
Practical Cyber Security: Personal Firewalls

  • Writer: June Tucay
  • Jan 20, 2017
  • 13 min read

Why firewalls?

There's a lot of focus in cyber security on the risk of malware being delivered through web browsing and email, but we shouldn't forget that, for mobile users in particular, direct penetration through hacking is still a significant issue. A key control to prevent this is the use of a personal firewall. A personal firewall, in its simplest form, is designed to mediate access between the personal computer and any other computer. To do this it has a set of rules which instruct it to either allow or deny a connection. In this module we'll focus on the Windows Firewall and then on the use of iptables in Linux.

Using the Microsoft Windows Firewall

Open Control Panel and we can see the Windows Firewall; select it. The main screen of the Windows Firewall has a set of links on the left and two information panels in the body of the screen. The top panel provides information on home or private networks and the bottom panel on public networks. When a new network is set up on the computer, Windows asks whether the network is public or private and configures the network settings accordingly; the firewall then applies the settings for whichever zone it considers the current network to be in, so when connected to any public network the second panel's public network settings apply. The first link of interest is the one captioned "Turn Windows Firewall on or off". When I click it, a new window is displayed which has radio buttons to set the firewall on or off for each of the two zones and checkboxes to set the level of security. My home network is connected through a router which contains its own firewall to stop incoming connections from the Internet, so I can safely configure the home zone to allow incoming connections to my system, knowing that they will only be from home network devices. This lets me take advantage of collaborative features such as file and printer sharing. When I'm connected to a public network, however, I don't want to allow any Internet system to connect directly to my computer, so I block all incoming connections from the Internet to increase security. We'll cover the notifications later; for now I'll enable the notifications on both zones and press OK to close the window. We can see the home network zone is shown in green, but the public network zone now shows a red band and a caption to indicate that we don't allow incoming connections. The next option is "Change notification settings". When I click on this it displays exactly the same settings window we've just seen; this is just another way to access the zone settings. Now select the link "Allow a program or feature through Windows Firewall" at the top of the left-hand list. This link displays a list of programs which are allowed to communicate into the network, for both the home and the public network. If we scroll down we can see that File and Printer Sharing is allowed on the home network but not when connected to a public network. This is good: if you click on Details we can see that the service uses the SMB and RPC protocols, both of which have been exploited heavily, and we don't want them exposed directly on the Internet. We can add another program to the list by clicking "Allow another program". It takes a few seconds to populate the list of programs on the computer, and then we can select from it. Scroll down the list and select a program. If I press "Network types" we can see that the Windows Firewall defaults

to the home network only, which is fine. Press OK and I can see that the selected program has been added; press OK again to close this window. Most computers come with a network communications tool called netcat (nc), which can be used to communicate between two computers, one being a sender and the other a listener. I'll use this program to demonstrate the features of the Windows Firewall by communicating with this computer remotely. Don't worry for the moment about how this works, as we'll cover network communications in more depth in a later module. At the command prompt on this computer, let's go to the netcat subdirectory and start a listener on port 4545 by typing nc -l -p 4545. The -l switch tells netcat to listen, and -p followed by the port number specifies which port it listens on. Immediately the Windows Firewall has blocked access and is asking whether we want to allow connections on the home network; click on "Allow access". In the remote console, connect to the listener, which I know is using IP address 10.1.1.3, using the command nc 10.1.1.3 4545. Type "hello world" and we can see the connection has been made, the text has been transmitted and it is then displayed by the listener. I press Ctrl-C on the sender to disconnect. Back on the receiver, select "Allow a program or feature through Windows Firewall" again and, scrolling down, we can see that nc is now an allowed program. So we have protected our computer while retaining the ability to allow new connections as and when required.

Setting up advanced security notifications

Now we've seen the basic operation of the Windows Firewall, let's look at the Advanced settings. When I click on this link the "Windows Firewall with Advanced Security" screen is displayed. This is intended for system administrators in an enterprise network and isn't required by home users, but there are some settings here which can be useful. On the main screen we can see not only the profiles for the private and public zones but also an additional zone called Domain; this zone is the enterprise LAN. The various functions in the screen can be accessed through the items on the left or from the links in the main screen panels. The term "advanced security" relates mostly to three additional features for connections which are designed for use in an enterprise configuration: ensuring computers authenticate to each other before they connect, checking the data integrity of all communications received, and encrypting the data during transmission. As well as the connections which are allowed or blocked, the Windows Firewall can also configure a connection to be allowed only if it is secured using the IPsec protocol. Advanced security also allows us to be more restrictive on allowed connections. If we click the "Windows Firewall Properties" link at the bottom of the top panel, a dialogue pops up. This has a tab for each of the three profiles plus a fourth for IPsec settings; let's select the Private profile. We can see that this tab has three panels: State, Settings and Logging. The State panel provides the basic connection management settings that we've already covered. Click the Customize button in the Settings panel to change how the firewall responds to certain events. The first is a simple yes or no to whether the Windows Firewall should tell me that it has blocked a connection. Let's select No, press OK and close the window. Now if I remove nc from the allowed programs and restart the nc listener in the command window, this time I don't get a notification that nc has been blocked. When I run the sender in the remote console, no connection is made, and when I type text nothing is received. This tells me that the firewall is blocking the connection. Let's go back to the advanced settings and switch notifications back on. The next setting determines whether unicast responses are allowed to multicast messages. Unicast is simply transmission to one address; multicast is transmission to many. Normally we get a multicast response to a multicast request. Unicast responses are sometimes used by hackers to respond to multicast events, so although the default is to allow unicast responses, it's safe to switch it off. The bottom panel in this window relates to rule merging; we're not covering that feature in this course, so press OK to close this dialogue box. The Customize button on the Logging panel allows us to set what logging is maintained, where the log files are stored (there is a default location) and the maximum size of the log file. The default of 4 MB is fairly small and we may want to increase it: the Windows Firewall doesn't save multiple versions of the log file, so the log file size has to be sufficient to collect enough logging for monitoring purposes. We can also see that logging can be enabled for either allowed connections or dropped connections; I'll tick both boxes so that we are logging both in the Private profile. OK, I'll close the Logging panel.

Setting up detailed rules

Let's look at how to set up a detailed inbound or outbound rule. Click on Inbound Rules and the detailed list of rules is displayed. Scroll down and find nc: allowing this program has resulted in two rules being created, which we can see are both for the Private profile. Open a rule and we can see the detailed settings; the first rule is for TCP and the second for UDP. There are a lot of settings which can be customised, and as an example we'll look at how we block a protocol and restrict a connection by IP address. We'll configure the firewall to restrict access to just TCP from Scorpio, a remote system which is on IP address 10.1.1.15. The right-hand panel at the top shows which set of rules is currently displayed, and at the bottom the actions for the specific rule. OK, let's set the restrictions. I've highlighted the first nc rule, which is the TCP one, and opened its Properties. Select the Scope tab, add a remote address of 10.1.1.15 and apply. The Windows Firewall tells me that an error has occurred with the "Defer to user" setting; that is expected, so click OK, select the Advanced tab, change the edge traversal setting from "Defer to user" to "Block edge traversal", and apply. Now I'll highlight the second nc rule, the UDP one, select Properties and set it to block the connection. Let's see what effect those changes have. First of all, start the nc listener on port 4545 in the command window. In the remote console on Hydra, which is on a different IP address, try to connect: when I type "hello world" and press Enter there's no response from the listener. Now open the remote console on Scorpio, which is on IP address 10.1.1.15, and try to connect; this time when I type "hello world" and press Enter it is displayed on the listener. The Windows Firewall is now restricting connections based on the IP address and port the connection is coming from. The Monitoring link provides an information screen showing the profile details, and in the Logging Settings section there is a link to the log file. Click on this and we can see the log entries displayed. Scrolling down the file we can see there are a lot of entries. Let's look for the blocked connection to port 4545: we can see the entry relating to activity on port 4545, and the DROP action indicates this connection request was blocked. If you're planning on doing regular log reviews you'll want to move these log files into Excel or a third-party log analyser. If you want to know more about the specific data stored in each entry, you can refer to the Microsoft firewall technical reference, which can be accessed from the Microsoft website. OK, so that's a quick tour through the Windows Firewall.

Managing and analyzing log files with ZedLan

As we've seen, the Windows Firewall provides logging of both allowed and blocked connections, but with large text files log review presents some difficulties. I'll quickly cover a freeware Windows Firewall log analyser from ZedLan which provides a more manageable interface and also provides some useful analysis. ZedLan is available as a Windows download from several sites; I've already installed it on my computer, so let's get straight into it. On start-up it displays its main screen, and it needs to be configured before it can be used. Clicking the link in the middle of the screen, it tells us that it needs to know where our log files are, as the location hasn't been detected automatically. Close this alert and, in the Settings window, browse to the firewall log under the Windows System32\LogFiles\Firewall folder and select the firewall log file. The "lookup hostname" setting will find the hostname for every IP address we have in the log file; it takes a little time, but this is useful in making sense of the log entries. The "continuous refresh" setting is useful if we want to maintain a real-time display of logging. ZedLan allows some protocols and some packets to be excluded from the analysis, so we could just analyse TCP packets received by selecting "TCP receive". It also allows some actions to be excluded; here I'm excluding INFO-EVENTS-LOST, as this is just a firewall warning entry. Packets which occur a lot and are associated with network management can also be excluded to reduce the amount of unnecessary information to review. "Save panel positions" will make sure the panels in the main display are in their last position. The Services and Protocols tab shows descriptions of common port and protocol numbers, which provide a handy reference for packet analysis. The Suggestions tab we'll look at shortly. OK, now close the Settings window. Then if we select File > Run, or just press F5, ZedLan starts the analysis; after a few seconds the analysed data will be displayed. The individual log entries are shown in the top panel, formatted for easy reading. Each log entry has a date and time stamp, the action, which indicates whether the firewall blocked or allowed the packet, the protocol, the source and destination IP addresses and ports, and the packet size. Other fields are shown too, including whether the packet was sent or received. In its basic form, a review means reading through the log file looking manually for unusual activity. Below the log entries is the analysis by port, by source IP and by conversation, and the pie charts below show the results graphically; these can assist analysis by highlighting the most prevalent port or source address. To finish off the presentation, let's go back, click on Edit > Settings and look at the Suggestions tab. This shows that ZedLan has analysed the log files and made a number of suggestions about our configuration based on the traffic it has seen and known malware behaviour. OK, so that terminates the look at ZedLan.
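The two log checks done by hand above (searching the firewall log for one port, and ZedLan's breakdown of blocked traffic by port and source address) as a shell/awk script. This is an added example, not the course's material or ZedLan's code; the log lines are constructed in the W3C format the Windows Firewall writes to pfirewall.log, and the INFO-EVENTS-LOST and send-direction exclusions mirror the settings chosen above.

```shell
#!/bin/sh
# Added example, not part of the course or of ZedLan: review a Windows Firewall
# log (pfirewall.log, W3C extended format) from the shell.
# The log lines below are constructed for the demo; the real file is normally
# %systemroot%\System32\LogFiles\Firewall\pfirewall.log.

SAMPLE_LOG='#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-01-20 10:15:02 DROP TCP 10.1.1.15 10.1.1.3 51234 4545 52 S 1 0 8192 - - - RECEIVE
2017-01-20 10:15:05 DROP TCP 10.1.1.15 10.1.1.3 51235 4545 52 S 1 0 8192 - - - RECEIVE
2017-01-20 10:15:09 ALLOW TCP 10.1.1.15 10.1.1.3 51236 4546 0 - 0 0 0 - - - RECEIVE
2017-01-20 10:15:12 DROP UDP 10.1.1.99 10.1.1.3 5353 5353 0 - 0 0 0 - - - RECEIVE
2017-01-20 10:15:20 INFO-EVENTS-LOST - - - - - 3 - - - - - - - -
2017-01-20 10:16:01 DROP TCP 10.1.1.3 198.51.100.10 51300 443 52 S 1 0 8192 - - - SEND'

# Print every data line (header skipped) whose destination port is $1,
# as the manual search for port 4545 did. Reads the log on stdin.
port_events() {
  awk -v port="$1" '!/^#/ && $8 == port'
}

# Tally dropped packets the host RECEIVED, keyed by dst-port, protocol and
# src-ip, most frequent first. Header lines, INFO-EVENTS-LOST warnings and
# SEND-direction drops are skipped, mirroring the ZedLan exclusions above.
dropped_inbound() {
  awk '
    /^#/ { next }
    $3 == "DROP" && $NF == "RECEIVE" { n[$8 " " $4 " " $5]++ }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Run the review over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | port_events 4545
printf '%s\n' "$SAMPLE_LOG" | dropped_inbound
```

Point the two functions at a copy of the real log (for example `dropped_inbound < pfirewall.log`) to get the same per-port and per-source counts ZedLan charts.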

Introducing iptables in Linux

Linux provides basic firewall capabilities through the use of a program called iptables. I have two Linux consoles open, Scorpio on the left and Hydra on the right, and I'll use them to demonstrate how to use iptables. iptables has a lot of features which will take hours to learn, but we'll stick to the basics in this course. iptables is only one of a set of rule-based firewall modules; I won't cover the rest here, but they include ip6tables, arptables and ebtables. iptables doesn't come as standard on some systems, so the first thing I'll do is install it on Hydra; I'm downloading and installing iptables now. Now we have iptables installed, let's check the default rules by typing sudo iptables -L -n -v. sudo is required because this is a superuser command; -L tells iptables to list its rules, -n requests numeric format, and -v means verbose, so we get as much information as possible. We can see that there are three sections listed, all with no entries, called the INPUT, FORWARD and OUTPUT chains. The INPUT chain contains the rules controlling what addresses and ports can be used for data coming into the computer; this provides protection against a botnet or hacker trying to break in. The FORWARD chain provides rules telling iptables to take data coming in and pass it straight through to output; this is used on gateway devices which are switching traffic. The OUTPUT chain has rules controlling what addresses and ports data can be sent to; controlling the output makes it more difficult for an infection or unwanted program to send information from the computer out to its collection point. To demonstrate the use of firewall rules using netcat, let's go ahead and type nc -l 4545 into Hydra. Hydra is now listening for data coming in on port 4545. On Scorpio I'll type nc followed by Hydra's IP address and 4545; this configures Scorpio as the sender. I type "hello universe" and the text is displayed on Hydra's console: the data has gone out of Scorpio, across the network using the TCP protocol, and into Hydra. Ctrl-C, and we can see this terminates both sides of the network connection. Now let's see how we set up firewall rules using iptables. Initially we'll set up a rule on Hydra to block anything coming from Scorpio. I'll enter sudo iptables -A INPUT -s 10.1.1.15 -j DROP. -A in the command means the rule is appended to the end of the current set of rules on the INPUT chain; -s 10.1.1.15 specifies the source IP address for the rule, which is Scorpio's IP address; and -j DROP specifies that the action is to drop incoming packets from this IP address. Running the nc test again, I type "hello universe" and nothing is displayed on Hydra. Ctrl-C to terminate the connection on Scorpio and Hydra: we've completely blocked communication from Scorpio to Hydra. iptables also allows us to block connections by protocol and port number. I can block just port 4545 by replacing the rule I just entered, using -R, with a less restrictive one: sudo iptables -R INPUT 1 -s 10.1.1.15 -p tcp --dport 4545 -j DROP. This command replaces existing rule number 1 with a new rule to drop any TCP traffic from Scorpio which tries to connect to port 4545. Listing the rules again by typing sudo iptables -L -n -v, we can see the drop on port 4545 has replaced the earlier rule. Once again, as before, when trying port 4545 from Scorpio, Hydra blocks the connection. But if I start another listener on port 4546, the connection is accepted and the data is transferred from Scorpio to Hydra. Before we finish the section, let's clean up and remove the rule currently in the INPUT chain using the -D option.

Building a simple firewall with iptables

The normal configuration for a firewall is to allow all outgoing traffic and block all incoming connections except the specific protocols we know we want. Let's set this up as a simple firewall using iptables. Because iptables activates each command immediately, we need to make sure port 22 is allowed before putting in a deny rule; deny rules can be dangerous, especially when they deny everything, because they can cut off the SSH session you are administering from. All I want to allow is port 4545 from Scorpio to access Hydra; any other connection requests will be dropped. So let's set up the firewall rules by entering four iptables commands. sudo iptables -A OUTPUT -j ACCEPT: this allows all outgoing connections. sudo iptables -A INPUT -s 10.1.1.3 -p tcp --dport 22 -j ACCEPT: this rule allows us to continue using SSH on port 22 to drive the console. sudo iptables -A INPUT -s 10.1.1.15 -p tcp --dport 4545 -j ACCEPT: this allows Scorpio to connect to Hydra on port 4545. sudo iptables -A INPUT -p tcp -j DROP: this drops all other incoming connection requests. If we list the configuration we can see we've set up three rules on the INPUT chain and one rule on the OUTPUT chain. Let's test the rule set: start a listener on port 4545 on Hydra and send to it from nc on Scorpio. When I type "hello universe" and press Enter the message is displayed on Hydra, so port 4545 is still allowed. However, if I start the listener again using port 4546, we can see the connection isn't made from Scorpio to Hydra: the firewall is blocking it. OK, that's a basic introduction to using iptables on a Linux system to establish a firewall. It's also the end of the firewall module of this course.
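The four-rule policy above as a script that checks rule ordering before applying anything, so the SSH ACCEPT can never land after the catch-all DROP that the text warns about. This is an added example, not the course's own script: Scorpio is 10.1.1.15 as in the course, ADMIN_IP for the SSH client is a constructed placeholder, and it goes one rule beyond the course by accepting ESTABLISHED,RELATED traffic, since the final "-p tcp -j DROP" would otherwise also drop the replies to Hydra's own outbound TCP connections.

```shell
#!/bin/sh
# Added example, not the course's script: build the simple iptables firewall
# as a list, verify its order, then apply it (run with "apply" to do so).
# SCORPIO_IP is from the course; ADMIN_IP is a constructed placeholder for
# the SSH client and can be overridden in the environment.
ADMIN_IP="${ADMIN_IP:-10.1.1.3}"
SCORPIO_IP="10.1.1.15"
NC_PORT=4545

# Emit the rule set, one iptables argument string per line, in apply order.
# The ESTABLISHED,RELATED rule is an addition beyond the course (see lead-in).
fw_rules() {
  printf '%s\n' \
    "-A OUTPUT -j ACCEPT" \
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "-A INPUT -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT" \
    "-A INPUT -s $SCORPIO_IP -p tcp --dport $NC_PORT -j ACCEPT" \
    "-A INPUT -p tcp -j DROP"
}

# Return 0 only if the port-22 ACCEPT precedes the catch-all INPUT DROP;
# applying them the other way round over SSH locks the administrator out.
fw_rules_safe() {
  fw_rules | awk '
    /--dport 22 .*-j ACCEPT/ { ssh = NR }
    /^-A INPUT -p tcp -j DROP$/ { drop = NR }
    END { exit !(ssh && drop && ssh < drop) }'
}

# Apply the rules in order, refusing if the ordering check fails.
fw_apply() {
  fw_rules_safe || { echo "refusing to apply: SSH rule must precede DROP" >&2; return 1; }
  fw_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    sudo iptables $rule || return 1
  done
}

# List the result, numbered, as the course does with -L -n -v.
fw_show() { sudo iptables -L -n -v --line-numbers; }

case "${1:-}" in
  apply) fw_apply && fw_show ;;
  *) fw_rules ;;   # default: just print the rules, touching nothing
esac
```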
