Theory Assignment 02

Cyber Security

Uploaded by

Pradip Sarker

Bangladesh University of Professionals (BUP)

M.Sc. in Cyber Security

Course Code: MCS 1101


Course Name: Cyber Security Fundamentals
Assignment
on
Firewall & RBAC design for Windows 11 using Firewall

Submitted To:
Engr. Md. Mushfiqur Rahman
Guest Faculty, Dept of CE
Bangladesh University of Professionals (BUP)
Dhaka, Bangladesh.

Submitted By:
Sree Pradip Kumer Sarker
ID No: 24525201005
M.Sc. in Cyber Security
BUP, Dhaka, Bangladesh.

Firewall
What is a firewall?
Firewalls can be viewed as gated borders or gateways that manage which traffic is permitted and
which is prohibited in a private network. The term comes from the physical walls that act as
barriers to slow the spread of fire until emergency services can extinguish it. By comparison, a
network security firewall manages network traffic so as to slow the spread of network-borne threats.
Firewalls create 'choke points' that funnel traffic through one place, where each attempted
connection is checked against a set of configured rules and acted upon accordingly. Most firewalls
also record allowed and blocked connections in audit logs, which is what makes them useful for
later detection and incident response, not only for prevention.
Firewalls are typically used to gate the borders of a private network or of its individual host
devices. As such, a firewall is a network access control rather than a user access control: its
rules see addresses, ports and protocols, not the identity of the person behind a connection (a
host firewall can additionally tie a rule to the local program or service that owns the socket).
Firewalls are set up in one of two locations: on dedicated devices on the network, or on the user
computers and other endpoints themselves (hosts).

How do firewalls work?


A firewall decides which network traffic is allowed to pass through and which traffic is rejected
as untrusted. Essentially, it separates the trusted from the untrusted according to its rules.
Before going into detail, it helps to understand how the networks it protects are structured.
Firewalls are intended to secure private networks and the endpoint devices within them, known as
network hosts. Network hosts are devices that ‘talk’ with other hosts on the network. They send
and receive between internal networks, as well as outbound and inbound between external
networks.
Computers and other endpoint devices use networks to reach the internet and each other. For
security and privacy, a network is divided into zones, or 'subnets', that are trusted to different
degrees. The basic zones are as follows:
External public networks typically refer to the public/global internet or various extranets.
Internal private networks are home networks, corporate intranets, and other 'closed' networks.
Perimeter networks (often called DMZs) are border networks made of bastion hosts: hosts that are
hardened because they are expected to withstand direct attack from outside. As a secured buffer
between internal and external networks, the perimeter is also where any external-facing services
provided by the organisation are placed (servers for web, mail, FTP, VoIP, etc.), so that a
compromised public server does not sit on the internal network. The perimeter is more trusted than
the external network but less trusted than the internal one. It is not always present in simpler
networks like home networks but is common in organisational or national intranets.

Screening routers are specialised gateway devices placed on a network to segment it; they act as
the firewall at the network level. The two most common segmentation models are the screened host
firewall and the screened subnet firewall:
 Screened host firewalls use a single screening router between the external and internal
networks. These two networks are the two subnets of this model.
 Screened subnet firewalls use two screening routers: one known as the access router, between
the external and perimeter networks, and another known as the choke router, between the perimeter
and internal networks. This creates three subnets, and an attacker who compromises a perimeter
host still faces the choke router before reaching the internal network.
A firewall can sit either at the network perimeter or on the host machine itself, in which case it
is placed between a single computer and its connection to the private network.
 Network firewalls involve the application of one or more firewalls between external
networks and internal private networks. These regulate inbound and outbound network
traffic, separating external public networks—like the global internet—from internal
networks like home Wi-Fi networks, enterprise intranets, or national intranets. Network
firewalls may come in the form of any of the following appliance types: dedicated
hardware, software, and virtual.
 Host firewalls or 'software firewalls' involve the use of firewalls on individual user devices
and other private network endpoints as a barrier between devices within the network. These
devices, or hosts, receive customized regulation of traffic to and from specific computer
applications. Host firewalls may run on local devices as an operating system service or an
endpoint security application. Host firewalls can also dive deeper into web traffic, filtering
based on HTTP and other networking protocols, allowing the management of what content
arrives at your machine, rather than just where it comes from.
A network firewall must be configured for a broad range of connections, whereas a host firewall can
be tailored to each machine's needs. Host firewalls, however, take more effort to manage across many
machines, so network-based firewalls are better suited to sweeping control. Using both at once, a
perimeter firewall plus a host firewall on each endpoint, gives a multi-layer defence in which the
second layer still applies when the first is bypassed.
Filtering traffic via a firewall makes use of pre-set or dynamically learned rules for allowing and
denying attempted connections. These rules are how a firewall regulates the flow of web traffic
through your private network and private computer devices. Regardless of type, all firewalls may
filter by some combination of the following:
 Source: Where an attempted connection is being made from.
 Destination: Where an attempted connection is intended to go.
 Contents: What an attempted connection is trying to send.
 Packet protocols: What ‘language’ an attempted connection is speaking to carry its
message. Among the networking protocols that hosts use to ‘talk’ with each other, TCP/IP
protocols are primarily used to communicate across the internet and within intranet/sub-
networks.
 Application protocols: Common protocols include HTTP, Telnet, FTP, DNS, and SSH.

Source and destination are expressed as internet protocol (IP) addresses and ports. An IP address
identifies a host on the network. Ports are a sub-level within a given source or destination host,
similar to office rooms within a larger building. Ports are conventionally assigned to specific
services (80 for HTTP, 443 for HTTPS, 22 for SSH, 3389 for RDP), so a protocol or address appearing
on an uncommon port, or traffic to a port that should be disabled, is worth investigating.
By using these identifiers, a firewall decides whether a packet attempting a connection is to be
forwarded or discarded, and a discarded packet can be dropped silently (the sender sees a timeout)
or rejected with an error reply to the sender (an ICMP unreachable message or a TCP reset).
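As an added illustration (not code from the original assignment), here is a minimal stateless packet filter in Python that applies first-match rules over exactly those identifiers: source and destination CIDR, protocol and destination port. The web-server address, rule set and test packets are constructed for the example. It shows two things that rule order gets wrong in practice: a later allow cannot rescue a packet that an earlier rule already rejected, and anything no rule mentions falls to the default, which should be drop.

```python
"""Stateless packet filter: first-match rules over source, destination,
protocol and destination port, with DROP (silent) vs REJECT (error reply).

Added example for this document; it is not part of the original assignment
and the addresses, rule set and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "drop" (discard silently) or "reject" (discard, tell sender)
    src: str = "0.0.0.0/0"       # CIDR the source must fall inside
    dst: str = "0.0.0.0/0"       # CIDR the destination must fall inside
    proto: str = "any"
    dports: tuple = (0, 65535)   # inclusive destination-port range
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dports[0] <= p.dport <= self.dports[1])


def filter_packet(rules, p: Packet, default="drop"):
    """Return (action, comment of the rule that decided). The first matching rule
    wins, so rule order is policy; anything no rule mentions gets the default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "implicit default"


# Constructed perimeter policy for a web server at 203.0.113.10 behind the firewall.
POLICY = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dports=(80, 80), comment="public HTTP"),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dports=(443, 443), comment="public HTTPS"),
    Rule("allow", src="10.0.0.0/8", dst="203.0.113.10/32", proto="tcp", dports=(22, 22),
         comment="SSH from the LAN only"),
    Rule("reject", proto="tcp", dports=(22, 22), comment="SSH from anywhere else: refuse loudly"),
    # No rule for telnet (23) or anything else: falls to the implicit default drop.
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 22),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 23)):
        print(pkt, "->", filter_packet(POLICY, pkt))
```

The reject action sends an error back (a TCP reset or ICMP unreachable) so a legitimate client fails fast, whereas drop makes a scanner wait for a timeout; the choice is per rule in iptables (DROP vs REJECT), while Windows Firewall's block is always a silent drop.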

Importance of firewalls
So, what is the purpose of a firewall and why are they important? Networks without protection are
vulnerable to any traffic that is trying to access your systems. Harmful or not, network traffic
should always be vetted.
Connecting personal computers to other IT systems or the internet opens up a range of benefits,
including easy collaboration with others, combining resources, and enhanced creativity. However,
this can come at the cost of complete network and device protection. Hacking, identity theft,
malware, and online fraud are common threats users could face when they expose themselves by
linking their computers to a network or the internet.
Once a malicious actor discovers an exposed network or device, it can be probed rapidly and
repeatedly. An around-the-clock internet connection increases this risk, since the network is
reachable at any time.
Proactive protection is critical when using any sort of network. Users can protect their network
from the worst dangers by using a firewall.

What does firewall security do?


What does a firewall do, and what can a firewall protect against? The concept of a network security
firewall is meant to narrow the attack surface of a network to a single point of contact. Instead of
every host on a network being directly exposed to the greater internet, all traffic must first contact
the firewall. Since this also works in reverse, the firewall can filter and block non-permitted traffic,
in or out. Also, firewalls are used to create an audit trail of attempted network connections for
better security awareness.
Since traffic filtering can be a rule set established by owners of a private network, this creates
custom use cases for firewalls. Popular use cases involve managing the following:
 Infiltration from malicious actors: Undesired connections from an oddly behaving source
can be blocked, which cuts off the initial access and the command-and-control traffic that
intrusions, including advanced persistent threats (APTs), depend on.
 Parental controls: Parents can block their children from viewing explicit web content.

 Workplace web browsing restrictions: Employers can prevent employees from using
company networks to access certain services and content, such as social media.
 Nationally controlled intranet: National governments can block internal residents' access
to web content and services that are potentially dissident to a nation's leadership or its
values.
However, firewalls are less effective at the following:
1. Identifying exploits of legitimate networking processes: Firewalls do not anticipate human
intent, so they cannot determine whether a 'legitimate' connection is being used for malicious
purposes. A packet filter also cannot authenticate the source address it sees: an attacker can
forge it (IP spoofing), which is why address-based allow rules should not be treated as proof of
who is on the other end.
2. Preventing connections that do not pass through the firewall: A network-level firewall alone
will not stop malicious activity between internal hosts. Internal firewalls, such as host-based
ones, are needed in addition to the perimeter firewall, to partition the network and slow the
movement of internal 'fires'.
3. Providing adequate protection against malware: A connection carrying malicious code is halted
only if it is not allowed; a connection deemed acceptable can still deliver the threat into the
network. If a firewall lets a connection through because it is misconfigured or bypassed, an
antivirus or endpoint protection suite is still needed to clean up any malware that enters.

Types of firewalls
(Based On implementation)
Firewalls play a crucial role in network security, acting as a barrier between external threats and
protected systems. Let’s explore the different types of firewalls based on their implementation:
Hardware Firewalls:
 These firewalls are physical devices that sit between your internal network and the external
world (such as the internet).
 They filter at the network and transport layers (Layers 3 and 4) on IP addresses, ports and
protocols; models with deep packet inspection also look into the payload.
 Hardware firewalls are commonly used in corporate environments to protect entire networks.
Software Firewalls:
 Software firewalls run as applications or services on individual computers or servers.
 They filter on the same addresses, ports and protocols, but because they run on the host they
can also tie a rule to the specific program or service that owns the connection, which a network
firewall cannot see.
 These firewalls are often installed on endpoints (e.g., laptops, desktops) to provide
localised protection.
Cloud-Based Firewalls:
 Cloud firewalls are deployed in cloud environments (such as AWS, Azure, or Google
Cloud).
 They protect virtual machines, containers, and other cloud resources.
 Cloud firewalls can be managed centrally and scaled dynamically based on workload
demands.
Unified Threat Management (UTM):
 UTM firewalls combine multiple security features into a single appliance.
 They include functions like intrusion detection/prevention, antivirus, content filtering, and
VPN.
 UTMs are suitable for small to medium-sized businesses.
Next-Generation Firewalls (NGFW):
 NGFWs go beyond traditional packet filtering.
 They inspect application-layer traffic, identify applications, and enforce granular policies.
 NGFWs often include threat intelligence and intrusion prevention capabilities.
Web Application Firewalls (WAF):
 WAFs specifically protect web applications from attacks.
 They analyze HTTP/HTTPS traffic, detect and block malicious requests, and prevent
common web vulnerabilities.
Database Firewalls:
 These firewalls secure databases by monitoring and controlling database traffic.
 They prevent unauthorized access, SQL injection, and other database-related threats.
Container Firewalls:
 Container firewalls protect containerized applications and microservices.
 They ensure that communication between containers adheres to security policies.
Firewalls-as-a-Service (FWaaS):
 FWaaS is a cloud-based firewall service provided by third-party vendors.
 It offers scalable, subscription-based firewall protection without the need for on-premises
hardware.
Remember that choosing the right type of firewall depends on your specific use case, network
architecture, and security requirements.

Types of firewalls
(Based on Operational Characteristics)
Static Packet Filtering Firewalls:
 These firewalls make filtering decisions based on static rules defined by administrators.
They examine individual packets and allow or block them based on criteria such as source
and destination IP addresses, ports, and protocols.
Dynamic Packet Filtering Firewalls:
 Unlike static packet filtering, these firewalls keep track of the state of active connections.
They maintain a state table of the TCP connections they have seen and decide on each packet in
that context; in particular, an inbound packet is admitted only when it belongs to a connection an
inside host initiated, so port scans and unsolicited inbound packets are rejected without explicit
rules for each. This is the same mechanism described under Stateful Inspection below.
Proxy Firewalls:
 Proxy firewalls act as intermediaries between internal and external networks. They
intercept and inspect incoming and outgoing traffic at the application layer. Instead of
allowing direct connections, they establish separate connections on behalf of clients,
providing additional security features such as content filtering and caching.
Next-Generation Firewalls (NGFW):
 These advanced firewalls integrate traditional firewall features with additional capabilities
such as deep packet inspection, intrusion prevention, application-level filtering, and user
identity awareness. NGFWs offer granular control over network traffic and can make
intelligent security decisions based on application-specific context.
Stateful Inspection Firewalls:
 Also known as dynamic packet filtering (the two names describe the same mechanism), these
firewalls combine traditional packet filtering with the ability to track the state of active
connections. They maintain a state table to monitor the state of TCP connections (and the
pseudo-state of UDP and ICMP exchanges) and make filtering decisions based on the context of the
traffic.
Intrusion Detection and Prevention Systems (IDPS):
 While not strictly firewalls, IDPSs are often integrated with firewall functionality. They
monitor network and/or system activities for malicious activities or policy violations and
can take action to prevent or mitigate security incidents.
These classifications offer a comprehensive view of the diverse landscape of firewalls, each
serving different needs in network security based on their implementation and operational
characteristics.

Stateful firewall
A stateful firewall operates at the network and transport layers, layers 3 and 4 of the Open
Systems Interconnection (OSI) model. It identifies attempts to reach a client's network that were
not solicited from inside, and judges each packet in the context of the connection it belongs to
rather than on its own. Inspecting packet payloads for malicious code is a separate function
(intrusion prevention or deep packet inspection) that some products bolt on, not what stateful
filtering itself does.
Stateful firewalls maintain a state table that records information about ongoing network
connections. When a packet arrives at the firewall, it is checked against the state table to
determine whether it belongs to an established connection. If it matches an existing entry, it is
allowed to pass through; if it does not, it is evaluated against the rule set as a new connection
attempt, and a new entry is created only when a rule permits it. This process is often referred to
as stateful packet inspection.
 Improved security. By maintaining connection states, stateful firewalls can identify and block
unauthorised or suspicious network traffic. An inbound packet that matches no existing connection
is dropped, which defeats port scanning of inside hosts and blind injection of forged packets,
since a forged packet must match an existing entry's addresses, ports and, for TCP, the expected
sequence window before it is accepted.
 Simplified rule configuration. Stateful firewalls allow returning packets for outgoing
connections without the need for explicit rules for each response packet. This simplifies rule
management and reduces the chance of misconfiguration, such as a too-broad 'allow established'
rule.
 Enhanced performance. Stateful firewalls can process packets efficiently by leveraging the
state information stored in the state table. A packet belonging to a known connection is forwarded
on a table lookup, without re-evaluating the full rule set for every packet.
 Granular control. Stateful firewalls allow administrators to define policies based on the
state of a connection. This gives granular control and greater visibility over network traffic by
allowing different rules for the initial connection establishment, ongoing communication, and
connection termination phases.

Stateless firewall
A stateless firewall is a type of firewall that filters network traffic based on individual packets
without storing information about the state or context of connections. When comparing stateless
vs. stateful firewalls, stateless firewalls make filtering decisions based only on the information
present in each packet as opposed to stateful firewalls, which maintain a state table.
Stateless firewalls are commonly deployed at the network perimeter to provide an initial level of
protection against unauthorized network traffic. However, for more advanced security
requirements or environments with complex networking needs, stateful firewalls or other security
technologies with deeper inspection and stateful capabilities may be more suitable.

A few benefits of stateless firewalls include:
 Simplicity. A stateless firewall is simpler in design and operation, which makes it easier to
configure and implement. It filters packets on basic header information alone and does not have to
maintain connection state.
 Efficiency. Stateless firewalls are generally more efficient in terms of raw performance than
stateful firewalls. Since they keep no connection state, they need less memory and less processing
per packet, which translates into higher throughput.
 Scalability. With no state table to fill, a stateless firewall is not limited by the number of
concurrent connections it must remember, which makes it suitable for very high packet rates (it is
also why cloud network ACLs and router access lists are stateless).
 Cost. Since stateless firewalls are less complex, they tend to cost less than stateful
firewalls, in both hardware and operational effort.

Difference between stateful and stateless firewalls


There are several differences between stateless and stateful firewalls; the main one is how they
approach filtering network traffic and whether they maintain connection state information.
Understanding these differences helps in choosing the appropriate tool for a given network.
Other differences between stateless and stateful firewalls include:
 Filtering. Stateful firewalls analyze packets by examining their headers and maintain a
state table that tracks the state of network connections. They make filtering decisions based
on the information present in each packet and the context provided by the state table, which
can provide more intelligent filtering. Stateless firewalls filter packets based only on the
information contained in each individual packet. They don’t maintain any state information
about connections, which gives less context but can be more efficient.
 Connection state tracking. Stateful firewalls keep track of the state or context of
connections by maintaining a state table. This allows them to differentiate between
legitimate packets belonging to established connections and potentially malicious or
unauthorized packets. Stateless firewalls do not track the state of connections. They treat
each packet in isolation, without knowledge of whether it is part of an established
connection or fits within the expected state of the communication.
 Application-level inspection. Stateful firewalls can serve as the basis for more advanced
application-level inspection: once the firewall tracks a connection it can reassemble the stream
and analyse the content and behaviour of higher-level protocols, allowing deeper inspection and
filtering at the application layer (Layer 7), which is what proxy and next-generation firewalls
add on top. Stateless firewalls lack application-level inspection. They focus on network and
transport layer information, making filtering decisions based on packet headers rather than
analysing the content or behaviour of higher-level protocols.
 Complexity and flexibility. Stateful firewalls have more complex designs and operations
because of the need for connection state tracking. In return they provide more advanced
functionality and flexibility, which accommodates more dynamic networking environments. Stateless
firewalls are more suitable for basic packet filtering and scenarios where performance is the
critical factor; they struggle with requirements that depend on connection context, such as
allowing replies without opening the port to everyone.
The choice between stateful and stateless firewalls depends on the specific security requirements,
network environment, and performance considerations of the organisation. Factors like secure remote
work environments may also play a role in the types of firewalls used.
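To make the difference concrete, here is an added example in Python (not from the original assignment) that tracks TCP connections in a state table for a constructed inside network, alongside the stateless approximation that older packet filters used for 'established' traffic: admit any inbound packet with the ACK flag set. The hosts, ports and packet sequence are constructed; only the SYN, ACK, FIN and RST flags are modelled, and a single idle timeout stands in for the per-state timers a real firewall keeps.

```python
"""Stateful TCP connection tracking versus a stateless 'established' rule.

Added example for this document, not part of the original assignment; the
inside network, hosts and packet sequence are constructed. Only the TCP
flags that matter for state are modelled (SYN, ACK, FIN, RST)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_established_rule(p: Packet, inside) -> str:
    """The pre-stateful approximation: let inbound packets through if ACK is set,
    on the theory that only replies carry ACK. Any forged packet with ACK set passes."""
    if ipaddress.ip_address(p.src) in inside:
        return "allow"                        # outbound is always allowed in this policy
    return "allow" if "ACK" in p.flags else "drop"


class StatefulFirewall:
    """Inside hosts may open TCP connections outward; inbound packets are accepted
    only if they belong to an entry in the state table."""

    def __init__(self, inside_cidr: str, idle_timeout: int = 300):
        self.inside = ipaddress.ip_network(inside_cidr)
        self.idle_timeout = idle_timeout
        self.table = {}   # (in_ip, in_port, out_ip, out_port) -> [state, last_seen]

    def _key(self, p: Packet):
        """Normalise both directions of a flow onto one key, and say which way it goes."""
        if ipaddress.ip_address(p.src) in self.inside:
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def _expire(self, now: int):
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def handle(self, p: Packet, now: int) -> str:
        self._expire(now)
        key, direction = self._key(p)
        entry = self.table.get(key)
        if "RST" in p.flags and entry is not None:      # either side aborts: forget the flow
            del self.table[key]
            return "allow"
        if direction == "out":
            if entry is None:
                if p.flags == frozenset({"SYN"}):       # new connection initiated from inside
                    self.table[key] = ["SYN_SENT", now]
                    return "allow"
                return "drop"                           # stray outbound packet with no flow
            entry[1] = now
            if "FIN" in p.flags:
                entry[0] = "CLOSING"
            return "allow"
        # Inbound: must match an existing entry and be consistent with its state.
        if entry is None:
            return "drop"                               # unsolicited SYN, forged ACK, scan probe
        if entry[0] == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
            entry[0] = "ESTABLISHED"
        elif entry[0] not in ("ESTABLISHED", "CLOSING"):
            return "drop"                               # e.g. data before the handshake completed
        entry[1] = now
        if "FIN" in p.flags:
            entry[0] = "CLOSING"
        return "allow"


def run_demo():
    """Constructed sequence: a LAN host browses to 203.0.113.10, then an outsider
    tries a forged ACK and an unsolicited SYN. Returns (stateful, stateless) decisions."""
    fw = StatefulFirewall("192.168.1.0/24")
    f = frozenset
    seq = [
        ("client SYN",       Packet("192.168.1.20", 51000, "203.0.113.10", 443, f({"SYN"})), 0),
        ("server SYN/ACK",   Packet("203.0.113.10", 443, "192.168.1.20", 51000, f({"SYN", "ACK"})), 0),
        ("client ACK",       Packet("192.168.1.20", 51000, "203.0.113.10", 443, f({"ACK"})), 0),
        ("server data",      Packet("203.0.113.10", 443, "192.168.1.20", 51000, f({"ACK"})), 1),
        ("forged ACK probe", Packet("198.51.100.9", 443, "192.168.1.20", 51000, f({"ACK"})), 1),
        ("unsolicited SYN",  Packet("198.51.100.9", 40000, "192.168.1.20", 3389, f({"SYN"})), 2),
        ("server FIN",       Packet("203.0.113.10", 443, "192.168.1.20", 51000, f({"FIN", "ACK"})), 3),
        ("late server data", Packet("203.0.113.10", 443, "192.168.1.20", 51000, f({"ACK"})), 400),
    ]
    return {name: (fw.handle(p, t), stateless_established_rule(p, fw.inside)) for name, p, t in seq}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:18s} stateful={decision[0]:5s} stateless={decision[1]}")
```

The two approaches agree on the genuine handshake and on the unsolicited SYN; they differ on the forged ACK (an ACK-scan probe or injected segment) and on data arriving after the flow has timed out, both of which the stateless rule waves through because it can only look at the flag bits in front of it.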

Statistical Firewall
A statistical firewall (the more common term is anomaly-based or behaviour-based filtering) is a
network security device that employs statistical analysis to identify patterns and anomalies in
network traffic. Unlike traditional firewalls that rely on static rules or signatures to filter
traffic, a statistical firewall first learns what the network's traffic normally looks like and
then reacts to departures from that model.

Here's how statistical firewalls work and some key characteristics:


 Behavior Analysis: Statistical firewalls monitor network traffic and analyze various
attributes, such as packet size, frequency, timing, and protocols used. They build statistical
models based on normal patterns of network behavior.
 Anomaly Detection: By comparing observed network traffic to the established statistical
models, statistical firewalls can detect deviations or anomalies that may indicate malicious
activity or potential security threats. These anomalies could include unusual spikes in
traffic, unexpected changes in traffic patterns, or deviations from normal behavior.
 Adaptive Filtering: Statistical firewalls can dynamically adjust their filtering criteria
based on the detected anomalies or changes in network behavior. This adaptive approach
allows them to respond to emerging threats and evolving attack techniques.
 Zero-Day Threat Detection: Unlike signature-based systems that rely on known patterns of
known threats, statistical firewalls can detect previously unknown or zero-day threats, because
they flag suspicious behaviour even when it matches no known attack signature. The flip side is
that they can only flag behaviour that is unusual; an attack that stays within normal traffic
patterns goes unnoticed.
 False Positives: Because the decision rests on what is 'normal', the quality of the baseline
bounds the false-positive rate. A baseline learned from traffic that already contained an
attacker's activity treats that activity as normal, and a baseline that is too narrow (a short
learning window, or a threshold set too tight) raises alerts on legitimate but unusual events such
as a monthly backup or a product launch. Tuning the learning period and the threshold is therefore
most of the operational work with this kind of device.
 Network Performance Monitoring: In addition to security purposes, statistical firewalls can
also provide insights into network performance and efficiency. By monitoring traffic patterns and
analysing network behaviour, they can identify bottlenecks and inform resource allocation.
 Scalability: Statistical firewalls are often scalable and can handle large volumes of
network traffic efficiently. They are suitable for deployment in enterprise networks, data
centers, and other high-traffic environments.
Overall, statistical firewalls offer an advanced approach to network security by leveraging
statistical analysis techniques to detect and mitigate potential threats in real-time. They
complement traditional firewall technologies and enhance the overall security posture of an
organization's network infrastructure.
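The following added example (not from the original assignment) shows the core of this approach in Python: a per-source packets-per-second baseline is learned from a training window, and a later window is scored by how many standard deviations each second sits above that baseline. The traffic is constructed: a file server that normally sends 8 to 12 packets per second and then bursts to 150, a printer with a perfectly steady rate, and a host never seen during training. The sigma floor in detect() is the tuning knob discussed above; without it a source whose baseline rate never varied would alert on a single extra packet.

```python
"""Behaviour baseline and anomaly detection on per-source packet rates, the
mechanism behind what the text calls a statistical firewall.

Added example for this document, not part of the original assignment; the
traffic is constructed. Events are (unix_second, source_ip) pairs, one per packet."""
import statistics
from collections import Counter, defaultdict


def per_second_rates(events):
    """Group packets by source and count packets in each second that had traffic."""
    counts = Counter(events)                      # (second, src) -> packets in that second
    rates = defaultdict(list)
    for (_, src), n in sorted(counts.items()):
        rates[src].append(n)
    return rates


def build_baseline(training_events):
    """Mean and population std-dev of packets/second for every source seen in training."""
    return {src: (statistics.fmean(r), statistics.pstdev(r))
            for src, r in per_second_rates(training_events).items()}


def detect(baseline, events, z_threshold=3.0, sigma_floor=1.0):
    """Flag a source when a second's rate sits more than z_threshold standard
    deviations above its own baseline, or when the source was never seen at all.
    sigma_floor stops a perfectly regular baseline (sd = 0) from alerting on one
    extra packet, which is the main false-positive trap in this approach."""
    alerts = []
    for src, rates in per_second_rates(events).items():
        if src not in baseline:
            alerts.append((src, "unknown source", max(rates)))
            continue
        mean, sd = baseline[src]
        sd = max(sd, sigma_floor)
        for r in rates:
            z = (r - mean) / sd
            if z > z_threshold:
                alerts.append((src, "rate anomaly", r, round(z, 1)))
    return alerts


def constructed_training():
    """60 s of normal traffic: the file server sends 8..12 pps in a repeating
    pattern (mean 10, sd sqrt(2)), the printer exactly 2 pps."""
    ev = []
    for sec in range(60):
        ev += [(sec, "10.0.0.5")] * (8 + sec % 5)
        ev += [(sec, "10.0.0.6")] * 2
    return ev


def constructed_test_window():
    """Later window: file server normal for 3 s, then a 150 pps burst (a worm
    scanning, say), the printer slightly busier, plus a host never seen before."""
    ev = []
    for sec in range(100, 103):
        ev += [(sec, "10.0.0.5")] * 10
    ev += [(103, "10.0.0.5")] * 150
    ev += [(100, "10.0.0.6")] * 4
    ev += [(101, "203.0.113.9")] * 3
    return ev


def run_demo():
    baseline = build_baseline(constructed_training())
    return baseline, detect(baseline, constructed_test_window())


if __name__ == "__main__":
    baseline, alerts = run_demo()
    for src, (mean, sd) in baseline.items():
        print(f"baseline {src}: mean={mean:.1f} pps sd={sd:.2f}")
    for a in alerts:
        print("ALERT", a)
```

The printer doubling from 2 to 4 packets per second is not flagged because the floor keeps its z-score at 2; lower sigma_floor to 0.5 and it is flagged, which is the false-positive trade-off in one knob. A real deployment would also model per-destination-port counts and connection rates, not just packets per second, and would re-learn the baseline on a schedule.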

Rule-Based Vs. Role-Based Access Control


What is the Difference?
Rule-Based Access Control
In rule-based access control (confusingly, also abbreviated RBAC), the focus is on the rules
associated with the data's access or restriction. These rules may be parameters such as allowing
access only from certain IP addresses, denying access from certain IP addresses, or something more
specific. For instance, access from a specific IP address may be allowed unless it arrives through
a certain port (such as the port used for FTP). Such constraints reduce what an intruder can reach
even after finding a way into the network, because the rule is enforced regardless of which account
the intruder has taken over. Rule-based access control can also be implemented at the file or
system level, restricting data access to business hours only, for instance.

Role-Based Access Control


When dealing with role-based access controls, data is protected in exactly the way it sounds like
it is: by user roles. Users are sorted into groups or categories based on their job functions or
departments, and those categories determine the data that they’re able to access. Human Resources
team members, for example, may be permitted to access employee information while no other
role-based group is permitted to do so. Role-based access controls can be implemented on a very
granular level, making for an effective cybersecurity strategy. Perhaps all of HR can see users'
employment records, but only senior HR members need access to employees' social security
numbers and other PII.

What's the Difference When It Comes to User Access?


The primary difference when it comes to user access is the way in which access is determined.
Role-based access depends on the user being authenticated first, for example by logging into a
particular network or application, because the decision is keyed on who the user is and which roles
that identity holds.
Rule-based access may be applied to broader scenarios, such as allowing all traffic from specific
IP addresses or during specific hours, rather than from specific user groups; it needs no knowledge
of the user at all.
In some situations it is necessary to apply both rule-based and role-based access controls
simultaneously. For example, a subset of data could be accessible to Human Resources team members,
but only if they log in from a specific IP address range (i.e. from their office computers, on the
office network). This prevents the data from being accessed from anywhere other than the office
network, and by anyone other than the HR role, so a stolen HR password is useless to an attacker
working from outside.
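Here is an added Python example (not from the original assignment) that enforces exactly that combination: a role check decides whether the user may see the resource at all, and rule constraints attached to the resource (an allowed network and business hours) decide whether this particular request may proceed. The users, roles, office network and hours are constructed.

```python
"""Combining role-based and rule-based access control: the role says what the
user may see, the rules say from where and when.

Added example for this document, not part of the original assignment; the
roles, users, office network and hours are constructed."""
import ipaddress
from datetime import datetime, time

# Role-based part: which roles may read which resources.
ROLE_PERMISSIONS = {
    "hr":        {"employee_records"},
    "hr_senior": {"employee_records", "employee_pii"},   # social security numbers etc.
    "eng":       {"source_code"},
}
USER_ROLES = {"alice": {"hr"}, "bob": {"hr", "hr_senior"}, "carol": {"eng"}}

# Rule-based part: constraints on a resource that apply regardless of who asks.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")
RESOURCE_RULES = {
    "employee_pii": {"networks": [OFFICE_NET], "hours": (time(9, 0), time(18, 0))},
}


def role_allows(user, resource):
    """True if any role held by the user grants the resource. Unknown users have no roles."""
    roles = USER_ROLES.get(user, set())
    return any(resource in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def rules_allow(resource, src_ip, when):
    """Return (ok, reason). Resources without rules pass; otherwise every rule must hold."""
    rule = RESOURCE_RULES.get(resource)
    if rule is None:
        return True, "no rule constraints"
    ip = ipaddress.ip_address(src_ip)
    if "networks" in rule and not any(ip in n for n in rule["networks"]):
        return False, f"source {src_ip} is not in an allowed network"
    if "hours" in rule:
        start, end = rule["hours"]
        if not (start <= when.time() < end):
            return False, f"{when.time():%H:%M} is outside business hours"
    return True, "rules satisfied"


def authorize(user, resource, src_ip, when):
    """Role check first (cheap, identity-based), then the rule checks. Default deny.
    `when` may be a datetime or an ISO-8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not role_allows(user, resource):
        return False, f"{user} has no role granting {resource}"
    return rules_allow(resource, src_ip, when)


if __name__ == "__main__":
    for req in (("bob", "employee_pii", "10.20.3.4", "2024-03-04T10:00:00"),
                ("bob", "employee_pii", "203.0.113.7", "2024-03-04T10:00:00"),
                ("bob", "employee_pii", "10.20.3.4", "2024-03-04T22:00:00"),
                ("alice", "employee_pii", "10.20.3.4", "2024-03-04T10:00:00"),
                ("alice", "employee_records", "203.0.113.7", "2024-03-04T22:00:00")):
        print(req, "->", authorize(*req))
```

Note the ordering: the role check happens first so that an attacker probing from outside learns nothing about the network rules unless they already hold a valid HR identity, and the reasons returned are specific enough for an audit log but should not all be shown to the requester.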

Applying four security rules to Windows Firewall:

Blocking currently listed malicious IP addresses by writing firewall rules from Python code:
To get IPs to block, we can go to the abuse.ch Feodo Tracker blocklist
(https://feodotracker.abuse.ch/blocklist/) and collect the malicious IPs to block them
manually. But adding them one by one to the firewall rules takes a long time, and the list is
updated every 5 minutes, so maintaining it by hand as a firewall blacklist is not practical. What
we can do instead is write Python code that downloads the list from that website, reads the CSV
file line by line, and adds each address to the firewall rules, both inbound and outbound.
Run CMD as administrator and run the Python code; we will see that the addresses have been added
and a confirmation message is printed in the command prompt:

Now we can check the new entries under the inbound and outbound rules in Windows Firewall:
(screenshot not reproduced in this text extract)

Block Application using Python Scripts:
(script and screenshot not reproduced in this text extract)

Block Websites using Python Scripts:
(script and screenshot not reproduced in this text extract)

Block Ports using Python Scripts:
(script and screenshot not reproduced in this text extract)
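The four scripts above are not reproduced, so here is one added Python example (my own code, not the assignment's scripts) that covers all four cases by building netsh advfirewall commands: parsing the Feodo Tracker CSV into validated addresses and emitting inbound and outbound block rules, blocking a program by path, blocking a website by the addresses its name resolves to, and blocking a local port. The sample CSV, program path and hostname are constructed; the CSV layout assumed (comment lines starting with '#', a header row, one IP per data row) follows Feodo Tracker's published blocklist but is my assumption, which is why the parser simply takes any field that is a valid address. It goes beyond the one-rule-per-address approach described above by passing a comma-separated remoteip list per rule in chunks, which keeps the rule count manageable, and it refuses to block private address ranges whatever the downloaded list says. Downloading the live list (for example with urllib.request) and running the commands require a Windows host and an elevated prompt; by default the code only prints what it would run.

```python
"""Build (and optionally apply) Windows Defender Firewall rules with netsh for the
four cases in this section: an abuse.ch IP blocklist, a program, a website and a port.

Added example for this document, not the assignment's own scripts. Assumptions:
the Feodo Tracker CSV layout shown in SAMPLE_CSV (constructed), a constructed
program path and hostname. Commands are returned as argument lists so they can be
inspected; nothing runs unless apply_rules(..., dry_run=False) is called on a
Windows host from an elevated prompt."""
import csv
import ipaddress
import socket
import subprocess

NETSH = ["netsh", "advfirewall", "firewall", "add", "rule"]

# Never push these into a block rule, whatever a downloaded list says, or you cut the
# host off from its own LAN. Listed explicitly because Python's is_private also covers
# the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges used in the sample.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

SAMPLE_CSV = """\
################################################################
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)     #
# Last updated: 2024-01-06 02:00:00 UTC                         #
################################################################
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-01-05 10:11:12,203.0.113.10,443,online,2024-01-06,Dridex
2024-01-05 10:15:00,198.51.100.23,8080,offline,2024-01-05,QakBot
2024-01-06 01:02:03,192.168.1.50,443,online,2024-01-06,BogusEntry
"""


def rule(name, direction, **fields):
    """netsh argument list for one block rule; fields map to netsh key=value parameters."""
    return NETSH + [f"name={name}", f"dir={direction}", "action=block"] + \
        [f"{k}={v}" for k, v in fields.items()]


def parse_blocklist(text):
    """Validated, de-duplicated IPs from the CSV: comments, the header row and any
    field that is not an address are skipped, as are local ranges."""
    ips = []
    for row in csv.reader(line for line in text.splitlines() if line and not line.startswith("#")):
        for field in row:
            try:
                ip = ipaddress.ip_address(field.strip())
            except ValueError:
                continue
            if not any(ip in n for n in NEVER_BLOCK) and str(ip) not in ips:
                ips.append(str(ip))
    return ips


def blocklist_rules(ips, chunk=50, prefix="Feodo-C2"):
    """One inbound and one outbound rule per chunk of addresses. remoteip accepts a
    comma-separated list; chunking keeps each command well under cmd.exe's length limit."""
    cmds = []
    for i in range(0, len(ips), chunk):
        group = ",".join(ips[i:i + chunk])
        for d in ("in", "out"):
            cmds.append(rule(f"{prefix}-{d}-{i // chunk + 1}", d, remoteip=group))
    return cmds


def program_rule(path, name="Block-App"):
    """Block all outbound traffic from one executable (path is constructed in the demo)."""
    return rule(name, "out", program=path)


def website_rules(host, resolver=None, name="Block-Site"):
    """Windows Firewall has no hostname rules, so block the addresses the name resolves
    to right now. Caveat: CDN and shared-hosting addresses change and serve other sites
    too; DNS filtering or a proxy is the better control for this requirement."""
    resolver = resolver or (lambda h: socket.gethostbyname_ex(h)[2])
    return [rule(name, "out", remoteip=",".join(resolver(host)))]


def port_rule(port, protocol="TCP", name=None):
    """Block inbound connections to a local port, e.g. RDP on 3389."""
    return rule(name or f"Block-{protocol}-{port}", "in", protocol=protocol, localport=port)


def apply_rules(cmds, dry_run=True):
    """Print each command; run it too when dry_run is False. Returns the number of rules."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    plan = (blocklist_rules(parse_blocklist(SAMPLE_CSV))
            + [program_rule(r"C:\Program Files\Example\example.exe")]
            + website_rules("example.invalid", resolver=lambda h: ["203.0.113.77"])
            + [port_rule(3389)])
    apply_rules(plan)   # dry run: shows the netsh commands without touching the firewall
```

One caveat per case: a blocklist refresh must delete the previous rules (netsh advfirewall firewall delete rule name=...) before adding new ones or stale entries accumulate; blocking a program by path is defeated by copying the executable elsewhere; blocking a website by address breaks other sites on the same CDN address and goes stale when DNS changes; and an inbound port block on a host only matters while a service is listening there, so disabling the service is the stronger control.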
