ObserveOwl (talk | contribs) m Reverted edit by 175.144.192.172 (talk) to last version by 2A00:23C6:E382:D001:3E7C:6EAF:157C:207B
Add firewall Policies
Endpoint-based application firewalls function by determining whether a process should accept any given connection. Application firewalls filter connections by examining the process ID of [[data packets]] against a rule set for the local process involved in the data transmission. Application firewalls accomplish their function by hooking into [[Network socket|socket]] calls to filter the connections between the [[application layer]] and the lower layers. Application firewalls that hook into socket calls are also referred to as socket filters.{{citation needed|date=August 2020}}
== Firewall Policies ==
At the core of a firewall's operation are the policies that govern its decision-making process. These policies, collectively known as firewall rules, are the specific guidelines that determine the traffic allowed or blocked across a network's boundaries.<ref>{{Cite web |title=Policy |url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy |access-date=2024-11-21 |website=docs.paloaltonetworks.com}}</ref><ref>{{Cite web |title=Creating Firewall Policy Rules {{!}} Juniper Networks |url=https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-firewall-policy-rule-creating.html |access-date=2024-11-21 |website=www.juniper.net}}</ref>
Firewall rules are based on the evaluation of network packets against predetermined security criteria. A network packet, which carries data across networks, must match certain attributes defined in a rule to be allowed through the firewall. These attributes commonly include:
* '''Direction''': Inbound or outbound traffic
* '''Source''': Where the traffic originates ([[IP address|IP address, range, network]], or zone)
* '''Destination''': Where the traffic is headed ([[IP address|IP address, range, network]], or zone)
* '''Port''': Network ports specific to various services (e.g., port 80 for [[HTTP]])
* '''Protocol''': The type of network protocol (e.g., [[Transmission Control Protocol|TCP]], [[User Datagram Protocol|UDP]], [[Internet Control Message Protocol|ICMP]])
* '''Applications''': Layer 7 (L7) inspection, or a named grouping of services
* '''Action''': Whether to allow, deny, drop, or require further inspection for the traffic
=== Zones ===
Zones are logical segments within a network that group together devices with similar security requirements. By partitioning a network into zones, such as "[[Operational technology|Technical]]", "[[Wide area network|WAN]]", "[[Local area network|LAN]]", "[[Wide area network|Public]]," "[[Private network|Private]]," "[[DMZ (computing)|DMZ]]", and "[[Wireless network|Wireless]]," administrators can enforce policies that control the flow of traffic between them. Each zone has its own level of trust and is governed by specific firewall rules that regulate the ingress and egress of data.
A typical default is to allow all traffic from LAN to WAN and to drop all traffic from WAN to LAN.
=== Services ===
In networking terms, services are specific functions typically identified by a network port and protocol. Common examples include HTTP/HTTPS (web traffic) on ports 80 and 443, FTP (file transfer) on port 21, and SMTP (email) on port 25. Services are the engines behind the applications users depend on. From a security aspect, controlling access to services is crucial because services are common targets for exploitation. Firewalls employ rules that stipulate which services should be accessible, to whom, and in what context. For example, a firewall might be configured to block incoming FTP requests to prevent unauthorized file uploads but allow outgoing HTTPS requests for web browsing.
=== Applications ===
Applications refer to the software systems that users interact with while on the network. They can range from web browsers and email clients to complex database systems and cloud-based services. In network security, applications are important because different types of traffic can pose varying security risks. Thus, firewall rules can be crafted to identify and control traffic based on the application generating or receiving it. By using application awareness, firewalls can allow, deny, or limit traffic for specific applications according to organisational policies and compliance requirements, thereby mitigating potential threats from vulnerable or undesired applications.
An application can be defined either as a grouping of services or as an [[OSI model|L7 inspection]] match.
=== User ID ===
Implementing firewall rules based on IP addresses alone is often insufficient due to the dynamic nature of user ___location and device usage.<ref>{{Cite web |title=Creating Firewall Policy Rules {{!}} Juniper Networks |url=https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-firewall-policy-rule-creating.html |access-date=2024-11-21 |website=www.juniper.net}}</ref><ref>{{Cite web |title=User-ID |url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id |access-date=2024-11-21 |website=docs.paloaltonetworks.com}}</ref> At enforcement time the User ID is translated to an IP address.
This is where the concept of "User ID" makes a significant impact. User ID allows firewall rules to be crafted based on individual user identities, rather than just fixed source or destination IP addresses. This enhances security by enabling more granular control over who can access certain network resources, regardless of where they are connecting from or what device they are using.
The User ID technology is typically integrated into firewall systems through the use of directory services such as [[Active Directory]], [[Lightweight Directory Access Protocol|LDAP]], [[RADIUS]] or [[TACACS|TACACS+]]. These services link the user's login information to their network activities. By doing this, the firewall can apply rules and policies that correspond to user groups, roles, or individual user accounts instead of purely relying on the network topology.
==== Example of Using User ID in Firewall Rules ====
Consider a school that wants to restrict access to a [[social media]] server from students. They can create a rule in the firewall that utilises User ID information to enforce this policy.
# Directory Service Configuration — First, the firewall must be configured to communicate with the directory service that stores user group memberships. In this case, an [[Active Directory]] server.
# User Identification — The firewall maps network traffic to specific user IDs by interpreting authentication logs. When a user logs on, the firewall associates that login with the user's [[IP address]].
# Define User Groups — Within the firewall's management interface, define user groups based on the directory service. For example, create groups such as "Students".
# Create Firewall Rule:
#* Source: User ID (e.g., Students)
#* Destination: list of [[IP address|IP addresses]]
#* Service/Application: Allowed services (e.g., [[HTTP]], [[HTTPS]])
#* Action: Deny
# Implement Default Allow Rule:
#* Source: [[Local area network|LAN]] zone
#* Destination: [[Wide area network|WAN]] zone
#* Service/Application: Any
#* Action: Allow
With this setup, only users who authenticate and are identified as members of "Students" are denied access to [[social media]] servers. All other traffic originating from the LAN zone is allowed. Because rules are evaluated in order and the first match decides, the deny rule must be placed before the default allow rule.
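As an added illustration (not from the article or any vendor's product), a minimal first-match policy evaluator in Python that implements the rule attributes listed above and the two-rule school policy; the zones, the user-to-IP mapping learned from authentication logs, and the social media address range are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data: which network each zone covers, and the
# user-to-IP mapping the firewall learned from authentication logs.
ZONES = {"LAN": ip_network("10.1.0.0/16"), "WAN": ip_network("0.0.0.0/0")}
USER_ID = {"10.1.5.20": ("alice", {"Students"}),
           "10.1.5.30": ("bob", {"Staff"})}
SOCIAL_MEDIA = [ip_network("203.0.113.0/24")]  # placeholder server range

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                    # "allow" or "deny"
    src_group: str = ""                            # User ID group; "" = any
    dst_nets: list = field(default_factory=list)   # empty = any destination
    services: set = field(default_factory=set)     # (proto, port); empty = any

def zone_of(ip: str) -> str:
    # Most specific zone wins; the WAN 0.0.0.0/0 catch-all matches last.
    addr = ip_address(ip)
    return max((z for z, n in ZONES.items() if addr in n),
               key=lambda z: ZONES[z].prefixlen)

def matches(rule, src, dst, proto, port):
    if rule.src_zone != zone_of(src) or rule.dst_zone != zone_of(dst):
        return False
    if rule.src_group:
        user = USER_ID.get(src)      # unauthenticated sources have no groups
        if not user or rule.src_group not in user[1]:
            return False
    if rule.dst_nets and not any(ip_address(dst) in n for n in rule.dst_nets):
        return False
    if rule.services and (proto, port) not in rule.services:
        return False
    return True

# Rule order matters: the specific deny precedes the default LAN-to-WAN allow.
POLICY = [
    Rule("block-students-social", "LAN", "WAN", "deny", src_group="Students",
         dst_nets=SOCIAL_MEDIA, services={("tcp", 80), ("tcp", 443)}),
    Rule("lan-to-wan", "LAN", "WAN", "allow"),
]

def evaluate(src, dst, proto, port, policy=POLICY):
    # First matching rule decides; no match (e.g. WAN to LAN) is an implicit drop.
    for rule in policy:
        if matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return "drop", "implicit-deny"
```

Swapping the two rules in POLICY makes the student traffic hit the allow rule first, which is the classic ordering mistake this evaluator makes visible.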
== Most common firewall log types ==