Do you think Linux based firewalls are as good as those commercial/expensive ones?
No. Linux based firewalls are specific to systems which run Linux OS. Similarly, Windows and Mac have their own sets of firewalls, but their basic functionality is to protect the OS. The commercial firewalls, be they hardware or software, come in various flavors and possess security features which go beyond simply providing protection to the OS.
Really? cool.
I have very good experience with FWs; sometimes I build them from scratch too.
What can a firewall protect in IT infrastructure in an organization and what are the other security features of firewalls besides ingress and egress filtering?
I believe that firewalls are meant to protect any aspect of IT systems that the organization wants to hide from in-house and outside users. This can be broken down by the access controls/management and the purpose of a user in an organization.
It’s noted that firewalls may not be able to block ingress packets (provable attack packets). Apart from installing internal firewall controls to mitigate after the penetration of the border firewall, what else can a system administrator do to protect the network?
Network segregation is also a great technique to practice. By segregating your network you can prevent lateral movement if an attacker or malware gets a foothold in one part of your network. This can be done with VLANs to virtually separate it.
Monitoring and running regular backups can help protect a network. The system administrator can also protect the network by performing vulnerability and penetration tests, configuring and supporting other security tools like antivirus, IDS/IPS software.
How frequently should the IT team review the firewall log? What important concerns should they review?
At least once a day the firewall log should be reviewed. If there are multiple firewall admins, at least one of them should check the logs every 1-2 hours. The size of the logs is massive, and millions of log entries can be generated in a matter of minutes. Generally, any anomalies in traffic or the kind of packets being dropped are inspected. Manually this is not possible, and hence log correlation tools and techniques are used for this purpose.
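The answer above points out that anomalies in dropped traffic cannot be found by hand and need correlation tooling. As an added illustration written for this page (not code from any poster or product), here is a small Python correlator that parses constructed iptables-style LOG lines, groups drops per source, and flags a source that hits many distinct destination ports or generates a high drop volume; the log format, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of iptables LOG output; none of this is real traffic.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=22
Jan 10 10:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=23
Jan 10 10:00:02 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=25
Jan 10 10:00:02 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jan 10 10:00:02 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=80
Jan 10 10:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=445
Jan 10 10:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=443
Jan 10 10:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=3389
Jan 10 10:00:04 fw kernel: this line is malformed and should be skipped
"""
LINE_RE = re.compile(
    r"\[(?P<action>[A-Z]+)\] .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec

def correlate_drops(text, port_threshold=5, drop_threshold=50):
    """Group dropped packets by source and flag sweep-like or high-volume sources."""
    ports = defaultdict(set)
    drops = defaultdict(int)
    for rec in parse_log(text):
        if rec["action"] != "DROP":
            continue
        drops[rec["src"]] += 1
        ports[rec["src"]].add(rec["dpt"])
    findings = {}
    for src, n in drops.items():
        reasons = []
        if len(ports[src]) >= port_threshold:
            reasons.append("many distinct destination ports")
        if n >= drop_threshold:
            reasons.append("high drop volume")
        if reasons:
            findings[src] = {"drops": n, "ports": sorted(ports[src]), "reasons": reasons}
    return findings
```

On the sample above only 203.0.113.7 is reported (six drops across six ports), while the single 445 drop from 198.51.100.4 stays below both thresholds; real deployments would feed a rolling window of lines rather than one fixed string.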
What do you believe is the best/most efficient recovery plan in the case that a firewall starts to defect and allows an outside threat to damage its systems?
Hello,
Your question brings up a valid concern that many organizations must think of in order to implement an appropriate and certified cyber security program. What many people tend to forget is that firewalls are, in some sense, computers too and can have vulnerabilities as well. Among the more popular answers to this question are redundancy and contingency planning, where instead of just having a single firewall you would instead have two separate firewalls that originate from and are coded by different organizations.
Which popular tools can be used for performing vulnerability assessment of the configuration of firewall policies?
You could begin by doing a port scan with nmap or nessus to make sure the ports you closed truly are closed. Next you could try using the services of common ports like connecting to telnet or FTP to make sure that the connection gets denied.
What role does SPI play in the filtering mechanism for examining packets?
A stateful packet inspection firewall checks packets and keeps track of the state of network connections. Basically, it is configured to differentiate legitimate network packets for different types of connections. Moreover, SPI firewalls are not only useful to protect the network against malicious packets based on connection states; they also prevent denial-of-service attacks by dropping any packets sent from sources which are not listed in the ACL.
What role do you think AI will play in improving firewalls and will it help get rid of the issue of improper configuration?
AI can add value to firewalls because it improves the efficiency of detecting malicious activity by using predictive analytics and behavioral analytics. In this way, it can automatically gather information from firewall logs to learn the patterns of attacks by itself. As a result, it can detect faster and improve proper configuration.
What strategy do you think is the most effective when scanning a firewall log file?
Hi Sarah Puffen,
Scanning logs is a time-consuming process. My advice is to think carefully when setting firewall rules so that you can reduce the workload. Also, use penetration testing to simulate network attacks against your computer system to check for exploitable vulnerabilities.
How does a firewall stand up to a social engineering attack? Or an attack from an employee?
I feel like there’s only so much a firewall can do when it comes to social engineering since it’s more about people rather than technology. However, using internal firewalls can help limit access by/to other employees and stop them from potentially leaking valuable information.
What policy examples would you implement to restrict and control the access that client-facing DMZ servers have to internal-facing servers that contain critical information to the organization?
Several methods: network segregation, VPN, and implementing ACLs in FWs, routers, and switches.
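As an added illustration of both the stateful filtering described in the SPI answer above and the DMZ-to-internal ACL asked about here (example code written for this page, not from any poster or firewall product), this Python model applies a default-deny policy in which only the DMZ web server may open connections to the internal database port, while replies to tracked connections pass on state alone; the zones, addresses and ports are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing for the example (RFC 5737 / RFC 1918 ranges), not a real network.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

# ACL for NEW connections: (src_zone, src_host, dst_zone, dst_host, proto, dport); None = any host.
# Only the DMZ web server may open connections into the internal zone, and only to the DB port.
ALLOW_NEW = [
    ("outside", None, "dmz", "192.0.2.10", "tcp", 443),
    ("dmz", "192.0.2.10", "internal", "10.10.5.20", "tcp", 5432),
]

class StatefulFirewall:
    def __init__(self):
        self.state = set()  # 5-tuples of connections that were accepted as NEW

    def filter(self, p):
        # Stateful check first: a reply to a tracked connection is accepted without consulting the ACL.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.state:
            return "ACCEPT"
        sz, dz = zone_of(p.src), zone_of(p.dst)
        for src_zone, src_host, dst_zone, dst_host, proto, dport in ALLOW_NEW:
            if (sz, dz, proto, dport) != (src_zone, dst_zone, p.proto, p.dport):
                continue
            if (src_host and src_host != p.src) or (dst_host and dst_host != p.dst):
                continue
            self.state.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "ACCEPT"
        return "DROP"  # default deny: unsolicited packets and sources not in the ACL
```

A second DMZ host sending to the same database port is dropped because it is not in the ACL, and a packet that looks like a database reply but has no tracked connection behind it is dropped as well, which is the state-based DoS protection the SPI answer mentions.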
What are the differences between IDS/IPS firewalls and how do they work?
One is detection, the other is prevention. It’s a very interesting topic and fairly difficult to configure. Google and YouTube can provide good answers; I do it all the time. 🙂
Both IDS and IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.
IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full-time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.
The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It’s more passive than an IDS, simply requiring that the database gets regularly updated with new threat data.
One thing that intrigues me with firewalls is how diverse they are and which ones should go in different locations. So, for the class, is there a preference (from an Auditor or CISSP point of view) for which firewall should go where?