Yoshua Gichara Eliazar - 00000051375 - IF673 - A - UTS

UTS Cybersecurity: Firewall Configuration & Management - LEC

Yoshua Gichara Eliazar / 00000051375

1. Command and control stages

Command and control is the exercise of authority and direction by a properly
designated commander over assigned and attached forces in the accomplishment of the
mission. Command and control functions are performed through an arrangement of
personnel, equipment, communications, facilities, and procedures employed by a
commander in planning, directing, coordinating, and controlling forces and operations in
the accomplishment

Attack: in this stage the attack runs between two parties, the infected endpoints and a
C&C server, which is a master server designed to listen to each compromised endpoint and
respond with the appropriate attack commands. The terms "bot" and "botnet" are used to
describe an infected endpoint and a collection of infected endpoints that are controlled
simultaneously by a C&C server. C&C traffic must be carried out stealthily. The server
has full control over every connected endpoint and can take or even destroy any data
owned by the users of those endpoints.

Defense: C&C activity often happens quickly and infrequently; it can be as simple as
running a very short script. C&C is usually the most advanced stage of an attack, so the
most sophisticated defense strategy is needed to defeat the attacker in the C&C phase.
2. A firewall organizes its interfaces into security zones so that each zone can be
secured on its own terms. A zone is a logical grouping of network interfaces carrying
traffic. Traffic within a zone is permitted by default, and traffic between zones is
denied by default. Each interface is assigned to exactly one zone, and a zone can contain
multiple physical or logical interfaces. Each zone type supports only specific interface
types: Tap zone, Layer 2 zone, Layer 3 zone, Tunnel zone, and Virtual Wire zone.
Creating a security zone:
a. Specify the zone name.
b. Specify the zone type.
c. Assign interfaces:
   i. Each interface must be of a type the zone supports.
   ii. Unassigned interfaces do not process traffic.
d. Configure a tap interface: Network > Interfaces > Ethernet >
e. Configure a Virtual Wire object:
   i. A Virtual Wire object connects Virtual Wire interfaces.
   ii. A virtual wire can accept traffic based on 802.1Q VLAN tags, where tag 0 means untagged traffic.
   Path: Network > Interfaces > Ethernet > Select_interface
f. Virtual Wire subinterfaces read and process traffic based on:
   i. VLAN tags (1-4094)
   ii. VLAN tags and IP classifiers (source IP)
   iii. IP classifiers (untagged traffic, source IP)
   Common uses include more granular security rules and logically splitting network traffic.
g. Configure Layer 2 interfaces: provide switching between two or more interfaces through
   a VLAN object. Typically used when no routing is needed.
h. Configure Layer 3 interfaces: enable routing between multiple interfaces. This requires
   a virtual router and can require network configuration to accommodate new IP addresses.
   Config path: Network > Interfaces > Ethernet > Select_interface
3. Security Profile
While Security policy rules let you allow or block traffic on your network, Security
Profiles let you define an "allow but scan" rule, which scans allowed applications for
threats such as viruses, malware, spyware, and DDoS attacks. When traffic matches an
allow rule in the Security policy, the Security Profile(s) attached to that rule are
applied for further content inspection, such as antivirus checks and data filtering.
Security Profiles are not part of the match criteria for a traffic flow: a profile is
applied to scan traffic only after the application or category has been allowed by the
Security policy rule.
The firewall provides default Security Profiles that you can use out of the box to
begin protecting your network from threats. The Security policy rule type specifies
whether a rule applies to traffic within a zone, between zones, or both. Security
profiles also play an important role in regulatory compliance, helping to meet
industry-specific privacy and data regulations. Overall, a Security Profile used together
with a Security policy establishes a comprehensive security framework that provides
effective protection against a wide range of cyber risks.

4. App-ID

App-ID uses multiple identification mechanisms to label traffic by application rather
than by port alone and to determine the exact identity of the applications traversing
the firewall.

Accurate traffic classification is the primary function of any firewall, and its result
becomes the basis of the Security policy. Security rules within a Palo Alto Networks
firewall can specify applications to allow or block. Traditional firewalls classify traffic
by port and protocol, which was at one point a satisfactory mechanism for securing the
network perimeter. However, today's applications can easily bypass a port-based firewall
by hopping ports, using SSL and SSH encrypted traffic, sneaking across port 80, or using
nonstandard ports. App-ID is the Palo Alto Networks traffic classification mechanism
that addresses the classification limitations of traditional firewalls. In the
example, the port-based Security policy rule allows any traffic from the private zone to
the public zone as long as it is going to ports 20 and 21 (as defined by the service
object service-ftp); the actual traffic might or might not be FTP. The application-based
Security policy rule allows only FTP traffic from the private zone to the public zone that
is going to ports 20 and 21 (as defined by the service setting application-default).
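The zone defaults of section 2, the rule types and "allow but scan" profiles of section 3, and the port-based versus application-based FTP rules just described can be seen together in a small policy evaluator. The following is an added example written for this page, not PAN-OS code or the author's material: the service objects, application port table, zone names and sample flows are constructed, and the `app` field on each flow stands in for whatever App-ID has already determined.

```python
"""Toy zone-based Security policy evaluation (constructed example, not PAN-OS code)."""
from dataclasses import dataclass, field

# Service objects: a set of (protocol, port) pairs, None for "any", or the
# sentinel "application-default", which resolves against the matched application.
SERVICES = {
    "any": None,
    "service-ftp": {("tcp", 20), ("tcp", 21)},
    "application-default": "application-default",
}

# Standard ports App-ID associates with each application (constructed subset).
APP_DEFAULT_PORTS = {
    "ftp": {("tcp", 20), ("tcp", 21)},
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    app: str  # App-ID result for the session, e.g. "ftp", "ssh", "unknown-tcp"


def service_matches(service, flow):
    ports = SERVICES[service]
    if ports is None:
        return True
    if ports == "application-default":
        # The application must be running on its own standard port(s).
        return (flow.proto, flow.dport) in APP_DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.dport) in ports


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    application: str               # "any" or one application name
    service: str                   # key into SERVICES
    action: str                    # "allow" or "deny"
    rule_type: str = "universal"   # "intrazone", "interzone" or "universal"
    profiles: list = field(default_factory=list)  # Security Profiles attached

    def matches(self, flow):
        intrazone = flow.src_zone == flow.dst_zone
        if self.rule_type == "intrazone" and not intrazone:
            return False
        if self.rule_type == "interzone" and intrazone:
            return False
        if flow.src_zone not in self.src_zones or flow.dst_zone not in self.dst_zones:
            return False
        if self.application != "any" and self.application != flow.app:
            return False
        return service_matches(self.service, flow)


def evaluate(rules, flow):
    """First-match evaluation, then the implicit defaults: traffic within a zone
    is allowed, traffic between zones is denied. Profiles are never match
    criteria; they are returned only once a rule has allowed the flow."""
    for rule in rules:
        if rule.matches(flow):
            scans = list(rule.profiles) if rule.action == "allow" else []
            return rule.name, rule.action, scans
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow", []
    return "interzone-default", "deny", []


# Port-based rule: any application, as long as it uses tcp/20 or tcp/21.
PORT_BASED = [Rule("allow-ports-20-21", {"private"}, {"public"}, "any", "service-ftp", "allow")]
# Application-based rules: only FTP on its default ports, scanned by two profiles,
# plus an intrazone rule that scans traffic staying inside the private zone.
APP_BASED = [
    Rule("allow-ftp", {"private"}, {"public"}, "ftp", "application-default", "allow",
         profiles=["antivirus", "anti-spyware"]),
    Rule("scan-private", {"private"}, {"private"}, "any", "any", "allow",
         rule_type="intrazone", profiles=["antivirus"]),
]

# Constructed flows: genuine FTP on 21, and an SSH session that happens to use
# port 21, which a port-only rule cannot tell apart from FTP.
REAL_FTP = Flow("private", "public", "tcp", 21, "ftp")
SSH_ON_21 = Flow("private", "public", "tcp", 21, "ssh")
INTRAZONE = Flow("private", "private", "tcp", 445, "unknown-tcp")
INBOUND = Flow("public", "private", "tcp", 22, "ssh")

if __name__ == "__main__":
    for label, rules in (("port-based", PORT_BASED), ("app-based", APP_BASED)):
        for flow in (REAL_FTP, SSH_ON_21, INTRAZONE, INBOUND):
            print(label, flow.app, flow.dport, evaluate(rules, flow))
```

Running it shows the difference the page describes: the port-based rule allows both REAL_FTP and SSH_ON_21 because it only looks at the port, while the application-based rule allows REAL_FTP with profiles attached and lets SSH_ON_21 fall through to the interzone default deny.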

Palo Alto Networks App-ID uses four major technologies to help identify
applications:

▪ Application signatures: a database of application signatures updated as part of the
firewall content updates.

▪ Unknown protocol decoder: an App-ID heuristics engine used to look at patterns of
communication. It attempts to identify the application based on its network behavior. For
example, this type of detection is required for applications that use proprietary
end-to-end encryption, such as Skype and encrypted BitTorrent.

▪ Known protocol decoders: a set of application decoders that understand the syntax
and commands of common applications.

▪ Protocol decryption: SSL and SSH decryption capabilities.

Network traffic is first classified based on its IP address and port. The firewall
consults the Security policy to determine if it should allow or block the traffic based on
IP address and port. During this initial Security policy check, the application is set to any.
If the traffic is allowed, then a session is created and App-ID then looks for an
application signature. The firewall uses its known protocol and unknown protocol
decoders to identify the application.

If App-ID determines that either SSL or SSH encryption is in use and a Decryption
policy is configured, the traffic flow could be decrypted and the unknown and known
protocol decoders could be applied to the decrypted traffic to detect an application
signature. If the traffic is not decrypted, then the traffic would be identified as the SSH or
SSL application. If an application signature cannot be identified, the traffic can be
labeled as unknown-tcp or unknown-udp. After an application has been identified, the
firewall checks the Security policy to determine whether to block, allow, or allow and
scan for threats.

An IPS is similar to an IDS, except that an IPS is also able to block potential threats.
Both monitor, log and report activity, but an IPS can also stop threats without
involving system administrators. If an IPS is not configured correctly, it can also reject
legitimate traffic, which makes it unsuitable for all applications.

App-ID cannot identify the traffic from a TCP SYN packet alone. Even after the TCP
three-way handshake has completed, the firewall reports insufficient-data rather
than an application name. However, once an HTTP GET is detected, App-ID can report
the application as web-browsing. As more packets are received, App-ID might be able to
classify the traffic further. In the illustration, the traffic is further identified as
facebook-base and then facebook-chat.
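The classification sequence described in the last few paragraphs (initial port check with the application set to any, session creation, insufficient-data until a signature matches, decoders re-run on decrypted SSL, an unknown-tcp fallback, and the progressive web-browsing to facebook-base to facebook-chat labelling) can be modelled packet by packet. This is an added example written for this page and is not PAN-OS code: the signatures, the 64-byte threshold, the Facebook path heuristic and the sample bytes are all constructed for illustration, and the "decrypted" payload is supplied inline as a stand-in for what a real decryption engine would recover.

```python
"""Toy model of the App-ID classification sequence (constructed example, not PAN-OS code)."""
import re

UNKNOWN_THRESHOLD = 64  # constructed: bytes seen before labelling a flow unknown-tcp
SPECIFICITY = {"web-browsing": 0, "facebook-base": 1, "facebook-chat": 2}
REQUEST_RE = re.compile(rb"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n((?:[^\r\n]+\r\n)*)")


def http_decoder(payload):
    """Known-protocol decoder for HTTP. Looks at every request seen so far in the
    session and returns the most specific application identified, so the label can
    move from web-browsing to facebook-base to facebook-chat as packets arrive."""
    best = None
    for m in REQUEST_RE.finditer(payload):
        path, headers = m.group(1), m.group(2)
        host = re.search(rb"^Host: *([^\r\n]+)\r\n", headers, re.M)
        app = "web-browsing"
        if host and host.group(1).endswith(b"facebook.com"):
            # Constructed toy signatures for the Facebook sub-applications.
            app = "facebook-chat" if path.startswith(b"/ajax/chat") else "facebook-base"
        if best is None or SPECIFICITY[app] > SPECIFICITY[best]:
            best = app
    return best


def classify(payload):
    """Apply the decoders to the bytes accumulated so far in one direction."""
    if not payload:
        return "insufficient-data"          # SYN / handshake only: nothing to match
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:2] == b"\x16\x03":          # TLS record header: handshake (0x16), SSL 3.x/TLS
        return "ssl"
    app = http_decoder(payload)
    if app:
        return app
    if len(payload) >= UNKNOWN_THRESHOLD:
        return "unknown-tcp"                # enough data seen, no signature matched
    return "insufficient-data"


class Session:
    """One TCP session being classified segment by segment."""

    def __init__(self, decryption_policy=False, decrypted_payload=None):
        self.payload = b""
        self.history = []                   # every distinct label, in order
        self.decryption_policy = decryption_policy
        # Constructed stand-in for the cleartext a real decryption engine recovers.
        self.decrypted_payload = decrypted_payload

    def receive(self, segment):
        self.payload += segment
        app = classify(self.payload)
        if app == "ssl" and self.decryption_policy and self.decrypted_payload is not None:
            app = classify(self.decrypted_payload)   # decoders re-run on the cleartext
        if not self.history or self.history[-1] != app:
            self.history.append(app)
        return app


def open_session(dport, allowed_ports, **kwargs):
    """Initial Security policy check by port with the application still 'any';
    traffic that fails it gets no session and is never handed to App-ID."""
    return Session(**kwargs) if dport in allowed_ports else None


def run_scenarios():
    """Constructed traffic samples; returns each session's label history."""
    results = {}

    web = open_session(80, {80, 443})
    web.receive(b"")                                   # SYN: no payload yet
    web.receive(b"GET / HTTP/1.1\r\n")                 # request line only
    web.receive(b"Host: www.facebook.com\r\n\r\n")     # Host header completes the request
    web.receive(b"GET /ajax/chat/send.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n")
    results["facebook"] = web.history

    tls = b"\x16\x03\x01" + b"\x00" * 40              # constructed ClientHello-like record
    inner = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
    opaque = open_session(443, {80, 443})
    opaque.receive(tls)
    results["ssl-no-decrypt"] = opaque.history
    clear = open_session(443, {80, 443}, decryption_policy=True, decrypted_payload=inner)
    clear.receive(tls)
    results["ssl-decrypted"] = clear.history

    odd = open_session(80, {80, 443})
    odd.receive(bytes(range(16)))          # too little data to decide
    odd.receive(bytes(range(16, 64)))      # 64 bytes and still no signature
    results["unknown"] = odd.history

    results["blocked-by-port"] = open_session(23, {80, 443})   # denied before App-ID
    return results


if __name__ == "__main__":
    for name, history in run_scenarios().items():
        print(f"{name}: {history}")
```

The facebook session's history reproduces the progression in the text, insufficient-data, web-browsing, facebook-base, facebook-chat, and the two TLS sessions show why a Decryption policy matters: without it the flow is only ever labelled ssl, with it the HTTP decoder gets to see the request and names the real application.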
