Network security isn’t foolproof and system administrators should also configure host security controls. Learn about the importance and configuration of host-based firewalls and intrusion detection and prevention systems as enterprise security controls.
- [Instructor] Firewalls are an important security control. They act as the security guards of the network, monitoring attempts to start communications and only allowing those connections that match the enterprise security policy. Firewalls follow the Default Deny Principle that says that any network connection that is not explicitly allowed should be blocked. Connections to a computer should only be made when the administrator determines that the connection is necessary to meet business requirements.
Firewalls come in two forms. Network firewalls are hardware devices that sit in between two networks and control the connections between those networks. For example, organizations place network firewalls at the borders of their networks, in between that organization's network and the internet. This network firewall forms an important part of the organization's perimeter defense. The network firewall only restricts those connections that pass through the firewall.
Connections between systems on the same network are not restricted by the network firewall, because they don't pass through it. Host-based firewalls work in a similar manner, but are not hardware devices. They are software, normally part of the operating system, that sits on an individual workstation or server. The host firewall restricts any attempt to connect to that individual computer from any other system on the network. They are an important part of a defense-in-depth approach to information security.
We'll take a look at two different firewalls in action: the Windows Firewall on a Windows server, as well as security groups for a Linux server in Amazon Web Services. In both cases we'll create a rule that we'd normally have for a web server, one that allows the outside world to contact the server using either the unencrypted HTTP protocol or the secure HTTPS protocol. Let's start with a Windows server. Here I am in Server Manager. I'm going to go ahead and choose Tools, and then Windows Firewall with Advanced Security.
This is the main console for the Windows Firewall. You'll notice that it has three different types of Profiles here. The Domain Profile includes rules that affect connections from other systems located in the same domain. The Private Profile affects connections from other systems that are on the same network, but not necessarily in the same domain. And then finally, the Public Profile affects any system on the internet anywhere outside that private network. I want to create a rule that allows web server access from the internet, so I'm interested here in creating a Public rule.
Over here on the left side of the window you'll see that we have two different types of rules that we can create, Inbound Rules and Outbound Rules. Inbound Rules restrict connections to a server from the outside, while Outbound Rules affect the connections that the server may make to the outside world. We're interested in allowing inbound access to this web server, so let's go ahead and click on Inbound Rules. Notice that the Windows Firewall comes with predefined rules for a large number of access scenarios. Each of these rules has a checkbox icon next to it indicating whether the rule is active or disabled.
If the icon is green, the Firewall is actively enforcing the rule, allowing access to the specified service. If the icon is grey, the rule is not active and the Firewall will not allow access to that service. If we scroll down this list a little bit we find the World Wide Web Services rule at the bottom of the list. This is the rule that allows HTTP access on port 80. Notice that the icon is grey, so the server is not currently allowing HTTP access.
If I right-click on this rule and then choose Enable Rule, the icon changes to green and the Firewall will allow inbound web access using HTTP. I'm also going to go up here to where the secure version of this rule is; notice it says HTTPS Traffic-In. I'm going to enable that rule as well, and that icon turns green. So I've now created the two Windows Firewall rules required to allow inbound access to the web server running on this device.
And that's how you create Windows Firewall rules. Linux has a number of different host firewalls available as well. For example, the iptables firewall works in a manner similar to the Windows Firewall. Let's take a look at another important scenario: the use of firewalls in an infrastructure as a service environment. In this case you don't have any access to the firewalls used by the service provider, so you'll need to use an abstraction to control access to your servers. I have a Linux server here running in Amazon Web Services and I want to allow outside access to the web server running on it.
This line here represents the server, and AWS controls server access using a concept known as security groups, which are similar to firewall rules. Let's just switch tabs here to the security group interface and take a look at that. Notice I don't have any security groups now, but I'm going to go ahead and create one. I click the Create Security Group button, and I give my group a descriptive name. Let's say Inbound Web Access. And we'll write a little Description: Allows public web access to my server.
And so far I've created the shell for a security group, but I haven't given it any rules. I'm going to go ahead and click Add Rule and then choose HTTP from Type here. Notice Amazon fills in the rest: TCP Protocol and Port 80 for HTTP, and the Source is Anywhere. I do want to allow the general public to have access to this server, so that's okay. Now I just go and create a second rule, this time for HTTPS. And the rest of the rule, again, fills in: TCP, Port 443, access from Anywhere.
I go ahead and Create this security group and I can then apply it to any server that I need to allow inbound web access to. Remember, host-based firewalls are an important security control, but they're only half the picture. If you also have a network firewall, you'll need to create rules on both that allow any needed access. Intrusion Detection and Prevention Systems are another important network security control. IDS and IPS systems monitor network traffic for suspicious activity and, in the case of an Intrusion Detection System, alert administrators to that suspicious activity.
Intrusion Prevention Systems go a step further and actually intervene to block that traffic from entering your network. As with firewalls, IDS and IPS systems come in both network and host-based forms. Unlike firewalls, IDS and IPS capabilities are not commonly found as an operating system component. Organizations that wish to supplement their network-based Intrusion Detection and Prevention Systems must purchase a third-party security software package that implements this technology.
Host-based network security controls are an important complement to traditional network-based controls. They form an important part of an organization's defense-in-depth approach to information security.
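The security group built above follows the Default Deny Principle: only TCP 80 and 443 are opened to Anywhere. The script below, an added example that is not part of the course or of any AWS tooling, audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` against that policy and reports any other port exposed to the world; the group it inspects is a constructed sample, including a drift rule an administrator might add later.

```python
"""Audit an AWS security group against the web-server policy described above:
only TCP 80 and 443 may be open to the world (0.0.0.0/0 or ::/0)."""
import ipaddress

ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE_GROUP = {
    "GroupName": "Inbound Web Access",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # Drift rule added later: RDP open to the world, a policy violation.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Admin SSH from an internal range only: not world-open, so acceptable here.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

def is_world_open(cidr):
    """True when a CIDR covers the whole address space (the console's 'Anywhere')."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_open_ports(permission):
    """Return the set of (protocol, port) pairs this permission exposes to the world."""
    ranges = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    if not any(is_world_open(c) for c in ranges):
        return set()
    proto = permission["IpProtocol"]
    if proto == "-1":  # AWS encodes "all protocols, all ports" as -1
        return {("any", "any")}
    lo, hi = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return {(proto, p) for p in range(lo, hi + 1)}

def audit_group(group):
    """Return the world-open (protocol, port) pairs that fall outside the allowed set."""
    exposed = set()
    for perm in group["IpPermissions"]:
        exposed |= world_open_ports(perm)
    return sorted(e for e in exposed
                  if not (e[0] == "tcp" and e[1] in ALLOWED_PUBLIC_PORTS))

if __name__ == "__main__":
    for proto, port in audit_group(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupName']}: {proto}/{port} is open to the world")
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` and passing each group to `audit_group`.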
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security