CSC 9 Ports, Protocols And Services CSC 12 Boundary Defense

Transcription

CSC 9: Ports, Protocols and Services
CSC 12: Boundary Defense

- Basics
- CSC Requirements
- Enclaves
- Firewall Implementation
- Powershell

CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

CSC 9 Subcontrols
- Five subcontrols, all protecting devices.
  - One identify, one detect, three protect.
  - Asset type is device.
  - First three are implementation group 2.
- 9.1 Identify: Associate Active Ports, Services and Protocols to Asset Inventory
- 9.2 Protect: Ensure Only Approved Ports, Protocols and Services Are Running
- 9.3 Detect: Perform Regular Automated Port Scans

CSC 9 Subcontrols
- 9.4 is group 1 (everybody)
  - 9.4 Protect: Apply Host-Based Firewalls or Port Filtering
- 9.5 is group 3 (highest level of protection)
  - 9.5 Protect: Implement Application Firewalls

CSC 12: Boundary Defense
Detect/prevent/correct the flow of information transfer between networks of different trust levels, with a focus on security-damaging data.
- 12 sub-controls covering networks, users and devices. Some protect, some detect.
- 12.1 – 12.5:
  - For everyone: Know your boundaries, internal and external. Block unauthorized ports.
  - For group 2: Block malicious IPs and ports. Scan to ensure unauthorized connections can't happen. Log activities at boundaries.

CSC 12 Boundary Defense
- 12.6 – 12.8
  - Group 2: Deploy IDS and IPS at boundaries. Collect netflow data.
  - Group 3: Deploy IPS
- 12.9, 12.10
  - Group 3: Deploy application proxy filters at boundaries. Decrypt data there.
- 12.11, 12.12
  - Group 2: Require multi-factor authentication for remote logins.
  - Group 3: Manage (scan) devices connecting through remote logins.

What is a firewall?
- A device that filters packets either coming into or going out of a device
- Filtering can be based on IP, TCP, UDP and other criteria relating to a packet, as well as authentication.
- The criteria are contained in firewall rules.
- A firewall rule is similar to an access control entry.
  - Example: permit host 172.16.1.1 host 180.50.1.1 port Telnet

Firewall Types
- Packet filtering vs stateful vs proxy
  - Packet filtering makes each filtering decision on a packet-by-packet basis, without regard to previous packets in any direction
  - Stateful firewall keeps track of packet flows and can make decisions based on previous flow information
  - Proxy works on a per-application basis. The user sends to the proxy; the proxy creates a new packet sourced from the proxy, or blocks
    - This type is rarely ever seen, mostly obsolete
    - Nanny block
- We nearly always just mean a stateful firewall

Firewall Types
- Network-based vs host-based
  - Network-based runs on a router, multi-layer switch or dedicated firewall boundary device
  - Host-based firewall runs on a host computer
- Hardware vs software firewall
  - Hardware firewall: a chassis designed specifically to operate as a firewall; highest performance
  - Software runs on commodity hardware; includes host firewalls

Enclave Concept
- A protected network within a network
- Segmentation or separation
- Subnets
  - VLAN
  - Physical networks connected through a router
  - Virtual subnet and router
- Air-gapped
  - No network connection

Three-layer application model
- Presentation layer
  - Web server with web application
  - Located in DMZ
- Business logic layer
  - A protected internal subnet (enclave)
  - Content servers (CMS)
- Database layer
  - A more secure internal subnet
- Subnet layers separated by firewalls
- Each has IDS/IPS

Internal Firewall
- Can be used to implement enclaves
- Traffic must go through an internal firewall prior to accessing or leaving a protected enclave network
- A centrally managed firewall enforcing rules based on each role would be great?
  - But we do not have one

Host-Based Firewalls
- Centrally managed via GPO
  - On Windows networks
- Inexpensive, or at least cost effective
- Host-based can be aware of services and processes on the host that network firewalls running on separate boundary devices aren't aware of

Firewall Vendors (Centrally Managed)
- Blink
- Checkpoint
- Panda
- McAfee
- Kaspersky

Windows Advanced FW (a host firewall)

The Good              | The Bad
----------------------|-----------------------------------
Built in (free)       | No IDS
Enabled by default    | No central logging
Stateful              | IPsec is complex
Central management    | Roaming may require complex rules
W3C extended logs     |

Windows Adv FW
- Windows Firewall features
  - Inbound filtering
  - Outbound filtering
  - Firewall rules combined with IPsec rules
  - Support for complex rules
  - Support for logging

Default Firewall Behavior
- Default is to allow all outbound traffic and inbound responses. Deny all other inbound traffic.
- Question: why not just turn off the service if you don't want the traffic?
  - You may want the service running for local connections only (127.0.0.1), but the service may not support that
  - The service may have been installed without your knowledge
  - Port sharing

How the Firewall Works
- An incoming packet is inspected and compared against a list of allowed traffic.
- If the packet matches a list entry, the packet is passed to TCP/IP for further processing.
- If the packet does not match a list entry, the packet is discarded.
- If logging is enabled, Windows creates an entry in the firewall log file.

How the List is Populated
- For responses to outbound traffic:
  - When an enabled connection sends a packet outbound, the firewall creates an entry in the list for the response traffic.
  - Stateful firewalls can do this
- Other allow rules can be manually created with Advanced Security

Locations
- Windows Firewall with Advanced Security is a network-location-aware application
  - Windows stores the firewall properties based on location types
- The configuration for each location type is called a profile
- In each profile you can:
  - Enable or disable Windows Firewall
  - Configure inbound and/or outbound connections
  - Customize logging and other settings
- Presumably useful for mobile systems

Locations
- As the network connected to changes, the Windows Firewall profile changes.
- Windows Firewall can therefore automatically allow incoming traffic for a specific desktop management tool when the computer is on a domain network, but block similar traffic when the computer is connected to public or private networks.

FW default Block vs Block All
- Block is the default
  - Blocks inbound if there is NOT a rule to allow
- Explicit Block All
  - Blocks all inbound even if there IS a rule to allow
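The three behaviours described above (a service kept to local connections only under the default block, a profile-scoped rule for a desktop management tool, and Block vs Block All) as an added PowerShell example; this is not code from the lecture slides. Assumed values: TCP port 8080 for the service and C:\Tools\mgmt-agent.exe as a hypothetical management agent; run from an elevated session on a Windows version that ships the NetSecurity cmdlets.

```powershell
$svcPort = 8080   # assumed: a service that cannot bind to 127.0.0.1 by itself

# Local connections only: create NO allow rule for the port. Remote requests
# then fall through to the profile default (Block), while the host's own
# loopback connections are not subject to firewall rule processing.
# 1. Make sure every profile keeps Block as its inbound default.
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    Set-NetFirewallProfile -DefaultInboundAction Block

# 2. Make sure no enabled rule already opens the port inbound.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$svcPort")
    }
if ($open) {
    Write-Warning "Enabled rules already allow TCP/$svcPort inbound:"
    $open | Select-Object DisplayName, Profile | Format-Table -AutoSize
}

# Domain-only management agent: the allow rule is bound to the Domain profile,
# so the same traffic is dropped by the default on Public and Private networks.
New-NetFirewallRule -DisplayName 'Mgmt agent (domain profile only)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program 'C:\Tools\mgmt-agent.exe'   # assumed path

# The currently active profile decides whether that rule is in force right now.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# "Block" vs "Block All" on the Public profile: Block drops inbound traffic
# that no allow rule matches; Block All (AllowInboundRules False) ignores the
# allow rules entirely. The last line restores the normal Block state.
Set-NetFirewallProfile -Name Public -DefaultInboundAction Block -AllowInboundRules True
Set-NetFirewallProfile -Name Public -DefaultInboundAction Block -AllowInboundRules False
Set-NetFirewallProfile -Name Public -AllowInboundRules True
```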

Logging
- W3C Extended format, ASCII text
- 32MB
- Similar to syslog format
- Pfirewall.log
- Can change size and location
- Log dropped (all dropped)
- Log successful connection creation
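Turning on dropped-packet logging and summarising a pfirewall.log extract, as an added PowerShell example that is not from the lecture slides. The log lines are constructed sample data in the W3C extended format the firewall writes; the log path is an assumed value, and 32767 KB is the largest size the cmdlet accepts.

```powershell
# Configure logging on every profile (run elevated): log drops, not allows.
Set-NetFirewallProfile -All `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 -LogBlocked True -LogAllowed False

function Get-FirewallLogSummary {
    # Parses W3C extended log lines: the "#Fields:" header names the columns,
    # other "#" lines are metadata, remaining lines are space-separated records.
    param([string[]]$Lines)
    $fields = $null
    $records = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)') { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
    # Which remote hosts are being dropped against which local ports?
    $records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Values[0] } },
            @{ n = 'DstPort'; e = { $_.Values[1] } }
}

# Constructed sample extract (not a real log).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:00:01 DROP TCP 10.0.9.7 10.0.1.20 51001 445 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:00:01 DROP TCP 10.0.9.7 10.0.1.20 51002 3389 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:00:02 DROP TCP 10.0.9.7 10.0.1.20 51003 445 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:00:05 ALLOW TCP 10.0.1.20 10.0.1.5 49200 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-FirewallLogSummary -Lines $sample | Format-Table -AutoSize
```

Point the function at `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log` to run it over the live log.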

Configuring Windows Firewall: Control Panel - Windows Firewall

Basic Firewall Configuration

Order of Rule Processing
1. Rules that allow/block traffic for services
2. Rules that allow traffic from computer sets
3. Rules that allow traffic only if IPsec secured
4. Rules that block traffic, inbound/outbound
5. Rules that allow traffic, inbound/outbound
6. Default behavior for the profile (allow/block)

Advanced Firewall Configuration: allows you to configure more complex rules, outgoing filtering, and IPsec rules

Windows Firewall Properties

Advanced Firewall Configuration: View and Edit Firewall Rules
- You modify an existing rule by opening its properties
- Tabs in the properties of an outbound rule:
  - General
  - Programs and Services
  - Computers
  - Protocols and Ports
  - Scope
  - Advanced
- Create new firewall rules
  - A wizard guides you through the process

Advanced Firewall Configuration: Create New Firewall Rules
- Rule types you can create with the Outbound Rule Wizard:
  - Program
  - Port
  - Predefined
  - Custom
- Actions for a rule:
  - Allow the connection
  - Allow the connection if it is secure
  - Block the connection

Advanced Firewall Configuration: Monitor Windows Firewall Rules and Connections
- The Firewall node allows you to see the rules that are enabled in one screen
- The Connection Security node allows you to see the computer connection security rules that are enabled and any security associations that are active
- Security association
  - Rules for communication between two computers
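The same view the Monitoring node gives (enabled rules, enabled connection security rules, active security associations), scripted with the NetSecurity cmdlets so it can be collected from many hosts; this is an added example, not code from the lecture slides, and assumes nothing beyond the cmdlets themselves.

```powershell
function Get-EnabledFirewallRuleReport {
    # One row per enabled rule, joined with its port, address and program
    # filters (the GUI shows these on the rule's Protocols and Ports, Scope
    # and Programs and Services tabs).
    param([string]$Direction = 'Inbound')
    Get-NetFirewallRule -Enabled True -Direction $Direction | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Action    = $_.Action
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Remote    = ($addr.RemoteAddress -join ',')
            Program   = $app.Program
        }
    }
}

# Inbound allow rules reachable from any remote address deserve the closest
# look: each one is an exception to the profile's default block.
Get-EnabledFirewallRuleReport -Direction Inbound |
    Where-Object { $_.Action -eq 'Allow' -and $_.Remote -eq 'Any' } |
    Sort-Object Profile, Name | Format-Table -AutoSize

# Connection security: enabled IPsec rules, then the security associations
# (negotiated main-mode and quick-mode state) that are live right now.
Get-NetIPsecRule -Enabled True |
    Select-Object DisplayName, Profile, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```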

Powershell Lab
- Today's lab is the last lab and is due the day of the next class
- Using PowerShell to obtain network information
- There will be a lab test next week
- There will be a written test in the last week
- The lab test will be based on the labs so far. The written test will be mostly based on the lecture material.