# Sec+ preparation #11 (cloud computing and firewalls)

## Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at [Hackers-Arise](https://www.hackers-arise.com/). I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp [here](https://hackersarise.thinkific.com/courses/security-training)

### About Security+

Holding this certification says that you're serious about cyber security.

It’s challenging and a very good starting point for a career in cybersecurity.

## Cloud Computing

* On-demand self-service

    * Customer provisions computing capabilities as needed, without human interaction with the provider
    
* Broad network access
    
    * Capabilities available over the network
        
* Resource pooling
    
    * Flexible
        
    * Good example is Amazon [AWS](https://aws.amazon.com/)
        
    * Location independence - the service is accessible from anywhere with network access, and the customer generally has no knowledge of where the resources physically are
        
    * Customer has no control of exact location of resources
        
    * Resources could be storage, processing, memory, network bandwidth and virtual machines.
        
* Rapid elasticity
    
    * In some cases automatically, to quickly scale out or in
        
    * Appears to be unlimited to the customer
        
* Measured service
    
    * The provider meters how many resources you use: storage, processing, bandwidth and active user accounts
        
    * Metering is usually the basis of a pay-per-use model.
        
    * Transparency means you know exactly what you are being charged for. Cloud providers usually report usage at this level.
        

Thin client - a device or interface that does little local processing and relies on the server for the work. In the SaaS definition the classic thin client is a web browser; the hardware underneath can be an ordinary laptop or PC.

### SaaS (Software as a service) model (this topic is always in the exam)

* The provider's application runs in the cloud; customers use it rather than install and run it themselves.
    
* Accessible through a thin client interface such as a browser.
    

### PaaS (Platform as a service)

* Customer deploys their own or acquired applications onto the provider's platform
    
* Only applications built with the languages, libraries and tools the provider supports can be deployed
    
* Customer controls the deployed applications
    
* Customer may control some configuration settings of the hosting environment, but not the OS, servers or storage underneath
    

### IaaS (Infrastructure as a service)

* Similar to a dedicated server
    
* Customer can install the OS and applications they want
    
* Customer does not control the underlying cloud infrastructure
    
* May have limited control of selected networking components (for example host firewalls)
    

The provider supplies:

* Facility
    
* Hardware
    
* Virtualized infrastructure
    

### Deployment models (will be in exam)

* Private Cloud
    
    * For one company only
        
    * May be managed by company
        
* Community Cloud
    
    * Shared by multiple companies
        
    * Usually companies with shared concerns
        
    * May be managed by one of the companies or by a third party
        
    * May be on premise or off premise
        
* Public Cloud
    
    * Cloud is made available to general public
        
    * Or made available to a large industry group
        
    * Cloud is owned by the organization selling cloud services
        
    * Amazon EC2 is a good example
        
* Hybrid cloud
    
    * Composed of two or more clouds
        
    * Could be a mix of private, community, or public clouds
        
    * Each cloud remains a unique entity; they are bound together by technology that lets data and applications move between them
        

### Cloud computing advantages

* Qualified staff - the provider's specialists run and secure the platform
    
* Platform strength - a uniform, centrally managed platform is easier to harden and patch
    
* Availability of resources - redundancy and failover that a small organization could not afford on its own
    
* Backup and recovery
    
* Mobile endpoints - data lives in the cloud instead of on laptops and phones
    
* Data concentration - data held in one well-defended place rather than scattered across endpoints
    
* Data center and cloud oriented - security built for a data-center environment rather than bolted on afterwards
    

A related point that is often overstated: the provider is responsible for security *of* the cloud (facility, hardware, hypervisor, the services it runs), and a contract or SLA may give you credits or remedies if that side fails. Security *in* the cloud (your accounts, configuration, data and applications) stays with you, and a breach caused by your own misconfiguration is not the vendor's liability. This split is known as the shared responsibility model.

#### Disadvantages

* System complexity
    
* Shared Multi-Tenant environment
    
* Internet-facing service
    
    * Management and data access happen over the web, so the attack surface is exposed to the whole Internet.
        
* Loss of control
    
    * You lose control over the physical aspects (location, hardware, who has access to the data center)
        
    * Security and privacy can be a challenge
        

## Infrastructure security

### Authorization

* Access criteria
    
    * Roles, groups, location, time
        
    * Transaction types
        
* Default to no access (implicit deny) - nobody has access until a grant is made, and grants are added only when a person actually needs them. **Start from "nobody has access to anything" and add from there.**
    
    * Access is explicit when it is granted directly to the subject
        
    * Access can also be implicit, inherited through a group or role the subject belongs to
        
    * Must fail safe
        
* Fail safe (fail closed) in the logical context means no access: if the control errors out or no rule matches, deny
    
    * **People have access ONLY if they genuinely need it. This is the safest model on which to build an organization's access control.**
        
* The need-to-know principle applies
    
* The principle of least privilege applies as well
    
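The rules above (access criteria by role, group, location, time and transaction type; default deny; explicit and implicit grants; fail closed) as a worked example. This is added illustration, not code from the course or the notes; the policy format, the sample users and the request fields are assumptions chosen for the example.

```python
"""Default-deny authorization with fail-closed evaluation.

Added example (not from the course or the original notes). The policy format,
the user records and the request fields are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import time
import ipaddress

# --- constructed sample policy -----------------------------------------------
# Explicit grants per role: permitted transaction types plus constraints.
POLICY = {
    "teller": {
        "transactions": {"deposit", "withdraw"},
        "locations": ["10.1.0.0/16"],          # branch network only
        "hours": (time(8, 0), time(18, 0)),     # business hours
    },
    "auditor": {
        "transactions": {"read_ledger"},
        "locations": ["10.0.0.0/8"],
        "hours": (time(0, 0), time(23, 59, 59)),
    },
}

# Group membership gives implicit access: a user inherits the roles of their groups.
GROUP_ROLES = {"branch-staff": {"teller"}}

USERS = {
    "alice": {"roles": set(), "groups": {"branch-staff"}},   # implicit via group
    "bob": {"roles": {"auditor"}, "groups": set()},          # explicit grant
    "mallory": {"roles": set(), "groups": set()},            # no grants at all
}


@dataclass
class Request:
    user: str
    transaction: str
    source_ip: str
    at: time


def effective_roles(user: str) -> set:
    """Explicit roles plus roles inherited through group membership."""
    record = USERS.get(user)
    if record is None:
        return set()                       # unknown user: no roles, hence no access
    roles = set(record["roles"])
    for group in record["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def _role_permits(role: str, req: Request) -> bool:
    rule = POLICY[role]                    # KeyError for an unknown role -> caught below
    if req.transaction not in rule["transactions"]:
        return False
    addr = ipaddress.ip_address(req.source_ip)   # ValueError for garbage -> caught below
    if not any(addr in ipaddress.ip_network(n) for n in rule["locations"]):
        return False
    start, end = rule["hours"]
    return start <= req.at <= end


def authorize(req: Request) -> bool:
    """True only if some effective role explicitly permits the request.

    No matching grant means deny (default to no access). Any error during
    evaluation also means deny: that is the fail-safe / fail-closed behaviour.
    """
    try:
        return any(_role_permits(r, req) for r in effective_roles(req.user))
    except Exception:
        return False


def check(user: str, transaction: str, source_ip: str, hour: int, minute: int = 0) -> bool:
    """Convenience wrapper: build a Request from plain values and authorize it."""
    return authorize(Request(user, transaction, source_ip, time(hour, minute)))


if __name__ == "__main__":
    print(check("alice", "deposit", "10.1.5.9", 9, 30))      # True: role via group, branch net, in hours
    print(check("alice", "deposit", "192.168.1.9", 9, 30))   # False: wrong location
    print(check("alice", "deposit", "10.1.5.9", 22, 0))      # False: outside business hours
    print(check("bob", "withdraw", "10.2.0.1", 9, 30))       # False: not an auditor transaction
    print(check("mallory", "deposit", "10.1.5.9", 9, 30))    # False: no grants at all
    print(check("alice", "deposit", "not-an-ip", 9, 30))     # False: malformed input fails closed
```

The important design choice is the `except Exception: return False` in `authorize`: a bug in policy data or a malformed request must never turn into an allow. Log such failures in a real system, but still deny.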

### Hardening / Bastion Host

Hardening is the process of making a system “harder” to attack: reducing its attack surface and closing the gaps that ship by default.

* Disable Unnecessary Services
    
* Protecting Management Interfaces
    
* Default Passwords Removed
    
    * Default credentials are a common way attackers get into a system
        
* Password Protection
    
    * **NEVER STORE PASSWORDS IN CLEAR TEXT** - store salted hashes
        
* **PATCH**
    
* Disabling unnecessary accounts
    
* Hardening the TCP/IP Stack
    

##### Why to do hardening?

* Operating systems are not secure out of the box: many services are enabled and the defaults favour convenience
    
* Lowers the amount of risk by shrinking the attack surface
    
* Allow only what is needed for the system's role
    
* Remove ALL non-essential services
    
* Might require some trial and error
    
* Will pay off in the long run
    

Turn off a service and see what breaks (in a test environment first, not on production).

### Checklist for saving time

* Based on a consensus of experts
    
* NIST has a [National Checklist Program](https://ncp.nist.gov/repository)
    
* Security Content Automation Protocol (SCAP)
    
    * Checklists are being expressed in SCAP formats (XCCDF for the checklist, OVAL for the individual checks) so that tools can apply and verify them automatically
        
* Can be applied to a large range of Hardware (**HW**) and Software (**SW**)
    

Checklists are useful because they capture agreed best practice. If something happens, you can demonstrate that you followed it.
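
What a checklist looks like once it is machine-readable, applied to the hardening items above (TCP/IP stack settings, unnecessary services). This is an added example, not the course's material or a real SCAP scanner: the baseline values, the `sysctl -a`-style text and the listening-socket list are constructed here; on a real host you would feed in actual `sysctl -a` and `ss -tulpn` output.

```python
"""Audit a host's TCP/IP sysctl settings and listening services against a baseline.

Added example, not from the course. BASELINE, ALLOWED_SERVICES and the two
SAMPLE_* inputs are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Baseline: common Linux TCP/IP hardening settings and why each matters.
BASELINE = {
    "net.ipv4.tcp_syncookies": ("1", "resist SYN floods"),
    "net.ipv4.conf.all.rp_filter": ("1", "drop packets with spoofed source addresses"),
    "net.ipv4.conf.all.accept_redirects": ("0", "ignore ICMP redirects (route manipulation)"),
    "net.ipv4.conf.all.send_redirects": ("0", "do not emit ICMP redirects"),
    "net.ipv4.conf.all.accept_source_route": ("0", "ignore source-routed packets"),
    "net.ipv4.ip_forward": ("0", "a host that is not a router must not forward"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "do not answer broadcast pings (smurf)"),
}

# Services this system role (a web server) is allowed to expose.
ALLOWED_SERVICES = {"sshd", "nginx"}

# Constructed sample of `sysctl -a` output, one "key = value" per line.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
"""

# Constructed sample of listening sockets: (protocol, port, process name).
SAMPLE_LISTENING: List[Tuple[str, int, str]] = [
    ("tcp", 22, "sshd"),
    ("tcp", 80, "nginx"),
    ("tcp", 443, "nginx"),
    ("tcp", 111, "rpcbind"),   # not needed on a web server
    ("udp", 161, "snmpd"),     # default community strings are a classic way in
]


def parse_sysctl(text: str) -> Dict[str, str]:
    """Turn `key = value` lines into a dict; blank or malformed lines are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_sysctl(settings: Dict[str, str]) -> List[str]:
    """Report every baseline key that is missing or has the wrong value."""
    findings = []
    for key, (wanted, why) in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set (want {wanted}: {why})")
        elif actual != wanted:
            findings.append(f"{key}={actual} (want {wanted}: {why})")
    return findings


def check_services(listening, allowed=ALLOWED_SERVICES) -> List[str]:
    """Report listening services that are not part of the system's role."""
    return [f"{proto}/{port} {proc}: not needed for this role, disable it"
            for proto, port, proc in listening if proc not in allowed]


def audit(sysctl_text: str, listening) -> List[str]:
    """Full checklist run: sysctl deviations followed by unnecessary services."""
    return check_sysctl(parse_sysctl(sysctl_text)) + check_services(listening)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL, SAMPLE_LISTENING):
        print("FAIL", finding)
```

A missing key is reported separately from a wrong value: "not set" usually means the kernel or module that owns the setting is absent, which is a different conversation from "someone changed it".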

### Do not reinvent the wheel

There are already some organizations who made checklists and needed information:

* [The Center for Internet Security](https://www.cisecurity.org/) - non-profit organization. Publishes the CIS Benchmarks, hardening guides for operating systems, cloud platforms and applications
    
* [NIST](https://www.nist.gov)
    

### Hardware Security

* Cable locks
    
* Safe
    
* Locking Cabinet
    
* Vault
    

### Host security on Mobile Devices

* Screen lock
    
* Strong password
    
* Device encryption
    
* Remote wiping/sanitization
    
* Voice Encryption
    
* GPS Tracking
    
* Virtualization for testing: open suspicious files in a VM or sandbox to avoid infecting the host
    
    * Caveat: sophisticated malware detects that it is running in a virtual environment and changes its behaviour
        

### Firewall Topics

* Rule Based Management
    
    * Keep it Simple
        
        * The fewer rules you have, the easier the rule base is to understand and audit
            
    * You must have security policies
        
    * Convert the policies to a security architecture
        
    * Occam's razor - the principle that the simplest explanation is the best one; applied here, the simplest rule base that enforces the policy is the right one
        
    * Rule order affects both performance (put the most-hit rules first) and correctness (on most firewalls the first matching rule wins)
        
    * Comment your rules for others to understand
        
    * Backup your rule base & regularly audit
        
* ACL (Access Control List)
    
    * Should be as granular (fine) as possible
        
    * Drop (silently discard) unwanted packets rather than reject them (which sends an ICMP unreachable or TCP RST back)
        
    * Beware of default global properties
        
    * Allow admin access only from trusted IPs
        
    * Give the attacker as little information as possible - silent drops are part of this
        
    * Ensure logging is properly configured
        
    * Also check what’s leaving your network
        
* Types of Firewalls & Proxies
    
    * Personal firewall
        
        * Class of firewalls for users' workstations
            
        * Offers protection from threats
            
        * Blocks unsolicited inbound connections
            
        * Protects only one computer versus a network
            
        * Can provide integrity checking mechanisms
            
        * Allow for very detailed rule base to be created
            
        * Should be part of your baseline requirements
            
    * Generations of enterprise firewalls
        
        * First is Packet filters
            
        * Then proxies
            
        * Stateful Firewall
            
    * Application Firewalls
        
    * Network Access Control (**NAC**), also known as Network Access Protection (**NAP**, Microsoft's implementation)
        
    * NAC determines which users and devices may join the network
        
* Firewall
    
    * It can be implemented in HW or SW
        
    * Enforces your security policies on traffic
        
    * Similar to a dumb security guard: it checks only what it has been told to check
        
    * Some firewalls inspect all 7 layers of the OSI model
        
        * At a higher price, and usually lower throughput
            
    * Controls the flow of traffic
        
    * You must understand their limitation
        
* What does Firewall do?
    
    * Controls flow of traffic between networks or hosts
        
    * Restricts data flow to and from the internal networks, and to and from the Internet
        
    * Acts as a “traffic cop”
        
    * Can provide extensive logging
        
    * Could be used as a **NAT** device
        
    * Can be used as a VPN device
        
    * Could be a Unified Threat Management (**UTM**) appliance - a jack of all trades that bundles firewall, IDS/IPS, antivirus, content filtering and VPN in one box
        
    * New types:
        
        * Web Application Firewall
            
        * Application Firewall
            
* Network Access Control (**NAC**)
    
    * Microsoft's implementation was called Network Access Protection (NAP)
        
    * Commonly integrated with firewalls and switches
        
    * Checks endpoints before they are admitted to the network
        
    * NAC health checks
        
        * Latest updates installed
            
        * Configuration of security tools on the endpoint (host firewall, antivirus)
            
        * Elapsed time since the previous malware scan
            
* Packet Filters
    
    * Most basic type of firewall
        
    * Filters one packet at a time, looking only at headers
        
    * Fast & Inexpensive
        
    * It is not going to tell you if the packet is malicious
        
    * Packet filters limitations
        
        * Does not detect IP spoofing
            
        * Does not provide source authentication
            
        * Does not detect attacks hidden in IP fragmentation
            
        * Does not detect strange combinations of flags
            
            * For example SYN and FIN set together
                
    
* Flood guards
    
    * Defense against DoS or DDoS
        
    * Detects ongoing attacks
        
    * Automatically attempts to block such attacks
        
    * Watches for traffic rates above a threshold
        
    * Can identify and attempt to stop SYN floods, ping floods and port floods
        
    * **DDoS mitigation is a lucrative service to offer**
        
    * Tools of flood guards:
        
        * DDoS mitigation appliances
            
        * Traffic anomaly detectors
            
        * QoS
            
        * Intrusion Prevention System
            
        * Access Control Lists (ACL)
            
        * SYN flood protection
            
        * RFC 2827 (BCP 38), Network Ingress Filtering - edge routers must be configured to comply with it
            
            * Drop packets whose source address could not legitimately have come from the interface they arrived on
                
            * Defeats DoS attacks that rely on IP source spoofing
            
* Network Segregation
    
    * Essential for SCADA systems
        
        * Supervisory Control and Data Acquisition
            
        * Electricity, oil and gas pipelines, water utilities
            
            * These are the most dangerous targets in cyber warfare
                
    * Used by the Department of Defense (DoD)
        
    * Should also be applied internally by companies (separate user, server and management networks)
        
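The rule-based management, ACL and packet-filter points above, worked through in code: an ordered rule base where the first match wins, an explicit default-deny rule at the end, silent drops with logging, and an RFC 2827 (BCP 38) anti-spoofing check on the outside interface. The last two sample packets show the stateless limitation the notes list: a stray ACK and a SYN+FIN probe to an allowed port pass because the filter sees only headers. This is an added example, not code from the course; the rule syntax, the packet fields, the `10.0.0.0/8` address space and the sample traffic are assumptions.

```python
"""Rule-based stateless packet filter: ordered rules, first match wins, explicit
default drop, RFC 2827 (BCP 38) anti-spoofing on the outside interface, and a
log of what was dropped.

Added example, not code from the course or the notes. The rule syntax, the
packet fields, our address range and the sample traffic are assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed: our own address space
WEB_SERVER = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    iface: str                      # "outside" or "inside": interface of arrival
    proto: str                      # "tcp" / "udp" / "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}


@dataclass
class Rule:
    action: str                     # "allow" or "drop"
    proto: Optional[str] = None     # None matches any
    src: Optional[str] = None       # CIDR; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""               # comment every rule for the next admin

    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


# Most-hit rule first; the last rule is the explicit default deny.
RULEBASE: List[Rule] = [
    Rule("allow", "tcp", dst=f"{WEB_SERVER}/32", dport=443, comment="public HTTPS to web server"),
    Rule("allow", "tcp", src="10.0.0.0/8", dst=f"{WEB_SERVER}/32", dport=22,
         comment="admin SSH only from the trusted internal range"),
    Rule("drop", comment="default deny: anything not explicitly allowed"),
]


def anti_spoof(p: Packet) -> bool:
    """RFC 2827 check: a packet from outside must not claim an internal source,
    and a packet from inside must carry one of our own addresses."""
    src = ipaddress.ip_address(p.src)
    return src not in INTERNAL_NET if p.iface == "outside" else src in INTERNAL_NET


def filter_packet(p: Packet, rules: List[Rule] = RULEBASE, log: Optional[list] = None) -> Tuple[str, str]:
    """Return (verdict, reason). Drops are silent: no reject, no RST, so the
    sender learns nothing about the rule base."""
    if not anti_spoof(p):
        verdict = ("drop", "spoofed source address")
    else:
        verdict = ("drop", "no rule matched")   # unreachable with a final drop rule
        for r in rules:
            if r.matches(p):
                verdict = (r.action, r.comment)
                break
    if log is not None and verdict[0] == "drop":
        log.append(f"DROP {p.iface} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({verdict[1]})")
    return verdict


# Constructed sample traffic, all arriving on the outside interface.
SAMPLE = {
    "client_https": Packet("outside", "tcp", "203.0.113.5", WEB_SERVER, 51000, 443, frozenset({"SYN"})),
    "outside_ssh": Packet("outside", "tcp", "203.0.113.5", WEB_SERVER, 51001, 22, frozenset({"SYN"})),
    "spoofed": Packet("outside", "tcp", "10.0.0.7", WEB_SERVER, 51002, 22, frozenset({"SYN"})),
    # Limitation: a stateless filter sees only headers, so an unsolicited ACK or a
    # SYN+FIN probe to an allowed port passes exactly like a legitimate connection.
    "stray_ack": Packet("outside", "tcp", "203.0.113.5", WEB_SERVER, 51003, 443, frozenset({"ACK"})),
    "syn_fin": Packet("outside", "tcp", "203.0.113.5", WEB_SERVER, 51004, 443, frozenset({"SYN", "FIN"})),
}

if __name__ == "__main__":
    dropped = []
    for name, pkt in SAMPLE.items():
        print(f"{name:12s} {filter_packet(pkt, log=dropped)}")
    print("\n".join(dropped))
```

Note that the "spoofed" packet would have matched the admin SSH rule on its source address alone; the anti-spoofing check runs before the rule base precisely because a source address on the outside interface is not something the rule base can trust.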

##### Proxy Servers

* Creates a gap between internal users & public network
    
* Act as a middle man
    
* Traditionally considered **the most secure** type of firewall, because no packet passes directly between the two networks
    
* Users MUST go through the proxy
    
* **Proxy is a server which inspects all of the connections.**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749124127217/2fbd41ee-dbd2-4c14-95d7-d1cb5a8adc00.png align="center")

##### Application level proxy

* The smartest type of proxy
    
* Operates at the Application Layer (7)
    
* Understands the inner workings of protocols
    
* Understand syntax
    
* Can be used as an access control tool
    
    * May require password
        

##### Circuit Level Proxy

* Also called Generic Proxy
    
* Used when an application proxy cannot be used
    
* Mostly SOCKS as a protocol today
    
* Supported by a limited number of applications
    
    * Browsers
        
    * Email client
        
* Can act as a simple VPN, tunneling arbitrary TCP connections
    

#### Stateful Packet inspection (SPI)

* Intercept packets at the network layer
    
* Monitor the state of connections
    
    * SYN, ACK, FIN flags
        
* Can enforce proper three way handshake
    
* Can track connectionless protocols such as UDP by keeping a pseudo-state (a recent request that is expecting a reply, expired by a timeout)
    
* Fast and efficient on inbound traffic
    
* No need to read the whole rule base: packets on an established connection are matched against the state table instead
    
* Can prevent some probes and attacks
    
* Can restrict commands within protocols
    
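The stateful inspection points above, together with the SYN-flood protection listed under flood guards, as one worked example: a connection table that enforces the three-way handshake, rejects SYN+FIN, lets UDP replies through only within a timeout window of the request, and caps half-open connections per source. It is an added example, not code from the course; the timeout, the half-open limit and the sample traffic are assumptions chosen for illustration.

```python
"""Stateful inspection: a connection table that enforces the TCP three-way
handshake, gives UDP a pseudo-state with a timeout, and caps half-open
connections per source as a simple SYN-flood guard.

Added example, not from the course or the notes. UDP_TIMEOUT, HALF_OPEN_LIMIT
and the traffic in run_scenario() are assumptions chosen for illustration.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport flags")  # flags: set of TCP flag names
UDP_TIMEOUT = 30.0      # seconds a UDP conversation stays open without traffic
HALF_OPEN_LIMIT = 3     # embryonic TCP connections allowed per source address


class StatefulFirewall:
    def __init__(self):
        self.table = {}   # flow key -> {"state": ..., "last": time of last packet}

    @staticmethod
    def _key(p):  return (p.proto, p.src, p.sport, p.dst, p.dport)
    @staticmethod
    def _rkey(p): return (p.proto, p.dst, p.dport, p.src, p.sport)   # same flow, reverse direction

    def _half_open(self, src):
        return sum(1 for k, e in self.table.items() if k[:2] == ("tcp", src) and e["state"] == "SYN_SENT")

    def inspect(self, p, now, new_allowed=lambda p: False):
        """Return (verdict, reason). `new_allowed` is the rule base, consulted only
        for packets that would open a new flow; established flows bypass it."""
        if p.proto == "tcp":
            return self._tcp(p, now, new_allowed)
        if p.proto == "udp":
            return self._udp(p, now, new_allowed)
        return ("drop", "unsupported protocol")

    def _tcp(self, p, now, new_allowed):
        f, k, rk = p.flags, self._key(p), self._rkey(p)
        if {"SYN", "FIN"} <= f:
            return ("drop", "illegal flag combination SYN+FIN")
        if f == {"SYN"}:                                   # handshake step 1
            if k in self.table:
                return ("allow", "SYN retransmit")
            if not new_allowed(p):
                return ("drop", "new connection not permitted by rule base")
            if self._half_open(p.src) >= HALF_OPEN_LIMIT:
                return ("drop", "SYN flood guard: too many half-open connections")
            self.table[k] = {"state": "SYN_SENT", "last": now}
            return ("allow", "new connection")
        if f == {"SYN", "ACK"}:                            # step 2: must answer a SYN we saw
            e = self.table.get(rk)
            if e and e["state"] == "SYN_SENT":
                e.update(state="SYN_RECV", last=now)
                return ("allow", "handshake step 2")
            return ("drop", "SYN/ACK without a prior SYN")
        if "ACK" in f:                                     # step 3 and all later segments
            e = self.table.get(k) or self.table.get(rk)
            if e is None or e["state"] == "SYN_SENT":
                return ("drop", "ACK that belongs to no handshake")
            if e["state"] == "SYN_RECV":
                e["state"] = "ESTABLISHED"
            if "FIN" in f or "RST" in f:
                self.table.pop(k, None); self.table.pop(rk, None)
                return ("allow", "connection closed")
            e["last"] = now
            return ("allow", e["state"])
        return ("drop", "packet does not fit any connection state")

    def _udp(self, p, now, new_allowed):
        k, rk = self._key(p), self._rkey(p)
        e = self.table.get(k) or self.table.get(rk)
        if e and now - e["last"] <= UDP_TIMEOUT:           # reply inside the pseudo-state window
            e["last"] = now
            return ("allow", "reply to recent UDP request")
        if not new_allowed(p):
            return ("drop", "no recent request and not permitted by rule base")
        self.table[k] = {"state": "UDP", "last": now}
        return ("allow", "new UDP conversation")


def run_scenario():
    """Constructed traffic: a full handshake, a stray ACK, a SYN+FIN probe, a DNS
    query with a timely and a late reply, then a SYN flood from one source."""
    fw, c, s = StatefulFirewall(), "203.0.113.5", "10.0.0.80"
    https = lambda p: p.proto == "tcp" and p.dport == 443
    dns_out = lambda p: p.proto == "udp" and p.dport == 53 and p.src.startswith("10.")
    r = {}
    r["syn"] = fw.inspect(Packet("tcp", c, s, 40000, 443, {"SYN"}), 0.0, https)
    r["synack"] = fw.inspect(Packet("tcp", s, c, 443, 40000, {"SYN", "ACK"}), 0.1, https)
    r["ack"] = fw.inspect(Packet("tcp", c, s, 40000, 443, {"ACK"}), 0.2, https)
    r["stray_ack"] = fw.inspect(Packet("tcp", c, s, 40001, 443, {"ACK"}), 0.3, https)
    r["syn_fin"] = fw.inspect(Packet("tcp", c, s, 40002, 443, {"SYN", "FIN"}), 0.4, https)
    r["dns_query"] = fw.inspect(Packet("udp", "10.0.0.5", "198.51.100.1", 5353, 53, set()), 1.0, dns_out)
    r["dns_reply"] = fw.inspect(Packet("udp", "198.51.100.1", "10.0.0.5", 53, 5353, set()), 1.5, dns_out)
    r["late_reply"] = fw.inspect(Packet("udp", "198.51.100.1", "10.0.0.5", 53, 5353, set()), 100.0, dns_out)
    r["flood"] = [fw.inspect(Packet("tcp", "198.51.100.9", s, 50000 + i, 443, {"SYN"}), 2.0 + i, https)[0]
                  for i in range(5)]
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:10s} {verdict}")
```

Compare the stray ACK and SYN+FIN results with what a stateless packet filter would do: here both are dropped because they belong to no connection the firewall has seen. Real implementations also expire idle TCP entries and handle sequence numbers; that is omitted to keep the state machine readable.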

#### Application firewall

* A newer development of Stateful Packet Inspection
    
    * AKA Deep Packet Inspection (DPI)
        
    * Adds basic intrusion detection to SPI
        
* Marketed as the "next generation firewall"
    
* Combines firewall and IDS functions in one device
    
* Inspects protocols at the application layer
    
    * Allows or denies access based on how an application behaves, not only on ports and addresses
        

##### Web Security Gateways

* Newer technology
    
* A form of specialized application firewall
    
* Sits between internal users and the web and inspects what browsers fetch (unlike a web application firewall, which sits in front of a web server)
    
* Minimizes attacks delivered through web browsers
    
* Protects against some phishing attempts
    

##### Unified Threat Management (UTM)

All-in-one security device: firewall, IDS/IPS, antivirus, content filtering and VPN in a single box.

* What could go wrong? It is a single point of failure and a single point of compromise: one bug or misconfiguration affects every protection at once.
    
* Convenient for a small office, but a bad idea as the only line of defence for anything larger.
    

#### Limitation of Firewall Inspection

* Can only work effectively on traffic they can inspect
    
    * Cryptography hides the contents of the traffic
        
    * SSH, TLS/SSL, IPsec
        
* Cannot read application data that is encrypted unless it terminates or intercepts the TLS session, which has its own costs and risks
    
* May not understand tunneled traffic, for example protocols wrapped inside HTTP or DNS
    
* May not be able to detect internal threats, since traffic that never crosses the firewall is never inspected
    

#### Recommendations

* NAT is a form of routing and not a type of firewall
    
* Perform granular (very fine) Egress Filtering
    
* Choose a firewall that can actually block the traffic your threat model says you need to block
    
* Assess your needs carefully before choosing
    
* Management of firewalls should be centralized
    
* Change Control must be in place
    
* Always have backup copies of rule base
    

### Filtering

* URL filtering
    
    * Prevents users from visiting malicious or offensive websites
        
    * Make a whitelist (allowlist) of sites that may be visited; everything else is blocked
        
    * You must monitor surfing habits
        
    * This is even more important in school with kids
        
    * Can filter specific categories
        
    * Can enforce policies
        
    * Tools
        
        * Websense
            
        * SurfPatrol
            
* Spam filtering
    
* Antivirus
    
    * Software that looks for and detects viruses
        
    * Viruses are distributed via:
        
        * Files that are downloaded
            
        * Emails
            
    * Signature-based antivirus does not understand higher-level attacks (logic abuse, credential theft, novel malware with no signature yet)
        
* Pop-Up blocker
    
    * Tool to prevent pop up windows from opening
        
    * Feature built within most of browsers today
        
    * Allows the user to specifically permit pop-ups for a site
        
* Content Inspection
    
* Malware inspection
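
The URL-filtering item above (an allowlist of sites, plus category-based blocking) as a worked example, with the part that is easy to get wrong: the host must be canonicalised before it is compared, otherwise mixed case, a trailing dot, an explicit port or credentials in the URL (`http://intranet.example@bad.example/`) slip past a naive string match. Added example, not the course's code; the allowlist, the category map and the sample URLs are constructed for illustration, and a real filter would take categories from a vendor feed.

```python
"""URL allowlist and category filter with host canonicalisation.

Added example, not from the course. ALLOWED_HOSTS, CATEGORIES and
BLOCKED_CATEGORIES are constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"intranet.example", "docs.example"}     # exact allowlist
CATEGORIES = {                                            # assumed vendor-style categories
    "news.example": "news",
    "casino.example": "gambling",
    "bad.example": "malware",
}
BLOCKED_CATEGORIES = {"gambling", "malware"}


def canonical_host(url: str) -> Optional[str]:
    """Lowercase host without userinfo, port or trailing dot, in punycode form,
    or None when the URL has no usable web host."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname            # strips user:pass@ and :port, lowercases
    if not host:
        return None
    host = host.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")   # unicode lookalikes -> xn-- form
    except UnicodeError:
        return None
    return host


def lookup_category(host: str, categories=CATEGORIES) -> Optional[str]:
    """Exact match first, then parent domains, so promo.casino.example
    inherits the category of casino.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = categories.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def decide(url: str, allowlist=ALLOWED_HOSTS, categories=CATEGORIES) -> Tuple[str, str]:
    """Return (verdict, reason). Unknown sites are blocked: this is an allowlist
    policy, not a blocklist."""
    host = canonical_host(url)
    if host is None:
        return ("block", "unparseable or non-web URL")
    if host in allowlist:
        return ("allow", "allowlisted host")
    category = lookup_category(host, categories)
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category {category}")
    if category is None:
        return ("block", "not on allowlist")
    return ("allow", f"category {category}")


if __name__ == "__main__":
    for u in ["https://docs.example/guide", "HTTP://Docs.Example./x",
              "http://intranet.example@bad.example/", "http://casino.example:8080/",
              "https://promo.casino.example/", "http://news.example/",
              "http://unknown.example/", "javascript:alert(1)"]:
        print(f"{u:40s} {decide(u)}")
```

The `userinfo` case is the one to remember: `urlsplit(...).hostname` returns `bad.example` for `http://intranet.example@bad.example/`, while a filter that only checks `"intranet.example" in url` would wave it through.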
