0:04:28.780000 --> 0:04:32.060000
Only replies from the outside can come in.

0:04:32.060000 --> 0:04:35.280000
Well, a lot of times your personal firewall, it operates under the same

0:04:35.280000 --> 0:04:40.080000
sort of basic ruleset that if my laptop or PC initiates some connection

0:04:40.080000 --> 0:04:46.640000
to an outside website or an outside TFTP or FTP server, then the response

0:04:46.640000 --> 0:04:51.620000
can come back. But if some network traffic tries to gain entry into my

0:04:51.620000 --> 0:04:55.340000
laptop, the personal firewall will say, well, wait a second, this doesn't

0:04:55.340000 --> 0:04:58.020000
look like it's a reply in response to anything.

0:04:58.020000 --> 0:05:01.620000
This looks like it's a new incoming connection and the personal firewall

0:05:01.620000 --> 0:05:05.960000
will either drop that or it will warn me about that.
0:05:05.960000 --> 0:05:09.640000
So you can see here, the way the firewall actually accomplishes this is

0:05:09.640000 --> 0:05:14.400000
by working under some rules, and exceptions to rules, that are all based on inbound

0:05:14.400000 --> 0:05:16.040000
and outbound traffic.

0:05:16.040000 --> 0:05:17.420000
Now rules are configurable.

0:05:17.420000 --> 0:05:19.780000
Now, certainly if this comes bundled with your operating system, there

0:05:19.780000 --> 0:05:22.860000
will be some default rules applied there.

0:05:22.860000 --> 0:05:25.860000
And the rules basically vary depending on the type of network you're connected

0:05:25.860000 --> 0:05:34.400000
to. Like you can see this right here.

0:05:34.400000 --> 0:05:38.040000
Or features of an app, and I'll tell you, it'll give you a pop-up window

0:05:38.040000 --> 0:05:42.900000
like this. But these firewalls, these personal firewalls, a lot of times

0:05:42.900000 --> 0:05:46.760000
the way they will work is at the moment you connect to a new network,

0:05:46.760000 --> 0:05:50.440000
either a new Wi-Fi network or a new wired network.

0:05:50.440000 --> 0:05:52.920000
And it could just mean that you've moved, you've picked up your laptop

0:05:52.920000 --> 0:05:56.380000
and you've moved from one conference room to another conference room,

0:05:56.380000 --> 0:05:59.960000
or you've moved from one cube to another cube; either way you are connecting

0:05:59.960000 --> 0:06:01.880000
to a new network.

0:06:01.880000 --> 0:06:05.240000
Well, the personal firewall will want you to tell it what kind of a network

0:06:05.240000 --> 0:06:06.960000
is this? Is it a corporate network?

0:06:06.960000 --> 0:06:07.960000
Is it a public network?

0:06:07.960000 --> 0:06:08.540000
Is it a home network?

0:06:08.540000 --> 0:06:13.000000
You'll have to check a box saying, okay, this is this type of network.
0:06:13.000000 --> 0:06:15.840000
And then once you've told the personal firewall what kind of a network

0:06:15.840000 --> 0:06:21.060000
it is based on your selection, then a rule set will be implemented based

0:06:21.060000 --> 0:06:24.160000
on that network.

0:06:24.160000 --> 0:06:28.460000
So personal firewalls are really good for mobile hosts.

0:06:28.460000 --> 0:06:33.720000
For example, if you are mobile and you are in a coffee shop, does that

0:06:33.720000 --> 0:06:36.100000
coffee shop have a network firewall?

0:06:36.100000 --> 0:06:37.600000
Maybe, maybe not.

0:06:37.600000 --> 0:06:40.760000
But since you don't know, a personal firewall is a good way to give yourself

0:06:40.760000 --> 0:06:44.640000
safety because you don't know if an actual network firewall exists or

0:06:44.640000 --> 0:06:54.780000
not. So, I'm connected to a VPN back to my corporate office.

0:06:54.780000 --> 0:06:55.960000
Who knows where I am?

0:06:55.960000 --> 0:06:57.600000
Maybe I'm working at home.

0:06:57.600000 --> 0:07:01.000000
Maybe I'm working from a bookstore's coffee shop, whatever, but I've got

0:07:01.000000 --> 0:07:02.960000
a VPN going to the corporate office.

0:07:02.960000 --> 0:07:07.880000
Well, split tunnel would mean that when my laptop creates packets that

0:07:07.880000 --> 0:07:11.780000
are destined for the corporate network, like a file server in the corporate

0:07:11.780000 --> 0:07:14.500000
network, or maybe I'm doing instant messaging with somebody in the corporate

0:07:14.500000 --> 0:07:19.380000
network, that will go encrypted and over that secure VPN tunnel.

0:07:19.380000 --> 0:07:23.480000
But if I'm creating packets that are just destined for the general internet,

0:07:23.480000 --> 0:07:27.540000
like I'm web browsing for a new car or looking up the current news or

0:07:27.540000 --> 0:07:31.420000
something, those will not go over the encrypted VPN tunnel.
0:07:31.420000 --> 0:07:34.560000
Those will just go to my internet service provider and go to the regular

0:07:34.560000 --> 0:07:37.540000
internet. So this is another good use case where you might want to have

0:07:37.540000 --> 0:07:41.900000
a personal firewall, because the personal firewall will prevent malicious

0:07:41.900000 --> 0:07:48.020000
actors on the internet from initiating inbound connections to you.

0:07:48.020000 --> 0:07:51.940000
And certainly personal firewalls can be configured to whitelist or blacklist

0:07:51.940000 --> 0:07:54.980000
certain application traffic.

0:07:54.980000 --> 0:07:58.840000
Whitelisting means this application is allowed free rein.

0:07:58.840000 --> 0:08:01.100000
Don't check it. It's perfectly safe.

0:08:01.100000 --> 0:08:05.800000
Blacklisting means this application is not allowed to run at all.

0:08:05.800000 --> 0:08:08.300000
So that's what a personal firewall is.

0:08:08.300000 --> 0:08:11.400000
Now, let's contrast that or compare it against something called a host

0:08:11.400000 --> 0:08:15.320000
intrusion prevention system.

0:08:15.320000 --> 0:08:19.660000
So you see, personal firewalls really are just looking at inbound and

0:08:19.660000 --> 0:08:22.900000
outbound traffic and trying to say, okay, is something coming back to

0:08:22.900000 --> 0:08:27.040000
me a result of a connection that I already established?

0:08:27.040000 --> 0:08:30.660000
Is this reply traffic coming back to something I initiated?

0:08:30.660000 --> 0:08:33.800000
That's basically what the personal firewall is doing.

0:08:33.800000 --> 0:08:39.040000
But a host intrusion prevention system is another component of software.

0:08:39.040000 --> 0:08:40.040000
It's a software package.

0:08:40.040000 --> 0:08:45.540000
And what this is doing is it's looking at what's going on inside my host.

0:08:45.540000 --> 0:08:50.960000
In other words, in my laptop, is a file doing something suspicious?
0:08:50.960000 --> 0:08:55.600000
Is the behavior of an executable something that looks like it could be

0:08:55.600000 --> 0:08:59.300000
malware that's been triggered?

0:08:59.300000 --> 0:09:03.340000
So malware can, like it says here, can be difficult to spot purely based

0:09:03.340000 --> 0:09:06.660000
on signatures. Malware is coming out so frequently.

0:09:06.660000 --> 0:09:10.780000
There's new malware every day, so a lot of malware signatures have not

0:09:10.780000 --> 0:09:15.400000
been developed for it yet because the file has not been recognized by the

0:09:15.400000 --> 0:09:19.200000
security experts in the industry as being malware.

0:09:19.200000 --> 0:09:24.240000
So a host intrusion prevention system will look at the behavior of the

0:09:24.240000 --> 0:09:28.980000
files and the things that are going on in your system and try to detect, is

0:09:28.980000 --> 0:09:30.360000
this an anomaly?

0:09:30.360000 --> 0:09:33.440000
Is this file doing something that looks suspicious?

0:09:33.440000 --> 0:09:35.420000
Is it trying to change a registry?

0:09:35.420000 --> 0:09:39.060000
Is it trying to prevent another file from opening?

0:09:39.060000 --> 0:09:41.360000
Or is it trying to close a particular file?

0:09:41.360000 --> 0:09:44.960000
So that's what HIPS actually does.

0:09:44.960000 --> 0:09:51.820000
So just like personal firewalls have rule sets, host intrusion prevention

0:09:51.820000 --> 0:09:54.700000
systems also have rule sets.

0:09:54.700000 --> 0:09:57.940000
And they can be configured to look for these particular things, for example,

0:09:57.940000 --> 0:10:01.740000
right here. Should new code be allowed to take control of other programs?

0:10:01.740000 --> 0:10:04.560000
Should it be allowed to modify a registry key?

0:10:04.560000 --> 0:10:07.700000
Should it be allowed to terminate existing programs?

0:10:07.700000 --> 0:10:11.820000
Should it be allowed to install drivers, and much, much more?
0:10:11.820000 --> 0:10:18.100000
So what's kind of interesting is if you just go to Google and do a search

0:10:18.100000 --> 0:10:22.380000
on HIPS pre-execution detection, what does that mean?

0:10:22.380000 --> 0:10:25.920000
This is talking about the behavior of HIPS where it says, okay, I've got

0:10:25.920000 --> 0:10:31.860000
some file here. If this file is allowed to do what it wants to do, could

0:10:31.860000 --> 0:10:34.280000
that possibly be malicious?

0:10:34.280000 --> 0:10:38.240000
So pre-execution detection means let's run through the code of the file.

0:10:38.240000 --> 0:10:44.960000
Let's see in advance, what would this file do if it was allowed to run?

0:10:44.960000 --> 0:10:48.320000
So this is one of the features of HIPS that a personal firewall can't

0:10:48.320000 --> 0:10:53.060000
do. So for example, Sophos Int or Sophos, however you pronounce that,

0:10:53.060000 --> 0:10:58.340000
anti-virus has a host intrusion prevention system that can actually do

0:10:58.340000 --> 0:11:00.680000
that, as well as other vendors as well.

0:11:00.680000 --> 0:11:05.240000
So you can do a Google search on that, find some software that allows

0:11:05.240000 --> 0:11:09.060000
that; that's actually called behavioral-based detection.

0:11:09.060000 --> 0:11:14.740000
So behavioral-based detection is the same thing as pre-execution detection.

0:11:14.740000 --> 0:11:21.460000
And that concludes this video on personal firewalls and HIPS.

0:11:21.460000 --> 0:11:24.860000
I hope you found it informative, and thank you for watching.