7.7 Operate and maintain detective and preventative measures

  • Firewalls (next generation, web application, network)
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Machine learning and Artificial Intelligence (AI) based tools

A firewall monitors and filters traffic on a network.

A firewall sits between the internet (WAN) and the local network (LAN).  A firewall could also sit between different segments of a LAN.  For example, a firewall could sit between a group of servers and the remainder of the network.

A firewall could be hardware based or software based.  A firewall could be a component of a larger network device such as a router.  In a large organization where a great deal of traffic passes through the network, a large, hardware-based firewall must be installed.  Firewalls are rated based on the volume of traffic that they can handle.  Of course, more complicated configurations can reduce the amount of traffic that a firewall can handle.

Common firewall brands include

  • Sonicwall

  • Cisco ASA (Adaptive Security Appliance)

  • Fortigate

  • Cisco Meraki

Configuration of a firewall may be

  • Through a console (requiring special commands)

  • Through a web-based GUI or software-based GUI

  • Automatically through the cloud, which is useful for organizations that deploy dozens, hundreds, or thousands of devices

An organization may select a firewall brand based on their existing network infrastructure.  For example, if the customer uses Cisco switches and routers in their network, they may choose to install Cisco ASA firewalls as well.

There are four components to a firewall configuration

  • ACL or Access Control List.  The Access Control List is a set of rules for what traffic is permitted to pass and what traffic is not permitted.  There are many types of rules, based on

    • Source IP address.  Where is the traffic coming from?  The source IP address could be on the LAN or on the WAN.  It could be a specific IP address or a range of addresses.

    • Destination IP address.  Where is the traffic going?  The destination IP address could be on the LAN or on the WAN.  It could be a specific IP address or a range of addresses.

    • Source Port Number.  What is the port number of the source traffic?  The source port could be on the LAN or on the WAN.  It could be a specific port or a range of ports.

    • Destination Port Number.  What is the port number of the destination traffic?  The destination port could be on the LAN or on the WAN.  It could be a specific port or a range of ports.

    • Username.  Access Control Lists can be user-based.  Permissions can be granted or denied to specific users based on their needs in the organization.  For example, guests can be permitted to access only the internet and not resources such as remote desktop or SQL servers.

    • Rules can be specific or could combine a combination of parameters
      • For example, a rule could say ‘Allow traffic from, port 5 to the range of IPs to’.  All traffic received from port 5 will be permitted to access destinations in the range of to  Traffic from other source IP addresses and/or ports will be rejected.  Traffic from to destinations outside of and will be rejected.

      • Always Allow.  An Always Allow rule allows all traffic matching a rule.  For example, “always allow traffic from the source IP”.  All traffic from will be permitted regardless of the port number or destination.

      • Always Deny.  An Always Deny rule denies all traffic matching a rule. For example, “always deny traffic from the source IP”.  All traffic from will be denied regardless of the port number or destination.

    • Order of Operations

      • A firewall could have dozens or thousands of rules.  The rules are ranked in order of priority.

      • When the firewall receives a piece of traffic, it starts checking the rules in order until it finds one that matches the traffic’s source and destination.  It then applies that rule to the traffic.

      • The firewall will only apply one rule to a piece of traffic.  Once that rule is applied, the firewall stops checking additional rules.

      • It is important to put the rules in order.  When a firewall receives a piece of traffic that does not match any rules, it will either allow or reject the traffic based on its configuration.

      • Many firewalls are preconfigured with two default rules

        • Always allow traffic with a source inside the network (LAN)

        • Always reject traffic with a source outside the network (WAN)

      • The two default rules should be put at the bottom of the list.
        • The first rule (allowing all traffic from inside the LAN) is dangerous because users cannot be trusted to access only safe resources on the internet.  It should be modified (broken down) into two rules.

          • Always allow traffic with a

            • Source inside the network (LAN)

            • Destination outside the network (WAN)

            • Limited to specific ports outside the network (port 80, port 443, port 3306, etc.).  The specific ports should be based on resources that users need to access.

          • Always deny traffic

            • Source inside the network (LAN)

            • Destination outside the network (WAN)

            • This rule applies second; any traffic not matching the previous rule will be denied

  • Application-Based vs Network-Based

    • An application-based firewall will analyse traffic on a deeper level than a network-based firewall

    • The network-based firewall looks at traffic source and destination IP addresses, but the application-based firewall also looks at its contents

    • The application-based firewall does not look at the packets themselves but what is inside and forwards the data to the applications that require them.

    • An analogy is a person who is screening mail.  A network-based firewall would look at the to and from addresses on the envelope before deciding whether to forward the mail.  An application-based firewall would open each envelope and look at the contents.
    • Application-based firewalls can slow down traffic because they are analyzing the contents of each packet.

  • Stateful vs Stateless

    • Consider that almost all traffic on the internet is two-way traffic.  When a user downloads a file from the internet, that file download is two-way.  The sender’s computer is sending the file, one piece at a time (in packets).  Each time the user’s computer receives a packet, it acknowledges receipt.  This is known as a connection.

    • Each connection is originated by only one party.  In this case, the person who downloaded the file originated the connection.

    • A stateless firewall applies rules based only on the source and destination IP addresses and ports of the packets., but a stateful firewall will identify which party originated the connection (whether that party was inside the network or outside), and then block or allow it based on the source.  A packet that is normally permitted or denied by an ACL may be denied or permitted by a stateful firewall.

    • A stateful firewall requires additional hardware to process the decision making.

  • Implicit Deny

    • As mentioned previously, a firewall lists its rules in order and applies the first rule that matches the traffic

    • If the traffic does not match any rule, the firewall should deny it

    • This is known as “implicit deny”

    • The last rule in the list should be to deny all traffic

Newer firewalls such as Fortigates and Cisco Meraki MX Series routers connect to the cloud.  The cloud allows them to

  • Automatically receive firmware updates

  • Automatically download and update their configuration (and allow an administrator to configure multiple devices at the same time)

  • Share threat intelligence data, even across organizations.  For example, if a firewall detects a threat, it can upload the data to the cloud, where it is shared by many firewalls across the organization.

A Web Application Firewall (WAF) is a firewall specifically designed to sit in front of a web server.  It specifically inspects and filters HTTP traffic.  It can prevent attacks such as SQL Injection and Cross Site Scripting.

A NGFW or Next Generation Firewall, also known as a Layer 7 Firewall, is part of the third generation of firewalls.  It can perform deep packet inspection and can be combined with a RADIUS server, quality of service management, and website filter.

Why do we need a NGFW?  Security threats are becoming more complicated.  The traditional firewall rules block traffic to/from specific addresses and ports.  That’s not good enough anymore, because bad traffic can come in disguised as good traffic.  Legitimate, trusted devices can become infected and used to launch attacks.  The NGFW can look inside the traffic – not just at its source or destination – to decide whether it is legitimate.

An NGFW can also verify the identity of the user sending or receiving the traffic.

A Unified Threat Management (UTM) device is the term given to most modern enterprise firewalls, which can include antivirus, antimalware, SPAM filtering, and intrusion detection tools all in one box.  A threat from a single malicious actor can enter the organization through multiple routes.  For example, a hacker could enter an organization’s network through an unsecured firewall, log in to a server that has weak credentials, and install a piece of malware that allows him to copy the corporation’s sensitive data.

UTM devices can detect patterns in network traffic and user activity.  They can send this data to the cloud where it can be further analysed to determine whether it is a threat.

A UTM must be connected to the internet to be effective.  Like any other threat management application, a UTM must be properly configured.

A Honeypot is a network device that appears to be vulnerable but is in fact designed to detect hackers.  A network security administrator creates a honeypot to identify hackers and/or to distract them from legitimate network resources.  A honeypot allows an organization to understand the motives behind the attacks (which can be used to better protect network and other resources), and the type and sophistication of the hackers.

There are several types of honeypots

  • Pure honeypot – a production system with a monitoring device on the network interface. The pure honeypot pretends that it is a legitimate machine.  The pure honeypot may be detected by some hackers.

  • High interaction honeypot – runs on a physical or virtual machine and imitates many production different systems.  The high interaction honeypot consumes a substantial amount of resources due to its sophistication.  When run on a virtual machine, the honeypot can be quickly regenerated.

  • Low interaction honeypot – simulates only necessary services, allowing more honeypots to operate with fewer resources.  Low interaction honeypots may be detected by some hackers.

  • SPAM honeypot – spammers will locate servers that use open relays (an open relay is an e-mail server that allows an unauthenticated user to send an e-mail) and use them to send e-mails.  The spammer will attempt to send e-mail test messages through the SPAM honeypot; if successful, the spammer will continue to send e-mail through the honeypot.  The SPAM honeypot tricks the hacker into thinking that his e-mails were successfully delivered.  The honeypot can detect the SPAM messages and detect the spammer.

A honeyfile is a fake file that we place on a shared drive.  A legitimate user will not access the honeyfile because it serves no legitimate purpose, but hacker who is stealing data will.  Once the honeyfile is accessed, an alarm is triggered.  We can determine who accessed the file.

A honeynet takes the honeypot one step further.  A honeynet is an entire fake network, complete with fake servers, user devices, and file shares.  Each of the fake devices may itself be a honeypot, and the file shares may contain honeyfiles.  A full high interaction honeynet may take a long time to create but can capture many hackers.

Earlier I mentioned how newer malware detection programs use machine learning to detect the malware.  If hackers could control the data that the program used to learn, then they could manipulate it into allowing back doors and malicious software. 

Well, if we set up a honeypot with a machine learning algorithm, the hackers would be tempted to feed it fake data to trick it.  We could capture the fake data, known as fake telemetry, and feed it to our real machine learning algorithm.  This would make the real algorithm even smarter because it would be able to ignore fake data.

A pseudo flaw is a fake vulnerability that is put into a system.  We make a pseudo flaw to trick a hacker into thinking that he successfully entered a system.

When we detect an intruder, we move him to a padded cell.  The padded cell pretends to be like the network but does not allow access to the data.  We might monitor the padded cell to detect and observe future attacks

A NIPS is a Network-Based Intrusion Prevention System, and a NIDS is a Network-Based Intrusion Detection System

A NIDS can only detect unauthorized access, but a NIPS can detect and react to the unauthorized access.

NIPS and NIDS have the following characteristics:

  • Signature-Based:  Similar to an antivirus program, a NIPS can detect an intrusion based on its “signature” or specific characteristics.  For example, an intrusion enters through a specific port or from a specific source IP address.  A signature-based NIPS/NIDS will not detect attacks that are zero-day or attacks that don’t match the signature.

  • Heuristic/Behavioral: Like an antivirus program, a NIPS can detect an intrusion based on the way it behaves, more like artificial intelligence.  A heuristic-based NIPS can detect zero-day attacks but has a higher rate of false positives.

  • Anomaly.  An anomaly-based NIPS/NIDS compares new traffic against a baseline.  The NIPS/NIDS calibrates itself to understand normal network behavior, and then compares new traffic against that calibration.  Traffic that does not match is denied.

  • Inline vs Passive.  An inline sensor sits between the internet and the internal network.  All traffic passes through the sensor, which decides if it should be permitted or denied.  An inline sensor can turn off the flow of bad traffic.  If the inline sensor is overloaded, it can reduce the speed or capacity of the network.  A passive sensor sits on the network but receives a copy of the traffic.  A passive sensor cannot turn off the flow of bad traffic.

  • In-Band vs Out-of-Band.  An in-band sensor is a complete system that monitors traffic and decides whether to allow or prevent it.  An out-of-band sensor monitors traffic and sends results to another system that decides whether to block it.

  • Rules.  Rules are decision making processes that the NIPS/NIDS uses to determine whether the traffic should be permitted or denied.  NIPS/NIDS can be preloaded with rules, and an administrator can add additional rules as needed.  A NIPS/NIDS with heuristic behavior can automatically create additional rules based on its findings.

  • Analytics

    • False Positive.  A false positive is when a NIPS or NIDS alerts to an intrusion attempt that is a source of legitimate network activity.

    • False Negative.  A false negative is when the NIPS or NIDS allows traffic through that is an intrusion attempt.

There must be a balance between false positives and false negatives.  Increasing the sensitivity of the NIPS/NIDS will create more false positives.  False positives that block legitimate traffic can disrupt the operations of the organization and frustrate users.  They require additional administrator attention to correct the false positives.  False negatives are dangerous because they allow intrusion attempts.  There is no way to identify a false negative until after it has occurred, and many false negatives go undetected.  Lowering the sensitivity of the NIPS/NIDS increases the number of false negatives.  A NIPS/NIDS with artificial intelligence can learn from its mistakes.

A Host-Based Intrusion Prevention or Intrusion Detection System is one that is installed on each endpoint.  Some features

  • It can detect more attacks on the endpoint than the network-based system.  The network-based system can detect more attacks on the network.

  • A host-based system might not be compatible with every type of endpoint.

  • It is more difficult to manage and might consume system resources.

  • An end user might be able to disable it.

Some other ways we might prevent attacks

  • Warning Banner – when a user attempts to log in, they are warned that this is a protected system and that they should stay out unless authorized.

  • Anti Malware software – antimalware software should be installed on all endpoints

  • User Education – teaching users about malware, social engineering, and threats

  • Whitelists – a whitelist is a list of devices or traffic sources that are authorized to access the network.  Anything that is not on the whitelist is automatically blocked. 

  • Blacklists – a blacklist is a list of devices or traffic sources that are not authorized to access the network.  Anything that is not on the blacklist is automatically permitted.