Security - Firewall Configuration
Uploaded by ilaz.allaraj

Cybersecurity

Firewall Configuration
Jump Server
• A jump server (jump host) is a hardened system on a network specifically used to access devices in a separate security zone.
• It is an intermediary device that funnels administrative traffic through the firewall over a supervised, secure channel (typically SSH or RDP).
• For someone outside the network to access protected resources inside it, they first connect to the jump host, and their activities on the internal services are performed via that connection.
• Because of its specific monitoring and hardening, a jump server is a safer alternative to allowing direct outside access to internal hosts.
• It only works as a control if the firewall permits connections into the protected zone solely from the jump host; and because every administrative session passes through it, the jump host is a high-value target that needs strong authentication (MFA), minimal installed software and session logging.
Proxy Servers
• A proxy server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites.
• A proxy server takes requests from a client system and forwards them to the destination server on behalf of the client.
Proxy Servers - Types
• A forward proxy forwards client requests to servers based on a variety of parameters, as described in the other portions of this section.
• Forward proxies can be used to bypass firewall restrictions, act as a cache server, and change the client's apparent IP address (more useful before the widespread adoption of NAT).
• A reverse proxy is typically installed on the server side of a network connection, often in front of a group of web servers, and intercepts all incoming web requests.
• It can perform a number of functions, including traffic filtering, Secure Sockets Layer (SSL)/Transport Layer Security (TLS) termination (decrypting client connections so the back-end servers see plain HTTP), serving of common static content such as graphics, and load balancing.
Forward Proxy
• In a standard Internet communication, computer A reaches out directly to computer C, with the client sending requests to the origin server and the origin server responding to the client.
• When a forward proxy is in place, A instead sends its requests to B, which forwards them to C.
• C then sends its response to B, which forwards the response back to A.

Why use one?
To avoid state or institutional browsing restrictions - Some governments, schools, and other organizations use firewalls to give their users access to a limited version of the Internet. A forward proxy can be used to get around these restrictions, as it lets the user connect to the proxy rather than directly to the sites they are visiting.
To block access to certain content - Conversely, proxies can also be set up to block a group of users from accessing certain sites. For example, a school network might be configured to connect to the web through a proxy which enforces content filtering rules, refusing to forward responses from Facebook and other social media sites.
To protect their identity online - In some cases, regular Internet users simply desire increased anonymity online, but in other cases Internet users live in places where the government can impose serious consequences on political dissidents. Only the IP address of the proxy server will be visible to the destination site; the proxy operator, however, sees every request, so the anonymity gained is only as good as the trust placed in the proxy.
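The decision a filtering forward proxy makes for each request, as an added example that is not code from the slides or from any proxy product. Clients send a proxy either a CONNECT request (HTTPS, where only the host name is visible to the proxy) or a request with an absolute URL (plain HTTP); the example extracts the destination host from both forms and matches it against a blocked-domain list on label boundaries. The blocked domains and the sample requests are constructed for the example.

```python
"""Added example, not code from the slides: the host-extraction and
domain-matching decision of a filtering forward proxy. Clients send a proxy
either a CONNECT request (HTTPS: only the host name is visible) or a request
with an absolute URL (plain HTTP). The blocked-domain list and the sample
requests are constructed for the example."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"facebook.com", "tiktok.com"}   # assumed policy


def target_host(request_line: str, headers: Dict[str, str]) -> Optional[str]:
    """Host the client wants to reach, or None if it cannot be determined."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":            # "CONNECT host:port HTTP/1.1"
        return target.rsplit(":", 1)[0].lower()
    url = urlsplit(target)
    if url.hostname:                           # absolute-form: "GET http://host/path HTTP/1.1"
        return url.hostname.lower()
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    return host.split(":", 1)[0].lower() if host else None


def is_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match the domain or any subdomain of it on a label boundary, so
    'm.facebook.com' is blocked but 'facebook.com.example.net' and
    'notfacebook.com' are not (a plain substring check gets both wrong)."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def decide(request_line: str, headers: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """(action, reason) for one proxied request."""
    host = target_host(request_line, headers or {})
    if host is None:
        return "deny", "no destination host in request"
    if is_blocked(host):
        return "deny", f"{host} is on the blocked-domain list"
    return "allow", host


if __name__ == "__main__":
    # Constructed sample requests as a client would send them to the proxy.
    for line, hdrs in [
        ("CONNECT m.facebook.com:443 HTTP/1.1", {}),
        ("GET http://facebook.com.example.net/ HTTP/1.1", {}),
        ("GET http://notfacebook.com/ HTTP/1.1", {}),
        ("GET /index.html HTTP/1.1", {"Host": "www.facebook.com:80"}),
        ("GET http://www.pfsense.org/download/ HTTP/1.1", {}),
    ]:
        print(line, "->", decide(line, hdrs))
```

For HTTPS the proxy only sees the host name in the CONNECT line, so rules finer than the host (a path, a "Facebook games" section) require the proxy to terminate and re-encrypt TLS with a certificate the clients trust.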
Reverse Proxy
• Typically all requests from D go directly to F, and F sends its responses directly to D.
• With a reverse proxy, all requests from D go to E, and E sends its requests to and receives responses from F.
• E then passes the appropriate responses along to D.

Load balancing - A popular website that gets millions of users every day may not be able to handle all of its incoming traffic with a single origin server. Instead, the site can be distributed among a pool of servers, all handling requests for the same site. In this case, a reverse proxy can provide a load balancing solution which distributes the incoming traffic among the different servers to prevent any single server from becoming overloaded. In the event that a server fails completely, the other servers can take over its traffic.

Protection from attacks - With a reverse proxy in place, a website or service never needs to reveal the IP address of its origin server(s). This makes it much harder for attackers to mount a targeted attack against them, such as a DDoS attack. Instead the attackers will only be able to target the reverse proxy, such as Cloudflare's CDN, which will have tighter security and more resources to fend off an attack. This protection holds only if the origin accepts connections exclusively from the proxy's addresses: an origin that is still directly reachable from the Internet can be found (for example through old DNS records) and attacked around the proxy.
Firewalls
• A firewall can be hardware, software, or a combination of both, whose purpose is to enforce a set of network security policies across network connections.
• It is much like a wall with a window: the wall serves to keep things out, except those permitted through the window.
• The heart of a firewall is the set of security policies that it enforces.
• Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rulesets for the firewall devices used to filter network traffic across the network.
Firewalls – Where to Place
• Security policies are rules that define what traffic is permissible and what traffic is to be blocked or denied.
• These are not universal rules, and many different sets of rules are created for a single organization with multiple connections. A web server connected to the Internet may be configured to allow traffic only on TCP port 80 for HTTP (and TCP port 443 for HTTPS) and have all other ports blocked, for example.
• A key to setting security policies for firewalls is the same as for other security policies: the principle of least access (least privilege): allow only the access necessary for a function; block or deny all unneeded functionality. In practice the ruleset ends with an explicit or implicit deny of everything not listed. pfSense works exactly this way: rules are evaluated per interface from top to bottom, the first match wins, and anything unmatched is dropped, so the order of the rules is part of the policy.
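A minimal first-match packet filter, as an added example that is not code from the slides or from pfSense, serving both the jump-server section above and the least-access principle here. It evaluates a ruleset the way pfSense does (top to bottom, first match wins, implicit deny for anything unmatched) over the lab's own subnets; the choice of the Kali VM (192.168.10.10) as jump host, of LAN2 (192.168.20.0/24) as the protected zone and of the Ubuntu VM as a web server are assumptions for the policy. A second, misordered ruleset shows how one broad rule placed first silently cancels the SSH restriction.

```python
"""Added example, not code from the slides or from pfSense: a minimal
first-match packet filter that mimics how pfSense evaluates a ruleset
(top to bottom, first match wins, implicit deny for anything unmatched).
Addresses are the lab's subnets; the jump host (192.168.10.10, the Kali VM)
and the "protected" zone (192.168.20.0/24) are assumptions for the policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # address or CIDR, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return _covers(self.src, p.src) and _covers(self.dst, p.dst)


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Decision for one packet: (action, reason). First matching rule wins;
    an unmatched packet hits the implicit default deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "block", "implicit default deny"


JUMP_HOST = "192.168.10.10"      # assumed: the Kali VM acts as the jump host
PROTECTED = "192.168.20.0/24"    # assumed: LAN2 is the protected zone
WEB_SERVER = "192.168.20.10"     # assumed: the Ubuntu VM runs a web server

# Least-access policy: SSH into the protected zone only via the jump host,
# HTTP to the one web server, and nothing else (the implicit deny covers it).
LEAST_ACCESS = [
    Rule("pass", src=JUMP_HOST, dst=PROTECTED, proto="tcp", dport=22,
         comment="SSH to protected zone from the jump host only"),
    Rule("block", dst=PROTECTED, proto="tcp", dport=22,
         comment="SSH to protected zone from anywhere else"),
    Rule("pass", dst=WEB_SERVER, proto="tcp", dport=80,
         comment="HTTP to the web server"),
]

# The same rules with a broad "allow all TCP to the protected zone" placed
# first: because the first match wins, it shadows the SSH restriction below it.
MISORDERED = [Rule("pass", dst=PROTECTED, proto="tcp",
                   comment="allow all TCP to protected zone")] + LEAST_ACCESS


def shadowed_rules(rules: List[Rule], samples: List[Packet]) -> List[str]:
    """Comments of rules that never win for any of the sample packets: a
    cheap way to spot ordering mistakes before loading a ruleset."""
    winners = {evaluate(rules, p)[1] for p in samples}
    return [r.comment for r in rules if r.comment not in winners]


if __name__ == "__main__":
    samples = [
        Packet(JUMP_HOST, WEB_SERVER, "tcp", 22),        # admin via the jump host
        Packet("192.168.10.50", WEB_SERVER, "tcp", 22),  # SSH bypassing the jump host
        Packet("192.168.10.50", WEB_SERVER, "tcp", 80),  # ordinary web request
        Packet("192.168.10.50", WEB_SERVER, "udp", 53),  # not in the policy at all
    ]
    for name, rules in (("least access", LEAST_ACCESS), ("misordered", MISORDERED)):
        print(name)
        for p in samples:
            print("  ", p.src, "->", f"{p.dst}:{p.dport}/{p.proto}", evaluate(rules, p))
        print("   shadowed:", shadowed_rules(rules, samples))
```

The explicit block rule for SSH is redundant with the default deny, but keeping it makes the intent visible in the ruleset and protects the restriction when someone later appends a broader allow rule below it.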
Firewalls vs ACLs
In their most basic form, firewalls do the same kind of work that routers do with ACLs, but firewalls can perform that packet-filtering function with many more options, as well as perform other security tasks.
• Like router IP ACLs, match the source and destination IP addresses
• Like router IP ACLs, identify applications by matching their static well-known TCP and UDP ports
• Watch application-layer flows to know what additional TCP and UDP ports are used by a particular flow (as FTP does for its data connection), and filter based on those ports
• Match the text in the URI of an HTTP request (that is, look at and compare the contents of what is often called the web address) and match patterns to decide whether to allow or deny the download of the web page identified by that URI
• Keep state information by storing information about each packet, and make decisions about filtering future packets based on the historical state information (called stateful inspection, or being a stateful firewall)
Stateful firewall
• A router filtering with ACLs treats each packet on its own: it does not take the time to gather information about a packet and then, for future packets, consider saved state information about earlier packets when making a filtering decision.
• Because they focus on network security, firewalls do save some information about packets (a state table of connections) and can consider that information for future filtering decisions; one consequence is that return traffic is accepted only when it matches a connection the firewall has already seen.
• Example: DoS attacks based on TCP connection floods
1. A DoS attack might attempt thousands or more TCP connections per second, driving up CPU and RAM use on the server and eventually overloading the server to the point that it cannot serve legitimate users.
2. A stateful firewall could be tracking the number of TCP connections per second (that is, recording state information based on earlier packets), including the number of TCP connection requests from each client IP address to each server address, and could then drop or rate-limit new connection requests from a source that exceeds a threshold.
3. Per-source counters help less against a distributed attack from many (or spoofed) source addresses; there, global connection limits, SYN cookies and upstream traffic scrubbing are needed as well.
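A toy stateful filter, as an added example that is not code from the slides or from any firewall product. It shows the two behaviours described above: return traffic is accepted only when it matches a connection already recorded in the state table, and new-connection requests (SYNs) per source address are counted over a sliding window so that a source exceeding the limit is dropped. The threshold, the window length, the server address (the Ubuntu VM) and the attacker address (from the 203.0.113.0/24 documentation range) are assumptions.

```python
"""Added example, not from the slides: a toy stateful filter showing the two
things the text describes. (1) Return traffic is accepted only when it matches
a connection already recorded in the state table. (2) New connections (SYNs)
per source address are counted over a sliding window, and a source that
exceeds the limit is dropped. Thresholds and addresses are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True for a new-connection request (SYN without ACK)


Flow = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, max_new_per_window: int = 100, window_s: float = 1.0):
        self.max_new = max_new_per_window
        self.window = window_s
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)  # src -> SYN timestamps
        self.flows: Set[Flow] = set()   # admitted connections (a real firewall ages these out)

    def handle(self, s: Segment, now: float) -> str:
        if s.syn:
            recent = self.syn_times[s.src]
            while recent and now - recent[0] > self.window:   # slide the window forward
                recent.popleft()
            if len(recent) >= self.max_new:
                return "drop: new-connection rate exceeded for " + s.src
            recent.append(now)
            self.flows.add((s.src, s.sport, s.dst, s.dport))
            return "pass: new connection recorded"
        forward = (s.src, s.sport, s.dst, s.dport)
        reverse = (s.dst, s.dport, s.src, s.sport)
        if forward in self.flows or reverse in self.flows:
            return "pass: matches existing state"
        return "drop: no matching state"


SERVER = "192.168.20.10"       # assumed: the Ubuntu VM is the web server
ATTACKER = "203.0.113.9"       # assumed flood source (documentation address range)


def flood_demo(limit: int = 5, attempts: int = 10) -> Tuple[int, int]:
    """Open `attempts` connections from one source inside one window.
    Returns (passed, dropped)."""
    f = StatefulFilter(max_new_per_window=limit)
    results = [f.handle(Segment(ATTACKER, 40000 + i, SERVER, 80, syn=True), 0.05 * i)
               for i in range(attempts)]
    passed = sum(r.startswith("pass") for r in results)
    return passed, attempts - passed


def state_demo() -> Tuple[str, str, str]:
    """Return traffic for an admitted flow passes; unsolicited traffic does not."""
    f = StatefulFilter()
    f.handle(Segment("192.168.10.10", 50000, SERVER, 80, syn=True), 0.0)   # client opens
    reply = f.handle(Segment(SERVER, 80, "192.168.10.10", 50000, syn=False), 0.1)
    unsolicited = f.handle(Segment(SERVER, 80, "192.168.10.10", 50001, syn=False), 0.2)
    spoofed_ack = f.handle(Segment(ATTACKER, 1234, SERVER, 80, syn=False), 0.3)
    return reply, unsolicited, spoofed_ack


if __name__ == "__main__":
    print("flood: passed/dropped =", flood_demo())
    print("state:", state_demo())
```

The state table itself is a resource: a flood that gets past the rate limit fills it, which is why real firewalls cap the table size and expire half-open entries quickly.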
WAF
• A web application firewall (WAF) is a device that restricts traffic based on rules associated with HTTP/HTTPS requests and responses.
• By definition, web application firewalls are a form of content filter, and their various configurations allow them to provide significant capabilities and protections.
• The level of specificity in what can be allowed or blocked can be as precise as "allow Facebook but block Facebook games."
• WAFs can detect and block disclosure of critical data, such as account numbers, credit card numbers, and so on. WAFs can also be used to protect websites from common attack vectors such as cross-site scripting, SQL injection, fuzzing, and buffer overflow attempts (oversized or malformed inputs).
• A WAF inspects decrypted HTTP, so it must sit where it can see plaintext (for example on or behind the reverse proxy that terminates TLS), and signature-based rules can be evaded by encoding or obfuscating payloads; a WAF is a compensating control in front of the application, not a substitute for fixing its vulnerabilities.
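A small WAF rule set of the three kinds mentioned above, as an added example that is not code from the slides or from any WAF product: inbound, cross-site-scripting patterns and oversized parameters (what a fuzzer or an overflow attempt sends); outbound, card numbers that pass the Luhn check. It percent-decodes repeatedly so a double-encoded payload is inspected in the form the application will eventually see. The patterns, the size limit and the sample traffic are constructed assumptions.

```python
"""Added example, not from the slides or from any WAF product: a small
rule set of the three kinds the text mentions, run over constructed HTTP
requests and responses. Inbound: cross-site-scripting patterns and oversized
parameters (what a fuzzer or overflow attempt sends). Outbound: card numbers
that pass the Luhn check. Patterns, limits and sample traffic are assumptions."""
import re
from typing import List
from urllib.parse import parse_qsl, unquote

XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script", r"javascript\s*:", r"\bon[a-z]+\s*=", r"<\s*(img|svg|iframe)\b")]
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
MAX_PARAM_LEN = 1024            # assumed limit; tune per application


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253Cscript)
    are inspected in the same form the application will eventually see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_request(query: str, body: str = "") -> List[str]:
    """Findings for one request; an empty list means 'forward it'."""
    findings = []
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, raw in params:
        value = normalize(raw)
        if len(value) > MAX_PARAM_LEN:
            findings.append(f"oversized parameter {name!r}: {len(value)} bytes")
        for pat in XSS_PATTERNS:
            if pat.search(value):
                findings.append(f"xss pattern {pat.pattern!r} in parameter {name!r}")
                break
    return findings


def inspect_response(body: str) -> List[str]:
    """Findings for one response body: only Luhn-valid numbers are reported,
    so order numbers and timestamps of similar length are not flagged."""
    findings = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card number ending in {digits[-4:]} in response")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic.
    print(inspect_request("q=firewall+rules"))                        # benign
    print(inspect_request("q=%3Cscript%3Ealert(1)%3C/script%3E"))   # XSS, single-encoded
    print(inspect_request("q=%253Cscript%253Ealert(1)"))            # XSS, double-encoded
    print(inspect_request("user=" + "A" * 4096))                    # fuzzing / overflow attempt
    print(inspect_response("Order 1234567890123 shipped"))          # 13 digits, Luhn fails
    print(inspect_response("Card on file: 4111 1111 1111 1111"))    # Luhn-valid test number
```

The event-handler pattern (`on...=`) will also fire on ordinary text such as "only = 3", which is the usual trade-off of signature rules: every pattern added for coverage costs false positives, and an attacker who knows the patterns will look for an encoding the normalizer does not undo.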
Network structure
• The network infrastructure will include a pfSense firewall connected to the Internet and two networks connected to pfSense.
• Both networks (LAN and LAN2) will be provided with IP addresses by the pfSense firewall, which will also act as a router.
• The DHCP service enabled in pfSense will lease IP addresses for:
• Network A: range 192.168.10.10 - 192.168.10.100
• Network B: range 192.168.20.10 - 192.168.20.100
• On each network there is one attached computer, specifically:
• Kali Linux computer with IP address: 192.168.10.10
• Ubuntu computer with IP address: 192.168.20.10
Preparation of Virtual Lab
• The virtual lab will contain a pfSense virtual machine with three network adapters. The first adapter will be used for the WAN (to connect to the Internet); for that reason it is going to be attached as "Bridged Adapter".
• The two other network adapters will be set as Internal Network: inet1 for Network A (LAN1) and inet2 for Network B (LAN2), respectively.
• The other virtual machines will be attached to the Internal Network as well: inet1 for Kali Linux and inet2 for Ubuntu. Due to this configuration the Kali Linux VM will be part of LAN1 and the Ubuntu VM part of LAN2.
pfSense Firewall
• Advantages
pfSense: Installation and configuration of pfSense
• A fresh copy of pfSense can be downloaded from the official website of pfSense: https://www.pfsense.org/download/
• It comes in two editions: pfSense Community Edition, which is free, and pfSense Plus, the commercial edition available under a paid license. In this lab pfSense Community Edition will be used, as it includes all the tools necessary to configure and manage the firewall.
• Install pfSense into VirtualBox from the ISO file by following the simple steps on the screen (more information: https://www.ceos3c.com/pfsense/install-pfsense-on-virtualbox/)

• Create a Virtual Machine using the parameters:


pfSense: Installation and configuration of pfSense
Prior to rebooting the system:
1. Detach the installer image so the VM boots from its virtual disk: Devices > Optical Drives > uncheck the pfSense ISO file (or choose "Remove disk from virtual drive").
2. After that click on the Reboot button.
• We can start configuring interfaces from the pfSense console menu using options
1. Assign Interfaces and
2. Set interface(s) IP address
• The configuration of the network interfaces should be like the following image:
Configuration
• Configure WAN:
1. Set a DHCP or manual IP address for the WAN
• Configuration of LAN:
1. Set an IP address for the LAN: 192.168.10.1
2. Enter the subnet mask bit count: 24
3. Answer "y" to the question about enabling the DHCP server on LAN
4. Configure the range: 192.168.10.10 – 192.168.10.100
• Same configuration for LAN2 with the interface IP 192.168.20.1, subnet mask bit count 24 and DHCP range 192.168.20.10 – 192.168.20.100 (the interface address must lie outside the DHCP range; 192.168.20.10 is the first lease, which the Ubuntu host receives).
• Check the configuration of the Kali machine, connected to inet1 (the same network as the LAN1 interface of pfSense). Its IP address will be in the range 192.168.10.10 – 192.168.10.100.
Accessing the pfSense firewall using GUI (Graphical User Interface)
• Following the previous steps makes the connection between the LAN hosts (Ubuntu and Kali Linux) and the firewall possible.
• A user-friendly management interface (the webConfigurator) can be reached by entering in a browser the local IP address of the pfSense interface connected to the specific LAN (which also serves as that LAN's gateway):
• In Ubuntu, access pfSense using the IP address: 192.168.20.1
• In Kali Linux, access pfSense using the IP address: 192.168.10.1
• The GUI is served over HTTPS with a self-signed certificate, so the browser shows a certificate warning on first access.
• pfSense creates its default "allow LAN to any" and anti-lockout rules only on the interface named LAN; an additional interface (OPT1, renamed LAN2 here) starts with no rules at all, so traffic from the Ubuntu host, including access to the GUI at 192.168.20.1, is blocked until rules are added for that interface under Firewall > Rules.

Login
Username: admin
Password: pfsense
These are the factory defaults; change the password at first login, since every host on the LAN can reach the GUI.
Accessing the pfSense firewall using GUI (Graphical User Interface)
• A myriad of helpful configurations can be done using the GUI of pfSense, from changing the dashboard view to configuring a VPN or the Snort IDS package.
• The image shows the configuration of the DHCP server on LAN1, making the connection of other devices in this LAN with the firewall possible.
• Set an available range for each network that does not include the network address (192.168.10.0), the IP address of the pfSense interface (192.168.10.1) or the broadcast address (192.168.10.255); thus the widest possible range is 192.168.10.2 – 192.168.10.254. The ranges of the two interfaces must come from their own subnets (192.168.10.0/24 for LAN1, 192.168.20.0/24 for LAN2).
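A check for the DHCP pool settings described above, as an added example that is not code from the slides or from pfSense. It uses the lab's own addresses and verifies that a pool lies inside its interface's subnet and excludes the network address, the pfSense interface address and the broadcast address, and that the two interfaces do not sit in overlapping subnets; it also catches the mistake of giving the LAN2 interface an address inside its own pool.

```python
"""Added example, not from the slides or pfSense: a check for the DHCP pool
settings described above, using the lab's own addresses. It verifies that a
pool lies inside the interface's subnet and excludes the network address, the
pfSense interface address and the broadcast address, and that the pools of
two interfaces do not come from overlapping subnets."""
from ipaddress import ip_address, ip_interface
from typing import List


def check_pool(interface_cidr: str, pool_start: str, pool_end: str) -> List[str]:
    """Problems with one interface's DHCP range; an empty list means OK.
    interface_cidr is the pfSense interface address with prefix, e.g. 192.168.10.1/24."""
    iface = ip_interface(interface_cidr)
    net = iface.network
    start, end = ip_address(pool_start), ip_address(pool_end)
    problems = []
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    for label, addr in (("network address", net.network_address),
                        ("interface address", iface.ip),
                        ("broadcast address", net.broadcast_address)):
        if start <= addr <= end:
            problems.append(f"pool includes the {label} {addr}")
    return problems


def subnets_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if two interface subnets collide (both would then claim the same clients)."""
    return ip_interface(cidr_a).network.overlaps(ip_interface(cidr_b).network)


if __name__ == "__main__":
    # The lab's configuration: LAN1 and LAN2 as set on the pfSense console.
    print(check_pool("192.168.10.1/24", "192.168.10.10", "192.168.10.100"))
    print(check_pool("192.168.20.1/24", "192.168.20.10", "192.168.20.100"))
    # The widest range allowed on LAN1, and an interface address placed inside its own pool.
    print(check_pool("192.168.10.1/24", "192.168.10.2", "192.168.10.254"))
    print(check_pool("192.168.20.10/24", "192.168.20.10", "192.168.20.100"))
    print(subnets_overlap("192.168.10.1/24", "192.168.20.1/24"))
```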

Important for the configuration:
In the Interfaces/WAN menu the IPv4 Upstream gateway must be set to the gateway through which pfSense reaches the Internet (i.e. the IP address of the physical router); when the WAN obtains its address by DHCP this gateway is filled in automatically.
The LAN1 and LAN2 gateways must be set to "None": pfSense treats any interface that has an upstream gateway as a WAN-type interface, which breaks routing and NAT for that LAN.
Firewall Rules
• Simulation 1: Blocking access
