MIS 5214 - Section 001 - David Lanter
February 17, 2021 by Wade Mackey 29 Comments
Nicholas Fabrizio says
February 18, 2021 at 7:09 pm
Firewalls are an important part of securing a network which can include examining traffic coming into the network from the internet (ingress filtering) and traffic going out to the internet (egress filtering). There are six filtering methods that firewalls could use to examine traffic with each having their own unique strengths and weaknesses. The most common method is stateful packet inspection (SPI) because it will remember the state of connections and know whether to accept or drop the packets by verifying the status in a connections table. Also, SPI firewalls by default will prevent external hosts from opening connections to internal hosts which is why this type of firewall is most commonly used as the border firewall. Another filtering method firewalls use is network address translation, which will intercept traffic leaving the network and replace the source IP address and port number with stand-in numbers. This is to help prevent external attackers from learning internal IP addresses and port numbers. In conclusion, firewalls are crucial in securing networks especially using the defense in depth strategy, but the appropriate firewalls need to be used depending on their purpose. A firewall with inadequate resources to handle traffic could effectively cause a denial of service if those resources become depleted or a firewall not using the correct filtering method could open attack vectors.
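Added example, not from the comment above or from the textbook: a small Python model of the two mechanisms Nicholas describes, a stateful packet inspection firewall whose connection table remembers which connections internal hosts opened (so only their replies are admitted and unsolicited external connection attempts are dropped) and source NAT that replaces the internal address and port with stand-in values. The address ranges, the firewall's public address and the NAT port pool are assumptions of this simulation.

```python
"""Stateful packet inspection (SPI) plus network address translation (NAT).

Constructed example. Internal hosts live in 10.0.0.0/8, the firewall's
public address is 203.0.113.1 and NAT stand-in ports start at 40000; all of
these are assumptions for the demo, not values from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
PUBLIC_IP = "203.0.113.1"             # assumed public address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP segment that opens a connection


class SpiFirewall:
    def __init__(self):
        # connection table: (external ip, external port, NAT port) -> (internal ip, internal port)
        self.connections = {}
        self.next_nat_port = 40000   # assumed start of the NAT stand-in port pool

    def outbound(self, pkt):
        """Packet leaving the internal network. Returns (verdict, translated packet)."""
        if ip_address(pkt.src) not in INTERNAL:
            return ("drop", None)    # source is not one of ours: spoofed or misrouted
        # Look for an existing table entry for this internal socket and destination.
        for (ext_ip, ext_port, nat_port), internal in self.connections.items():
            if internal == (pkt.src, pkt.sport) and (ext_ip, ext_port) == (pkt.dst, pkt.dport):
                break
        else:
            if not pkt.syn:
                return ("drop", None)   # no state and not a connection opener
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.connections[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        # NAT: the outside world sees the firewall's address and a stand-in port.
        return ("pass", Packet(PUBLIC_IP, nat_port, pkt.dst, pkt.dport, pkt.syn))

    def inbound(self, pkt):
        """Packet arriving from the Internet. Admitted only if it matches table state."""
        if pkt.dst != PUBLIC_IP:
            return ("drop", None)
        internal = self.connections.get((pkt.src, pkt.sport, pkt.dport))
        if internal is None:
            # Default SPI stance: external hosts cannot open connections inward.
            return ("drop", None)
        int_ip, int_port = internal
        # Reverse NAT: restore the internal destination before forwarding.
        return ("pass", Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.syn))


def demo():
    """Walk one connection through the firewall; returns the verdicts in order."""
    fw = SpiFirewall()
    v1, out = fw.outbound(Packet("10.1.2.3", 51000, "198.51.100.7", 443, syn=True))
    v2, reply = fw.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.sport))
    v3, _ = fw.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 40001, syn=True))
    return [v1, v2, v3], out, reply
```

The third packet in `demo()` is the case Nicholas mentions: an outside host trying to open a connection inward finds no table entry and is dropped, while the web server's reply to the client's own connection is mapped back to the internal address and port.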
Megan Hall says
February 19, 2021 at 2:25 pm
One of the key points that stood out to me from this reading was the concept of Defense in Depth. The Chapter did a good job explaining the differences between the Static Packet Filtering, Stateful Packet Inspection, Network Address Translation and Application Proxy Firewalls and it also did a good job explaining where these different technologies can reside. However, none of these firewalls or filtering provides a perfect solution. In addition, there is a tradeoff between layers of security and capacity needed for processing/storage. The concept of Defense in Depth stood out because it can allow for different layers of protection. I think it’s important that there be a strategy and meaningful planning before implementing these different layers of defense, to make sure there is effective risk management and protection against the most likely threats.
Elias Harake says
February 22, 2021 at 11:47 pm
Hi Megan, that is a great point that you mention here. There is a very evident trade-off between layers of security and the capacity needed for processing or storage. The correlation is that the more security layers are implemented, the less efficient the data-processing capability. This is why organizations planning to create or implement stronger firewalls need to find the right balance, whether to increase security by decreasing data transmission efficiency.
Christopher Clayton says
February 20, 2021 at 11:57 am
What I gained from Chapter 6 Firewall reading is a better insight of the major function of a firewall, which to my understanding is basically a gatekeeper that monitors and prevents any attempts of unwelcome network traffic from coming through. A firewall filter is arranged with a set of rules that determines when to accept or deny entrance. If the packet appears to not be a preventable attack, then it is accepted in the network, otherwise it is denied or dropped. In the case there’s a traffic overload, all packets will be dropped for security purposes.
Panayiotis Laskaridis says
February 22, 2021 at 6:58 pm
I like how you explained the functions of the firewall. Sometimes we overcomplicate things in the realm of tech so it’s important that we’re constantly appropriately simplifying them.
Charlie Corrao says
February 20, 2021 at 6:15 pm
One topic I found interesting was the discussion around logging all packets vs logging only dropped packets. After doing the reading, I think all packets should be logged, no matter if they were passed or dropped. While this does increase the costs for the company, it allows for the security team to do a deeper investigation if needed. The packets that were stopped could have been decoy packets, which gave the hackers info into how the firewall is configured. They could then use this info to send packets that would get through. If the company only logs dropped packets, they would see the failed attempts, but the actual malicious packet would go through undetected, and would not be logged. It would then be more difficult to investigate that packet and may skew their investigation.
Jonathan Mettus says
February 21, 2021 at 1:25 pm
Everything always seems to come back to the cost/benefit discussion. Logging all packets definitely gives greater insight into traffic and enhances an organization’s ability to investigate. However, it also either increases the amount of disk space needed to store logs, or limits the time period for which logs are held. As they mention in the book, the packets that the firewall doesn’t successfully stop may be more dangerous (since they weren’t blocked). I definitely think that logging all packets should be enabled where feasible because of the benefits.
Lakshmi Surujnauth says
February 21, 2021 at 5:02 am
An interesting takeaway from this reading is on the topic of IPS/IDS. IPSs, even though they were born out of IDSs, are far more effective, with the latter acting more as a surveillance tool for suspicious events, while the former aims to prevent attacks (e.g. DoS). The ASICs and confidence spectrum feature of IPSs allow for faster filtering even when traffic volumes are high, and identification of attacks, ranging from likely, very likely or provable, gives entities the opportunity to stop traffic at the high end of the confidence spectrum. Packets are dropped for attacks identified at the high end of the IPS confidence spectrum, similar to firewalls dropping provable packets. Additionally, traffic is limited to a certain bandwidth, which results in the network not being overloaded. Overall, IPS provides a solid filtering method.
February 22, 2021 at 3:58 pm
Lakshmi, I do agree that IPS can provide a solid filtering method. I thought it was interesting about the ASICs allowing for faster filtering, while also allowing it to be somewhat risk-based, based on the confidence spectrum. One thing I do think is important to note is that similar to how firewalls use rules to filter traffic, the IPS is going to use some sort of policy, signature, or anomaly-based approach to functioning and identifying/preventing potential attacks. I think it’s important to note, as the book does, that for both IDS and IPS, the proper implementation often involves a lot of rules and tuning. I think a lot of organizations probably invest in a good IPS but do not invest the time and resources to set it up and configure it properly for their environment. This means the organization may not get that solid result they are looking for, as far as IPS serving as good control to prevent attacks.
Mitchell Dulaney says
February 23, 2021 at 9:02 am
Hi Lakshmi – I also think the distinct roles IDSs and IPSs play in an enterprise network are interesting. IPSs actively filter packets, which is useful in decreasing the amount of monitoring required by system administrators. However, as Megan mentioned, any active/automatic filtering system poses the risk of filtering traffic that is not malicious. It’s important for network administrators to properly configure such tools, because incorrectly blocking normal business traffic would not reflect well on the network security team in the eyes of management.
Xiduo Liu says
February 21, 2021 at 10:58 am
The book detailed some firewall filtering mechanisms such as stateful packet inspection filtering, static packet filtering, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. The stateful packet inspection is the primary inspection mechanism with the other mechanisms as complementary mechanisms depending on the specific firewall. The book also pointed out one key design element of all firewalls, specifically, when the traffic load exceeds the capability of the firewall, the firewalls are designed to drop all packets.
To-Yin Cheng says
February 21, 2021 at 11:51 am
In chapter 6, I am able to understand different types of filtering methods and protection systems. The ones that most interested me are antivirus filtering and unified threat management, especially how the antivirus filtering servers work closely together with firewalls. Most of the time, firewall vendors provide a packet that works with antivirus servers. After the firewall passes the object to an antivirus server, the antivirus server will examine and filter out the viruses, worms, Trojan horses, spam, phishing, rootkits, malicious scripts, and other malware. After filtering, it returns the object to the firewall for receivers.
Christa Giordano says
February 21, 2021 at 12:21 pm
One interesting concept that was mentioned several times is the importance of monitoring and reviewing the data holistically rather than in isolation. For example, in static packet filtering, only one packet at a time is reviewed, which is limiting, as many attacks can only be stopped by understanding an entire stream of packets and where that individual packet resides within the stream. Another example is the importance of the log file and that the time covered by the log file should be long enough so attacks that are spaced out over time can be detected. This can help determine if attacks are related and could be part of a larger attack, or were only separate attacks in isolation.
Ashleigh Williams says
February 21, 2021 at 11:29 pm
Christa this is a great point. I have never considered the thought of reviewing firewall data holistically. In audits we typically check whether or not firewall monitoring is being performed and incidents reviewed and remediated. However, this makes me question if there should be controls in place to ensure that events are not viewed as isolated occurrences.
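Added example, not part of any comment above or of the textbook, covering two points from this thread: Charlie and Jonathan's discussion of logging all packets versus only dropped packets, and Christa's point that the log must cover a long enough period to catch attacks spaced out over time. The log lines are constructed for the demo and follow no vendor's format; the thresholds are assumptions.

```python
"""Firewall log review: log-all vs. log-dropped-only, and retention length.

Constructed example. The log below is made up: one outside host probes
closed ports over a week, then has a packet accepted on a port that is
open to the world. A second host makes one ordinary HTTPS connection.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2021-02-15T09:12:01 DROP src=198.51.100.9 dst=203.0.113.1 dport=23 proto=tcp
2021-02-15T09:12:04 DROP src=198.51.100.9 dst=203.0.113.1 dport=3389 proto=tcp
2021-02-16T14:03:10 PASS src=192.0.2.44 dst=203.0.113.1 dport=443 proto=tcp
2021-02-18T02:40:55 DROP src=198.51.100.9 dst=203.0.113.1 dport=445 proto=tcp
2021-02-20T11:20:17 DROP src=198.51.100.9 dst=203.0.113.1 dport=22 proto=tcp
2021-02-21T17:05:42 PASS src=198.51.100.9 dst=203.0.113.1 dport=443 proto=tcp
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>PASS|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def keep_only_drops(records):
    """What a 'log dropped packets only' policy would have retained."""
    return [r for r in records if r["action"] == "DROP"]


def probes_followed_by_pass(records, min_drops=2):
    """Sources with at least min_drops dropped packets that later had a packet
    accepted. Returns {src: accepted port}. Visible only if PASS entries exist."""
    drops = defaultdict(int)
    hits = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["action"] == "DROP":
            drops[r["src"]] += 1
        elif drops[r["src"]] >= min_drops and r["src"] not in hits:
            hits[r["src"]] = r["dport"]
    return hits


def slow_scanners(records, retention_days, min_ports=3):
    """Sources that touched >= min_ports distinct ports inside the retention
    window ending at the newest entry. A short window hides a slow scan."""
    if not records:
        return set()
    cutoff = max(r["ts"] for r in records) - timedelta(days=retention_days)
    ports = defaultdict(set)
    for r in records:
        if r["ts"] >= cutoff:
            ports[r["src"]].add(r["dport"])
    return {src for src, p in ports.items() if len(p) >= min_ports}
```

With the full log, `probes_followed_by_pass` links the accepted packet on port 443 to the earlier dropped probes from the same source; with the drops-only log that accepted packet was never recorded and the link cannot be made. Likewise `slow_scanners` finds the week-long scan with a 14-day window but not with a 2-day one.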
February 21, 2021 at 1:03 pm
One of the most interesting aspects of Chapter 6 was the discussion around application proxy firewalls. Before this reading, I tended to think of application proxy firewalls as an obvious step up from SPI firewalls since they can filter application layer messages. Obviously, they are more processing intensive, so these firewalls can handle fewer connections. I never thought of the (now obvious) limitation that only a few applications can be proxied. The best use is probably with HTTP/HTTPS anyway, but it is still a limitation. Common uses now include protecting internal clients from malicious web servers or protecting an internal web server from external clients.
February 22, 2021 at 4:08 pm
Jonathan – this stood out to me as well. On the surface, application proxy firewalls seem like an answer to some of the potential limitations of both static and stateful inspection firewalls, given their ability to filter application layer messages. However, before reading this Chapter, I really had not taken the time to think that only a few applications could be proxied, which is an obvious limitation to their widespread usage. And, like most things security, there is the tradeoff between a greater level of security and a higher processing-intensive operation. As you note above, and the book highlights, that does not mean these application proxy firewalls are obsolete or useless. Rather, they should be used as part of a defense in depth, with multiple layers of security throughout different parts of an organization’s network.
February 21, 2021 at 3:49 pm
An important takeaway from this chapter is the different kinds of firewalls in place on an enterprise network, and the concept of multihoming. An organization should always have a main border firewall, which prevents external connections from the Internet to endpoints on the internal network, and also routes external traffic to external-facing hosts in the DMZ when appropriate. The main border firewall is often paired with screening border routers, which automatically turn away certain kinds of malicious traffic, preventing the main border firewall from being overloaded. There should also be a variety of internal firewalls preventing hosts on the internal network from connecting with each other unless there is a business need for it. Finally, there are host firewalls, which exist as a final layer of firewall security, managing access to each individual host.
The practice of multihoming is related to the various firewall types. A firewall that is multihomed connects to multiple different subnets. This allows for traffic to many areas of the internal network to be managed by one firewall, and enables important security practices like the use of a DMZ subnet to quarantine public-facing web servers.
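Added example, not from the comment above or from the textbook: a Python model of a multihomed border firewall with three interfaces (external, DMZ, internal) and a cheap screening-router check in front of it. The zone subnets, the rule set and the router's anti-spoofing check are assumptions chosen to illustrate the architecture described above, not any vendor's configuration.

```python
"""Multihomed border firewall: one device, three zones, default deny.

Constructed example. Zone address ranges and rules are assumptions.
"""
from ipaddress import ip_address, ip_network

ZONES = {                                      # assumed subnets per interface
    "dmz": ip_network("192.0.2.0/24"),         # public-facing servers
    "internal": ip_network("10.0.0.0/8"),      # internal hosts
}

# Rules are evaluated top-down; first match wins; anything unmatched is dropped.
# (from zone, to zone, destination port or None for any, action)
RULES = [
    ("external", "dmz", 80, "pass"),          # public web server in the DMZ
    ("external", "dmz", 443, "pass"),
    ("external", "internal", None, "drop"),   # no inbound connections to internal
    ("internal", "dmz", None, "pass"),
    ("internal", "external", None, "pass"),
    ("dmz", "internal", None, "drop"),        # a compromised DMZ host cannot reach inward
    ("dmz", "external", 53, "pass"),          # DMZ hosts may resolve DNS, nothing else
]


def zone_of(ip):
    """Interface/zone that owns an address; anything not ours is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def screening_router_drops(src, ingress):
    """Screening border router in front of the firewall (assumed check): a packet
    arriving on the external link that claims an internal or DMZ source address is
    spoofed and is turned away before it consumes firewall capacity."""
    return ingress == "external" and zone_of(src) != "external"


def decide(src, dst, dport, ingress=None):
    """Verdict for one packet. ingress is the interface it arrived on; by default
    it is assumed to be the interface that owns the source address."""
    ingress = ingress or zone_of(src)
    if screening_router_drops(src, ingress):
        return "drop-at-router"
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "not-routed"   # same-zone traffic never crosses this firewall
    for frm, to, port, action in RULES:
        if frm == src_zone and to == dst_zone and port in (None, dport):
            return action
    return "drop"             # default deny
```

The `not-routed` verdict is the point of the internal firewalls and host firewalls mentioned above: traffic between two internal hosts never reaches the border firewall, so if it is to be restricted, some other layer has to do it.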
Wei Liu says
February 21, 2021 at 6:47 pm
This chapter provides an overview of how a firewall provides network security by filtering incoming and outgoing network traffic. The purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. However, firewall technology is useless without strong management. Organizations must define policies for firewalls very carefully and update them constantly. This chapter also pointed out two major problems that will face firewall administrators in the future. The first is the death of the perimeter. The second is that firewalls have long used signature detection.
February 21, 2021 at 8:09 pm
As always, the level of security needed always comes back to the business case. Better protection always equates to more money invested. To be completely honest, it can get exhausting always relating generic cyber and IT infrastructure to the business case without ever actually having a very specific example. Everything becomes very conceptual, which never completely translates to the real world. I find myself always repeating, “you wouldn’t buy a $1000 safe to hold $100.” The same always goes for cybersecurity. Security Architecture always boils down to the cost/benefit analysis.
February 23, 2021 at 9:21 am
I like the analogy you used to put the cost/benefit analysis into perspective. Adding layers of security will help make the network more secure, but it will also cost a lot of money and time to make sure these controls are configured, effectively working, and monitored, because these controls are never just set and forget. Performing a risk assessment on the network will help an organization understand how to effectively design their security architecture.
February 21, 2021 at 8:48 pm
In this week’s reading of Chapter 6, I learned that, if a firewall becomes overloaded with traffic, it will drop packets it cannot process. According to Boyle and Panko, dropping packets that a firewall cannot process effectively creates a self-inflicted denial of service attack against the firm. Organizations need to purchase firewalls with sufficient processing power to handle the traffic they will have to process or examine. Even if a firewall can handle the traffic when a firm purchases it, the firewall may run out of capacity later in the future. Firewalls must be able to filter traffic at high speed or the maximum speed of the lines that connect to it. If a firewall works fine at normal traffic levels, but cannot deal with traffic surges during major attacks, it is a very poor and insecure firewall. During DoS attacks and heavy scanning attacks, traffic can increase dramatically within a firewall.
Hi Elias, this was very interesting to me too. I knew how firewalls worked, but I never thought of the possible downstream effects of them. It is vital for companies to correctly estimate their potential firewall traffic. Theoretically, a company could have their firewall taken down from stopping a DoS attack, which would make them extremely vulnerable.
Quynh Nguyen says
February 21, 2021 at 10:48 pm
My biggest takeaway from chapter 6 was learning about firewalls during attacks. It is important for companies to have a firewall on their servers, networks, and websites because if the firewall cannot filter all of the passing packets, it drops the packets it cannot process instead of letting them pass. This method would protect the server from being attacked by hackers; however, if the firewall drops a huge amount of packets it cannot process, it creates a self-inflicted denial of service attack. Thus it is crucial that firms invest in firewalls with sufficient processing power to handle incoming web traffic. The firewall may run out of capacity later on, so companies must also reevaluate their incoming and growing web traffic to upgrade firewall capacity, write more filtering rules, and have more firewall processing work per packet. Firewalls must be able to filter traffic at wire speed (the maximum speed of the lines that connect to it).
Michael Doherty says
February 23, 2021 at 11:38 pm
I like your comment. The self-inflicted denial of service attack is important to remember. Sometimes an attack can come from internally. I also like the comment that corporations must reevaluate their capacity. This is vital for considering upgrades.
February 21, 2021 at 11:04 pm
I felt that Figure 6-20 “Firewall Architecture” is a great representation of a real life situation. This particular section emphasizes that there are different firewalls that can be used. This will help with the Defense in Depth concept. In the event of an attack, the attacker may have to go through several layers of firewalls.
February 22, 2021 at 3:37 am
Great point Mike! The use of border, internal & host firewalls definitely helps with defense in depth. If there are any configuration errors or compromises to the main firewall, there is still protection offered by the internal and host firewalls.
February 21, 2021 at 11:23 pm
The section on intrusion detection systems and intrusion prevention systems particularly stood out to me in the reading. As an IT Auditor in my organization, I also focus on SOC Reports, and one of the controls we look at in SOC Reports is whether or not IDS and IPS are in place. This reading expanded my understanding of IDS and IPS. I really appreciated the explanation of the difference between a firewall and an IDS. Firewalls only block threats that they understand to be attacks, while IDS alert security teams of all possible threats. IDS are beneficial as they have better technology to detect a threat, whereas firewalls can only block what they understand. While the technology of IDS is farther along than firewalls, they are not the end all be all, as they can likely result in many false positives, which is where IPS comes into play. This section did a great job of laying the foundation for IDS and IPS.
February 22, 2021 at 4:20 pm
Ashleigh, I agree with you. In my former role as an Auditor and now my current role as manager of an IT department, I have been and currently am responsible for reviewing SOC reports. I thought overall this Chapter really did a good job explaining the differences between a variety of technologies that can be used as preventive and detective controls. As a non-technical professional, my understanding has been high-level, but this reading really gave me a lot better insight into the functioning of these different tools and technologies, including IDS and IPS, and the pros and cons of these different technologies. It also gave me good insight into how they can be layered throughout different parts of a network to provide robust protection and mitigation of risk.
February 23, 2021 at 9:07 am
Hi Ashleigh – I think you’ve identified a very important benefit to an IDS vs. a firewall. While automation is generally useful, some type of qualitative evaluation by an actual human being must also take place in many circumstances. This is where an IDS is valuable: it assists network administrators by ignoring traffic that is almost certainly benign, and flags potentially malicious traffic so that the administrators in charge can do their job and investigate. With a completely automated system, there would be false positives (normal traffic being blocked incorrectly) and false negatives (malicious traffic circumventing the automatic prevention systems).
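Added example, not from any comment above or from the textbook, serving the IDS/IPS discussion in this thread: Lakshmi's point that an IPS acts on a confidence spectrum (drop at the high end, alert lower down), the follow-up that the IPS needs rule tuning, and Mitchell's point that an automated system produces false positives and false negatives. The rules, confidence weights, thresholds and the labelled sample traffic are all constructed for the demo and are not real signatures.

```python
"""IPS confidence spectrum: act on the score, then measure the error rates.

Constructed example. Every rule, weight, threshold and sample flow below is
invented for the demo; the labels are what an analyst might assign by hand.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dport: int
    payload: bytes
    pkts_per_sec: int


# Each rule contributes evidence with an assumed confidence weight.
RULES = [
    ("telnet-login-attempt", lambda f: f.dport == 23, 0.5),
    ("shell-metachar-in-http", lambda f: f.dport == 80 and b";" in f.payload, 0.4),
    ("packet-rate-flood", lambda f: f.pkts_per_sec > 1000, 0.6),
    ("known-bad-payload", lambda f: b"EVIL-MARKER" in f.payload, 0.9),  # constructed marker
]


def score(flow):
    """Combine independent pieces of evidence: 1 - prod(1 - c), so several
    weak matches add up to a higher confidence than any one of them."""
    miss = 1.0
    for _, match, conf in RULES:
        if match(flow):
            miss *= 1 - conf
    return round(1 - miss, 3)


DROP_AT, ALERT_AT = 0.8, 0.4   # assumed thresholds on the confidence spectrum


def verdict(flow):
    s = score(flow)
    if s >= DROP_AT:
        return "drop"    # very likely / provable: the IPS blocks inline
    if s >= ALERT_AT:
        return "alert"   # likely: let it pass but raise it for a human (IDS behaviour)
    return "pass"


def error_rates(labelled, drop_at):
    """(false-positive rate, false-negative rate) of blocking at a threshold,
    over (flow, is_malicious) pairs labelled by an analyst."""
    fp = fn = benign = malicious = 0
    for flow, is_malicious in labelled:
        blocked = score(flow) >= drop_at
        if is_malicious:
            malicious += 1
            fn += not blocked
        else:
            benign += 1
            fp += blocked
    return fp / benign, fn / malicious


# Constructed sample traffic with analyst labels (True = malicious).
SAMPLE = [
    (Flow("198.51.100.9", 23, b"", 5), True),                       # telnet probe
    (Flow("198.51.100.9", 80, b"GET /?q=a;id", 5), True),           # injection attempt
    (Flow("203.0.113.77", 80, b"EVIL-MARKER", 2000), True),         # flood + known payload
    (Flow("192.0.2.44", 443, b"GET /", 10), False),                 # ordinary HTTPS
    (Flow("192.0.2.45", 80, b"GET /?a=1;b=2", 3), False),           # harmless semicolon
    (Flow("192.0.2.46", 80, b"GET /", 1500), False),                # busy but legitimate client
]
```

At the default drop threshold of 0.8 nothing legitimate is blocked but two of the three malicious flows only raise alerts; lowering the threshold to 0.5 blocks one more attack and starts blocking the busy legitimate client. That movement between false negatives and false positives is the tuning work the thread describes, and it is why the middle of the spectrum is left to alerting rather than automatic drops.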